Mobile Triage and Origination
EnFuse 2016
Location: Las Vegas

Copyright
This material is subject to copyright, is owned by BlackBag Technologies, and is proprietary. It is being provided to the recipient under license. By the recipient's receipt of this material, recipient acknowledges and agrees that recipient has been granted a limited and revocable right and license to use the information contained herein solely for general educational purposes. Recipient may not use these materials for any other purpose (including in connection with its business operations) and may not disclose these materials or its content, whether in written form or verbally, to any third party.
PAGE: 2
© BlackBag Technologies, Inc. 2016 Proprietary Information

Who are we?
BlackBag’s mission is to find the truth in data
BlackBag Technologies is a leading provider of digital forensics software, training, and services. Our team is solely focused on developing innovative and accessible solutions for the complex challenges presented by an increasingly vast digital crime scene. As the sea of data expands, we stand by our pledge to be an ally in pursuit of finding truth within it.
Carpe Datum!

Derrick Donnelly
Some background
• Federal Law Enforcement Officer in Canada (5 years)
• Have been an Instructor for FBI, DHS, USSS, DoD, and other Federal, State and Local agencies
• Head of IT Security, Apple Computer (5 years)
• CTO/Founder, BlackBag Technologies
• Forensic Analyst, Santa Clara Police Department, CA

iOS Forensics and Analysis
Mobilyze
Using Mobilyze for Triage
• Types of devices recognized
• How Mobilyze works
• Who can use Mobilyze
• What data is collected
• Triage vs. full analysis

Case Manager (No Prior Case/Device)
Initial window displayed upon launching Mobilyze

Case Manager (Device Trusted)

Android Information
Case Manager Window
• Must have PIN code
• USB Debugging mode turned on
• Connect phone
• Phone displays - Allow USB Debugging?
• RSA key fingerprint shown
• Click OK
• Available device shown

Case Manager (iOS Device Locked/Unpaired)
Device is connected but unpaired, unable to acquire
• Trust to pair the device

Collection Options
Limited
Full - All available items

Collection Options
Limited Collection with nothing selected

Android Information
Case Manager Window
• Limited Collection button
• MAY have third party applications available
• Some require root access
• May be able to set the order of collection
• Based on OS allowed behavior

Android Information
Collection process
• BlackBag trusted agent written to the device
• Removed after finished or “Stop Import” implemented
• Do not touch the device until instructed
• Can be disconnected and retain data for review
Android data
• Voicemail and voice memos not likely available
• Internet - open pages
• No pictures to correlate with the URL

Data Collection Started
Data metrics populate shortly after starting as data is collected

Data Collection - iOS 8 and iOS 9
Devices running iOS 8.x are handled differently
• Some connection methods now blocked by Apple
• Complete processing for each data type may be necessary before its viewing is possible

Data Collection Completed
• Mobilyze announces when the data collection process has completed and the device can be safely disconnected
• Processing of the collected data will continue

Mobilyze User Interface
Device View
• Details and collection summary
• Top 10 Contacts
• Accounts
• Filtering
• Navigate to data

Filtering
Allows user to concentrate on items of interest
Filter by keyword or date range

Filtering
Keywords and phrases can also be used to further filter the results

Communications
“Comm” view consolidates all the communications data into one area
Call History, Messaging, Contacts, Voicemail, Voice Memos

Messages
• SMS
• MMS
• FaceTime
• Skype
• WhatsApp
• Kik
• textPlus
• Textfree

Messages
Conversation View

iOS Device Forensics
iOS Analysis
New California Privacy Laws SB 178
Searching
The law requires that after a device is searched, any information that was obtained that is not relevant to the investigation must be destroyed and cannot be retained by the law enforcement agency. This will have implications for the ECU, investigations, and anyone who dumps phones.
Reporting
The law requires that subsequent to the service of a search warrant or other search of an electronic device, the law enforcement agency must provide notification to the owner of the device that the search was conducted. The AG has provided templates for this notification. This must be completed within 72 hours of the service of the warrant and must include a copy of the warrant. The law identifies the specific information that must be provided to the owner. It is possible to obtain 9-day extensions in the case of ongoing investigations or other situations where the notification would be detrimental to the investigation. In cases where a phone is searched and there is no identified owner, the law enforcement agency must report to the DOJ the above information as well as what was obtained.
PAGE: 23
© BlackBag Technologies, Inc. 2015 Proprietary Information

Found/Unclaimed Electronic Devices
This law eliminates the concept of “abandoned” property. Found phones with no identified owner can no longer be searched for any information other than that which might help identify the owner.
Probation / Parole / PRCS
Beginning January 1st, law enforcement cannot search a phone or other electronic device under probation or parole. The search of these devices will require “specific consent” or a search warrant. This fact is agreed upon by the A.G., CAO, and DA’s Office. The resolution for this will be having probationers and parolees sign SB178-specific waivers when they are released on probation/parole.

The Mystery Of Photos
Where did the data come from?
Who created the data?
What was done with the data?

Internet Artifacts - Safari
/mobile/Applications/com.apple.mobilesafari/Library/Safari/History.db
Advanced iOS Analysis
© BlackBag Technologies Inc. 2003 - 2016 Proprietary Information
26

Safari Continuity
Pages available on iCloud connected device

Effects of iCloud
Web history cleared on iOS device
• Web pages viewed on Mac computer

Examine History Database
iOS history file shows pages from OS X
• These were not viewed on the iOS Device

Safari Suspended State
Accessing Open Safari Pages

Viewing Suspended State
/mobile/Applications/com.apple.mobilesafari/Library/Safari/SuspendState.plist
• Lots of information in .plist

Safari Thumbnails
/mobile/Applications/com.apple.mobilesafari/Library/Safari
• A thumbnail of pages contained in Suspended State
• Shows exactly how the page was viewed
• Not all pages may get a thumbnail
• May show pages in Private Viewing Mode
• Similar to webpage previews in OS X

Viewing the Thumbnails
• .png preview of the web page (note zoom)

Safari Bookmarks
/mobile/Library/Safari/Bookmarks.db
• SQLite database
• Bookmarks saved to device
• Synced bookmarks from iCloud-enabled devices

Safari Preferences
/mobile/Applications/com.apple.mobilesafari/Library/Preferences/com.apple.mobilesafari.plist
• Sites added to Safari Reading List
• Private Browsing Setting
• Recent Web Searches
• Date and time of actual search
• Actual search term entered by user

iOS Settings
Various settings can be changed by user:
• Shows ability to use device
• Shows knowledge of certain features
• Can assist in explaining why something is or is not available on this device

Last Boot Time
Last time the device started
• /mobile/Library/Preferences/com.apple.aggregated.plist

Determining Backups
/mobile/Library/Preferences/com.apple.mobile.idbackup.plist

Determine iCloud Account
iOS Devices
• icloudpairing.plist

Is Siri On?
The Siri assistant is normally turned on by the user at setup of the compatible iOS Device
• Settings ➔ General ➔ Siri

AirDrop Settings
AirDrop Status

Determine Accounts
Each device can be connected to:
• An iCloud Account
• iTunes Account
Users can have different accounts to do different things
• Home Sharing
• HomeKit
• Multiple email accounts

Registered iCloud Account
Can be found in many locations:
• /mobile/Library/Preferences/com.apple.conference.plist
• Key - registration.savedAccountName
• /mobile/Library/Preferences/com.apple.Preferences.plist
• Key - cachediCloudUsername

Messages Accounts
The Messages app displays SMS, MMS, and iMessages
• One or several accounts can be used to send Messages
• com.apple.ids.service.com.apple.private.alloy.sms.plist
• Shows accounts being used to send and receive messages
• Shows iCloud account and (possible) phone number
• Account ID

Messages Accounts
Vetted Aliases
• Settings ➔ Messages ➔ Send & Receive
• /mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.sms.plist

Handoff
Do you have all the data?
• Determine accounts for Handoff and Continuity
• /mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist

Advanced Analysis
Determine the User
How do we determine who the user is?
Accounts
Social Networking
Email
iCloud
Computer(s) synced
Personal Information
Personalization

Account Information
Finding a user's account information
/mobile/Library/Accounts/Accounts3.sqlite
• AppleID
• Profile ID
• DSID
• Email accounts
• Full name of user

Accounts3.sqlite
ZACCOUNTPROPERTY Table
Embedded .plist file
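As an added example (not BlackBag's or Apple's code), the following Python scans a SQLite database for BLOB columns that carry an embedded plist, as the ZACCOUNTPROPERTY table above does, and decodes them with plistlib; it generalises to every table in the file, so it also catches plists stored in tables the slide does not name. The column layout (ZKEY, ZOWNER, ZVALUE) and the sample rows are constructed assumptions, not copied from a real Accounts3.sqlite.

```python
"""Added example: locate and decode plists embedded in SQLite BLOB columns.

Not BlackBag code. The ZACCOUNTPROPERTY layout (ZKEY/ZOWNER/ZVALUE) and the
sample rows below are constructed for illustration, not copied from a real
Accounts3.sqlite. Work on a copy of the database, never on the original.
"""
import plistlib
import sqlite3

# Binary plists begin with "bplist00"; XML plists begin with an XML header.
PLIST_MAGICS = (b"bplist00", b"<?xml", b"<plist")


def looks_like_plist(value):
    """True if a column value is a BLOB whose first bytes look like a plist."""
    return isinstance(value, bytes) and value.lstrip().startswith(PLIST_MAGICS)


def find_embedded_plists(con):
    """Walk every user table and column; decode BLOBs that carry a plist.

    Returns a list of dicts with table, rowid, column and the decoded plist
    (None when a BLOB looks like a plist but fails to parse).
    """
    found = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT rowid, * FROM "{table}"'):
            rowid, values = row[0], row[1:]
            for col, value in zip(cols, values):
                if not looks_like_plist(value):
                    continue
                try:
                    decoded = plistlib.loads(value)  # autodetects binary vs XML
                except Exception:
                    decoded = None  # malformed blob: record it, keep scanning
                found.append({"table": table, "rowid": rowid,
                              "column": col, "plist": decoded})
    return found


def build_sample_accounts_db():
    """Constructed in-memory stand-in for the ZACCOUNTPROPERTY table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZACCOUNTPROPERTY (Z_PK INTEGER PRIMARY KEY, "
                "ZKEY TEXT, ZOWNER INTEGER, ZVALUE BLOB)")
    binary_plist = plistlib.dumps(
        {"fullName": "Constructed User", "dsid": "000000000"},
        fmt=plistlib.FMT_BINARY)
    xml_plist = plistlib.dumps({"primaryEmail": "user@example.invalid"})
    con.executemany(
        "INSERT INTO ZACCOUNTPROPERTY VALUES (?, ?, ?, ?)",
        [(1, "personInfo", 7, binary_plist),      # binary plist in a BLOB
         (2, "mailAccount", 7, xml_plist),        # XML plist in a BLOB
         (3, "opaque", 7, b"\x00\x01not a plist")])  # unrelated binary data
    con.commit()
    return con


if __name__ == "__main__":
    for hit in find_embedded_plists(build_sample_accounts_db()):
        print(f"{hit['table']}.{hit['column']} rowid={hit['rowid']}: {hit['plist']}")
```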

Accounts
Places to look for user information
• mobile/Library/Preferences
• com.apple.imservice.iMessage.plist
• com.apple.imservice.FaceTime.plist
• Shows iCloud Account
• Any approved phone number
• Any approved email address

Other Relevant Name Locations
Listing of files that contain user information:
• mobile/Library/Preferences/com.apple.conference.plist
• Shows AppleID of user
• mobile/Library/Preferences/com.apple.ids.service.com.apple.private.ac.plist
• Shows vetted accounts
• /mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist
• Shows IDs associated with phone for Handoff

The Mystery Of Photos
Deeper analysis of photos
DCIM Folder
Photos Database
Sharing Albums

DCIM Folder
/mobile/Media/DCIM/
• Folders named 100Apple, 200Apple, etc.
• Maximum 999 pictures/videos in each folder
• Contains
• Pictures, videos, screenshots taken by device

DCIM PLIST File
/mobile/media/PhotoData/MISC/DCIM_APPLE.plist

A Look Beyond The Pictures - iOS
Photos.sqlite
• Contains information on all pictures/videos in library
• Face names
• Indexed data on pictures
• Any keyword searches entered by the user
• Dates and times pictures/videos are uploaded to cloud
• Extended metadata of pictures

Photos.sqlite
/mobile/Media/PhotoData/Photos.sqlite

Cloud Master Table
ZCLOUDMASTER
ZCREATIONDATE
ZIMPORTDATE
ZCLOUDMASTERGUID
ZIMPORTSESSIONID
ZORIGINALFILENAME

Generic Album
ZGENERICALBUM
ZGUID
ZCLOUDMETADATA
ZTITLE
ZUDID
ZCLOUDPERSONID
ZCLOUDCREATIONDATE
ZCLOUDLASTCONTRIBUTIONDATE

Moment
ZMOMENT
ZENDDATE
ZSTARTDATE
ZREPRESENTEDDATE
ZAPPROXIMATELOCATIONDATA
ZREVERSELOCATIONDATA

Additional Asset Attributes
ZADDITIONALASSETATTRIBUTES
ZEXIFTIMESTAMPSTRING
ZORIGINALFILENAME
ZORIGINALPATH

Additional Tables
ZKEYWORD - keyword searches conducted by user
ZCLOUDSHAREDALBUMINVITATIONRECORD - shows albums that have been shared and to whom the invitation was sent
ZPERSON - user-identified faces
ZGENERICASSET - shows list of images, their path, and associated dates including deleted date
ZASSETDESCRIPTION - if the picture contains a description in its metadata it will be shown here

Photo Sharing
Albums are created and can be shared with other iCloud users
• When album is created a share request is sent
• Message sent by email
• Once accepted, recipient's Photos album is updated with new pictures
• Users can unsubscribe but information remains on sending device

Photo Sharing
Sharing “New Pictures” Album
Album is shared
Email to user is sent
ZCLOUDSHAREDALBUMINVITATIONRECORD

Shared Album Accepted
/mobile/Media/PhotoData/PhotoBulletins.plist

Which Album Was Shared?
ZCLOUDSHAREDALBUMINVITATIONRECORD

Album Info
Info.plist

Adding Photos
Person adds pictures to shared albums

Notification On Device
When a picture is added to an album
Notifications

PhotoBulletins
PhotoBulletins.plist

Find Last Added Picture
PhotoBulletins.plist
Photos.sqlite - ZGENERICASSET

Last Picture Added
From Photos.sqlite ➔ ZGENERICASSET
/mobile/Media/PhotoData/PhotoCloudSharingData/UUID/100CLOUD

Who Sent That Picture?
Photos.sqlite ➔ ZGENERICASSET
cloudSharePersonInfos.plist

Summary
/mobile/Media/PhotoData/PhotoCloudSharingData/
cloudSharedEmails.plist
• Shows email of person sending invitation
cloudSharedPersonalInfos.plist
• Shows full name and email address of recipient

Recently Deleted Photos
Photos App and iOS Photos save deleted pictures
• Photos are moved to the ‘Recently Deleted’ album
• Keeps deleted items for ‘up to 40 days’
• Apple’s documentation says 30 days
• Provides visual notification as to when photo will be permanently deleted
• Days are counted down and displayed in red
• Jailbroken iPhones can hide this album in the UI
• But function for now still works

Picture Thumbnails
Thumbnails contained in .ithmb
• Thumbs of pictures/videos from DCIM folder
• There are four resolutions of pictures
• 3303.ithmb - very small
• 3309.ithmb - small
• 3319.ithmb - zoomed in
• 4031.ithmb - full
• /mobile/Media/PhotoData/Thumbnails

Recently Deleted iOS Devices
Recently deleted pictures
• Images taken or saved by the device and deleted
• Are maintained in the /DCIM/ folder
• Images synced through cloud and deleted
• Are maintained in the iCloud/DCIM/ folder

Delete A Picture
Picture taken by iOS Device
DCIM Folder

Picture Deleted
Recently Deleted Album
DCIM Folder

Locating Deleted Pictures
/mobile/Media/PhotoData/Photos.sqlite

Using SQLite Command
Using BlackLight’s SQLite command bar
• SQLite databases often contain more data than needed
• Entering SQLite commands can focus the display
SELECT ZTRASHEDSTATE, ZTRASHEDDATE, ZDIRECTORY, ZFILENAME FROM ZGENERICASSET WHERE ZTRASHEDSTATE = 1;
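The query above, carried through end to end as an added example (not BlackBag's code): the script builds a constructed in-memory stand-in for Photos.sqlite with the ZGENERICASSET columns named on the slide, runs the same SELECT, converts ZTRASHEDDATE from Core Data's timestamp base (seconds since 2001-01-01 UTC, an assumption stated in the code), and places each hit against the 30-day (Apple documentation) and 40-day (observed) retention windows from the Recently Deleted Photos slide. The sample rows are constructed, not from a real device.

```python
"""Added example: the Recently Deleted query from the slide, run against a
constructed Photos.sqlite fragment. Not BlackBag code.

Assumptions: ZGENERICASSET has the four columns used on the slide, and
ZTRASHEDDATE is a Core Data timestamp (seconds since 2001-01-01 UTC).
The rows below are constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
APPLE_DOC_RETENTION_DAYS = 30  # what Apple's documentation states
OBSERVED_RETENTION_DAYS = 40   # "up to 40 days" as observed in the slides

# The query exactly as entered in BlackLight's SQLite command bar.
TRASHED_ASSETS_SQL = (
    "SELECT ZTRASHEDSTATE, ZTRASHEDDATE, ZDIRECTORY, ZFILENAME "
    "FROM ZGENERICASSET WHERE ZTRASHEDSTATE = 1;"
)


def cocoa_to_datetime(seconds):
    """Convert a Core Data / Cocoa timestamp to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def trashed_assets(con, now):
    """Run the slide's query and annotate each hit with its retention dates."""
    results = []
    for _state, tdate, directory, filename in con.execute(TRASHED_ASSETS_SQL):
        path = f"{directory}/{filename}"
        if tdate is None:  # trashed flag set but no date recorded
            results.append({"path": path, "trashed_at": None})
            continue
        trashed_at = cocoa_to_datetime(tdate)
        doc_deadline = trashed_at + timedelta(days=APPLE_DOC_RETENTION_DAYS)
        observed_deadline = trashed_at + timedelta(days=OBSERVED_RETENTION_DAYS)
        results.append({
            "path": path,
            "trashed_at": trashed_at.isoformat(),
            "days_in_trash": (now - trashed_at).days,
            "purge_due_per_docs": doc_deadline.isoformat(),      # 30-day window
            "may_persist_until": observed_deadline.isoformat(),  # 40-day window
            # True means the item has outlived Apple's documented window and
            # is only still recoverable because of the longer observed one.
            "past_documented_window": now > doc_deadline,
        })
    return results


def build_sample_photos_db():
    """Constructed in-memory stand-in for the ZGENERICASSET table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZGENERICASSET (Z_PK INTEGER PRIMARY KEY, "
                "ZTRASHEDSTATE INTEGER, ZTRASHEDDATE REAL, "
                "ZDIRECTORY TEXT, ZFILENAME TEXT)")
    con.executemany(
        "INSERT INTO ZGENERICASSET VALUES (?, ?, ?, ?, ?)",
        [(1, 0, None,        "DCIM/100APPLE", "IMG_0001.JPG"),  # still in library
         (2, 1, 473299200.0, "DCIM/100APPLE", "IMG_0002.JPG"),  # 2016-01-01 00:00 UTC
         (3, 1, 470707200.0, "DCIM/100APPLE", "IMG_0003.MOV"),  # 2015-12-02 00:00 UTC
         (4, 1, None,        "DCIM/100APPLE", "IMG_0004.JPG")])  # trashed, no date
    con.commit()
    return con


if __name__ == "__main__":
    for item in trashed_assets(build_sample_photos_db(), datetime.now(timezone.utc)):
        print(item)
```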

Was The Picture Really Taken?
Picture AirDropped to another iOS Device

Picture Being Sent
Sending device

Picture Is Received
AirDrop picture is accepted

Analysis Of Device
Analysis of receiving device

MD5 Changed
Value has changed between pictures
Original
Received

Thumbnails
Thumbnails/V2/DCIM/
• Folder that relates to parent image in DCIM folder
• One folder per picture/video
• Contained is a file named 5003.jpg
• All thumbs have the same name
• Lower resolution image of the parent from DCIM folder

Resources
Support
www.blackbagtech.com/support.html
Free Tools
www.blackbagtech.com/resources/freetools.html
BlackBag Blog
www.blackbagtech.com/blog

Staying Connected
In Person:
San Jose, CA (HQ) and Herndon, VA
Remote offices in Texas, SoCal, New York and UK
Online:
www.BlackBagTech.com
www.twitter.com/BlackBagTech
www.linkedin.com/company/blackbagtech

BlackBag Technologies Update
Mobilyze
• Mobile acquisition and triage
MacQuisition
• Imaging and incident response
BlackLight
• Forensics on OS X and Windows
SoftBlock
• Kernel-level write-blocking of physical devices

Thank you!
Questions?
derrick@blackbagtech.com
408-844-8890
C A R P E D A T U M