THM — iOS Forensics
My Notes on THM Room.
Data Acquisition & Trust Certificates
The analysis of iPhone backups made with iTunes is an interesting topic, to say the very least. When backing up an iPhone, iTunes accesses the iPhone in a privileged state — similar to using the sudo command on Linux to run a command with root privileges.
iPhones will only back up to trusted computers. When plugged into a new device, the iPhone asks the user whether or not they wish to trust the computer. "Trusting" a computer involves generating a pairing certificate on both the iPhone and the computer. If the certificate matches on both devices, the iPhone can be backed up. This process is a fantastic security measure by Apple, namely to prevent attacks such as "Juice Jacking".
A lockdown certificate is stored within /private/var/db/lockdown on later iOS devices, or /private/var/Lockdown on older iOS devices.
Analyzing iOS Files
Property list files, which use the .plist extension, hold anything from preferences to application settings and data.
Files in the .db format: Apple uses this file format for its traditional purpose, storing data in a structured form (SQLite databases).
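To show what examining a .plist actually involves, here is an added example (my own code, not part of the THM room or the filesystem dump) that loads a property list in either of its two on-disk forms, binary (magic bytes "bplist00") or XML, and flattens the nested keys so they can be grepped or dropped into a report. The sample plist is constructed for the example; the key names in it are invented.

```python
import plistlib
from datetime import datetime

# Constructed sample: a small preferences-style property list, not a file
# from the room's dump. Plist dates are stored as UTC, so a naive datetime
# is used here (plistlib's binary writer rejects timezone-aware values).
SAMPLE = {
    "CFBundleIdentifier": "com.example.notes",   # invented bundle id
    "LastOpened": datetime(2020, 8, 23, 10, 15, 0),
    "Settings": {"SyncEnabled": True, "RetryCount": 3},
    "RecentFiles": ["a.txt", "b.txt"],
}


def sample_blobs() -> dict:
    """Serialise SAMPLE in both formats so the loader can be tried on each."""
    return {
        "xml": plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML),
        "binary": plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY),
    }


def load_plist(data: bytes) -> dict:
    """Parse a property list from raw bytes, whatever its on-disk format.

    Binary plists begin with the magic 'bplist00'; anything else is treated
    as XML. plistlib can autodetect, but checking the header explicitly makes
    it obvious to the examiner which variant they are looking at.
    """
    fmt = plistlib.FMT_BINARY if data.startswith(b"bplist00") else plistlib.FMT_XML
    return plistlib.loads(data, fmt=fmt)


def flatten(obj, prefix: str = "") -> dict:
    """Flatten nested dicts/lists into 'Key.Sub[0]' -> value pairs."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{idx}]"))
    else:
        out[prefix] = obj
    return out


def describe(data: bytes) -> dict:
    """Load a plist blob and return its flattened key paths."""
    return flatten(load_plist(data))


if __name__ == "__main__":
    for name, blob in sample_blobs().items():
        print(f"--- {name} ---")
        for path, value in describe(blob).items():
            print(f"{path} = {value!r}")
```

Because both formats decode to the same Python objects, the flattened output is identical for the XML and binary copies; that is the property you rely on when a dump mixes old XML plists with newer binary ones.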
Your crime taskforce has been investigating the root cause of a recent outbreak of criminal activity. Although you've apprehended a Mr Brandon Hunter, you need to analyse the filesystem dump of his iPhone to find a lead into the gang.
Although the suspect's phone is locked with a passcode, you have been able to use a recent "Lockdown Certificate" from the suspect's computer, allowing you to create a logical file system dump from an iPhone backup he made recently.
Who was the recipient of the SMS message sent on 23rd of August 2020?
Checking the path \var\mobile\Library\SMS, we find a SQLite database that holds the table of messages sent on the device. Scrolling to the right of the messages table, we see that the recipient is Lewis Randall.
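Scrolling through a viewer works for one message, but the same lookup is easier to repeat (and to explain in a report) as a query. The following is an added example, my own code rather than anything from the room, that builds a constructed stand-in for sms.db with the two tables the question needs, message and handle, and resolves the counterpart of every message on a given day. It also handles the timestamp unit problem a practitioner hits on real dumps: message.date is seconds since 2001-01-01 on older iOS releases and nanoseconds since then on newer ones. The phone numbers and texts are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores message timestamps relative to 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value: int) -> datetime:
    """Convert a message.date value to an aware UTC datetime.

    Newer iOS writes nanoseconds, older iOS seconds. A seconds value for any
    plausible date is below 10**10, so anything larger is taken as nanoseconds.
    """
    if value > 10**11:
        value = value / 10**9
    return APPLE_EPOCH + timedelta(seconds=value)


def utc_to_apple(dt: datetime, nanoseconds: bool = False) -> int:
    """Inverse of apple_time_to_utc, used here only to build the sample rows."""
    secs = int((dt - APPLE_EPOCH).total_seconds())
    return secs * 10**9 if nanoseconds else secs


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for sms.db (schema trimmed to the
    columns used here; values are invented for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
            handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO handle VALUES (?, ?, ?)",
        [(1, "+15550100", "SMS"), (2, "+15550199", "SMS")],
    )
    rows = [
        # received the day before, stored in nanoseconds (newer-iOS style)
        (1, "You around tomorrow?", 1,
         utc_to_apple(datetime(2020, 8, 22, 9, 0, tzinfo=timezone.utc), True), 0),
        # sent on the 23rd, stored in seconds (older-iOS style)
        (2, "Meet at the usual place", 2,
         utc_to_apple(datetime(2020, 8, 23, 14, 30, tzinfo=timezone.utc)), 1),
        # sent the day after
        (3, "Running late", 1,
         utc_to_apple(datetime(2020, 8, 24, 1, 0, tzinfo=timezone.utc), True), 1),
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def messages_on(conn: sqlite3.Connection, day: str) -> list:
    """Return every message whose converted timestamp falls on YYYY-MM-DD.

    The join resolves handle_id to the phone number or address. For an
    outgoing message (is_from_me = 1) that handle is the recipient; for an
    incoming one it is the sender. Filtering happens after conversion so the
    mixed seconds/nanoseconds values are compared on equal footing.
    """
    rows = conn.execute(
        """
        SELECT m.ROWID, m.text, m.date, m.is_from_me, h.id
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.date
        """
    ).fetchall()
    hits = []
    for rowid, text, date, is_from_me, counterpart in rows:
        ts = apple_time_to_utc(date)
        if ts.strftime("%Y-%m-%d") != day:
            continue
        hits.append({
            "rowid": rowid,
            "direction": "sent" if is_from_me else "received",
            "counterpart": counterpart,
            "text": text,
            "timestamp": ts.isoformat(),
        })
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for hit in messages_on(db, "2020-08-23"):
        print(hit)
```

On a real dump you would open sms.db read-only (sqlite3's URI mode with mode=ro) rather than build the sample, and keep the nanoseconds check, since a single database can contain rows written by several iOS versions after upgrades.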
What did the SMS message say?
Did you get the goods?
Looking at the address book, what is the first name of the other person in the contacts?
Continuing to search \var\mobile\Library, we find a folder for AddressBooks.
Following on from Question #3, what is their listed "Organization"?
Investigate their browsing history: what is the address of the website that they have bookmarked?
The suspect received an email; what is the remote_id of the sender?
Checking the \Mail\Envelope Index file, we find the remote_id.
What is the name of the company on one of the images stored on the suspect's phone?
What is the value of the cookie that was left behind?
We find this file in the Cookies folder. Since it is a .plist file, we open it with Sublime and find the flag.