Join Us!

IOS Mobile Forensic...
 
Notifications
Clear all

IOS Mobile Forensic with Axiom and Oxygen  

  RSS
asriel
(@asriel)
New Member

Hi everyone,

I am trying the software Axiom to do a mobile forensic on IOS. The phone is a jailbreak iphone 7 with IOS 11.

I was asked to get facebook activity deleted, instagram and twitter activity, deleted chats (sms, imessages, whatsapp and messenger), dating apps activity (Tinder, Jswipe, Bumble) and the incognito mode for google.

I am not really successful to get any of all of this.

I thought about the facebook, instagram and twitter URLs to get the activity for these social media. The facebook URLs that axion got are not complete and I can't find a search history of profiles visited. I didn't find any way to get an instagram activity and the twitter URLs don't seem to be complete either. Does anyome know how to get search history and activity for these social media ?

I found the databases for the chats and the dating apps.

Axiom didn't get any deleted chats. I tried to load them in oxygen after it but the deleted content seem to be garbage, it's random numbers and letters. Is there something else to do to get any deleted content ?

The database for the dating apps show activity date like first use last use and last open, but what "use" mean in that case ? Is it swipping ? Send a text in a conversation ? And that doesn't seem right because sometimes these 3 dates are the same day and the app has been used during months. Is anyone know a little more about database of these dating apps ?

I thought about the KnowledgeC database to get app activity but this database stores only 1 month of data. Is it possible to get more from this database like deleted content from months before ?

I am not able to find any database or record of the incognito mode.

Is anyone could help me with any of these problems ?

Thank you very much !

Quote
Posted : 18/03/2019 3:18 pm
mcman
(@mcman)
Active Member

Ok so I'll try to break down the things you're looking for and try to help where I can.

1) A jailbroken acquisition is great, rare but great when you can get it definitely take advantage. Not a lot of devices will come jailbroken so you'll have access to most of the data if it still exists on the device. However, one note, this is still a full file system dump of the phone not a physical image. The data is still encrypted on the device so you'll only be able to carve what still exists in the files and databases and wal files remaining on the device (no unallocated space).

2) The data you'll get from the social apps (fb, instagram, twitter) will vary depending on how the app was used. I would compare what AXIOM/Oxygen recovered to the actual databases and make sure they're getting everything that are in those dbs. While you'll still get facebook data, they actually store a lot of the message data in the cloud so even with a jailbroken device, you'll only get the most recent stuff that was cached on the device. (ex. if you have the phone and it's not actual evidence, look to see if you can see the messages, then put it in airplane mode and see if you can still see the messages, many of them will no longer be accessible. This is because FB is not storing everything on the device, it's pulling stuff from the cloud as needed).

3) Dating apps - AXIOM will support Tinder but not Jswipe or Bumble so you'll have to manually search the databases for the other two and see what you can find. I'm not sure what Oxygen supports. For deleted content, are you able to see it in the app? AXIOM will carve the db for deleted content but if it's not in there, there's not much else to do. Manual review is probably best to confirm whether something is there or not.

4) Chrome incognito - you won't get much here unless you're reading straight from memory. I haven't tested incognito with iOS too much but if it's similar to incognito on the computer, not much gets written to the disk and you're limited to what can be carved out of memory for the most part (which isn't much). AXIOM's generic URL carver ("Potential Browsing Activity" artifact) should pick up any URLs it can find, might not associate it to a given browser but if it finds a URL somewhere, it will be in there.

5) KnowledgeC is a great source of info but yes it's timeframe is limited. I haven't see much outside the time range from carved data.

Hope that helps, short answer is, no data is guaranteed even with a jailbroken device. Make sure you verify the source databases to make sure your tools got everything that was there and let us know if we missed anything you found manually.

Jamie McQuaid
Magnet Forensics

ReplyQuote
Posted : 18/03/2019 3:56 pm
asriel
(@asriel)
New Member

Thank you very much for your answer, it is really helpful.

1) I understand better that part, I thought the softwares were carving in unallocated space. Is there a way to look in unallocated space on a jailbroken phone or it's possible only with a physical image ?
Is there other way than Graykey (we don't have it) to get a physical image ?

2) Is it possible to ask facebook/instagram (by simple request or subpoena) to recover for us the activity usage and the search history deleted ?

3) I am not able to see the deleted content in the app. I was trying to get a report for dating app usage (each time the app was installed, uninstalled, last used and last opened for each installation) thinking it was accessible in the database of the dating apps. I thought about the battery usage database and the data usage too to get that information but this has a limitation in time.

ReplyQuote
Posted : 18/03/2019 4:30 pm
mcman
(@mcman)
Active Member

Is there other way than Graykey (we don't have it) to get a physical image ?

Even with a GrayKey, it's still a file system dump. It has to do with the data being encrypted at the chip level. No physical acquisitions after iPhone 4. Both a jailbroken phone and GrayKey will get you the best amount of data that's possible with iOS that I'm aware of.

2) Is it possible to ask facebook/instagram (by simple request or subpoena) to recover for us the activity usage and the search history deleted ?

Yep, if you're legally authorized, both FB/Instagram and most providers have a lawful access guide and typically they'll provide what is stored in the cloud which is usually more than what is on the device.

3) I am not able to see the deleted content in the app. I was trying to get a report for dating app usage (each time the app was installed, uninstalled, last used and last opened for each installation) thinking it was accessible in the database of the dating apps. I thought about the battery usage database and the data usage too to get that information but this has a limitation in time.

Examining app usage is a great method, you won't get much usage details from the database itself (aside from message timestamps, matches, etc.) but definitely the KnowledgeC databases, Screen time, Network Usage history keeps some good information, FSEvents, etc… all are quite helpful to map out this type of usage. KnowledgeC will track per app times, focus times, lock/unlock times, plug/unplug, etc. so you'll get a ton of really good data. The only limitation is if you have to go back too far in time, you may find some of the apps only store 30 days worth of activity. You could also grab all the native system artifacts and build out a timeline of activity across all apps if you're interested in what the user was doing at specific dates/times.

Hope that helps,
Jamie

ReplyQuote
Posted : 18/03/2019 5:41 pm
Mreza
(@mreza)
Member

2) Is it possible to ask facebook/instagram (by simple request or subpoena) to recover for us the activity usage and the search history deleted ?

Why don`t you try with data extraction from cloud?

ReplyQuote
Posted : 10/04/2019 3:26 pm
Thomass30
(@thomass30)
Active Member

No physical acquisitions after iPhone 4.

Correct me if I'm wrong but I think that full physical acquisition could be done for iPhone 4s, 5 and 5c
There is no full physical acq. for 5s and newer.

ReplyQuote
Posted : 11/04/2019 2:23 pm
mcman
(@mcman)
Active Member

No physical acquisitions after iPhone 4.

Correct me if I'm wrong but I think that full physical acquisition could be done for iPhone 4s, 5 and 5c
There is no full physical acq. for 5s and newer.

I always understood it as the 4s and newer, something with the A5 chip preventing it. The 64-bit chips with the 5s and newer didn't help but I was always under the impression it was before that. I could be wrong too though so don't hold me to it.

I tried to dig up a proper source for it either way but I guess my research skills are falling short today. Found Ron mentioning here on the forums a while back that anything after 4s was a no go but that was it.

http//www.forensicfocus.com/Forums/viewtopic/t=10615/

"iOS 6 is supported for physical extraction when running on devices before the 4S (4S and iPhone 5 are not supported for physical)."

ReplyQuote
Posted : 11/04/2019 6:18 pm
randomaccess
(@randomaccess)
Active Member

Up until iPhone 4 you get obtain and parse a physical extraction

Post iPhone 4 you can jailbreak/exploit and get what some people call a physical, but is really a full file system copy. This is currently the best we can get.

My issue is that some people call a "full file system" a "physical"
And others call a backup with some extra files a "file system"
and it confuses people

Either way, youre not carving deleted pictures and videos. Your best bet is getting access to icloud, hoping they transferred the files elsewhere (for ex they can text it to someone and delete the original, and the texted version still exists on their phone) or looking for thumbnails.

ReplyQuote
Posted : 12/04/2019 1:08 am
Thomass30
(@thomass30)
Active Member

What I mean by physical is that
- on 32 bit Jailbroken devices (iPhone 4s, 5 and 5c) we can get the entire DMG image of the device (unencrypted system partition and encrypted user data partition) with keychain that can be decrypted.
- on 64 bit jailbroken devices (5S and newer) we can get TAR archive which in fact contains the same data as a DMG image however the extracted keychain cannot be decrypted (becase of secure enclave).

Am I right or Am I missing something ? roll

And we can also get certain types of deleted text data like messages oraz contacts stored in SQLite databases

ReplyQuote
Posted : 12/04/2019 11:31 am
mcman
(@mcman)
Active Member

My issue is that some people call a "full file system" a "physical"
And others call a backup with some extra files a "file system"
and it confuses people

This x100. I've tried so hard to match your terminology above in any presentation I've given on mobile (iOS and Android). A backup (iTunes or ADB) is a logical extraction restricted by permissions and an API. A file system extraction (jailbroken/GK image or dm-0, etc.) is still a logical extraction, it simply has elevated privileges. Physical is when you are ripping the entire chip (JTAG/ISP/Chipoff/mmcblk0, etc…).

While I agree with most of your other comments too. I do need to separate some people's thoughts on "carving" and "carving unallocated space", they're not the same thing (not saying you made that jump but many people do). Many people just think carving means searching for deleted files in unallocated space and can only be accomplished with physical images and this adds to the confusion around the terminology above.

You can carve anything. We carve allocated data for records or data fragments in almost every artifact we support and you don't need a physical image to do that. Non-live SQLite records (could be deleted, maybe not) as already mentioned can be carved as long as you get the actual db (and WAL file usually). You can carve pictures and other data from other allocated files quite easily as well. You don't need unallocated space for that either.

I think the debate between the physical 4s and 5s probably lies in whether you consider decrypting data into a logical form still physical or does that move to a file system view. My opinion is that if you can decrypt in a stream regardless of the data that resides there (essentially maintaining unallocated space in this respect) then you're still getting a physical but if the decryption is at the file level or anything other than the stream/block level, then it's moved over to the logical realm and would be a logical/file system.

Again, not very scientific but that's my OCD way to bucket everything I can ) Also interested in other people's thoughts, especially on my last paragraph.

Jamie

ReplyQuote
Posted : 12/04/2019 2:25 pm
Thomass30
(@thomass30)
Active Member

I agree that the iOS file system extraction is in fact just logical acqusition. (4 and later)
I was using term 'physical' in content of iOS just because I was using Elcomsoft iOS forensic toolkit and they called it 'physical' (creating dmg image for 4s,5,5c and later TAR archive).

ReplyQuote
Posted : 12/04/2019 6:22 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Physical acquisition is the binary image of a chip.

Filesystem acquisition (encrypted or not) is a logical acquisition.

ReplyQuote
Posted : 12/04/2019 9:33 pm
asriel
(@asriel)
New Member

2) Is it possible to ask facebook/instagram (by simple request or subpoena) to recover for us the activity usage and the search history deleted ?

Why don`t you try with data extraction from cloud?

We tried the data extraction from Cloud for Facebook with Axiom, but there was not the option of the search history in it. Is there another software like oxygen that has the option of search history with the data cloud extraction ?

Also the whatsapp cloud extraction didn t work with axiom, we couldn t connect the account to it.

ReplyQuote
Posted : 25/04/2019 10:40 pm
Share: