Vladimir Katalov and Mattia Epifani discuss their research at DFRWS EU 2019.
OK, hello everybody, thank you for coming, my name is Vladimir. I am from Elcomsoft Company based in Moscow, Russia. Unfortunately we’re very limited in time, so we will have to go fast. I think you’re familiar with mobile forensics and in particular in iPhone forensics. This time we are going to speak about what kind of data can be extracted from Apple Watch.
There are basically three main methods of extracting the acquisition of the data from the mobile devices: physical, logical, and cloud. But for the Apple Watch, there are actually some differences.
First, there is no such thing as a backup of the watch itself, but some data is stored inside the iPhone which it’s paired with. And also we can still get some data directly from [the] watch, but that will [unintelligible] be a kind of very limited data. And also we can get some data from the cloud, and I wouldn’t say some, actually a lot, because the watch syncs the data it collects to the iPhone [it’s] paired with. And if the phone is connected to the cloud and connected to the Apple account, a lot of data goes from there to the cloud. That’s mainly about Apple Health.
There is some description of Apple Watch backups, although, as I said, there is no such thing as a watch backup. But some data is stored inside [the] iTunes backup. And Apple Watch creates its backup in only a very limited number of cases, for example, when you unpair [the] watch from the iPhone, then at this time, the backup is being created, or when you pair with a new watch. So there is no way to force creating the backup on Apple Watch, just – only by unpairing it, and that’s actually the only method.
You can see the list of backups created. First, of course, if you try to restore [the] watch from backup, you will see the list of backups available on the iPhone with different versions, and it will list only those versions that can be installed on the current system. So if [the] backup is newer and your current watch’s version is older, you just won’t see the proper backup here.
And also you can look right on your iPhone, if you go to iPhone storage and list through watch, you will see some information about backups, but there is absolutely no control on those backups. You cannot get them right from here, and you cannot delete, for example, individual backups – only all of them together.
What is inside watch backups? There is a kind of description on the Apple website, it’s not really as comprehensive as information about the iTunes backup, and [somewhat] I would say that it is basically settings, various settings, playlists, something about Siri, some information about what kind of data should be seen between [the] watch and [the] iPhone.
What is not included, unfortunately, is Bluetooth pairings, there is no data on payment cards, there is something about the Apple Pay card we have just recently found with a new version, but I really doubt that any kind of payment information will be there, even the last four digits of the card, and of course there is no watch passcode there.
So how to create the backup? As I said, you can unpair the watch from the iPhone, and at that time the backup will be created inside the iPhone file system, and then you just normally create, through iTunes, the backup. And also, please pay attention that you have to create an unencrypted phone backup. There is [an] extremely huge difference between encrypted and [un]encrypted backups. The content is actually not the same, and it is not only about the encryption, but also about the data stored there. Okay? Mattia will continue.[Mattia]
So, what can you find exactly in an iOS backup about the Apple Watch? So first, you have to go through the backup that was created and search for a folder called DeviceRegistry.state. Inside this folder you will find different files. The most interesting ones are historysecureproperties.plist. Here you can find information about [the] wi-fi MAC address and Bluetooth MAC address of the Apple Watch, plus the serial number and UDID of the paired Apple Watch.
Another really interesting file is the StateMachine. The StateMachine will tell you the pairing timestamp, so the exact point in time in which the watch was paired with your iPhone, including the watch’s version that was installed at the time of pairing. This is the StateMachine. In the ActiveStateMachine file, you can get an additional information, so the actually installed watch OS version. So here you can start building your timeline of usage of the Apple Watch paired with the iPhone because you have the pair timestamping Apple [unintelligible].
Then, once you have analyzed the DeviceRegistry.state folder, you can go into the Device Registry folder and here, you have actually the backup of your Apple Watch. The structure of this folder is quite simple. It’s full of interesting plist and SQLite databases, and I will highlight some of them.
The first and most interesting, probably, folder is the Applications folder. Here you can find data from the applications installed on the watch. So the interesting point here is that when you install an application on your iPhone, the same application, if there is the same application for the watch, this will be installed also on your watch. So here you can go and manually dig deeper into these folders and search for information for the different applications.
Regarding native applications, a couple of example
about a native application. This is the NanoMail folder containing information about the email accounts that are set on your iphone, including the email addresses and? [Yes? The email addresses?] Plus the structure of the folder.
So, how the email is organized within different folders and subfolders. You do not have actually the emails stored on the watch, or at least, you have it, but they are not stored on the, they are not backed up with your iPhone, but still here, you can have [the] timestamp, you can have the name of the folder and the actual email addresses.
Another really interesting example are the NanoPasses. What are the NanoPasses? The content of your Apple Wallet. So in your Apple Wallet, you can sync, you can have, for example, your booking or your flight ticket or whatever. If you go into this database, you can find different information.
This is, for example, a reservation of an auto I made in Amsterdam. You have some information here quite easily to be read in the SQLite database, but there is also an embedded plist file. And this embedded plist file, it’s a binary plist file, if you convert it, or just open with a [laughs] plist viewer, you will get all the information about the passes, the information about your wallet data. So it’s a lot of information here. You have timestamps, you have prices, you have name
, you have addresses.
In an Apple backup, in an Apple Watch backup [oh, now it’s you – laughs] in an Apple Watch backup, you also have health data.[Vladimir]
Okay. Yeah, health data is probably the most interesting and most useful for an investigation. And for recovery of the GPS locations, of the heart rate, of [the] number of steps, and so on. Of course, as I said, you can extract everything from the cloud, of course, if the watch is synced with [the] iPhone, which it usually is, if it is being synced but not in the range, then the data for some time will be cached on the watch and [once] it gets in range of the iPhone by Bluetooth, everything is being synced and almost immediately uploaded to the cloud. And yes, it is a way to download from the cloud.
There is an article on [the] Apple website describing how the data is protected in the cloud, and health is a kind of data, along with [the] iCloud keychain and messages synced with the cloud, starting with 11.2, that is protected [an] additional way with another layer: only another personal device from the trusted circle can extract that data, but still it is possible. You will only have to supply the passcode of one of the trusted devices to extract that kind of data.
We have found that there is [a] new issue with, data is not being synced, and you can try it yourself, you can connect two different devices to the same cloud account, and [unintelligible] will restore it only on a single phone and is not being uploaded. But there is a lot of other data there as well.
If you think about iCloud backups of the [core] device, you will find that there is no health data in iCloud backups, and also they exist only in password protected iTunes backups. Now starting with iOS 12, two-factor authentication is required to sync all the data with iCloud, and the key to encrypt all the health data is stored in the keychain, and to access the keychain, as I said, you have to be in a trusted circle, which is not really easy, but still possible. Here is the list of different categories that are being synced between the Apple devices – iOS and macOS, synced with the cloud. And we can actually extract and decrypt everything.
So what are the other possibilities [accept] why analyzing the iTunes backup file and iCloud data?
There is a special adapter. It doesn’t cost much, it’s about [a] hundred, hundred twenty dollars. There are two different models. The S1 model is for [the] Series 1 watch, and S2 is for Series 2 and Series 3 watches. They have [a] different number of pins, as you can see. And on the other side, there is a lightning adapter, where you can connect the usual cable. At this time there is no adapter for watch Series 4, unfortunately.
Connecting the adapter isn’t really easy, you’ll probably spend 15 minutes to try to connect it. First of all, you will have to locate the back port on the Apple Watch. You have to connect the band. And here is a very, very, very small hole here, covered by a plastic cover. You will have to use the pin to open it. And there are five or six connectors there on the watch. Then you will have to connect a special [laughs] Chinese thing here, and then connect that adapter.
And that construction is not really reliable, but once you’ve got it connected with the usual lightning cable, and so launch for example iTunes, first on the Apple Watch you will see that picture, whether [to] trust that computer or not, which is very familiar for you if you if you have connected the iPhone, but probably haven’t seen it on the watch before, and iTunes will recognize the Apple Watch, and show some information, not [much] or a lot, the ID of the device, the serial number, and the software version. There is no such thing as [unintelligible] the [space of a part] and so on.
But once the device is connected, we can use the forensics software that works with the iPhone for logical [and] advanced logical acquisition. As I said there is no backup service running on the iPhone, but we can use several different services. For example, AFC, that stands for Apple File Conduit, to extract the media files. [clears throat] We can extract comprehensive information about the device itself, including different serial numbers, Bluetooth ID, wi-fi ID, and we can also extract the log files that contain a lot of information of what applications we’re running and when.
And here is the software running, having the watch connected. We can see some basic information here and [the] first thing we have done, we have extracted the device info, Mattia will talk about that later, and the list of applications installed. This is not just application names, but also some information, for example, when the software was installed on the iPhone.
Next we can extract the log files. Here is not very many because this is the test watch, not very actively used, but there is still some information about the wifi connections, some diagnostics, and diagnostics contain the time stamp and other very useful information.
So the next thing, we can use the AFC to extract the media files. Folders can be synced between the watches and the iPhone and I think in the latest version it’s up to 500 folders that are being synced. The [unintelligible] of the folders are being transferred to the watch but somehow resized, like a thumbnail, so it’s smaller size, but EXIF data is preserved so you can analyze it and extract the GPS locations and things like that. And also we get the folders’ SQLite database that may still contain some information about the media files that have been already deleted from the iPhone.[Mattia]
Yeah. So, quick overview of what you can find within the file you acquired. So [this is] the basic information that you can get from the device. Plus you can get the list of installed applications with the information about when the application was installed, the version of the installed application, and so on and so forth.
As Vladimir was mentioning, probably one of the most interesting information you can get from here are the logs. One of the most interesting file
you can find in the logs is the com.apple.wifi.plist file containing the list of wifi network that the phone was connected to. So you have – I just used the network of this place. This screenshot was taken yesterday, so you have the BSSID of the network and you have the last joined date and time.
This is quite interesting because it helps you [in] building a timeline and geolocating, of course, the user. And in my personal opinion, it is much more probable that the watch is with the person than a phone, because you can leave your phone at home, but typically you will go around the world with your watch. So logs are really interesting.
Another thing we just discovered yesterday, that we started investigating yesterday, [is] the sysdiagnose. The sysdiagnose is a method [that] by installing an Apple certificate on the phone, [you] get the sysdiagnose from the Apple Watch. I tested [it] yesterday with my Apple Watch and I got more than 300 megabyte
of data. It’s TXT files, plist files, or whatever. We are still trying to understand exactly what is there, but [it’s] still a lot of information.
When you obtain the data with the AFC as Vladimir mentioned, the most interesting things are the images, of course, with metadata, and sometimes you can still find images also when they were deleted from the phone, because they are not all synced. So it’s up to the phone, it’s the phone that is deciding which photos are synced with your watch, because there are different ways of showing pictures in your watch. So you’d never know which kind of pictures are on your watch and they can be there and no more on your phone.
Another interesting folder is the iTunes Control folder containing different file
. The most interesting one is the MediaLibrary.sqlitedb. The MediaLibrary.sqlitedb has a quite complex structure, more than 30 tables with different kind of information. Basically it contains the list of media that the user bought from the Apple Store, but apart [from] that, it contains the account ID of the user, so the iCloud account ID of the user.
So you can imagine this scenario: you have a locked iPhone, you don’t know the Apple ID of this locked iPhone, and you have an Apple Watch. With the Apple Watch, you can get the Apple ID of the user, and with that, go to Apple and make a request [for] the data of that specific user.
With this simple query, you can, [laughs] with this simple SQLite query, you can get the list of all the data that was, all the information that [was] built by the user with [the] timestamp and with the purchase date and with the purchase history ID. That is something that Apple can tell you exactly, which device was in use by the user when this media was bought from the Apple Store.
Last thing, the list of purchases. So when you buy something on iTunes on an iPhone, you cannot take this file out from your iPhone. So this is not for forensics. If you buy your data, if you buy something on [the] Apple Store and this is synced on your Apple Watch, you can actually download the MP3 files on your computer.
Last point, it’s interesting and [unintelligible], manual acquisition. So manual acquisition, I mean, going through the application manually and look[ing] at the content of this application. The most interesting thing we found is that when you delete a message – an SMS or an iMessage – on your phone, the deletion is not propagated on the watch.
So when you delete something on the phone, a message on the phone, the deletion is not propagated. The message is preserved for 30 days. No matter what, it is deleted, or not on the iPhone. Okay, so you can still find deleted message
on the watch that are no more on the phone.
Twenty-one minutes and twenty seconds. [laughs] Thank you.