Mattia Epifani discusses his research at DFRWS EU 2018
Mattia: Hello, thank you. First, my presentation will run for the next four hours, so I’m really pleased that you can stay here up to nine o’clock. No, I’m just joking.
I will go very quickly, because I also have 20 minutes, possibly yes. You already played yesterday with the Apple TV, so I will skip some of the basic stuff. You all know what the Apple TV is. There are six models up to now. These models can be identified by a model number, and [00:34] model number that you saw yesterday. As always, in forensics, the first step is to identify what we have in front of us, and the model number, it’s quite easy to find on an iOS device – you can find it on the back of the device. Every model is with ‘A’ and four digits after. This is interesting to… so that you can understand what you can really get from the device.
For the first generation of the Apple TV, the acquisition and analysis is quite simple. It was using a traditional hard drive, so you can create a traditional forensic image, and there are already publications online, and videos, since 2009, so if you take a look at these videos and the presentation…
With the most recent one – so starting from the second generation to the fourth and fifth generation – the good news is that there’s no way to put, set a passcode protection on the Apple TV, as we have on the iOS, other iOS devices. The bad news is that the USB port is used only, as Apple writes on its website, for “service and support”. So, when you connect the Apple TV to a computer and you launch iTunes, you will get only two options – Eject or Restore. Not really forensics, both of them.
So, iTunes is not a way to get the data. You can do some form of manual acquisition, so turning on the Apple TV and go through the options. It’s a … as always, manual acquisition works, also with smartphones, not really complete and in-depth but it’s good.
But it’s not completely true that the USB port is only for support. The Apple File Conduit, the AFC protocol, the AFC service, is active in all the models. So, you can still have access to some information. You can have access to basic information, you can have of course access to real-time logs, you can have access to a part of the file system, and you can have access to crash logs.
So, we’ll go a little bit in detail with this information. This is the device, these are … this is the device information that you can get by using an open-source tool called libimobiledevice; with the ideviceinfo tool, you can extract basic information from the Apple TV. So, the mac address, the version of the operating system, the serial number, the time zone, the date and time, Wi-Fi mac address, so on and so forth. You can also get sys logs – so, idevice sys log again in libimobiledevice. And you can extract this information – so, both system log and also crash report – by using, for example, this free tool, it’s called iBackupBot. It’s quite easy to use, just connect the Apple TV, get sys log, and the crash report. Crash report can be useful because you can use them to create a sort of timeline of the usage of the Apple TV. So, you can understand if the Apple TV was turned on and if the user was interacting with it.
And you also have access to part of the file system. So, with the AFC protocol, you have access to a part of the file system. In particular, for example, you have access to the DCIM folder. If the user is sharing some pictures through iCloud, you can get pictures there. You can also get a quite interesting database – it’s called the MediaLibrary.sqlitedb. The media library is the shopping library. So, it contains what the user bought on Apple services, on iTunes. The good point here is that this file is shared, is synced among devices. So, if you have an iPhone, for example, and it is locked, and you want to know the account user ID or what the user did on iTunes … sorry, on Apple Store, buying things from the Apple Store, and you have an Apple TV, you can get this information, because there’s no way to set a passcode on the Apple TV.
Recently also, I tested it with the tool, [from Microsoft] and now they added support for AFC. Also, other tools are now supporting of course AFC. I was not lucky in getting data from the Apple TV with various tools, because probably there is some sort of checking that it’s not an iPhone or an iPad, but I think it’s quite easy to implement in other tools. It’s the same protocol, no differences.
These are the basic information that you can get from [05:36] model of the Apple TV, because these are stored [or] in crash logs or in the sys logs, or in files that you can get through the AFC protocol. These are probably the most interesting one. You can get the iCloud account name and the iCloud ID.
These could be useful if you have a locked iPhone, for example, and you want to ask Apple, “Please provide me the data from this user,” and you don’t know the user ID, and you have an Apple TV – you can get the user ID from the Apple TV and then go to Apple and ask for the data. That’s an option.
Also, crash logs can be useful, because you can get not only the history of what happened on the device, you can create a timeline, as I said, but you can also get the information of the Wi-Fi networks where the device was connected to. So, if you have an Apple TV that was moved from one place to another place, in the crash logs you can get a sort of history, a log of the Wi-Fi network that the Apple TV was connected to.
And last, the media library database – this is an example of an information taken from the crash logs, and as you can see, you have phone numbers, you have the email address of the user, and something. It’s interesting for an investigation. This is the structure of the database, quite complex, but the structure is, let me say, coherent in various iOS devices. So, because it has to be synced through devices, the media library on an iPhone, on an Apple TV, on a [Mac OS X], on Windows has the same structure. So, you can get it from the Apple TV, and search inside this library on the most useful information.
We are going to share on our GitHub account a really simple Python script, [with] quite complex SQLite query to extract the most useful information from this library. This is interesting because it can be used not only against the media library extracted from the Apple TV but also for a media library that is stored on a computer or on an iPhone or an iPad and so on and so forth.
And not only the files that were bought through the Apple TV are stored in the media library, but everything, every kind of item that was bought by the user on the Apple servers is synced inside the MediaLibrary.sqlitedb. This is one of the queries, the simplest one. You can get, for example, the date of purchase, the file size, the account ID that was used to buy the things, and so on and so forth.
The last … the second option, because all I said up to now can be done on every kind of device. The second option is to try to jailbreak the device, to go more in-depth. This is what we did to provide you the data for the [08:40]. There are various jailbreaks for Apple TV, these are for the fourth generation of the Apple TV. And there are various processes that were published online, for example, this is for the version nine of the TV OS.
The file system layout is quite similar to iOS, or to Mac OS. Some information … I will go very quickly, because you have already seen some of them yesterday. Time zone – easy to understand, easy to get. Information about the IP configuration, the network that the Apple TV is connected to, was connected to for the last time. The IP addresses, the time in which was connection was done, and so on and so forth. Also, the history of the Wi-Fi network. The history of the Wi-Fi network is interesting because you can get, as you have in the iPhone, information about [join and out join], the mac address of the Wi-Fi network that you can use to search online the geolocation of this network, and so on and so forth. Also, a traditional dynamic test file, the sort of user dictionary. And also information about the accounts that were used on the device, so in this case, for example, you can see that it is not stored in the DB, but in [writer head log] of the Accounts3.sqlite database.
Last, as Vladimir was mentioning, iOS devices are sharing, are syncing information among them. So, what you can extract from the device, from an Apple TV, are some information that were not exactly used by the user on the Apple TV. For example, the image you were playing with yesterday, you found a file called com.apple.wifid.plist. This file is stored on the Apple TV, but the content of this file are the Wi-Fi networks, that my phone connected to. So, my Apple TV was never there. My phone was there. But it’s synced with the Apple TV. So, it’s interesting, because you can get information without the need to crack or enter into the iPhone.
So, again, you can geolocate in some case, some of the Wi-Fi network. Other information that is shared is the weather, [weather cities], again … we had a question yesterday, just a quick information. Santa Marina Salina is a small, tiny village in Sicily, where my grandfather was born. It’s in the Aeolian islands, it’s a small island. My Apple TV was never there. My phone was there of course. So, you can at least say that my phone was there, or I have an interest for that place. Of course, with the Apple TV, there’s no way to check the weather. There’s no application. So, there’s no reason to share this information, but it’s shared.
The headboard is the sort of like the springboard on iOS. You have app order, you can see which app are installed, you can see some pictures from this app, but more interesting, you can see the cached data. So, you can see what the user saw on the screen and when it happens, because you have timestamps for the file. So, you can again create a more complete timeline of the usage of the Apple TV, and also have snapshots from the applications, like we have on every kind of app on iOS or other device, not only iOS of course.
Also, TV movies – so you can get which movies the user bought or saw on the Apple TV store. Also, the video, the cached video is stored there. So, you can find it’s a structure, the file, composed in the first half by the plist containing information with the URL, when the video was downloaded, and so on and so forth, and the second part is actually the content, so the mpeg video. So, embedded in a single file.
You can have third-party application of course installed, you got crazy yesterday trying to understand the Netflix application. [laughs] We have both the app … so, the content, the bundle, and the data. The data is stored in a different sub-folder of course. In the case, for example, of YouTube, you can have simple plist file telling you information like the country, in which country it was launched, where was the Apple TV, which kind of YouTube website or preferences the user was seeing, and for example, a timestamp of the last activity that can be of course converted to a timestamp, to a real date and time. Again, for [every and each] application, you have snapshots. So, you can recover a sort of history of what a user saw on his Apple TV. This is an example.
So, to … that was quite quick. In 20 minutes.
So, a sort of guideline, if you will ever have to handle an Apple TV. Start with the identification of the model. If it’s a first generation, it’s quite easy; if it’s a second to fourth generation, my suggestion is to start with the acquisition of what you can get without any kind of jailbreak. So, real-time logs, [fresh] logs, and file system, part of the file system through the AFC protocol. Then check if you need some more additional information via a manual acquisition. And in the end, check if jailbreak is available, applicable to the specific version and try to acquire the whole file system. These are some useful tools that you can get, and in the end, you have a list of the actually available jailbreak for the Apple TV up to tvOS 11.1.
Thanks again, as I said yesterday, to Sarah, because she provided us a jailbroken Apple TV for testing, research, and for preparing the [rodeo]. And these are our contacts, on our website you can find a link to our GitHub account, where we will publish in the next week probably, our script as soon Claudia will finish it. Because she is still working in some conversions of that. So, thanks.
Host: Thank you so much.[applause]
End of transcript