Budget iOS Device Extraction

Back in the early days of iOS extraction, the Zdziarski Method was the goto for acquiring a forensic image of an iPhone. This was quickly adopted by many of the main products and for a short period, all was well with the world of Apple device forensics, until Apple applied hardware encryption.

This has since left analysts with the options of varying levels of logical acquisition and decoding provided by the main vendor’s products, provided you have the passcode/backup password for the device. Obviously, there have been recent advances with offers to LE from main vendors to bypass passcodes and the new Grayshift black boxes on offer.

A large portion of the information which we as analysts want to parse and analyse does tend to sit in many of the logical areas accessible by these tools and some of the extraction methods are essentially just iTunes backups.

So what if we could extract iTunes backups using some open source tools using just our Mac or Linux box?

Enter Homebrew and the libimobiledevice tools.

Homebrew

Homebrew is a package manager for macOS which allows you to run Linux tools natively on the mac.

Installation

Installing Homebrew is pretty trivial and instructions for this can be seen on the Homebrew site: https://brew.sh/

Once Homebrew is installed, we need to then add the libimobiledevice cask.

This can be done by running the command to install:

brew install libimobiledevice

 

Extraction

Running the ideviceinfo command initially shows the following output:

ideviceinfo

We will be required by iTunes to unlock the iPhone with the users passcode and then selecting trust on the handset, and entering the passcode a second time.

iTunes

iPhone Trust

Once we have trust between the iPhone and Computer we can then continue to query the device.

With the ideviceinfo tool, we can establish some basic information about the device.

BluetoothAddress: 8x:xe:x2:xa:1x:xa
EthernetAddress: xc:8x:x2:xa:x6:ax
FirmwareVersion: iBoot-4076.50.126
IntegratedCircuitCardIdentity: 8961xx46xxxxxxxxx9
InternationalMobileEquipmentIdentity: 358xxxxxxxx66
InternationalMobileSubscriberIdentity: 50502xxxxxxxx6
MobileEquipmentIdentifier: 35xx71xx553xx6
PhoneNumber: +61 000 000 000
ProductName: iPhone OS
ProductType: iPhone8,1
ProductVersion: 11.3.1
TimeZone: Australia/Sydney
WiFiAddress: 8c:8e:xx:4a:16:xx

For analysts who have worked in units or departments where they have the authority to perform subscriber checks, you will spot some important information here which can be used and go a long way to attribution. You will also notice that there is information here which can be used to identify the device on wireless networks.

I will generally send the output from this command to a text file to accompany the backup. As you can see there are a number of options including one to dump a list of files to CSV, unpack the backup and also to disable backup encryption (you will need to feed it the backup password to do this).

Screen Shot 2018-05-11 at 9.44.34 am

We can perform an iTunes backup from Terminal using the following command:

idevicebackup2 backup /pathtobackup

Screen Shot 2018-05-09 at 9.50.49 pm

Screen Shot 2018-05-09 at 9.51.23 pm

screen-shot-2018-05-09-at-9-58-47-pm-e1525867202811.png

Once it completes, we are free to start interrogating our backup using other tools whether that be a product from one of the main vendors, other open source tools or some of the cheaper products which fall somewhere in-between. Please note that the iTunes backup password will be required to decode the contents of the backup.

Reference:

http://www.libimobiledevice.org/

https://brew.sh/

https://www.zdziarski.com/blog/

https://graykey.grayshift.com/

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.