Mac & iPhone Forensics Blog

FTS iXAM

Sean Morrissey — Mon, 04 Jan 2010 14:20:00 GMT

I am happy to announce that FTS has graciously given me a trial of iXAM. The results of this study will be published in the upcoming book. "iPhone Forensic Analysis". Some of the other tools that will be reviewed, are as follows

Access Data FTK 3.0
Cellebrite UFED
Paraben Device Siezure
Susteen Secure View
Oxygen Forensic Suite 2010
MSAB .XRY and .XACT
Fernico ZRT
ABC Amber iPhone Converter

and many free tools

Keep your eyes and ears open, something is coming January 2009, St. Louis, MO

Sean Morrissey — Tue, 08 Dec 2009 00:42:00 GMT

Keep your eyes and ears open, something is coming January 2009, St. Louis, MO

Deleted SMS

Sean Morrissey — Thu, 05 Nov 2009 02:23:00 GMT

Was doing some work for the PFIC 2009 Conference, and I was looking at the SMS.db of a logical backup. I was looking at the database in a Hex Editor, and to my surprise I saw a SMS that I received from my former Boss that I had deleted. So I looked even further and found some more, not just the content of the text, the phone number associated, all what you normally find in a non-deleted text. So, now one more item that can be retrieved from the logical data, and no need to conduct a intrusive search on the iPhone. There is a utility for windows that claims to retrieve deleted SMS from the logical backup. Haven't validated this tool yet. When I have completed testing, I will post the results.

Dutch Hacker attacks Jailbroken iPhones

Sean Morrissey — Thu, 05 Nov 2009 02:02:00 GMT

So, you want to jailbreak your iPhone, you may want to read this before using the latest and greatest hacks out there.

http://gizmodo.com/5395645/dutch-hacker-holds-jailbroken-iphones-hostage-for-5-ransom-while-exposing-security-vulnerability

So, what was the fix? The fix that this hacker was proposing was to replace iPhones with the original Apple Firmware.

Question From Techno Forensics Conference

Sean Morrissey — Sun, 01 Nov 2009 14:37:00 GMT

Question from Techno Forensics Conference

Have you seen Picture Safe?

Picture Safe

After using Picture Safe application on the iPhone, I found that it's not so safe, the passcode is in plain text in the plist and the images are very readable. All from the Logical backup. Not a secure application, should be given away, not worth the $1.99.

Picture Vault

That is another story, all the images are placed in readable folders, however the images themselves are encrypted.

EFF and its effect on Law Enforcement

Sean Morrissey — Mon, 17 Aug 2009 00:18:00 GMT

With the EFF trying to make jailbreaking legal. The effects on LE could have far reaching implications. First with the possibility that jailbreaking leaves the iPhone vulnerable to attack, Second, the position that Apple has taken in that a jailbroken phone can do damage to our infrastructure. Not to add more but, to be able to charge a person federally with a crime. Bravo, ICE with charging individuals with violations of the DMCA.

iTablet - Fact or Fiction

Sean Morrissey — Sat, 01 Aug 2009 16:46:00 GMT

There has been alot of chatter in reference to a possible release of a tablet device from Apple. With the return of Steve Jobs, the clamor has been getting louder. Apple is known for great disinformation campaigns and alot of us feed into it. If Apple is to release a tablet and join the netbook market, Apple has to raise the bar and change the game. A tablet from Apple has to look cool, and function far better than existing and future netbooks. Alot of speculators believe that the tablet will appear in November, just in time for Christmas. Why not bring it out at CES 2010? That only Apple knows.

What will it look like, and what will it have inside?

1. LTE support? Why not Verizon, and AT&T are going to use LTE.

2. HD support? absolutely

3. 10" screen? best guess.

4. OS? Full OS X or iPhone OS? Yep, Apple knows that too! However the App Store is the money train, I lean towards iPhone OS.

Lets wait and see what Apple actually puts out to market.

iPhone Encrpytion

Sean Morrissey — Sat, 01 Aug 2009 13:29:00 GMT

The pro ported iPhone Encryption of the iPhone, is easily bypassed with widely proliferated jailbreaks. iPhone owners need to keep better track of their phones. If you don't passcode your phone, do it. If you don't have a mobile Me Account, have one. AT&T and or Apple needs to allow Mobile Me account owners to wipe their phones with a simple call to AT&T. Not everyone can get to the Internet right after they notice that their phone is missing.

File Vault Passwords

Sean Morrissey — Wed, 22 Jul 2009 00:11:00 GMT

In OS X everyone should be concerned with File Vault passwords. Cracking File Vault isn't that difficult.

1. there is an end around that investigators need to try first.

a.In the /private/var/vm folder, sits the sleep image and swap files. the sleep image is a system image similar to Windows Hiberfile. The difference is that there is a wealth of information that can be gleaned from the sleepimage. Since the subject matter is File Vault, we will limit the dicussion to it. Passwords for file vault can ( and emphasize can, not always) be found in the sleep image. Since everything is mostly plain text, a simple search can locate not only File Vault passwords, but a multitude of passwords.

b.So how do we find them. Well, there are two ways. from the command line create a grep expression that looks for text after "longname". This will locate all user name and passwords from the sleepimage. Look at all the hits. the hits with the passwords, will have theuser name followed by "password" and the actual password in plain text. for example,

strings -8 /var/vm/sleepimage | grep -A 4 -i longname

c.For windows examiners, Encase can be used to locate them as well. First from the tree pane navigate and locate the sleepimage. Blue check the sleep image and create a keyword for "longname". Run the keyword search and minimize the search to the single blue checked sleepimage. Look at all the hits. the hits with the passwords, will have the user name followed by "password" and the actual password in plain text.

2. If the passwords can't be located then your going to have to use some tools that can crack File Vault. There are a couple of tools that can assist in this. One, well you have to be LE and if you email me, you can get it to you free. George Starcher has also created crowbarDMG.

3. If passwords are not located in either the swapfile or sleep image, there are two other methods to crack file vault.

Crack the user's login passwords locate at /private/var/db/shadow/hash

Crack the KeyChains themselves. ( The keychains are unencrypted except for the passwords themselves. Many items of interest can be located just by using strings.)

Attack File vault itself.

One possible command line fix, which I haven't verfied in use with OS X v10.5.8

sudo pmset -a hibernatemode NUMBER

0 - no sleepimage is used, and RAM contents are kept alive.

1 - only sleepimage is used, and RAM contents are purged.

3 - RAM is kept alive and a sleepimage is used when power reaches critical levels.

5 - only sleepimage is used, but with secure virtual memory enabled.

7 - both live RAM and sleepimage are used, but with secure virtual memory enabled.

Apple can fix this and improve the security of OS X.
Credit goes to Johnny Long who originally identified this vunerability 4 years ago.
And to my mentor Thane Erickson, Thanks for your leadership and guidance.