Difference between pages "IOS" and "JTAG Forensics"

From ForensicsWiki
= JTAG Forensics =

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group]): ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

== Forensic Application ==

JTAG forensics is an acquisition procedure in which the examiner locates the Test Access Port (TAP) test points on the device's board, connects to them, and uses the processor's debug facilities to read out the raw contents of the attached memory chips. On supported phones, and provided the manufacturer has not disabled the debug port, JTAG acquisition can be an extremely effective way to obtain a full physical image from devices that cannot be acquired by other means.

== Procedures ==

* [[JTAG Samsung Galaxy S4 (SGH-I337)]]

----

= IOS =

{{expand}}

iOS (pronounced i-O.S.) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).

At the time of writing, the current version of iOS is 5.0, released on October 12, 2011.

----

== File System ==

iOS is a reduced variant of [[Mac OS X|OS X]] and uses [[HFS|HFSX]], the case-sensitive variant of HFS+, as its file system.

The majority of the useful information is stored under /private/var/mobile/. Further useful data lives in the keychain and in the individual applications' database folders.

iOS stores most of this data in SQLite databases and property list (plist) files.

'''/private/var/mobile'''

This directory contains three folders: Applications, Library and Media.

Applications contains one folder per app installed on the phone, holding that app's data. The name of each app is recorded in its iTunesMetadata.plist.

Library contains the most useful information:

* Address Book
* Calendar
* Safari - favorites, open tabs, web history
* Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
* SMS - sms.db, which may still contain deleted SMS messages (deleted rows often survive in the database's free space until SQLite reuses it)
* Notes - notes.sqlite, which may similarly contain deleted notes
* Voicemail
* Spotlight - the Spotlight database may contain text messages that have since been deleted from sms.db

Media contains all Photos loaded onto the device, Books, Purchases, Podcasts, Recordings and Pictures/Videos taken
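The wiki notes above that sms.db (and the Spotlight database) may still hold deleted messages. The following Python script is an added example, not code from the wiki or from any tool it lists: it builds a small sms.db-style SQLite database from constructed sample rows (the simplified message table and its column names are assumptions, not the exact iOS schema), deletes one message, and shows that a SELECT no longer returns it while its bytes remain in the file. It then carves printable runs from the raw file and reports the ones that neither live rows nor schema text account for, which is where the deleted message turns up.

```python
"""Added example (not from the ForensicsWiki page or any listed tool): shows
why a deleted SMS can survive in sms.db.  Uses a constructed, simplified
'message' table; column names are assumptions, not the exact iOS schema."""
import os
import re
import sqlite3
import tempfile

# Constructed sample rows (not real device data): (ROWID, address, date, text)
SAMPLE_MESSAGES = [
    (1, "+15555550100", 1318377600, "Running late, start without me"),
    (2, "+15555550101", 1318381200, "Meet me at the pier at nine tonight"),
    (3, "+15555550100", 1318384800, "Got it, see you there"),
]
DELETED_ROWID = 2
DELETED_TEXT = SAMPLE_MESSAGES[1][3]


def build_sample_db(path):
    """Create an sms.db-like database with a simplified 'message' table."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, "
                 "address TEXT, date INTEGER, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.close()


def delete_message(path, rowid):
    """Delete a row the way an application would.  With secure_delete off,
    SQLite only unlinks the cell: its bytes stay in the page as a freeblock.
    The pragma is forced off here so the demo behaves the same regardless of
    how the local libsqlite was compiled; whether a given device build
    overwrites freed cells is something the analyst must check, not assume."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("DELETE FROM message WHERE ROWID = ?", (rowid,))
    conn.commit()
    conn.close()


def live_strings(path):
    """Strings a normal query can still see: row values plus schema text
    (and the file magic).  Anything carved that these do not explain is a
    candidate deleted record."""
    conn = sqlite3.connect(path)
    known = {"SQLite format 3"}
    for row in conn.execute("SELECT type, name, tbl_name, sql FROM sqlite_master"):
        known.update(v for v in row if isinstance(v, str))
    for row in conn.execute("SELECT address, text FROM message"):
        known.update(v for v in row if isinstance(v, str))
    conn.close()
    return {k for k in known if len(k) >= 4}


def carve_ascii_runs(path, min_len=8):
    """Naive string carve: printable-ASCII runs of min_len+ bytes in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unexplained_runs(path, min_len=8):
    """Carved runs that neither contain nor sit inside any live string.
    Record headers can glue printable serial-type bytes onto values, so a
    deleted message may appear with a stray leading or trailing character."""
    known = live_strings(path)
    return [run for run in carve_ascii_runs(path, min_len)
            if not any(k in run or run in k for k in known)]


def run_demo():
    """Build, delete one message, then compare SELECT with the raw bytes."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    delete_message(path, DELETED_ROWID)
    conn = sqlite3.connect(path)
    live = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY ROWID")]
    conn.close()
    with open(path, "rb") as fh:
        raw = fh.read()
    return {
        "live_texts": live,
        "deleted_in_select": DELETED_TEXT in live,
        "deleted_in_raw_bytes": DELETED_TEXT.encode() in raw,
        "unexplained_runs": unexplained_runs(path),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two practical caveats follow from the code. A database whose library was built with secure_delete enabled zeroes freed cells, so the carve finds nothing; and a database in WAL or rollback-journal mode may hold recent inserts and deletes in its -wal, -shm or -journal companion files rather than in the main file, so those should be collected alongside sms.db rather than left behind.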

== Extraction ==

Several tools can extract information from iOS devices (listed alphabetically):

* Aceso by Radio Tactics [http://www.radio-tactics.com/products/law/aceso-kiosk]
* Blacklight by Black Bag Technology [https://www.blackbagtech.com/]
* Lantern by Katana Forensics [http://katanaforensics.com/]
* [[Nuix Desktop]] and [[Proof Finder]] by [[Nuix]]
* Oxygen Forensic Suite by Oxygen Software [http://www.oxygen-forensic.com/en/]
* UFED and Physical Analyzer by Cellebrite [http://www.cellebrite.com/]
* XRY by Micro Systemation [http://www.msab.com/]

== External Links ==

* [http://linuxsleuthing.blogspot.com/2011/05/iphone-forensics-tools.html Database Parsing Tools]
* [http://esec-lab.sogeti.com/post/Low-level-iOS-forensics Low-level iOS forensics]

[[Category:Operating systems]]

----

The JTAG Forensics text on this page is the revision as of 11:38, 6 August 2013.