Difference between pages "Apple iPhone" and "Forensic Disk Differencing"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
m (See Also)
 
Line 1: Line 1:
The '''iPhone''' is a smartphone made by [[Apple Inc.]] and sold with service through AT&T. It can be used to send/receive [[email]] (see [[IPhone Mail Header Format]]), keep schedules, surf the web, and view videos from YouTube. A large number of forensic products can process iPhones, such as [[Oxygen Forensic Suite 2010]].
+
Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.
  
In December 2009, Nicolas Seriot presented ([http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf PDF]) a harvesting application, [http://github.com/nst/spyphone SpyPhone]. This application grabs data as sensitive as location data and a cache of keyboard words. It neither requires jailbreaking nor makes Private API calls (which Apple's App Store does not allow in any application it distributes).
+
==Differencing Tools==
 +
===idifference.py===
 +
idifference.py is part of the [[Digital Forensics XML]] Python Toolkit distributed with [[fiwalk]]. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.
  
== Tools ==
+
For example, using the '''nps-2009-canon2''' series of disk images:
* [Cellebrite UFED http://www.cellebrite.com/forensic-solutions/ios-forensics.html]
+
* [http://code.google.com/p/iphone-dataprotection/ iphone Data Protection] is a set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password.
+
* [http://www.iosresearch.org Jonathan Zdziarski] has released tools that will image iPhones, iPads and iPod Touch. (law enforcement only).
+
* [http://www.libimobiledevice.org/ libimobiledevice] is a library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools.  They are available in the Debian-testing packages '''libimobiledevice''' and '''libimobiledevice-utils'''.
+
* [[Nuix Desktop]] and [[Proof Finder]] can detect and analyse many databases from iOS and iPhones and can directly ingest HFSX dd images.
+
  
== Publications ==
+
<pre>
* Gómez-Miralles, Arnedo-Moreno. [http://openaccess.uoc.edu/webapps/o2/bitstream/10609/11862/1/iPadForensics.pdf Versatile iPad forensic acquisition using the Apple Camera Connection Kit.] Computers And Mathematics With Applications, Volume 63, Issue 2, 2012, pp.544-553.
+
$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw
 +
>>> Reading nps-2009-canon2-gen2.raw
 +
>>> Reading nps-2009-canon2-gen3.raw
  
== External Links ==
+
Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw
* [http://www.apple.com/iphone/ Official web site]
+
 
* [http://en.wikipedia.org/wiki/IPhone Wikipedia: iPhone]
+
New Files:  
* [http://en.wikipedia.org/wiki/IOS_jailbreaking Wikipedia: IOS jailbraking]
+
 
* [http://github.com/nst/spyphone SpyPhone]. Noted on [http://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29 Slashdot].
+
2008-12-23 14:26:12 1315993 DCIM/100CANON/IMG_0041.JPG
* [https://viaforensics.com/resources/white-papers/iphone-forensics/ iPhone Forensics], by [[Andrew Hoog]], [[Katie Strzempka]], in November 2012. Covers 13x iOS forensic tools and provides detailed information on the results for the iPhone 3G.
+
 
 +
Deleted Files:  
 +
 
 +
2008-12-23 14:12:38 855935 DCIM/100CANON/IMG_0001.JPG
 +
2008-12-23 14:22:38 1347778 DCIM/100CANON/IMG_0037.JPG
 +
 
 +
Files with modified content (but size unchanged):  
 +
 
 +
Files with changed file properties:  
 +
 
 +
DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
 +
DCIM/CANONMSC/M0100.CTG crtime changed to 1230070924 -> 1230071142
 +
DCIM/CANONMSC/M0100.CTG mtime changed to 1230070924 -> 1230071142
 +
DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 +
 
 +
Timeline
 +
 
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG crtime changed 1230070924 -> 1230071142
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG mtime changed 1230070924 -> 1230071142
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 +
2008-12-23 14:26:12 DCIM/100CANON/IMG_0041.JPG created
 +
$
 +
</pre>
 +
 
 +
Here are some more examples:
 +
* [[File:Idifference-demo1.txt]] --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)
 +
 
 +
==See Also==
 +
*[http://dfrws.org/2012/proceedings/DFRWS2012-6.pdf A general strategy for differential forensic analysis]

Latest revision as of 21:21, 21 October 2013

Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.

Differencing Tools

idifference.py

idifference.py is part of the Digital Forensics XML Python Toolkit distributed with fiwalk. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.

For example, using the nps-2009-canon2 series of disk images:

$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw 
>>> Reading nps-2009-canon2-gen2.raw
>>> Reading nps-2009-canon2-gen3.raw

Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw 

New Files: 

2008-12-23 14:26:12	1315993	DCIM/100CANON/IMG_0041.JPG

Deleted Files: 

2008-12-23 14:12:38	855935	DCIM/100CANON/IMG_0001.JPG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG

Files with modified content (but size unchanged): 

Files with changed file properties: 

DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
DCIM/CANONMSC/M0100.CTG	crtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	mtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	resized	180	->	188

Timeline 

2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	crtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	mtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	resized	180	->	188
2008-12-23 14:26:12	DCIM/100CANON/IMG_0041.JPG	created
$

Here are some more examples:

  • File:Idifference-demo1.txt --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)

See Also