Difference between pages "Apple iPhone" and "Bulk extractor"

From ForensicsWiki
(External Links)
 
m (Created page with '==Sample Output== Running on 2.4Ghz iMac with MacOS 10.5.8 on the nps-2009-realistic.aff disk image, bulk extractor version 0.0.10 took 21816 seconds (6 hours, 3 minutes) and pro…')
 
Line 1: Line 1:
The '''iPhone''' is a smartphone made by [[Apple Inc.]] and sold with service through AT&T. It can be used to send/receive [[email]] (see [[IPhone Mail Header Format]]), keep schedules, surf the web, and view videos from YouTube. A large number of forensic products can process iPhones, such as [[Oxygen Forensic Suite 2010]].
+
==Sample Output==
 +
Running on 2.4Ghz iMac with MacOS 10.5.8 on the nps-2009-realistic.aff disk image, bulk extractor version 0.0.10 took 21816 seconds (6 hours, 3 minutes) and produced an output with 14,160 lines.
  
In December 2009, Nicolas Seriot presented ([http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf PDF]) a harvesting application, [http://github.com/nst/spyphone SpyPhone].  This application grabs data as sensitive as location data and a cache of keyboard words.  It neither requires jailbreaking nor makes Private API calls (which Apple's App Store does not allow in any application it distributes).
+
Here are the first 200 lines:
 +
<pre>
 +
Input file: /corp/images/nps/nps-2009-domexusers/nps-2009-realistic.aff
 +
Starting page number: 0
 +
Last processed page number: 2559
 +
Time: Tue Aug 11 04:39:03 2009
  
== Tools ==
+
Top 10 email addresses:
* [Cellebrite UFED http://www.cellebrite.com/forensic-solutions/ios-forensics.html]
+
=======================
* [http://code.google.com/p/iphone-dataprotection/ iphone Data Protection] is a set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password.
+
domexuser1@gmail.com: 572
* [http://www.iosresearch.org Jonathan Zdziarski] has released tools that will image iPhones, iPads and iPod Touch. (law enforcement only).
+
domexuser2@gmail.com: 412
* [http://www.libimobiledevice.org/ libimobiledevice] is a library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools.  They are available in the Debian-testing packages '''libimobiledevice''' and '''libimobiledevice-utils'''.
+
domexuser3@gmail.com: 319
* [[Nuix Desktop]] and [[Proof Finder]] can detect and analyse many databases from iOS and iPhones and can directly ingest HFSX dd images.
+
ips@mail.ips.es: 268
 +
premium-server@thawte.com: 252
 +
CPS-requests@verisign.com: 243
 +
someone@example.com: 232
 +
domexuser2@live.com: 192
 +
inet@microsoft.com: 145
 +
domexuser2@hotmail.com: 138
  
== Publications ==
+
Top 10 email domains:
* Gómez-Miralles, Arnedo-Moreno. [http://openaccess.uoc.edu/webapps/o2/bitstream/10609/11862/1/iPadForensics.pdf Versatile iPad forensic acquisition using the Apple Camera Connection Kit.] Computers And Mathematics With Applications, Volume 63, Issue 2, 2012, pp.544-553.
+
=====================
 +
gmail.com: 1693
 +
hotmail.com: 630
 +
netscape.com: 543
 +
example.com: 470
 +
microsoft.com: 390
 +
thawte.com: 376
 +
live.com: 329
 +
msn.com: 298
 +
mail.ips.es: 268
 +
passport.com: 267
  
== External Links ==
+
Top 10 URLs:
* [http://www.apple.com/iphone/ Official web site]
+
=====================
* [http://en.wikipedia.org/wiki/IPhone Wikipedia: iPhone]
+
http://www.microsoft.com/contentredirect.asp.: 6257
* [http://en.wikipedia.org/wiki/IOS_jailbreaking Wikipedia: IOS jailbraking]
+
http://ocsp.verisign.com0: 3030
* [http://github.com/nst/spyphone SpyPhone]. Noted on [http://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29 Slashdot].
+
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul: 2241
* [https://viaforensics.com/resources/white-papers/iphone-forensics/ iPhone Forensics], by [[Andrew Hoog]], [[Katie Strzempka]], in November 2012. Covers 13x iOS forensic tools and provides detailed information on the results for the iPhone 3G.
+
http://: 1666
 +
http://crl.verisign.com/tss-ca.crl0: 1515
 +
http://crl.verisign.com/ThawteTimestampingCA.crl0: 1513
 +
http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0: 1311
 +
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O: 1310
 +
http://www.mozilla.org/MPL/: 1000
 +
http://support.microsoft.com: 974
 +
 
 +
All email addresses:
 +
====================
 +
domexuser1@gmail.com: 572
 +
domexuser2@gmail.com: 412
 +
domexuser3@gmail.com: 319
 +
ips@mail.ips.es: 268
 +
premium-server@thawte.com: 252
 +
CPS-requests@verisign.com: 243
 +
someone@example.com: 232
 +
domexuser2@live.com: 192
 +
inet@microsoft.com: 145
 +
domexuser2@hotmail.com: 138
 +
domexuser1@hotmail.com: 135
 +
domexuser1@live.com: 133
 +
myname@msn.com: 115
 +
example@passport.com: 111
 +
ca@digsigtrust.com: 110
 +
info@valicert.com: 94
 +
piracy@microsoft.com: 91
 +
certificate@trustcenter.de: 80
 +
hewitt@netscape.com: 69
 +
name_123@hotmail.com: 67
 +
talkback@mozilla.org: 67
 +
lord@netscape.com: 64
 +
someone@microsoft.com: 53
 +
mcgreer@netscape.com: 51
 +
domexuser1%40gmail.com@imap.gmail.com: 48
 +
neil@parkwaycc.co.uk: 47
 +
9name_123@hotmail.com: 43
 +
mazrob@panix.com: 43
 +
Outldomexuser2@gmail.com: 41
 +
server-certs@thawte.com: 37
 +
sspitzer@netscape.com: 36
 +
49091023.6070302@gmail.com: 35
 +
73A94919-FF6B-4E3F-938E-FB39BBC7497C@gmail.com: 34
 +
cps@netlock.net: 33
 +
ellenorzes@netlock.net: 33
 +
thayes@netscape.com: 33
 +
DOMEXUSER2@GMAIL.COM: 32
 +
personal-basic@thawte.com: 32
 +
nome_123@hotmail.com: 31
 +
alecf@netscape.com: 30
 +
ManageLinks.aspx%3Fmkt%3Den-us%26noteid%3DNote.Linked%26notelevel%3D1%26notesec%3D0%26username%3Ddomexuser1@hotmail.com: 29
 +
domesxuser2@gmail.com: 28
 +
javi@netscape.com: 28
 +
mscott@mozilla.org: 28
 +
personal-premium@thawte.com: 28
 +
admin@digsigtrust.com: 27
 +
personal-freemail@thawte.com: 27
 +
49091664.70508@gmail.com: 26
 +
admin@startcom.org: 25
 +
cmanske@netscape.com: 24
 +
feste@feste.org: 24
 +
fritz@google.com: 22
 +
silver-certs@saunalahti.fi: 21
 +
DOMEXUSER1@GMAIL.COM: 20
 +
exemplo@passport.com: 20
 +
gold-certs@saunalahti.fi: 20
 +
jemand@example.com: 20
 +
joku@example.com: 20
 +
meunome@msn.com: 20
 +
osoba@example.com: 20
 +
prova@example.com: 20
 +
toolkit@mozilla.org: 20
 +
CPh@99841.PA: 19
 +
alguem@exemplo.pt: 19
 +
birisi@example.com: 19
 +
ddrinan@netscape.com: 19
 +
noen@example.com: 19
 +
valaki@example.com: 19
 +
eksempel@passport.com: 18
 +
navn_123@hotmail.com: 18
 +
law@netscape.com: 17
 +
mano@mozilla.com: 17
 +
microsof@t.com: 17
 +
mscott@netscape.com: 17
 +
iemand@microsoft.com: 16
 +
myk@mozilla.org: 16
 +
ndarnamn@example.com: 16
 +
nekdo@example.com: 16
 +
nekdo@priklad.com: 16
 +
niekto@example.com: 16
 +
adamw@gnome.org: 15
 +
en@li.org: 15
 +
info@netlock.hu: 15
 +
nogen@eksempel.dk: 15
 +
priklad@passport.com: 15
 +
Outldomexuser2@hotmail.com: 14
 +
ben@netscape.com: 14
 +
ca@firmaprofesional.com: 14
 +
ca@ptt-post.nl: 14
 +
correo_cert@correo.com.uy: 14
 +
ben@mozilla.org: 13
 +
doronr@us.ibm.com: 13
 +
ehsan.akhgari@gmail.com: 13
 +
info@e-trust.be: 13
 +
314d3a220810291941w4b52597fh206faba1e5063365@mail.gmail.com: 12
 +
DOMEXUSER3@GMAIL.COM: 12
 +
MSNPrivacy@msn.com: 12
 +
alguien@example.com: 12
 +
bsmedberg@covad.net: 12
 +
glazman@netscape.com: 12
 +
someone@msn.com: 12
 +
xyx@example.com: 12
 +
Beispiel@passport.com: 11
 +
MeinName@msn.com: 11
 +
Name_123@hotmail.com: 11
 +
St@atus.eU: 11
 +
bienvenu@nventure.com: 11
 +
disttsc@bart.nl: 11
 +
esempio@passport.com: 11
 +
exemple@passport.com: 11
 +
grafta@bl.com: 11
 +
hwaara@chello.se: 11
 +
mijnnaam@msn.com: 11
 +
mionome@msn.com: 11
 +
mojanazwa@msn.com: 11
 +
monnom@msn.com: 11
 +
ms@n.com: 11
 +
naam_123@hotmail.com: 11
 +
nazwa_123@hotmail.com: 11
 +
przyklad@passport.com: 11
 +
voorbeeld@passport.com: 11
 +
zeniko@gmail.com: 11
 +
christopher@aillon.com: 10
 +
community@linuxhall.org: 10
 +
dolske@mozilla.com: 10
 +
i18n@mova.org: 10
 +
id@Us.tc: 10
 +
info@netlock.net: 10
 +
locales@geez.org: 10
 +
rangansen@netscape.com: 10
 +
rcassin@supernova.org: 10
 +
WindowsXP@gn.microsoft.com: 9
 +
ad@msn.com: 9
 +
blaker@netscape.com: 9
 +
corehc@aol.net: 9
 +
exempel@passport.com: 9
 +
gnom@prevod.org: 9
 +
icw5@gn.microsoft.com: 9
 +
jmeno_123@hotmail.com: 9
 +
jwalden+code@mit.edu: 9
 +
mitnavn@msn.com: 9
 +
mittnamn@msn.com: 9
 +
name@domain.com: 9
 +
namn_123@hotmail.com: 9
 +
nevem@msn.com: 9
 +
ntsbvt@microsoft.com: 9
 +
ornek@passport.com: 9
 +
pelda@passport.com: 9
 +
rbs@maths.uq.edu.au: 9
 +
robert@accettura.com: 9
 +
tatarish.l10n@gmail.com: 9
 +
alexeyc@bigfoot.com: 8
 +
beng@google.com: 8
 +
blakeross@telocity.com: 8
 +
</pre>
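Review bot: the new page text opens directly at ==Sample Output== with no sentence saying what bulk extractor is or which command line produced this run; add a short lead paragraph and the invocation above the heading so the timing figure (21816 seconds) can be reproduced. Inside the <pre> block, the "All email addresses" histogram is unvalidated scanner output: it lists fragments such as microsof@t.com and ms@n.com, prefixed variants such as Outldomexuser2@gmail.com, and counts DOMEXUSER2@GMAIL.COM separately from domexuser2@gmail.com, while several "Top 10 URLs" entries end in a stray 0. A sentence before "Here are the first 200 lines:" stating that entries are raw matches, neither case-folded nor validated, would keep readers from treating the counts as confirmed addresses.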

Revision as of 20:46, 11 August 2009

Sample Output

Running on a 2.4 GHz iMac with MacOS 10.5.8 against the nps-2009-realistic.aff disk image, bulk extractor version 0.0.10 took 21816 seconds (6 hours, 3 minutes) and produced an output of 14,160 lines.

Here are the first 200 lines:

Input file: /corp/images/nps/nps-2009-domexusers/nps-2009-realistic.aff
Starting page number: 0
Last processed page number: 2559
Time: Tue Aug 11 04:39:03 2009

Top 10 email addresses:
=======================
domexuser1@gmail.com: 572
domexuser2@gmail.com: 412
domexuser3@gmail.com: 319
ips@mail.ips.es: 268
premium-server@thawte.com: 252
CPS-requests@verisign.com: 243
someone@example.com: 232
domexuser2@live.com: 192
inet@microsoft.com: 145
domexuser2@hotmail.com: 138

Top 10 email domains:
=====================
gmail.com: 1693
hotmail.com: 630
netscape.com: 543
example.com: 470
microsoft.com: 390
thawte.com: 376
live.com: 329
msn.com: 298
mail.ips.es: 268
passport.com: 267

Top 10 URLs:
=====================
http://www.microsoft.com/contentredirect.asp.: 6257
http://ocsp.verisign.com0: 3030
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul: 2241
http://: 1666
http://crl.verisign.com/tss-ca.crl0: 1515
http://crl.verisign.com/ThawteTimestampingCA.crl0: 1513
http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0: 1311
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O: 1310
http://www.mozilla.org/MPL/: 1000
http://support.microsoft.com: 974

All email addresses:
====================
domexuser1@gmail.com: 572
domexuser2@gmail.com: 412
domexuser3@gmail.com: 319
ips@mail.ips.es: 268
premium-server@thawte.com: 252
CPS-requests@verisign.com: 243
someone@example.com: 232
domexuser2@live.com: 192
inet@microsoft.com: 145
domexuser2@hotmail.com: 138
domexuser1@hotmail.com: 135
domexuser1@live.com: 133
myname@msn.com: 115
example@passport.com: 111
ca@digsigtrust.com: 110
info@valicert.com: 94
piracy@microsoft.com: 91
certificate@trustcenter.de: 80
hewitt@netscape.com: 69
name_123@hotmail.com: 67
talkback@mozilla.org: 67
lord@netscape.com: 64
someone@microsoft.com: 53
mcgreer@netscape.com: 51
domexuser1%40gmail.com@imap.gmail.com: 48
neil@parkwaycc.co.uk: 47
9name_123@hotmail.com: 43
mazrob@panix.com: 43
Outldomexuser2@gmail.com: 41
server-certs@thawte.com: 37
sspitzer@netscape.com: 36
49091023.6070302@gmail.com: 35
73A94919-FF6B-4E3F-938E-FB39BBC7497C@gmail.com: 34
cps@netlock.net: 33
ellenorzes@netlock.net: 33
thayes@netscape.com: 33
DOMEXUSER2@GMAIL.COM: 32
personal-basic@thawte.com: 32
nome_123@hotmail.com: 31
alecf@netscape.com: 30
ManageLinks.aspx%3Fmkt%3Den-us%26noteid%3DNote.Linked%26notelevel%3D1%26notesec%3D0%26username%3Ddomexuser1@hotmail.com: 29
domesxuser2@gmail.com: 28
javi@netscape.com: 28
mscott@mozilla.org: 28
personal-premium@thawte.com: 28
admin@digsigtrust.com: 27
personal-freemail@thawte.com: 27
49091664.70508@gmail.com: 26
admin@startcom.org: 25
cmanske@netscape.com: 24
feste@feste.org: 24
fritz@google.com: 22
silver-certs@saunalahti.fi: 21
DOMEXUSER1@GMAIL.COM: 20
exemplo@passport.com: 20
gold-certs@saunalahti.fi: 20
jemand@example.com: 20
joku@example.com: 20
meunome@msn.com: 20
osoba@example.com: 20
prova@example.com: 20
toolkit@mozilla.org: 20
CPh@99841.PA: 19
alguem@exemplo.pt: 19
birisi@example.com: 19
ddrinan@netscape.com: 19
noen@example.com: 19
valaki@example.com: 19
eksempel@passport.com: 18
navn_123@hotmail.com: 18
law@netscape.com: 17
mano@mozilla.com: 17
microsof@t.com: 17
mscott@netscape.com: 17
iemand@microsoft.com: 16
myk@mozilla.org: 16
ndarnamn@example.com: 16
nekdo@example.com: 16
nekdo@priklad.com: 16
niekto@example.com: 16
adamw@gnome.org: 15
en@li.org: 15
info@netlock.hu: 15
nogen@eksempel.dk: 15
priklad@passport.com: 15
Outldomexuser2@hotmail.com: 14
ben@netscape.com: 14
ca@firmaprofesional.com: 14
ca@ptt-post.nl: 14
correo_cert@correo.com.uy: 14
ben@mozilla.org: 13
doronr@us.ibm.com: 13
ehsan.akhgari@gmail.com: 13
info@e-trust.be: 13
314d3a220810291941w4b52597fh206faba1e5063365@mail.gmail.com: 12
DOMEXUSER3@GMAIL.COM: 12
MSNPrivacy@msn.com: 12
alguien@example.com: 12
bsmedberg@covad.net: 12
glazman@netscape.com: 12
someone@msn.com: 12
xyx@example.com: 12
Beispiel@passport.com: 11
MeinName@msn.com: 11
Name_123@hotmail.com: 11
St@atus.eU: 11
bienvenu@nventure.com: 11
disttsc@bart.nl: 11
esempio@passport.com: 11
exemple@passport.com: 11
grafta@bl.com: 11
hwaara@chello.se: 11
mijnnaam@msn.com: 11
mionome@msn.com: 11
mojanazwa@msn.com: 11
monnom@msn.com: 11
ms@n.com: 11
naam_123@hotmail.com: 11
nazwa_123@hotmail.com: 11
przyklad@passport.com: 11
voorbeeld@passport.com: 11
zeniko@gmail.com: 11
christopher@aillon.com: 10
community@linuxhall.org: 10
dolske@mozilla.com: 10
i18n@mova.org: 10
id@Us.tc: 10
info@netlock.net: 10
locales@geez.org: 10
rangansen@netscape.com: 10
rcassin@supernova.org: 10
WindowsXP@gn.microsoft.com: 9
ad@msn.com: 9
blaker@netscape.com: 9
corehc@aol.net: 9
exempel@passport.com: 9
gnom@prevod.org: 9
icw5@gn.microsoft.com: 9
jmeno_123@hotmail.com: 9
jwalden+code@mit.edu: 9
mitnavn@msn.com: 9
mittnamn@msn.com: 9
name@domain.com: 9
namn_123@hotmail.com: 9
nevem@msn.com: 9
ntsbvt@microsoft.com: 9
ornek@passport.com: 9
pelda@passport.com: 9
rbs@maths.uq.edu.au: 9
robert@accettura.com: 9
tatarish.l10n@gmail.com: 9
alexeyc@bigfoot.com: 8
beng@google.com: 8
blakeross@telocity.com: 8