Initialization vectors: iLEAPP: iOS Logs, Events, And Properties Parser

Tuesday, December 24, 2019

iLEAPP: iOS Logs, Events, And Properties Parser

Introducing a Python 3 script that merges all my previous iOS digital forensics and incident response (DFIR) scripts into one.

iLEAPP
Many thanks go to Jessica Hyde (@B1N2H3X) for suggesting I start merging my standalone scripts into a unified tool during OSDFcon. You are the best Jess. Also tons of thanks to Phill Moore (@phillmoore) for helping me with coding one of the artifacts. I'm really grateful for Christopher Vance (@cScottVance) and Geraldine Blay (@i_am_the_gia) for allowing me to create scripts based on their areas of iOS research. Last but never least my respect and appreciation to Sarah Edwards (@iamevltwin) for her trailblazing work in iOS DFIR and for showing me the existence of the Mobile Installation logs.

Name:
    iLEAPP: iOS Logs, Events, And Properties Parser

Download:
    https://github.com/abrignoni/iLEAPP

Purpose:
  1. Create a central point for iOS scripts made by the writer.
  2. Serve as an open source tool (OST) option to validate commercial DFIR tools.
  3. Be a zero-cost option for forensic examiners who are tasked with iOS mobile forensics but lack the budget to acquire a full suite of commercial DFIR tools.
  4. Enable me to work on my Python coding skills as related to DFIR.

Features:
  • Python 3 script
  • Coded and tested on macOS Catalina.
  • Script can parse an iOS full file system directory directly from a .tar file or its decompressed contents.

Current parsing capabilities:
Development:
    The scripts utilized are fully open source and can be used and modified by others. Looking forward to sharing and merging these with other OST DFIR tools.

    I hope to be able to add the following in the near future:
  1. Graphical user interface for point-and-click selection of source tar file or extraction directory.
  2. Progress bar or indicator of parsing activity to the user.
  3. Additional artifacts like applicationState.db query results, KTX snapshot extraction, and all sorts of plists.
Usage:
    ileapp.py [-h] -o {fs,tar} pathtodir

    iLEAPP: iOS Logs, Events, and Preferences Parser.

    positional arguments:
      pathtodir    Path to directory

    optional arguments:
      -h, --help   show this help message and exit
      -o {fs,tar}  Directory path or TAR filename and path(required).

Internals:

    The script has 3 key components.
  1. ileapp.py
  2. search_files.py
  3. ilapfuncs.py
The ileapp.py script has a Python dictionary where the keys are the parsing function names and the values are the search patterns to be executed. Here is an example of the contents of the dictionary.


The flow is fairly simple.
  • The values portion is used to traverse the tar file or logical file system for a match per the search_files.py script. If traversing a .tar file, a temporary folder is created in the reports folder and the matching file/s are exported and stored there for parsing by the ilapfuncs.py script per the key function name. For a logical file system search no temporary file creation is needed, since the file/s are already in a ready-for-parsing state.
  • The ilapfuncs.py functions perform the analysis and write the proper reports.
  • The temporary folder is deleted after parsing. I am still debating if the temporary folder should be left in place for easy report validation.
Any of the key:value pairs can be deleted and/or new ones added. Any new key:value pair will be called by ileapp.py as a function that should be defined in ilapfuncs.py.

CAVEAT:
Some of the artifacts depend on knowing which iOS version is being worked on. The ileapp.py script depends on the iOS version output from the lastbuild function. If this key is removed from the dictionary of items it will break both the knowledgeC and iOS Notifications functions. It is suggested (to the point of requirement) that the lastbuild key remain in the dictionary and that it precede all the aforementioned ones.
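To make the dispatch flow from Internals and the lastbuild ordering caveat concrete, here is an added example in the same shape (not iLEAPP's own code): a pattern dictionary walked in insertion order, matches exported from a tar into a temporary folder or located directly in a directory, each key called as a parser function, and a check that lastbuild precedes the parsers that consume the iOS version. The SystemVersion.plist and knowledgeC.db patterns, the two parsers and the sample file system are constructed for this example.

```python
import fnmatch, os, pathlib, plistlib, shutil, tarfile, tempfile

# Constructed dictionary in the post's shape (key = parser name, value = path pattern); not iLEAPP's list.
SEARCH_PATTERNS = {"lastbuild": "*/System/Library/CoreServices/SystemVersion.plist",
                   "knowledgec": "*/CoreDuet/Knowledge/knowledgeC.db"}
NEEDS_VERSION = {"knowledgec"}  # parsers that consume the iOS version found by lastbuild

def lastbuild(files, state):  # records the version the dependent parsers read from state
    state["ios_version"] = plistlib.loads(pathlib.Path(files[0]).read_bytes())["ProductVersion"]
    return state["ios_version"]
def knowledgec(files, state):  # a real parser would query the SQLite database here
    return f"{len(files)} knowledgeC.db parsed as iOS {state['ios_version']}"
def check_order(patterns):  # the caveat: version consumers listed before (or without) lastbuild
    keys = list(patterns)
    cut = keys.index("lastbuild") if "lastbuild" in keys else len(keys)
    return [k for k in keys[:cut] if k in NEEDS_VERSION]

def find_matches(source, mode, pattern, tmpdir):
    if mode == "tar":  # export matching members into tmpdir, as the post describes
        with tarfile.open(source) as tar:  # skip absolute or '..' names so exports stay in tmpdir
            hits = [m for m in tar.getmembers() if m.isfile() and not os.path.isabs(m.name)
                    and ".." not in m.name.split("/") and fnmatch.fnmatch(m.name, pattern)]
            tar.extractall(tmpdir, members=hits)
            return [os.path.join(tmpdir, m.name) for m in hits]
    return [os.path.join(r, f) for r, _, fs in os.walk(source) for f in fs  # fs mode: no copies
            if fnmatch.fnmatch(os.path.join(r, f), pattern)]

def run(source, mode, patterns=SEARCH_PATTERNS):  # call each key as a function, in dict order
    if check_order(patterns):
        raise ValueError(f"{check_order(patterns)} must come after lastbuild in the dictionary")
    tmpdir, state, results = tempfile.mkdtemp(), {}, {}
    try:
        for key, pattern in patterns.items():
            files = find_matches(source, mode, pattern, tmpdir)
            if files:  # iLEAPP keeps its parsers in ilapfuncs.py; here they are module globals
                results[key] = globals()[key](files, state)
    finally:
        shutil.rmtree(tmpdir)  # as in the post, exported copies are removed after parsing
    return results

def build_sample():  # constructed 'full file system' as a directory plus its tar, for offline use
    root = tempfile.mkdtemp()
    files = {"fs/System/Library/CoreServices/SystemVersion.plist": plistlib.dumps({"ProductVersion": "13.3"}),
             "fs/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db": b"placeholder"}
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    with tarfile.open(os.path.join(root, "ffs.tar"), "w") as tar:
        tar.add(os.path.join(root, "fs"), arcname="fs")
    return os.path.join(root, "ffs.tar"), os.path.join(root, "fs")
```

Both `run(tar_path, "tar")` and `run(fs_dir, "fs")` on the sample return the same results, while reversing the dictionary makes `run` refuse to start instead of failing inside knowledgec.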

Conclusion:
Some, if not the majority, of the artifacts these scripts will eventually parse will not be of my discovery or making. One of the reasons I code things others have done, and even done better, is that it enables me to grow by having something to compare my development with. Many times we think that the way to excellence is to come up with things no one has seen before, to imagine something never thought of. It is my experience that the only way to be better at what we do is to understand that which has already been done. Only then will the unknown be apparent to us. To depend on and take advantage of the works of others that have come before us or are currently with us on our DFIR journey, and to contribute in any way we can, is the way to successfully work our cases faster, more efficiently, to give justice to those who need it, and to feel joy while doing it.

To that end, as always, I can be reached on Twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.