Thursday, April 23, 2020

Meet M.E.A.T. - It's really well done!

Short version

Make no mistake, M.E.A.T. had me at hello. It is open source Python software for iOS extraction written by Jack Farley (@JackFarley248). It creates a file system extraction of jailbroken iOS devices using Apple File Conduit 2.

Meat puns are the wurst

Get some M.E.A.T. here:
https://github.com/jfarley248/MEAT
I also highly recommend Jack's iTunes Backup Reader. It takes unencrypted iTunes backups and recreates the full file system structure. Get it here:
https://github.com/jfarley248/iTunes_Backup_Reader
Update:

Video version


Long version

I love Twitter but sometimes the algorithm, or just plain bad timing, makes me miss some of the juiciest tweets and announcements. Thanks to Phill Moore (@phillmoore) I was made aware of the newly released Mobile Evidence Acquisition Toolkit (M.E.A.T.) by Jack Farley. I've been following his work and using his code for a while now. I cannot encourage you enough to give his scripts a shot. From a learning/training use to a data acquisition and validation perspective, these tools are worth your time.

M.E.A.T. will give you a full file system extraction from iOS devices with a single command. If you had the pleasure (or pain) of extracting a full file system over WiFi using SSH you will appreciate the speed and simplicity of this USB based method. The following is a quick guide and review on the scripts and how to execute them.

Pre-requisites & download

Go to the GitHub repo for M.E.A.T. and download the scripts. As stated in the repo's readme you will need a Windows machine with Python 3.7.4 or 3.7.2 installed. Before running the scripts make sure you unzip the downloaded file and run the following command from the root directory of the scripts.
pip install -r requirements.txt
This will make sure all the dependencies are installed. Also your target iOS device will need to be jailbroken and have Apple File Conduit 2 (AFC2) installed via Cydia.

For a great guide on what jailbreaking entails, with emphasis on the checkra1n implementation of checkm8, see Ian Whiffin and Shafik G. Punja's blog post here.

Assuming the target device is jailbroken with AFC2 and your computer has Python with all the proper dependencies, you are ready to go.

Let's beat it

Connect your iOS device to your computer. As expected make sure to select Trust Device at the prompt on your iOS device and provide the proper pin/code/pass as needed. With trust established we can connect to the phone.

Navigate to the script's root directory. It will look like this:


Open a command line interface at this location and run the following command to examine the help documentation.
python MEAT.py -h
You will see the following. Pretty self-explanatory.

Sick MEAT ascii art. I think it is cured by now.

As seen in the help you can generate MD5 and SHA1 hashes for your extracted files. Delicious!
For this example I will run a file system extraction that will pull everything from the root of the device. The logical option will only extract data from the /private/var/mobile/Media directory. Be aware that the -v option will add some additional time to the extraction since a lot of output will be sent to the screen.

Before starting the extraction I create the output folder in the same directory from where I am running the script. You don't have to do this of course. I do because it shortens how long the extraction command will be. In this example I typed the following to create my output directory:
mkdir output
To start the extraction process in verbose mode without hashing type this:
python MEAT.py -iOS -filesystem -o ./output -v
At the start of the process you will see your target device information.


Since we are running in verbose mode you will see a Matrix-movie-like screen of flying text.


These are the files being extracted. The process on my device took around 90 minutes for a 15 GB extraction in verbose mode. When done you will have an iOS file system folder and a log. If you selected the hashing option you will also have a CSV file with all the calculated hashes.
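Because the hashing option exists to let you validate the acquisition, here is an added example (my own code, not part of M.E.A.T.) that re-hashes an extracted tree and compares it against a hash manifest. It assumes a CSV with columns path,md5,sha1 where path is relative to the extraction root; M.E.A.T.'s actual CSV layout may differ, so adjust the column names to match. The sample extraction and manifest are constructed in a temp directory so it runs stand-alone.

```python
import csv
import hashlib
import io
import os
import tempfile


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha1) hex digests of one file, read in 1 MiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_manifest(root, manifest_text):
    """Check every manifest row against the files under root.
    Assumed CSV columns (not M.E.A.T.'s documented format): path,md5,sha1.
    Returns a dict with 'ok', 'mismatch' and 'missing' path lists."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for row in csv.DictReader(io.StringIO(manifest_text)):
        full = os.path.join(root, row["path"])
        if not os.path.isfile(full):
            result["missing"].append(row["path"])
            continue
        md5, sha1 = hash_file(full)
        if md5 == row["md5"].lower() and sha1 == row["sha1"].lower():
            result["ok"].append(row["path"])
        else:
            result["mismatch"].append(row["path"])
    return result


def demo():
    """Constructed extraction: one good file, one altered file, one missing file."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "private", "var", "mobile", "Media")
    os.makedirs(media)
    with open(os.path.join(media, "note.txt"), "wb") as fh:
        fh.write(b"hello")  # matches the manifest hashes below
    with open(os.path.join(media, "other.txt"), "wb") as fh:
        fh.write(b"world")  # content changed after hashing: mismatch
    manifest = (
        "path,md5,sha1\n"
        "private/var/mobile/Media/note.txt,5d41402abc4b2a76b9719d911017c592,aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\n"
        "private/var/mobile/Media/other.txt,5d41402abc4b2a76b9719d911017c592,aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\n"
        "private/var/mobile/Media/gone.txt,5d41402abc4b2a76b9719d911017c592,aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\n"
    )
    return verify_manifest(root, manifest)
```

Any entry in mismatch or missing means the copy you are about to examine is not the copy that was hashed at acquisition time.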


Be aware that you might find some difficulty running the scripts on some older iOS devices. This is OK. No software executes 100% of the time. That is to be expected, as is these scripts getting better with time. The fact that, even though these were released only a few days ago, you are able to extract so much from so many iOS devices is amazing.

Here are the contents of the iOS-Filesystem directory.

Now what?
iLEAPP for M.E.A.T.

With the extraction done you can parse it with your favorite digital forensics commercial tools. In order to keep the open source vibe going I will parse it with my own tool, the iOS Logs Events And Properties Parser (iLEAPP), and see what we can get. You can get iLEAPP here:
https://github.com/abrignoni/iLEAPP
As expected the tool parses the artifacts and provides a report. Currently I am updating the reporting function in iLEAPP so it has searching by report section and an overall more polished look. Credit goes to Yogesh Khatri (@swiftforensics) for his work on the reporting features in ALEAPP that I am now porting to iLEAPP.

iLEAPP command line execution:


iLEAPP reporting from M.E.A.T. extraction:


Conclusion:

We are truly living in the golden age of mobile digital forensics in the midst of a vibrant community of practitioners that work together to make the industry, tools, and knowledge more useful and accessible. Again, a big thank you to Jack Farley for his work on this tool. It is greatly appreciated.

As always, I can be reached on twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.



Sunday, April 19, 2020

iOS Houseparty app: More Realm

Short version:

The Houseparty app keeps user generated data in the following Realm database:
/private/var/mobile/Containers/Data/Application/*GUID*/Documents/houseparty.rocky.realm
For details on how to jailbreak an iOS device see here: https://www.doubleblak.com/blogPosts.php?id=12. Lots of detail on how to use Checkra1n so a full file system data dump can be extracted for analysis.

For details on Realm databases and how to approach their examination see here: https://abrignoni.blogspot.com/2019/11/realm-database-storage-primer-for.html
It is of note that Cellebrite Physical Analyzer has a database browser that is compatible with Realm databases.

Update

Video version of this blog post:



Long version:

Due to Covid-19, and the fact that social interactions in person have been limited because of it, a slew of group video chat applications have taken off in popularity. One of those is Houseparty for all major operating systems. This post will deal with the iOS version of the app.


For this analysis I used the excellent public test image created by Josh Hickman (@josh_hickman1). His images have detailed documentation regarding what apps were used, what user activity was generated, and when. This process is key when dealing with an unknown app or one that is not parsed by commercial tools. You can get these excellent test images here:
https://thebinaryhick.blog/2020/04/16/ios-13-images-images-now-available/

In order to investigate a non-parsed app the process I recommend is to generate a known data set collection. That way one is aware of what to look for while trying to decipher how the data is stored. In this case Josh's image, since it is so well documented, will serve as our research platform.

Our test image has the following documented activity:
This is the data we will be searching for in our app data store. The first step is to locate the app data folder in the iOS full file system extraction. To do this I ran the extraction through iLEAPP. This is a collection of Python 3 scripts designed to extract interesting artifacts from iOS images. You can download iLEAPP here:
https://github.com/abrignoni/iLEAPP

After processing a report is generated. For simplicity I limited the report to the applicationstate.db artifact. This is the database that iOS uses to keep track of what apps are installed and where.


Using the search feature in the report I was able to locate the app and the location where the user generated activity is kept. If you are not sure what the bundle ID of the app is you can easily find it here:
https://offcornerdev.com/bundleid.html

The path to follow is under the Sandbox Path column. Notice how app directories in iOS are identified by a long GUID number. This is why querying the applicationstate.db is so important. It is the fastest way to determine what GUID name directory corresponds to the app of interest.

After arriving at the target directory we find the usual app structure for iOS apps.


Inside the Documents folder is our data store of interest: a Realm file named houseparty.rocky.realm.
In order to view the contents of this data store one has to have Realm Studio installed on the analysis computer. Realm Studio can be found here:
https://realm.io/products/realm-studio
After opening the data store three classes are of interest. The first one is RealNote. This one contains the expected chats with recipient IDs and timestamps.


The second one is RealmPublicUser. This class contains information about the message recipients.


The third one is RealLocalContact. It has additional information about the local user account for the app.


One way of reporting the contents of these data stores is to export the contents to JSON.


With the data in JSON format one can extract whatever classes are needed for reporting purposes.
A quick triage way to visualize the data without needing Realm Studio is to process the exported JSON file through a JSON to HTML converter. One can be found here:
https://github.com/abrignoni/JSON-to-HTML-and-XLS
In my opinion, this conversion helps the user see the delimiting lines between keys and values more easily.
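As an added example of pulling one class out of the JSON export for reporting (my own code, not the converter linked above), the script below joins the chat class to the recipient class and renders the result as an HTML table. It assumes the export is a top-level object keyed by class name, each holding a list of objects, and the field names (recipientId, text, timestamp, username) are hypothetical stand-ins for whatever the real schema uses; the sample export is constructed. Note the escaping: chat text is attacker-controlled input, so it must never be dropped into the report as raw markup.

```python
import html
import json
from datetime import datetime, timezone

# Constructed sample in the assumed shape of a Realm Studio JSON export.
# Class names follow the post; field names are hypothetical.
SAMPLE_EXPORT = json.dumps({
    "RealNote": [
        {"id": "n1", "recipientId": "u2", "text": "see you at 7",
         "timestamp": "2020-04-14T18:05:00.000Z"},
        {"id": "n2", "recipientId": "u9", "text": "<script>alert(1)</script>",
         "timestamp": "2020-04-14T18:07:30.000Z"},
    ],
    "RealmPublicUser": [
        {"id": "u2", "username": "josh_test", "fullName": "Josh H."},
    ],
})

COLUMNS = ("when", "recipient", "text")


def load_export(text):
    """Parse the JSON export into a dict of class name -> list of objects."""
    return json.loads(text)


def resolve_notes(data):
    """Join each RealNote to its RealmPublicUser recipient by ID.
    Unknown recipient IDs are kept as-is rather than silently dropped."""
    users = {u["id"]: u for u in data.get("RealmPublicUser", [])}
    rows = []
    for note in data.get("RealNote", []):
        user = users.get(note["recipientId"], {})
        when = datetime.strptime(note["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        when = when.replace(tzinfo=timezone.utc)  # export timestamps assumed UTC
        rows.append({"when": when.isoformat(),
                     "recipient": user.get("username", note["recipientId"]),
                     "text": note["text"]})
    return rows


def rows_to_html(rows):
    """Render rows as a bordered table; html.escape keeps chat text inert."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in COLUMNS) + "</tr>"
        for r in rows)
    return f"<table border='1'><tr>{head}</tr>{body}</table>"
```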


Conclusion

Realm databases are becoming more prevalent in mobile analysis. We will be well served in practicing how to approach these new data stores. I believe they could possibly replace SQLite databases in the future.

As always, I can be reached on twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.