'Forensics'에 해당되는 글 1건

  1. 2010.11.19 iPhone Forensics White Paper (1)
2010. 11. 19. 11:48

iPhone Forensics White Paper

Summary (from Company Information)

iPhoneAnalyzer is a newcomer to the iPhone forensics market providing a cross-platform software solution. With both open-source and low-cost commercial options is provides a cost-effective way of exploiting iPhone data in a forensically safe way or simply exploring the usually hidden files on an iPhone, iTouch or iPad.

Based on a robust Java library it provides an extensible framework for parsing plist and sqlite file types, including the backup files produced by iTunes. This framework can be used through the rich user interface, from the command line or as a Java library for use in other products. The typical mode of operation is to work with entire backup files; either those from seized computers or as a defensible way of non-intrusively examining a seized device. In either case the entire directory tree is available for browsing, with multiple views on each file (including text, hex, plist browser, sqlite browser and file specific browsing). Alternatively individual files can be examined using the same rich browser, or an entire live device can be accessed over SSH if it has been jailbroken. Currently there is support for info.plist, manifest.plist, address book, calendar, sms, images (including meta-data such as geo-location) and many other types.

iPhoneAnalyzer can be used free as an open-source product, or for more features (including rich searching and reporting) the professional version provides excellent value. Unlike many other products this open source model allows additional features at a reasonable consultancy rate, or it can be incorporated into other products for a licence fee.


I downloaded iPhone Analyzer from http://sourceforge.net/projects/iphoneanalyzer/. I opened the resulting Java Archive (.jar) file on a Macintosh computer which immediately launched the application. Because this software is currently open source, no license or activation key was necessary.

Forensic Acquisition

The iPhone Analyzer either reads the iPhone’s backup files, or if the device is jail broken will look at the internal file structure of the phone through SSH. Because the test iPhone was not jail broken, I proceeded to create a backup file of the phone using iTunes.

Once the backup was complete, I opened the software, and imported the backup file from the “Default iTunes location.”

Figure 1.1. Import Backup File

Results and Reporting

After importing the backup file, 2 main screens are displayed: browse files and examine files. The Device Info is immediately displayed on the main screen, while common bookmarks such as Contacts, Messages, and Photos, are shown on the left-hand side. For each file selected, you have the option to view it as it is displayed on the screen or to view it as a SQL database. Here you can browse the file based on name, phone number, etc. (depending on the file).

Figure 1.2. Device Info

Here is what is displayed for the address book (Tip: be patient with larger files. This file contained over 2,000 contacts, so it took about a minute to load.) The file is in the form of a sqlitedb, and does not display nicely on the screen. However, if you click on a contact, details of that individual will be displayed in a more organized format on the right-hand side. This particular file might be best displayed as a SQL database.

Figure 1.3. Contacts

Under Messages, you have the option to view Sent, Received, or All text messages. This section does include MMS messages sent, however it is difficult to determine what these are. In this test case, the 2 lines which have a blank “message” column are both multimedia messages. The images attached to these messages are displayed within the photos section.

Figure 1.4. All Messages

Under the “Shortcuts” heading are the photos, which are displayed in thumbnails by default. Though not labeled, videos are also displayed in this section. You can click on a particular photo/video to see a larger image as well as view exif data. There is also an “Export all images” option, however I was unable to get this option to work.

Figure 1.5. Photos/Videos

Once you’ve browsed through the bookmarks, you have the option to browse through the file system folders by selecting the arrow next to “bookmarks.”

Figure 1.6. File System Directory

Within the the file system directory, you can view any database file or plist file within the software itself. One issue is that any other type of file which cannot be viewed within the software, can also not be exported. For example, I tried to navigate to the voicemails, which are .amr files. This file was viewed as “unidentified” and I could not export the file to open it in a media player. I had the same issue with a video (.mov file) located in the “Documents” folder.

Finally, I decided to test out the searching capabilities within the software. I selected Search > Find, and entered the name of one of the wireless access points that the device was synced with. The search took less than 1 minute, and provided the results I was expecting. Results are displayed in a separate pane at the bottom of the screen.

Figure 1.7. Search

Figure 1.8. Search Results

Matrix of Results

The following are the results from iPhone Analyzer:

Figure 1.9. iPhone Analyzer Matrix of Results


iPhone Analyzer was able to immediately locate the device’s backup file and import its data. While it did take a little bit of time to load the data when a new category was selected, the searching functionality was quicker than expected.

The following ranking establishes iPhone Analyzer’s overall rating of 2.8 on the four criteria established at the beginning of this white paper.

출처 : http://viaforensics.com/

Trackback 0 Comment 1
  1. 2010.11.22 17:55 address edit & del reply