Mac & iOS Forensics Cheatsheet & Tools
mac_apt (and its iOS counterpart ios_apt) is my favourite tool! Essential for quick macOS/iOS triage. Install following the project's instructions, activate the virtual environment and run:
source env/bin/activate
cd mac_apt
# [format] is the input type accepted by each tool (see its --help); ALL runs every plugin
python mac_apt.py -o /path/to/output [format] -i /path/to/input ALL
python ios_apt.py -o /path/to/output [format] -i /path/to/input ALL
# when finished
deactivate
iLEAPP: in-depth analysis of iOS file system extractions and iTunes backups.
git clone https://github.com/abrignoni/iLEAPP
cd iLEAPP
pip3 install -r requirements.txt
# python3-tk is only needed for the GUI (ileappGUI.py)
sudo apt-get install python3-tk
# [type] is the input type: fs, tar, zip, gz or itunes
python3 ileapp.py -t [type] -i /path/to/input -o /path/to/output
Artifact Analysis: Credentials
iChainbreaker decrypts the iCloud Keychain database ‘keychain-2.db’ located in the user’s Library/Keychains directory. The user’s password is required for decryption.
LOVE LOVE LOVE anything by n0fate. Literally so many of the scripts I wrote are based on his work!
python2 iChainbreaker.py -p /path/to/Library/Keychains -k [password] -v [MacOS Version] -X [exportfile]
Chainbreaker handles the macOS login keychain. It’s best to read the README of the package, because it supports many different usages. Personally, this is what I do:
python2 chainbreaker.py -e -o /path/to/output -p [keychainfile]
Keychain-dumper is an executable that you upload over SSH to a jailbroken iOS device. Once it is signed with entitlements covering every keychain access group present in ‘keychain-2.db’ (which is what updateEntitlements.sh generates), it queries the keychain through the Security framework and prints the decrypted items.
# iproxy LOCAL_PORT DEVICE_PORT: local port 22 is forwarded over USB to port 44 on the device
# (the SSH port used by some jailbreaks); [host] is then localhost
sudo iproxy 22 44
scp keychain-dumper [username]@[host]:
scp updateEntitlements.sh [username]@[host]:
ssh [username]@[host]
# on the device: updateEntitlements.sh needs sqlite3 and openssl
sudo apt-get install sqlite3 openssl
chmod +x keychain-dumper
mv keychain-dumper /usr/bin
chmod +x updateEntitlements.sh
./updateEntitlements.sh
keychain-dumper -a
Sometimes the Internet Passwords (inet items) are not printed; this depends on the device model and iOS version.
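To show what the entitlement step above actually does, here is an added Python example (my own illustration, not keychain-dumper's updateEntitlements.sh): it collects every distinct access group from the keychain item tables and emits the keychain-access-groups entitlement that ldid -S would then stamp onto the dumper. It assumes the keychain-2.db schema has item tables genp, inet, cert and keys, each with an agrp column; the database used here is constructed in memory with sample access groups so the script runs offline, and the re-signing step is left to ldid.

```python
"""Rebuild a keychain-access-groups entitlements plist from keychain-2.db.

Added example, not code from keychain-dumper or updateEntitlements.sh.
Assumption: the item tables genp, inet, cert and keys each carry an
'agrp' (access group) column, as in a jailbroken device's
/var/Keychains/keychain-2.db.
"""
import plistlib
import sqlite3

ITEM_TABLES = ("genp", "inet", "cert", "keys")


def build_sample_db():
    """Constructed stand-in for keychain-2.db: sample rows, not a real dump."""
    db = sqlite3.connect(":memory:")
    for table in ITEM_TABLES:
        db.execute(f"CREATE TABLE {table} (rowid INTEGER PRIMARY KEY, agrp TEXT, data BLOB)")
    db.executemany("INSERT INTO genp (agrp, data) VALUES (?, ?)",
                   [("apple", b"\x00"), ("com.apple.cfnetwork", b"\x00"),
                    ("group.net.whatsapp.WhatsApp.shared", b"\x00")])
    db.executemany("INSERT INTO inet (agrp, data) VALUES (?, ?)",
                   [("apple", b"\x00"), ("com.apple.cfnetwork", b"\x00")])
    db.executemany("INSERT INTO cert (agrp, data) VALUES (?, ?)",
                   [("lockdown-identities", b"\x00")])
    db.executemany("INSERT INTO keys (agrp, data) VALUES (?, ?)",
                   [("lockdown-identities", b"\x00"), (None, b"\x00")])
    db.commit()
    return db


def access_groups(db):
    """Return the sorted, de-duplicated access groups across all item tables.

    A binary entitled for every group here can query every item through the
    Security framework; rows with a NULL access group are skipped.
    """
    query = " UNION ".join(f"SELECT DISTINCT agrp FROM {t}" for t in ITEM_TABLES)
    return sorted(row[0] for row in db.execute(query) if row[0])


def entitlements_plist(groups):
    """Serialize the groups as the keychain-access-groups entitlement (XML plist bytes)."""
    return plistlib.dumps({"keychain-access-groups": list(groups)}, fmt=plistlib.FMT_XML)


def write_entitlements(db_path, out_path):
    """Run against a real database file and write the plist for ldid -S<out_path>."""
    db = sqlite3.connect(db_path)
    try:
        groups = access_groups(db)
    finally:
        db.close()
    with open(out_path, "wb") as fh:
        fh.write(entitlements_plist(groups))
    return groups


if __name__ == "__main__":
    sample = build_sample_db()
    print(entitlements_plist(access_groups(sample)).decode())
```

On the device you would point write_entitlements at /var/Keychains/keychain-2.db, then run `ldid -Sentitlements.plist keychain-dumper`; if an app's items still do not appear, check whether its access group was missing from the tables you queried.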
This is another great one! It also relies on an executable uploaded to a jailbroken iOS device, but unlike the previous tool it calls the AppleKeyStore kernel extension to unwrap the AES keys protecting the items in ‘keychain-2.db’. I like this one a lot because it helps you understand how the Apple keychain and its encryption work. The Python code dumps the genp and inet passwords to a property list file.
I have been working on a package that extends it to the keys and cert tables as well.
# upload the agent + entitlements and assign privileges
sudo iproxy 22 44
scp keyclass_unwrapper [user]@[hostname]:
scp entitlements.plist [user]@[hostname]:
ssh [user]@[hostname]
# sign the agent with the entitlements it needs to reach AppleKeyStore
ldid -Sentitlements.plist keyclass_unwrapper
chmod +x keyclass_unwrapper
exit
# edit the Python code to match the forwarded port and the device's SSH password before running it
Much of the code you see related to iOS forensics/security refers back to the iconic iPhone-dataprotection project. One of its key capabilities was extracting the AES keys from the device. aes_ap, from the golb repository, does just that, and again it works only on jailbroken devices. I’ve been playing around with them for a while and unfortunately I cannot confirm whether they work or not, because I have been unable to get the Device Key from the AppleKeyStore lockers 🙁
cd golb
make
scp aes_ap [username]@[hostname]:
ssh [username]@[hostname]
./aes_ap
Artifact Analysis: Misc
The call history database is encrypted with a key held in the macOS keychain, so first you need to recover that key, which Chainbreaker can find. Fetch the raw script (the blob URL on GitHub returns an HTML page, not the file):
curl -O https://raw.githubusercontent.com/n0fate/OS-X-Continuity/master/Call%20History%20Decryptor/callhistorydecryptor.py
python2 callhistorydecryptor.py -k [key] -f /path/to/CallHistory.storedata
Installation depends on your OS. Basically, this code parses and decrypts encrypted Apple Notes with the provided password. The commands vary so much between platforms that I advise you to read the README to find what works best for you!
This is a script I wrote! Basically, it decrypts WhatsApp iCloud backups. However, there are limitations due to how WhatsApp works:
– The key is generated on the device that requests an iCloud backup. That key can decrypt iCloud backups on macOS/iOS, provided they belong to the same account.
– If the user migrates to a new phone, a new key is generated. That means the key from the new phone cannot decrypt iCloud backups that were created on the previous phone, whose key only ever existed locally on that phone.
– To get the key, run the iOS keychain decryptor or Keychain-dumper and look for the value wa.backup.e