
Information
Category Name: Jailbroken
Files: c19-jailbroken.zip 3.3 GB
My Recommendations
mkdir Documents/CyberDefenders/Jailbroken && cd Documents/CyberDefenders/Jailbroken
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c19-jailbroken.zip
# expected SHA1: 67b2d3bb549e32727b126232b8c862a3e7816bd0
Then extract it with the provided password.
It might be tempting not to keep the directory structure of the zip archive, but for the tools to work you have to extract it and keep the tree exactly as it is.
The tools I used for this CTF were:
You can download and install mac_apt following its instructions. Its iOS mode, ios_apt.py, will complain about two file paths in this image, so you just need to do some editing:
– rename the directory Jailbroken/private/var/preferences to Jailbroken/private/var/Preferences;
– modify the basicinfo plugin so that it looks for /mobile/ instead of /Mobile/:
sed -i 's/\/Mobile\//\/mobile\//g' mac_apt/plugins/basicinfo.py
and then run:
cd mac_apt
source env/bin/activate
python ios_apt.py -i /home/remnux/Documents/CyberDefenders/Jailbroken/Jailbroken -o /home/remnux/Documents/CyberDefenders/Jailbroken ALL
deactivate
cd ~/Documents/CyberDefenders/Jailbroken
Walkthrough
1. What is the IOS version of this device?
The iOS version can be found in SystemVersion.plist under Jailbroken/System/Library/CoreServices. Alternatively, open ios_apt.db and look at the Basic_Info table:

The iOS version is 9.3.5.
Answer: 9.3.5
2. Who is using the iPad? Include their first and last name. (Two words)
In ios_apt.db, the InternetAccounts table shows that the username is tim.apple@fruitinc.xyz:

To confirm that this is indeed the user of the iPad, we can grep for his name:
grep -r 'Tim Apple' *
There are several matches, but the most interesting one is Calendar.sqlitedb. If we copy and open it:
cp Jailbroken/private/var/mobile/Library/Calendar/Calendar.sqlitedb .
sqlitebrowser Calendar.sqlitedb

In the Identity table there is only one display_name, which is Tim Apple!
Answer: Tim Apple
3. When was the last time this device was 100% charged? Format: 01/01/2000 01:01:01 PM
Battery data is stored in the CurrentPowerlog.PLSQL database. We can find it and copy it directly to find the answer:
find . -name "CurrentPowerlog.PLSQL" -exec cp "{}" . \;
sqlitebrowser CurrentPowerlog.PLSQL
Open the table PLBatteryAgent_EventBackward_Battery, filter on Level = 100 and sort by ID descending:

The timestamp 1586976031.21529 is in Unix epoch seconds (UTC). Converted to a date it gives Wednesday, April 15, 2020 6:40:31.215 PM.
Answer: 04/15/2020 06:40:31 PM
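Rather than filtering the table by hand in sqlitebrowser, the following Python script (an added example, not part of the original write-up or of ios_apt) runs the same Level = 100 query and returns the answer in the challenge's format. It also covers the other epoch you meet on an iOS image: PowerLog stores Unix epoch seconds, whereas Safari's History.db and other Core Data stores count seconds since 2001-01-01 (Cocoa or Mac absolute time), which matters for the visit timestamps in question 12. The table and column names ID, timestamp and Level are taken from the filtering described above; the rows in build_sample_powerlog() are constructed test data, not the real database.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and the Cocoa epoch (2001-01-01), both UTC.
COCOA_EPOCH_OFFSET = 978307200


def unix_to_utc(ts):
    """PowerLog style timestamp: Unix epoch seconds -> aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def cocoa_to_utc(ts):
    """Safari History.db / Core Data style timestamp: seconds since 2001-01-01 UTC."""
    return datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def ctf_format(dt):
    """Render a datetime in the challenge's answer format, e.g. 04/15/2020 06:40:31 PM."""
    return dt.strftime("%m/%d/%Y %I:%M:%S %p")


def last_full_charge(con):
    """Newest battery event at 100 % charge, as the CTF answer string (None if absent).

    Table and column names (PLBatteryAgent_EventBackward_Battery, ID, timestamp, Level)
    are the ones used in the write-up; treat them as assumptions for other iOS versions.
    """
    row = con.execute(
        "SELECT timestamp FROM PLBatteryAgent_EventBackward_Battery "
        "WHERE Level = 100 ORDER BY ID DESC LIMIT 1"
    ).fetchone()
    return None if row is None else ctf_format(unix_to_utc(row[0]))


def build_sample_powerlog():
    """Constructed in-memory stand-in for CurrentPowerlog.PLSQL (not the real data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE PLBatteryAgent_EventBackward_Battery "
        "(ID INTEGER PRIMARY KEY, timestamp REAL, Level INTEGER)"
    )
    con.executemany(
        "INSERT INTO PLBatteryAgent_EventBackward_Battery VALUES (?, ?, ?)",
        [
            (1, 1586900000.0, 97),
            (2, 1586950000.5, 100),
            (3, 1586976031.21529, 100),  # last time the iPad sat at 100 %
            (4, 1586980000.0, 99),
        ],
    )
    con.commit()
    return con


if __name__ == "__main__":
    # Against the real file: last_full_charge(sqlite3.connect("CurrentPowerlog.PLSQL"))
    print("last full charge:", last_full_charge(build_sample_powerlog()))
    # A History.db visit timestamp from question 12, read with the right epoch:
    print("Safari visit:", cocoa_to_utc(608636536.234073).isoformat())
```

The epoch check is the part worth keeping: a Cocoa value such as 608636536 read as Unix time lands in April 1989, which is an easy mistake to make when every table just calls its column "timestamp".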
4. What is the title of the webpage that was viewed the most? (Three words)
Safari history is stored in ‘History.db’. We can copy the Database and open it to see the contents:
find . -name 'History.db' -exec cp "{}" . \;
sqlitebrowser History.db
Filtering the history_visits table on 'Google Search' shows that the only term searched was 'Pokemon but gay':

History.db has an associated History.db-wal file. In SQLite's write-ahead-log mode, committed pages stay in the -wal file until a checkpoint merges them into the main database, so a copy of History.db alone can be missing the newest rows. We can copy the .db-wal next to the database and re-open it to see whether additional data is parsed:
find . -name 'History.db-wal' -exec cp "{}" . \;
sqlitebrowser History.db

Now, if we filter title on 'Google Search' in history_visits, the most visited entry is "kirby with legs"!
Answer: kirby with legs
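The -wal step matters beyond this one question, so here is a reproducible demonstration (an added example, not code from the original write-up). It builds a constructed miniature History.db in a temporary directory with one row checkpointed into the main file and two more rows committed only to the write-ahead log, copies the database out once without and once with its -wal sidecar, and counts what a fresh connection sees in each copy. The table name and URLs are made up for the demonstration.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path


def make_wal_database(db_path):
    """Constructed miniature History.db: one row in the main file, two more only in the WAL.

    The second connection is returned still open: SQLite checkpoints and deletes the
    WAL when the last connection closes, which would hide the effect we want to show.
    """
    con = sqlite3.connect(db_path)  # default rollback-journal mode
    con.execute("CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("INSERT INTO history_items (url) VALUES (?)",
                ("https://www.google.com/search?q=pokemon+but+gay",))
    con.commit()
    con.close()  # everything so far now lives in History.db itself

    con = sqlite3.connect(db_path)
    if con.execute("PRAGMA journal_mode=WAL").fetchone()[0] != "wal":
        raise RuntimeError("could not switch to WAL mode")
    con.executemany("INSERT INTO history_items (url) VALUES (?)",
                    [("https://www.google.com/search?q=kirby+with+legs",),
                     ("https://www.google.com/search?q=kirby+with+legs",)])
    con.commit()  # durable, but the pages sit in History.db-wal until a checkpoint
    return con


def copy_database(src, dst_dir, with_wal):
    """Copy a SQLite file out of the image, optionally with its -wal sidecar.

    The -shm file is a rebuildable index and is not needed; the -wal holds data.
    """
    dst_dir.mkdir(parents=True, exist_ok=True)
    dst = dst_dir / src.name
    shutil.copy2(src, dst)
    wal = src.with_name(src.name + "-wal")
    if with_wal and wal.exists():
        shutil.copy2(wal, dst.with_name(dst.name + "-wal"))
    return dst


def count_rows(db_path):
    """Rows visible to a fresh connection on the copied database."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM history_items").fetchone()[0]
    finally:
        con.close()


def compare_copies():
    """Return (rows seen without the WAL, rows seen with the WAL) for the constructed db."""
    work = Path(tempfile.mkdtemp())
    src = work / "image" / "History.db"
    src.parent.mkdir()
    live = make_wal_database(src)
    try:
        without_wal = count_rows(copy_database(src, work / "no_wal", with_wal=False))
        with_wal = count_rows(copy_database(src, work / "with_wal", with_wal=True))
    finally:
        live.close()
        shutil.rmtree(work, ignore_errors=True)
    return without_wal, with_wal


if __name__ == "__main__":
    print("rows without -wal / with -wal:", compare_copies())
```

The same applies to every SQLite store on the image (Calendar.sqlitedb, NoteStore.sqlite, MTLibrary.sqlite): always carry the -wal file along with the database, and prefer copying rather than opening files in place inside the extracted image.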
5. What is the title of the first podcast that was downloaded?
Podcasts related data is stored in the MTLibrary.sqlite database. We can copy and open it:
find . -name 'MTLibrary.sqlite' -exec cp "{}" . \;
sqlitebrowser MTLibrary.sqlite
In the table ZMTEPISODE, sort by ZDOWNLOADDATE:

The first download is WHERE ARE WE?
Answer: WHERE ARE WE?
6. What is the name of the WiFi network this device connected to? (Two words)
sqlitebrowser ios_apt.db
There is only one entry in the Wifi table:

Answer: black lab
7. What is the name of the skin/color scheme used for the game emulator? This should be a filename.
Google is my best friend. We are looking for a file with the .gbaskin extension.
find . -name "*.gbaskin"
# returns ./Jailbroken/Applications/GBA4iOS.app/Default.gbaskin
Answer: default.gbaskin
8. How long did the News App run in the background?
Background runtime is stored in the same database as in Question 3, CurrentPowerlog.PLSQL. Open the table PLAppTimeService_Aggregate_AppRunTime and filter BundleID on "com.apple.news":

We can see that the BackgroundTime is 197.810275.
Answer: 197.810275
9. What was the first app download from AppStore? (Two words)
As found in Question 11 below, two applications were installed from the App Store: Cookie Run and Pokemon Quest.
iOS logs App Store installations in the log files under private/var/installd/Library/Logs/MobileInstallation/. We can grep for the bundle IDs in that directory:
grep -r 'devsisters' Jailbroken/private/var/installd/Library/Logs/MobileInstallation/
grep -r 'pokemonquest' Jailbroken/private/var/installd/Library/Logs/MobileInstallation/

Cookie Run's first entry in the log is on Wed Apr 15 03:58:14 2020.

Pokemon Quest's is on Wed Apr 15 04:49:45 2020.
Cookie Run was installed about an hour before Pokemon Quest.
Answer: Cookie Run
10. What app was used to jailbreak this device?
In ios_apt.db, the Apps table lists all applications installed on the device. Skimming through it, you can see the app Phoenix (com.VN337S8MSJ.supplies.wall.phoenix), which is the Phoenix jailbreak. That fits the version found in Question 1: Phoenix targets 32-bit devices running iOS 9.3.5.
Answer: Phoenix
11. How many applications were installed from the app store?
Default applications are stored in the /Applications directory, while user-installed applications live in /private/var/containers/Bundle/Application.
In the Apps table of ios_apt.db, we can filter Bundle_Path on the latter path. It returns three applications:

Phoenix was obviously not downloaded from the App Store (a jailbreak app is sideloaded), so the only two applications installed from the App Store are Cookie Run and Pokemon Quest.
Answer: 2
12. How many save states were made for the emulator game that was most recently obtained?
In Question 7 we found an app called GBA4iOS.app on the device, a Game Boy Advance emulator.
The games are first downloaded as .zip files on the device, so the download history is in Safari's History.db:
sqlitebrowser History.db
Filtering the history_items table on .zip, there are two matches, 'Pokemon Leaf Green' and 'Legend of Zelda':

Now we can check the history_visits table, filtering history_item on the corresponding ids. Note that Safari's visit timestamps count seconds since 2001-01-01 (Cocoa time), not Unix epoch; for this question we only need to compare the two values.
63 is Pokemon, with a timestamp of 608636536.234073:

66 is Zelda, with a timestamp of 608636658.692032:

Zelda is the most recent download. Now we need to find where the games are installed. Game Boy Advance ROMs have the .gba extension, so we can look for files with that extension:
find . -name "*.gba"

ls -la private/var/mobile/Documents/
# shows a directory called 'Save States'
ls -la private/var/mobile/Documents/Save\ States/*/

Both games have only one save state.
Answer: 1
13. What language is the user trying to learn?
In Question 5, we saw that Tim was listening to a Duolingo podcast in Spanish.
Answer: Spanish
14. The user was reading a book in real life but used their IPad to record the page that they had left off on. What number was it?
Recording most likely means the Notes database or a picture. The Notes database doesn't contain anything relevant here.
The user recorded the page number in a video, stored in private/var/mobile/Media/DCIM/100APPLE. You can view it with vlc:
vlc Jailbroken/private/var/mobile/Media/DCIM/100APPLE/IMG_0008.MOV

Answer: 85
15. If you found me, what should I buy?
There is nothing in Pictures/Videos that could answer this question. Since we already opened the Notes database in the question above, we know where the answer is. But under normal conditions I would do the following:
Grepping for 'buy' across the whole image produces endless output, but we can list only the matching file names and filter them by extension:
grep -r -s -l -i 'buy' * | grep plist
grep -r -s -l -i 'buy' * | grep sqlite
grep -r -s -l -i 'buy' * | grep db

Looking at the results above, we can eliminate the items in Library/Caches and Library/Cookies. In a CTF you are usually time restricted; a fast way to check whether a file contains a potential flag is to run strings on it directly:
strings private/var/mobile/Containers/Shared/AppGroup/4466A521-8AF9-4E09-800B-C3203BB70E0E/NoteStore.sqlite | grep -i buy
The question is badly formatted, as it asks what should I buy, not YOU!
Answer: ‘Crash Bandicoot Nitro-Fueled’
16. There was an SMS app on this device's dock. Provide the name in bundle format: com.provider.appname
The dock layout is managed by SpringBoard and stored in private/var/mobile/Library/SpringBoard/IconState.plist. Since the property list is in binary format, we need to convert it to XML before reading it:
plistutil -i Jailbroken/private/var/mobile/Library/SpringBoard/IconState.plist -o Iconstate.plist
cat Iconstate.plist
The items in the dock are stored under the buttonBar key.

Answer: com.apple.MobileSMS
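plistutil gives you the XML to read by eye; to script the same check, the Python below (an added example, not from the write-up) reads IconState.plist directly with plistlib, which accepts the binary form, lists the dock and walks the home-screen pages including folders. The key layout it relies on (buttonBar for the dock, iconLists as one list per page, and folders as dicts carrying listType "folder", displayName and a nested iconLists) is what SpringBoard writes on this iOS generation, but it is stated here as an assumption; the SAMPLE_ICONSTATE bytes are a constructed stand-in, not the image's file.

```python
import plistlib

# Constructed stand-in for private/var/mobile/Library/SpringBoard/IconState.plist,
# serialised as a binary plist like the real one.  Only the key layout is assumed
# from the real file; the app placement below is made up for the example.
SAMPLE_ICONSTATE = plistlib.dumps(
    {
        "buttonBar": [
            "com.apple.MobileSMS",
            "com.apple.mobilemail",
            "com.apple.mobilesafari",
        ],
        "iconLists": [
            ["com.apple.mobilenotes", "com.apple.news",
             {"listType": "folder", "displayName": "Games",
              "iconLists": [["com.VN337S8MSJ.supplies.wall.phoenix"]]}],
            ["com.apple.calculator"],
        ],
    },
    fmt=plistlib.FMT_BINARY,
)


def load_iconstate(data):
    """Parse IconState.plist bytes; plistlib detects binary (bplist00) or XML input."""
    return plistlib.loads(data)


def dock_apps(state):
    """Bundle identifiers pinned to the dock, in display order."""
    return list(state.get("buttonBar", []))


def _walk(entries, where):
    """Yield (bundle_id, location) for every icon on a page, descending into folders."""
    for entry in entries:
        if isinstance(entry, dict) and entry.get("listType") == "folder":
            name = entry.get("displayName", "")
            for page in entry.get("iconLists", []):
                yield from _walk(page, f"{where}, folder '{name}'")
        elif isinstance(entry, str):
            yield entry, where


def home_screen(state):
    """Flatten every home-screen page into a list of (bundle_id, location)."""
    out = []
    for number, page in enumerate(state.get("iconLists", []), start=1):
        out.extend(_walk(page, f"page {number}"))
    return out


def locate_app(state, bundle_id):
    """Where a bundle id sits: 'dock', 'page N[, folder X]', or None if not present."""
    if bundle_id in dock_apps(state):
        return "dock"
    for found, where in home_screen(state):
        if found == bundle_id:
            return where
    return None


if __name__ == "__main__":
    # Real file: load_iconstate(open("Jailbroken/private/var/mobile/Library/SpringBoard/IconState.plist", "rb").read())
    state = load_iconstate(SAMPLE_ICONSTATE)
    print("dock:", dock_apps(state))
    for app in ("com.apple.MobileSMS", "com.VN337S8MSJ.supplies.wall.phoenix"):
        print(app, "->", locate_app(state, app))
```

Walking the folders is what makes this useful beyond the dock question: a sideloaded app such as the jailbreak tool is often tucked into a folder, and its position on the home screen is one more data point when building the timeline of what the user did with the device.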
17. A reminder was made to get something, what was it?
In recent iOS versions, reminders are stored under private/var/mobile/Library/Reminders. On this version the directory doesn't exist: on iOS 9, Reminders shares its store with Calendar, so the data is in Calendar.sqlitedb. Since we already copied that database, we can simply open it:
sqlitebrowser Calendar.sqlitedb
In the CalendarItem table there are two items, one of which is 'Get milk':

Answer: milk
Description
Jailbroken is an iPad case investigation that exposes different aspects of iOS systems.