The CyberJungle Radio Program also met with a representative of Lantern by Katana Forensics here at PFIC.
For example, did the use enter in a search engine string that is relevant to the investigation? Or, did the user start to enter a note with relevant information, and then delete the note? This keylogging feature can contain a treasure-trove of valuable information. That feature saves a running log of recent keystrokes. IBackupBot will also allow the viewing of all "captured text." The iPhone has a spell checker to improve the accuracy of the on-screen keyboard. iBackupBot is a Microsoft Windows application, and therefore is more useful for forensic labs, where Windows is still the predominate operating system. Finally, most iOS tools are Mac-only tools (developed by Mac developers for Mac users). And, the applications allows the export of the data to CSV files for easier creation of charts for use in reports. iBackupBot allows the investigator to view the device's databases, images, SMS messages, notes, address book, call history calendar, and more. With iBackupBot, the investigator can view and analyze the iTunes backup files, and quickly identify the relevant files of interest. IBackupBot is an easy-to -use shareware/nagware tool allows an investigator to view and analyze the iOS backup files that reside on the computers end users use to manage their iOS devices.
And it's iTunes that provides a wealth of information for the forensic investigator.
All iPhone users must use iTunes to manage their device. The hands-on part of the bootcamp was to a great extent focused on using the iBackupBot. Ben uses an excellent tool for conducting iOS forensic analysis, and provided helpful "boots in the trenches" tips. The focus of the bootcamp was mostly on iPhone forensics, although many of the principals apply to the other devices. Lemere has worked in forensics for The Feds, and the private sector. The iOS Forensics Bootcamp was instructed by Ben Lemere of Basis Technologies. With the exploding popularity of these devices (well, except for the iTV), Law Enforcement, corporate investigators, and other forensic professionals are looking to learn more about this platform. Apple's iOS is the operating system that powers the Apple iPhone, iPod Touch, the iPad, and the Apple iTV device. We can then browse to the tar file, select the modules we want to run, and hit “Process”.One of the training classes with high attendance at the Paraben Forensic Innovations Conference this week in Park City, Utah, was the Apple iOS Forensics Bootcamp. For the Windows version, all we need to do is open the “ileappGUI.exe”. But this tool is built on Python which means we can also run it on Linux, or macOS if needed. We downloaded the “iLEAPP-windows.zip” version since we’re running on Windows. Since we acquired an iOS device image with ArtEx in the previous step, we can use that image and run it through iLEAPP to process the data. It provides fast support for parsing out iDevice artifacts.
iLEAPPĪnother excellent tool aimed at iDevices is iLEAPP. So instead of the old way of testing which took hours where you had to acquire a device, make changes to the apps, and then reacquire the entire device again, you can now do the whole process in minutes. The highlight of this feature is that you’ll be able to see the files on the device, make a change in an app or on the device (send a message, take a picture, or navigate somewhere in a browser), and then ‘remap’ the live connection and it will show you a refreshed look and the new files/artifacts associated with the changes you just made. Once you find the correct package, you’ll just need to install it. The first step is to search for and install OpenSSH on your jailbroken iDevice from Cydia. We’ve mentioned this before, but it’s always recommended to use a jailbroken iDevice to obtain the most data possible and ArtEx will require it for extraction and connecting live devices. We’ll look at getting both methods working here. ArtExĪrtEx is a great tool to both acquire an image of your iOS device AND to also look at a live device. A couple of tools we'll take a look at are Artifact Examiner (ArtEx) and the iOS Logs, Events, And Plists Parser (iLEAPP). While there are a lot of heavy hitters out there with the commercial tools that provide excellent support for iOS devices, it's always recommended and beneficial to try additional tools to verify data you get from those commercial tools. We're going to look at a few free resources available for iOS examinations.