Posts iSleuth - The iOS Odyssey Challenge Walkthrough
Post
Cancel

iSleuth - The iOS Odyssey Challenge Walkthrough

Posted Nov 5 2023-11-05T00:00:00+03:00 by Stephen Kageche

iSleuth - The iOS Odyssey

We equip our employees with a phone of their preference. We keep an observant eye on these devices, ensuring there’s no misuse or suspicious behavior. But things went awry when one such device started showing strange activities— from dubious browser history to peculiar emails and unauthorized social media access. Our in-house forensics team is a tad out of their depth with this one, and that’s where you come in! We’ve armed them with a state-of-the-art software—Belkasoft Evidence Center X—but it’s up to you to use it and crack the case.

Instructions:

  • Download the trial version of Belkasoft Evidence Center X from Belkasoft X Please note: VM installations aren’t supported!
  • Investigate the leads, navigate through the digital trails, and unravel the story.
  • If you find yourself at a dead-end, remember—Google can be your trusty sidekick!
  • Download the artifacts here. Password will be shared at the event.

Challenge Creation.

So i relaized there’s an old iPhone 6 larking around with no purpose and decided to embark on a journey of learning Mobile Forensics. I came across a LinkedIn post from Belkasoft where they offered a 7day free access to their iOS Forensics Course.

gif

I took the course and learnt a thing or two.😁✌ I hope I’ll breakdown this branch of forensics in an easy and educational way.

gif

But first things first, the goal of creating this challenge was to introduce you to a suite of tools by Belkasoft. Specifically Belkasoft X which can be used to Acquire, examine and analyze evidence from mobile, computer and cloud storage.

Download the software from here and install it. Load the 30day license and lets get strated.

First, we create a new case. This is more like an Analysts workspace.

image

Fill out the basic details and hit Create.

image

You will then be asked to add a new data source to the case.

image

At this point, just hit close for now and lets proceed. From the initial dashboard, there is some sample data sources from a macbook and iphone. We can see some potential Application types and Artifacts that can be collected for analysis.

image

Lets acquire evidence.

image

Belkasoft Allows you to Acquire Drives, Tableau, Mobile (Android & iOS) as well as cloud.

image

Lets start with Cloud acquisition. Here, you have the option to acquire data from a variety of sources.

image.

Looking at the Mobile Device acquisiton types:

image

Starting with Android devices, the tools supports a variety of devices supported. For a complete list, check out.

image

For iOS devices, we have:

image

For SIM Acquisition, we have the following options, but to keep it simple, this is out of scope for now.

image

There are several forensically sound acquisition methods available for iOS devices. They can be roughly categorized by the amount of extracted data:

  • Backup acquisition methods (iTunes- and iCloud-based) enable examiners to obtain the files and folders that the devices create to be able to restore their configuration and information; those will include lots of valuable evidence, including the keychain file that helps to get access to encrypted data, but will not have a number of system files that can provide additional insights into the device usage

  • Full file system acquisition methods (agent backup, checkm8-based) gain administrative access to the device, decrypting and copying all system folders and files; you must keep in mind that these methods are based on system exploits, so you need to thoroughly follow the instructions provided by the tool and may sometimes need to repeat the acquisition procedure a few times to get a result

Note: Jailbreak is not a forensically sound iOS acquisition method since it involves procedures that may alter or wipe the information on devices. However, if a smartphone or tablet is already jailbroken, Belkasoft X enables you to acquire its full file system. The product supports all the latest jailbreaks, such as checkra1n, odyssey, unc0ver, and others

  • AFC, or Apple File Conduit, is a method based on the service that iOS devices use to copy media files like photos and videos from and to devices. The amount of data you can acquire with it is limited to these types of files

  • Crash reports acquisition enables you to extract iOS application and system crash logs that can provide some data on what was happening on the device
  • Screen capturer is an acquisition method that helps you take screenshots of data displayed on a device and save them as a data source

With the free trial version, you will only have access to the iTunes backup (lockdown files), Crash logs, AFC, Automated screen capturing capabilities.

image

You can read more about Mobile data acquisition methods here

Acquisition States

AFU

AFU is an acronym for After First Unlock. It refers to the mode an iPhone is in when a user enters the correct passcode for the device after a reboot or power-on event.

In other words, when a user restarts or turns on their iPhone and then types in the passcode, the device ends up in the AFU mode.

AFU is a considerably less secure iPhone mode, especially when compared to BFU. Forensic toolkits enjoy more success when they are used to extract data from an iPhone in the AFU state because the files are not encrypted then.

Some extraction procedures employ fast brute force techniques (numerous cracking attempts) to access data on iPhones in the AFU state.

BFU

BFU is an acronym for Before First Unlock. Before First Unlock refers to the mode an iPhone is in immediately after reboot or power-on when it is yet to be unlocked.

In other words, after a user reboots or puts on their iPhone, it enters BFU and remains in that mode until the user inputs the passcode.

Security experts consider BFU the most secure mode for an iPhone. The files inside an iPhone stay encrypted until a user fills in the required password, which (if correct) is used to decrypt its file system.

The description here is an oversimplification of the events that occur, but the ideas behind it are quite solid.

Here, you can see the results from checkm8-based acquisition from the same iPhone with and without the passcode:

image

Acquisition Types

1. iTunes backup

iTunes backups are a standard procedure that allows iOS users to create a device backup image on a computer to restore their data and settings if they lose or damage the device. Such backups typically include configuration files, installed applications, their data and settings, media files, messages, contacts, calendars, and what is important—the keychain file where users can store credentials for websites and apps. iOS device users can secure their iTunes backups with a password. Such backups protect the backup from access by a third party and include more data.

The forensic iTunes backup acquisition mimics the standard iOS device backup procedure. When performing it, Belkasoft X suggests turning backup encryption on to obtain more data. If the device user has previously created an encrypted backup in iTunes, the product will reset the user’s password with its standard password for iTunes acquisition; to do it, you will need to unlock the device with its passcode. Later on, when selecting the acquired device image for analysis, Belkasoft X automatically applies the password to decrypt it.

If you use Belkasoft X to analyze an encrypted iTunes backup image acquired with another tool, you can provide the password to decrypt it on the Tasks tab or on the Artifacts → Structure tab using the context menu. iTunes backup acquisition typically works for all device models and versions. To run it in Belkasoft X, you must install the Microsoft Store iTunes application on the workstation you use for acquisition and have the passcode to access the device or its lockdown file.

Supported iOS versions: any (including iOS 16)

Practical

First, we need an iPhone. In my case, i’m using an iPhone 6. i created a test iCloud account for the purpose of this challenge/demo.

image

After installing iTunes on my analyst worsktation, i logged in using the iCloud account.

image

Connecting the phone to the analyst workstation, the device is detected

image.

In this prompt, you get an option for doing Automatic or Manual Back ups. You can backup important data only, or full backup.

In this challenge, i choose to do a full backup of my phone on this computer.

image

It is adviced to do an Encrypted Backup, but for the sake of this walkthrough, i did not encrypt the backup.

image

Select the device

image

Choose iTunes backup

image

Connect the mobile device and click next.

image

Once the device is detected, click next

image

With the screen unlocked, click next

image

I choose not to encrypt the backup , so i selected no.

image

Select the path to store the artifacts and start the process.

image

image

image

image

Lockdown files

When a user connects an iOS device to a computer for the first time or initiates an iTunes backup, the device usually displays a prompt asking whether it should trust the computer. If the user confirms the request, the device pairs with the computer and creates a lockdown file to auto-approve further connections to it.

You can look for iOS device lockdown files on the computers they have connected to. Here are the paths where you can find them on different operating systems:

  • Mac OS X: /private/var/db/Lockdown/ (may require additional access permissions)
  • Windows 7, Windows 8, Windows 10: C:\ProgramData\Apple\Lockdown

image

When you use a lockdown file for iTunes backup acquisition, you can get the most of the device data if the device has been unlocked with a passcode at least once after being restarted or powered on (it is not possible to overstate how important it is to keep the device charged and powered on after seizure). Also, note that the file can expire after a while (Apple does not mention its exact validity period), and it also expires if the device is factory reset.

2. iCloud acquisition

iCloud holds a wealth of user data for various iOS devices, including but not limited to iPhones and iPads. Apart from photos and various application data such as calendar, notes, and reminders, it can also contain device backups, which can be crucial for a digital forensic investigation or a corporate incident response case. Under some circumstances, it is even possible to acquire iOS device data without having physical access to that particular device. Also, you can acquire backups of all linked devices by having access to a single trusted device, bound to an iCloud account.

There are two methods in Belkasoft X to download iCloud data: iCloud app data and iCloud backups:

image

image

image

The first button (iCloud) allows you to download photos, mail, notes, contacts, calendar, and other supported types of data, which you can see above in the ‘Brief Fact Sheet’.

The second button (iCloud Backups) is devoted solely to iOS backups. These methods use different techniques and thus are separated.

Clicking on iCloud will prompt you to enter iCloud credentials. You will have to enter a valid iCloud account name and password:

image

Note: Do not confuse an iCloud password with an iPhone passcode.

Set path to store artifacts.

image

You will have to enter a code received as a second authentication factor (2FA). There are two types of second factors supported by Belkasoft X:

  • SMS: A code from an SMS sent to a phone number, linked to an iCloud account
  • Code: A code sent to a trusted device

image

In my case, a code was sent to the device and since we trust this sign in request, allow

image

image

Module: Basic Information

  • From which iOS version were these artifacts extracted?

BSidesNBI{12.5.7}

  • Can you identify the Device Build Version

BSidesNBI{16H81}

  • Can you identify the device IMEI number?

BSidesNBI{359234062045960}

  • How many additional apps did the user install beyond the default ones provided on the phone?

BSidesNBI{12}

  • A user called “Aiden Wilson” was saved on the target phone. What is his nickname?

BSidesNBI{Adi}

  • Were there any hidden or secretive contents in the user’s iCloud Notes?

BSidesNBI{g00d_70b_d3t3ct1v3}

  • The user paired with someone’s AirPods, which we believe might be stolen. Can you determine the most recent date and time of connection?

BSidesNBI{13/10/2023 19:36:45}

  • Determine the most recent WiFi network to which the device connected?

BSidesNBI{b4:9:31:8:63:10}

  • Was the iTunes Backup encrypted or not?

No

  • Did the mobile device contain a password lock?

Yes

Solution

Investigation

  • The user received a suspicious email from an unknown individual, can you identify the name of the project discussed?

BSidesNBI{XYZ}

  • What name did the “unknown individual” refer to himself as on email?

BSidesNBI{05t3}

  • The user tried to cover his tracks by opting to shift the conversation to another safer platform. Which platform did he suggest?

BSidesNBI{facebook}

  • Dive into the artifacts presented and find facebook login credentials for the said user. use them to login and answer further questions. What is the user’s password?

BSidesNBI{*Nkydx3hN$t%A5X}

  • What was the unknown individual’s identity on the platofrm mentioned previously?

BSidesNBI{Ying_Yang}

  • Can you get the link where the user was expected to download his ticket?

BSidesNBI{https://drive.proton.me/urls/QGZ2468SWM#de0mj4oxooYw}

  • The two users then decided to shift their conversation to yet another platform. What is its name?

BSidesNBI{zangi}

  • The user shared some files with a different user on the platform mentioned above. Can you get his number?

BSidesNBI{1032918028}

Solution

CTF-TIME
iOS iTunes iCloud iOS forensics belksoft aquisition
This post is licensed under CC BY 4.0 by the author.

Recent Update

Contents

BSides Nairobi 2023 Cyber Challenge Walkthrough

DART CTF - Objective 1

Comments powered by Disqus.