Wednesday, May 4, 2011

iPhone Forensics Tools

I've written a couple of articles about my experience with iPhone data ("iPhone Sings like a Jailbird", "Recovering Data from Deleted SQL records", and "Parsing the iPhone SMS Database"), and recently I have been helping others with some iPhone data recovery.  Those experiences have led me to create a few simple iPhone forensics tools.  I'll list them in name order and briefly describe them:

  1. iphone_ab
    iphone_ab is a tool to parse the iPhone address book, which is stored in a SQLite file called AddressBook.db.  The tool links two tables to produce a simple output containing first and last name, phone number/email address, record creation date and record modification date.  There is much more data that can be mined from the database, but this is the basic data that interests most investigators.

  2. iphone_ch
    iphone_ch is a tool to parse the iPhone call history, which is stored in a SQLite file called call_history.db.  The tool reads the 'call' table and reports the date, call type, phone number, and call duration of each record.  Unix epoch time is converted to local time and call flags are interpreted (Incoming, Outgoing, etc.).

  3. iphone_cs
    iphone_cs is a tool to parse the iPhone consolidated.db, which is a SQLite file that stores GPS data used by apps.  Experimentation shows that one table in particular, the CellLocationLocal table, records the location of the iPhone handset when it runs apps that use location data.  Don't think location data is restricted to mapping apps--I have seen dictionary apps that ask to use your location.  Now, why is that?  In a word: advertising.  iphone_cs will parse the CellLocation, CellLocationLocal, and WifiLocation tables for GPS data and allow the data to be formatted for mapping tools like gpsbabel or websites like GPSVisualizer.com.

  4. iphone_images
    iphone_images is a tool that will search a path for images and videos (identified by mime type) and provide the EXIF data by use of the excellent exiftool.  Alternatively, files containing GPS data can be parsed to export data suitable for mapping.  Finally, videos purchased through the Apple Store can be sifted for the Apple Store user name and real name of the purchaser.

  5. iphone_music
    iphone_music is a tool that will search a path for audio files, particularly those in the 'iTunes Control/' folder (though not restricted to these files).  iTunes uses random filenames for music it transfers to an iPhone or iPod.  The tool, at its most basic level, reveals the song name, album, and artist to help owners identify their device by its content (think recovered stolen device).  The tool can also produce rich metadata, again, thanks to exiftool, as well as single out those songs purchased through the Apple Store and report Apple Store credentials like iphone_images.

  6. iphone_sms
    iphone_sms is a tool to parse the iPhone SMS database, located in a file called sms.db.  The tool reads the message table and reports the date, message type (sent, received, etc.), phone number, and text message in each record.  Unix epoch time is converted to local time and message flags are interpreted (Sent SMS/MMS, Received MMS, etc.).
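The two steps iphone_ch and iphone_sms share, reading a table out of the SQLite file, converting the Unix epoch to local time and turning the flags column into a label, look like this in Python. This is an added example written for this page, not one of the BASH tools above; the 'call' and 'message' schemas are reduced to the columns the post names, the sample rows are constructed, and the flag-to-label mappings are assumptions for the iOS 4-era databases rather than values the post gives, so anything outside the mapping is reported numerically instead of guessed.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed flag meanings for the iOS 4-era 'call' and 'message' tables; not stated
# on the page, so unknown values are reported as numbers rather than guessed.
CALL_FLAGS = {4: "Incoming", 5: "Outgoing"}
SMS_FLAGS = {2: "Received", 3: "Sent"}


def epoch_to_iso(seconds, tz=None):
    """Convert a Unix epoch value to an ISO-8601 string; tz=None means local time."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).astimezone(tz).isoformat()


def open_readonly(path):
    """Open an evidence database in read-only mode so the examiner never writes to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed in-memory stand-in for call_history.db and sms.db (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT,
                           date INTEGER, duration INTEGER, flags INTEGER);
        INSERT INTO call VALUES (1, '5551234567', 1304500000, 65, 4);
        INSERT INTO call VALUES (2, '5559876543', 1304503600, 0, 5);
        INSERT INTO call VALUES (3, '5550000000', 1304507200, 12, 99);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, text TEXT, flags INTEGER);
        INSERT INTO message VALUES (1, '5551234567', 1304500100, 'running late', 2);
        INSERT INTO message VALUES (2, '5551234567', 1304500200, 'ok, see you there', 3);
    """)
    return con


def interpret(flag, mapping):
    """Label a flag value, keeping the raw number visible when it is not understood."""
    return mapping.get(flag, f"Unknown({flag})")


def parse_calls(con, tz=None):
    """Return (time, call type, number, duration in seconds) for each 'call' row."""
    rows = con.execute("SELECT date, flags, address, duration FROM call ORDER BY date")
    return [(epoch_to_iso(d, tz), interpret(f, CALL_FLAGS), a, dur) for d, f, a, dur in rows]


def parse_sms(con, tz=None):
    """Return (time, message type, number, text) for each 'message' row."""
    rows = con.execute("SELECT date, flags, address, text FROM message ORDER BY date")
    return [(epoch_to_iso(d, tz), interpret(f, SMS_FLAGS), a, t) for d, f, a, t in rows]


def to_tsv(records):
    """Tab-separated lines for stdout, so output can be redirected like the BASH tools."""
    return "\n".join("\t".join(str(v) for v in rec) for rec in records)


if __name__ == "__main__":
    # For real evidence use open_readonly("call_history.db") instead of the sample.
    db = build_sample_db()
    print(to_tsv(parse_calls(db)))
    print(to_tsv(parse_sms(db)))
```

Two points carry over to any such tool: open the database with `mode=ro` so a stray write (or SQLite creating a journal file) cannot alter the evidence, and treat a flag value outside the known set as a finding to investigate rather than silently mapping it to the nearest label.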

All of the tools, written for BASH, attempt to follow the Unix principle of making one tool do one thing and do it well.  They each have a variety of options that can be read by invoking help, e.g., 'iphone_sms -h'.  The database tools do not find the target database for you, since your iPhone data may come from a variety of sources (iPhone images, backups, etc.).  Output for all tools is to stdout (the screen) but may be redirected to a file.  For example, to redirect the mapping data from iPhone images and videos, the command 'iphone_images -m /private/var/mobile/Media > images_gps.txt' could be used.
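The mapping output that iphone_cs produces from consolidated.db can be illustrated by pulling the location tables into GPX, which both gpsbabel and GPSVisualizer.com accept. This is an added Python example, not the page's own tool; the sample database and its rows are constructed, the column names are reduced to the four the export needs, and the timestamp conversion assumes the consolidated.db tables count seconds from 2001-01-01 UTC (Apple's absolute time) rather than the 1970 Unix epoch.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Assumption: consolidated.db timestamps are seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# The three tables the post names; any that are absent from a given file are skipped.
LOCATION_TABLES = ("CellLocation", "CellLocationLocal", "WifiLocation")


def mac_time_to_iso(seconds):
    """Convert an Apple absolute-time value to an ISO-8601 UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db():
    """Constructed in-memory stand-in for consolidated.db (sample rows, not real evidence)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE CellLocationLocal (Timestamp REAL, Latitude REAL,
                                        Longitude REAL, HorizontalAccuracy REAL);
        INSERT INTO CellLocationLocal VALUES (326000000.0, 38.8977, -77.0365, 500.0);
        CREATE TABLE WifiLocation (Timestamp REAL, Latitude REAL,
                                   Longitude REAL, HorizontalAccuracy REAL);
        INSERT INTO WifiLocation VALUES (326000100.0, 38.8895, -77.0353, 65.0);
        -- a 0,0 row is a failed fix, not a position, and must not be plotted
        INSERT INTO WifiLocation VALUES (326000200.0, 0.0, 0.0, -1.0);
    """)
    return con


def read_fixes(con, tables=LOCATION_TABLES):
    """Collect timestamped positions from whichever location tables exist."""
    present = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    fixes = []
    for table in tables:
        if table not in present:
            continue
        # table names come from the fixed tuple above, never from user input
        query = f"SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy FROM {table}"
        for ts, lat, lon, acc in con.execute(query):
            if lat == 0.0 and lon == 0.0:
                continue
            fixes.append({"table": table, "time": mac_time_to_iso(ts),
                          "lat": lat, "lon": lon, "acc": acc})
    fixes.sort(key=lambda f: f["time"])
    return fixes


def to_gpx(fixes):
    """Render fixes as GPX 1.1 waypoints, one per row, with source table and accuracy."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<gpx version="1.1" creator="consolidated.db example">']
    for f in fixes:
        lines.append(f'  <wpt lat="{f["lat"]:.6f}" lon="{f["lon"]:.6f}">')
        lines.append(f'    <time>{f["time"]}</time>')
        lines.append(f'    <name>{escape(f["table"])}</name>')
        lines.append(f'    <desc>horizontal accuracy {f["acc"]:.0f} m</desc>')
        lines.append('  </wpt>')
    lines.append('</gpx>')
    return "\n".join(lines)


if __name__ == "__main__":
    # Redirect to a file exactly as with the BASH tools: python3 this.py > fixes.gpx
    print(to_gpx(read_fixes(build_sample_db())))
```

The accuracy value is worth carrying into the output: a cell-tower fix with a 500 m radius and a Wi-Fi fix with a 65 m radius look identical on a map, and an examiner drawing conclusions about where the handset was needs that difference visible.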

I hope you have success with the tools.  Please contact me with any errors you detect and/or feature suggestions you might have.  I am already contemplating an "export" function to, for example, export to a directory the images that were the source of the GPS data in the mapping output from iphone_images.


You can download iphone_tools here.

4 comments:

  1. Does the phone have to be jailbroken in order to remove the sms.db?

    1. No, the sms.db can be obtained through a backup. In Linux, I'd recommend the libimobiledevice library and tools to create the backup. The tool 'idevicebackup' has an 'unback' option that restores the flat, iTunes-style backup (all files are placed in a single directory and renamed as a 40-byte SHA-1 hash of the file name and path), to the original file name and path.

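The backup naming the reply above describes, a flat directory of files named by the SHA-1 of the domain-qualified path, is what makes a database findable without a jailbreak, and it is easy to reproduce. This is an added Python example, not part of the post or of libimobiledevice; the domain and path for sms.db are the well-documented ones, the call_history.db and address book entries are given as assumptions, and it also checks the two-character subdirectory layout that later iTunes versions use, which goes beyond the flat layout the reply discusses.

```python
import hashlib
import os
import tempfile

# Domain-qualified paths for the databases the tools read. The sms.db entry is the
# well-known one; the other two are assumptions for the iOS 4-era file locations.
BACKUP_TARGETS = {
    "sms.db": ("HomeDomain", "Library/SMS/sms.db"),
    "call_history.db": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
}


def backup_filename(domain, relative_path):
    """Name of a file inside an iTunes-style backup: SHA-1 hex of '<domain>-<path>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def locate_in_backup(backup_dir, targets=BACKUP_TARGETS):
    """Map each target database to its path in the backup, or None if it is absent.

    Checks the flat layout (all files in one directory) and the later layout
    that groups files into subdirectories named by the first two hex characters.
    """
    found = {}
    for name, (domain, rel) in targets.items():
        digest = backup_filename(domain, rel)
        candidates = (os.path.join(backup_dir, digest),
                      os.path.join(backup_dir, digest[:2], digest))
        found[name] = next((c for c in candidates if os.path.isfile(c)), None)
    return found


def demo():
    """Build a constructed backup directory containing only sms.db and locate it."""
    with tempfile.TemporaryDirectory() as backup_dir:
        # constructed: an empty file standing in for the real hashed sms.db
        sms_name = backup_filename("HomeDomain", "Library/SMS/sms.db")
        open(os.path.join(backup_dir, sms_name), "wb").close()
        return locate_in_backup(backup_dir)


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: {path or 'not present in backup'}")
```

`hexdigest()` gives the 40-character hexadecimal form of the 160-bit SHA-1 output, which is the string that appears as the file name. Because the name is derived from the path alone, the same database hashes to the same name in every backup, so a lookup table like the one above is stable across devices; an entry that resolves to None simply means that file was not backed up.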
  2. This comment has been removed by the author.

    1. I suspect you could create an ssh and then access the device RAM through its device node. As for the second part of your question, I'm unclear as to what you mean.

