Application Forensics
Sarah Edwards
oompa@csh.rit.edu
@iamevltwin
CEIC - May 2011

About Me
Digital Forensic Analyst with Harris Corporation, Computer Intrusions
Free time is used for iOS/Mac forensic research

Objectives
If you sit through this, you'll get:
Contacts
Pictures
Documents
Usernames
Passwords
Locational Data
much more.
It is so easy, almost too easy.
iOS Application Security Awareness
What about Android/Blackberry/Windows?
2011 Harris Corporation
iOS Apps Prevalence
iPhone
iPad
iPod Touch

Caveats
Third-party applications only.
Redaction: lots of personal information in Apps. Lots of pictures.
Software Verification and Validation
Evidence Admissibility
Detailed acquisition techniques
Applications Versions

Backup Files
Mac: ~/Library/Application Support/MobileSync/Backup/
"Zdziarski" Method: NIST Approved, LE/Military Only
/User/Applications Directory

Application Directories
/private/var/mobile/Application (Actual Path, linked to /User/Application)
/User/Applications/########-####-####-####-############ (Universally Unique ID)
<Application_Home>/AppName.app: Application Bundle (Not Backed Up)
<Application_Home>/Library/: Contains application specific files. (Backed Up)
<Application_Home>/Library/Preferences: Application Preference Files (Backed Up)
<Application_Home>/Library/Caches: Application specific support files. Persistent between application launches. (Not Backed Up)
<Application_Home>/tmp/: Temporary files, not persistent between application launches. (Not Backed Up)

iTunesMetadata.plist
Contains information such as:
Product Information
Purchase Data
Apple Account Data
http://itunes.apple.com/app/id321506742
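As an added example (not from the talk), a Python script that ties each opaque UUID container in the layout above back to the app it holds, using the .app bundle name and the itemName and softwareVersionBundleId keys of iTunesMetadata.plist; the sample tree it builds and the values in it are constructed for the demo.

```python
import os
import re
import plistlib
import tempfile

# Container directory names follow ########-####-####-####-############
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
SAMPLE_UUID = "12345678-1234-1234-1234-123456789ABC"  # constructed value


def map_containers(apps_root):
    """Tie each UUID container under apps_root to the app it holds, using the
    .app bundle name and the itemName / softwareVersionBundleId keys of
    iTunesMetadata.plist when that file is present."""
    result = {}
    for name in sorted(os.listdir(apps_root)):
        home = os.path.join(apps_root, name)
        if not (UUID_RE.match(name) and os.path.isdir(home)):
            continue  # stray files and non-UUID directories are not containers
        bundles = [d for d in os.listdir(home) if d.endswith(".app")]
        info = {"bundle": bundles[0] if bundles else None,
                "item_name": None, "bundle_id": None,
                "has_documents": os.path.isdir(os.path.join(home, "Documents"))}
        meta = os.path.join(home, "iTunesMetadata.plist")
        if os.path.isfile(meta):
            with open(meta, "rb") as fh:
                md = plistlib.load(fh)  # handles both XML and binary plists
            info["item_name"] = md.get("itemName")
            info["bundle_id"] = md.get("softwareVersionBundleId")
        result[name] = info
    return result


def build_sample_tree(root):
    """Constructed sample: one container laid out as the slides describe."""
    home = os.path.join(root, SAMPLE_UUID)
    for sub in (("Example.app",), ("Documents",), ("Library", "Caches"), ("tmp",)):
        os.makedirs(os.path.join(home, *sub))
    with open(os.path.join(home, "iTunesMetadata.plist"), "wb") as fh:
        plistlib.dump({"itemName": "Example App",
                       "softwareVersionBundleId": "com.example.app"}, fh)
    os.makedirs(os.path.join(root, "not-a-container"))  # must be skipped


def demo():
    """Build the sample tree in a temp dir and return the container map."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return map_containers(root)
```

Pointed at a real /User/Applications tree, map_containers() produces the same UUID-to-app listing for triage.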
/Library/Caches/Snapshots/
Might get lucky. This directory may contain a screenshot of the screen when the device was screen locked.

Contains App Specific data
/var/mobile/Library/Preferences/com.apple.appstore.plist: App Store Last Search entry
/var/mobile/Library/Preferences/com.apple.locationd.plist: List of Apps that use the Location Services. Binary setting shows if Location Services are enabled.
/var/mobile/Library/Preferences/com.apple.springboard.plist: Contains the order of Applications on each screen
com.apple.mobile.installation.plist
com.apple.appstore.plist
com.apple.locationd.plist
com.apple.springboard.plist

Dates
Many use Absolute Time: Seconds from 1/1/2001 00:00:00 GMT
Tools:
Mac: CFAbsoluteTimeConverter (hsoi.com/hsoishop/software/)
Windows: Dcode (digital-detective.co.uk/freetools/decode.asp)
BlackBag's Epoch Converter (blackbagtech.com/resources/freetools/epochconverter.html)

SOCIAL NETWORKING

Facebook v.3.4
com.facebook.Facebook.plist
/Documents/friends.db: Facebook Profile http://www.facebook.com/profile.php?id=<UID>
/Documents/analytics_buffer
/Library/Caches/Three20/
May contain: Profile Icons, XML Text Files, Album Photos, Miscellaneous Pictures
<fql_result> <name>checkins_activity</name>: Contains User IDs & coordinates. Lots of other data.
<profile_response><user: Contains profile data. User ID, Last Load Time, Birthday, Name, Hometown, Relationship Status, Friend Count, Email, Link to user picture, Etc.
<fql_result> <name>event</name>: Contains Event data
<stream_post> <source_id>: Includes http://www.facebook.com/<uid>/posts/<post_id>
<photos_response>: Contains links to photos, including descriptions, comments and user data.
<profile_response><album: Contains photo album information.
/Library/Caches/SDURLCache/
Another cache directory. May contain: Javascript; Pictures, complete with originating URL.

LinkedIn v.3.6
com.linkedin.LinkedIn.plist
/Documents/connections_<memberid>.plist
/Documents/LinkedIn/
/Documents/LinkedIn/member_<memberid>.plist
/Documents/LinkedIn/network_update_*
/Documents/LinkedIn<GUID>.sqlite: ZBUZZTOPICOBJECT, ZLIMESSAGE, ZLIMESSAGEMEMBER
/Library/Caches/Three20/

Amazon v1.4
com.amazon.Amazon.plist

Chase v.2.8.1202
User IDs
com.chase.plist
/Documents/localcache.dat

Mint v1.7.2
/Documents/mint_gala.db: account Table, transaction_bankcc Table

E*Trade v1.8.4
User ID

Ebay v2.1.1
com.ebay.iphone.plist
/Library/Caches/Settings/<userid>-X-0-user.cache: Contains User Information. Full Address, Email Address, Account Name, Phone Number

Paypal v3.2
com.yourcompany.PPClient.plist
/Documents/PayPalUserDetailsCache: Street Address, Secure Merchant ID

Version 4.01

iGmail v5.6.8
com.idemfactor.iGmail.plist
/Library/WebKit/Databases/https_mail.google.com_0/0000000000000001.db

MultiG v1.3
/Documents/MultiG/People.sqlite

Latitude v2.1.2
/Documents/location.plist
Library/Preferences/com.google.GoogleLatitude.plist

CalenGoo v1.5.11
1305432000 = Sun May 15 00:00:00 EDT 2011
1305777600 = Thu May 19 00:00:00 EDT 2011
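An added Python example (not from the talk) for the Dates slide and the CalenGoo values above: it reads a raw number either as Unix epoch or as CFAbsoluteTime (seconds from 1/1/2001 00:00:00 GMT), shows both readings side by side, and reproduces the CalenGoo conversions in EDT (UTC-4). The 978307200-second offset between the two epochs is a known constant; everything else is illustrative.

```python
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's absolute-time epoch
# (2001-01-01 00:00:00 GMT): 31 years, 8 of them leap years.
CF_ABSOLUTE_EPOCH_OFFSET = 978307200
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def unix_to_utc(seconds):
    """Read a value as seconds since 1970-01-01 00:00:00 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def cf_absolute_to_utc(seconds):
    """Read a value as CFAbsoluteTime: seconds since 2001-01-01 00:00:00 GMT."""
    return unix_to_utc(seconds + CF_ABSOLUTE_EPOCH_OFFSET)


def decode_both(value):
    """Return both readings of a raw number; they are 31 years apart, so the
    artifact's context (a 2011 device cannot hold 2042 dates) picks the right one."""
    return {"unix": unix_to_utc(value), "cf_absolute": cf_absolute_to_utc(value)}


def to_local(dt, utc_offset_hours):
    """Shift a UTC datetime into a fixed-offset zone, e.g. -4 for EDT."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def render_local(value, utc_offset_hours, cf_absolute=False):
    """Format a raw timestamp the way the CalenGoo slide shows it."""
    dt = cf_absolute_to_utc(value) if cf_absolute else unix_to_utc(value)
    return to_local(dt, utc_offset_hours).strftime("%a %b %d %H:%M:%S %Y")


if __name__ == "__main__":
    # CalenGoo values from the slides are Unix epoch, displayed in EDT (UTC-4)
    for raw in (1305432000, 1305777600):
        print(raw, "=", render_local(raw, -4))
    # The same May 2011 instant stored as CFAbsoluteTime in a plist
    cf_value = 1305432000 - CF_ABSOLUTE_EPOCH_OFFSET  # 327124800
    print(cf_value, "=", render_local(cf_value, -4, cf_absolute=True))
```

A CFAbsoluteTime read with a Unix converter lands in 1980 and a Unix value read as CFAbsoluteTime lands in 2042, which is why decode_both() keeps both candidates visible.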
UTILITIES

TouchTerm v2.4.2
net.jbrink.mobile.TouchTerm.plist: connections Field
/Documents/pinchmedia/*.sql
/Documents/Cookies.plist
/Library/WebKit/LocalStorage/http_www.google.com_0.localstorage

com.yourcompany.passwd.plist: Passwords

/Documents/<username>@gmail.com.setting
/Documents/<username>@gmail.com.sqlite: Unencrypted password! VERY large SQLite database. Text of RSS Feeds. Metadata about feeds.
com.nibirutech.MobileRSSHDFree.plist
/Library/Caches/download/images/<username>@gmail.com

OpenTable v3.2
com.contextoptional.OpenTable.plist

BLOGGING

Tumblr v1.2.2
/Documents/userData.mxdata: Unencrypted Password, Email
/Documents/textPost.details

WordPress v2.6.4
/Documents/wordpress/blogs.archive
Item 21 = Username
Item 22 = BlogID
Item 23 = Blog URL
Item 24 = Blog name
Item 25 = Blog URL
/Documents/wordpress/<blog>.wordpress.com/<blogid>/comment.1.archive
/Documents/wordpress/<blog>.wordpress.com/<blogid>/post.1.archive
org.wordpress.plist

/Library/Preferences/com.microsoft.binghd.plist
/Documents/BingTab.sqlite
/Documents/weatherSearch
/Documents/MapsCache

TRAVEL

TripIt v2.4
/Documents/TripIt.sqlite: ZTRAVELER Table, ZTRIPITOBJECT Table

Navigon v1.7
com.navigon.NavigonNorthAmerica.plist: Program Preferences (Audio, Terrain, POIs, Speed Warnings, Traffic, Etc.)
/Library/Preferences/com.navigon.NavigonNorthAmerica.plist: Last Position & Angle Metadata
/Documents/LastSearchResult.dat
/Documents/Favourite.targets
/Documents/Recent.targets

FourSquare v2.2.2
/Documents/foursquare.sqlite: ZFSVENUE Table, ZFSNOTIFICATIONOBJECT Table
http://foursquare.com/user/<userid>

Evernote v4.0.2
com.evernote.iPhone.Evernote.plist
Evernote2.sqlite.md
<IncomingEmail>@m.evernote.com
Library/Caches/www.evernote.com
applog.txt
Evernote2.sqlite: LOCALFILE Table

Dropbox v1.3.1
/Documents/Dropbox.sqlite: ZCACHEDFILE Table
/Library/Caches/Dropbox/
com.getdropbox.Dropbox.plist: Content from DefaultsAccountInfoKey is in bplist format and can be viewed by extracting it into a separate file.
/Library/Caches/FavoriteFiles.plist
/Library/Caches/cache.db
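An added Python example (not from the talk) of the extraction step just described for com.getdropbox.Dropbox.plist: it finds plist keys whose <data> value is itself a binary plist, parses the embedded one, and can write it out as a standalone file. The sample plist, the DefaultsAccountInfoKey contents and the inner field names are constructed for the demo and are not Dropbox's real schema.

```python
import plistlib

BPLIST_MAGIC = b"bplist00"


def embedded_plist_keys(outer_plist_bytes):
    """List the keys whose <data> values are themselves binary plists."""
    outer = plistlib.loads(outer_plist_bytes)
    return sorted(k for k, v in outer.items()
                  if isinstance(v, bytes) and v.startswith(BPLIST_MAGIC))


def extract_nested_plist(outer_plist_bytes, key):
    """Return (raw_blob, parsed_dict) for the bplist stored as data under key.
    Raises KeyError when the key is absent and ValueError when the value is
    not a bplist, which is what a key holding plain binary data looks like."""
    blob = plistlib.loads(outer_plist_bytes)[key]
    if not isinstance(blob, bytes) or not blob.startswith(BPLIST_MAGIC):
        raise ValueError(f"{key} does not hold an embedded binary plist")
    return blob, plistlib.loads(blob)


def dump_blob(outer_plist_bytes, key, path):
    """Write the embedded bplist to its own file so a plist viewer can open it."""
    blob, _ = extract_nested_plist(outer_plist_bytes, key)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


def build_sample():
    """Constructed stand-in for com.getdropbox.Dropbox.plist: the account
    record is serialised as its own bplist and stored under
    DefaultsAccountInfoKey as opaque data. The inner field names are made up."""
    inner = {"email": "user@example.invalid", "displayName": "Example User",
             "quotaBytes": 2147483648}
    outer = {"DefaultsAccountInfoKey": plistlib.dumps(inner, fmt=plistlib.FMT_BINARY),
             "SomeOpaqueBlob": b"\x00\x01\x02",  # data that is NOT a plist
             "LinkedDevice": True}
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    sample = build_sample()
    print(embedded_plist_keys(sample))  # ['DefaultsAccountInfoKey']
    print(extract_nested_plist(sample, "DefaultsAccountInfoKey")[1])
```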
/Documents/
/Documents/photodb.sqlite
cn.mmxd.privatephotoslite.plist

Echofon v3.1.8
/Preferences/net.naan.TwitterFon.plist
db3.1.5.db: users Table
/Library/profile_images: http://a2.twimg.com/profile_images/647123757/Muppet-Beaker_normal.jpg
db3.1.5.db: http://twitter.com/statuses/user_timeline/105533433.rss
db3.1.5.db: queries Table, saved_search Table
db3.1.5.db: direct_messages Table (Names), Dates
Library/Cookies/Cookies.plist

HootSuite v2.1.0
com.hootsuite.hootsuitelite.plist

Twitterific v3.0.2
/Documents/accounts.plist
Timeline
/Documents/searches.plist: Search Databases

Tweetdeck v1.4.1
/Documents/tddb.0.2.sqlite3
/Documents/column_cache_1

COMMUNICATION

Skype v3.0.1
/Library/Preferences/com.skype.skype.plist
Skype Logs

com.aol.aim.plist
/Documents/userAccounts/<GUID>.account
/Documents/userAccounts/<GUID>.buddylist
/Documents/userAccounts/<GUID>.history

WRAPPING UP