Tuesday, July 21, 2020

Unsupported Artifacts and How to Deal with them

This blog post looks at how to deal with valuable artifacts you identify that none of your commercial tools support. That gap is also a great opportunity to contribute to an open source project such as iLEAPP, by @AlexisBrignoni and Yogesh Khatri (@SwiftForensics).

Like so many of you, the first place I look when my extractions finish parsing is the list of installed applications. Funnily enough, this workflow was covered by @HeatherMahalik and @mattforensic on their podcast, Carved from Unallocated. I want to start off by getting a better idea of what applications are on the device. While checking out the installed applications on a recent extraction, I came across the Ookla Speedtest application. I had never seen the application before, but I was familiar with the web version, which is commonly used to check download and upload connection speeds. This is where my curious nature took over, so I started to dig around to see what data was contained in the application's databases. I also found that it was not parsed by the commercial tool I had used. To my surprise, it was a goldmine of artifacts that would be extremely helpful for this particular case, and likely many others.

After participating in the 2020 Magnet Forensics Virtual Summit CTF, I had become quite familiar with the capabilities of DB Browser for SQLite. So I exported the speedtest.sqlite database for the Ookla Speedtest application and went to work. While inspecting the contents of the database, I found the most valuable information in the table called ZSPEEDTESTRESULT. This table contained the date and time of each test, the internal IP address, the external IP address, the cellular carrier, the ISP, the Wi-Fi SSID, the device make/model, latitude/longitude, and the accuracy of that location fix. Some might be wondering why this is so valuable, but when was the last time you had an artifact from a phone that paired a date/time stamp with the IP address the device was connected to? Not just the internal IP address, but the external IP address as well. So now we have an IP address to plot on our timeline, but that's not all: we also have GPS data. We can plot the GPS coordinates, with a date and time, alongside the external IP address. One caveat worth keeping in mind: the external address is the public address the Speedtest server saw, which for most networks is the NAT gateway or carrier-side address, so it ties the device to a network at a point in time rather than to a person, and the location should always be read together with its accuracy value. Imagine the uses for this type of information in intellectual property theft cases where the suspect checks upload speeds prior to exfiltrating the data, or CSAM cases where the suspect checks their download speed at a local free Wi-Fi spot.

Let's dig deeper into how helpful some of the other data might be. The device make/model could be useful because the data is stored in an unencrypted backup and can be restored onto another device; older results then still carry the original device's make/model, which connects multiple devices, again via IP address and GPS location data. A sufficiently unique SSID can be searched on Wigle.net to try to locate the access point.

Now that we had located the data, it was time to refine our SQLite queries to parse the fields we wanted to use. With a little bit of extra time, we were able to build a device make/model conversion into the query. Once we had our SQLite query built and were happy with the data output, we checked out the videos on YouTube by @AlexisBrignoni, which provide step-by-step instructions on creating new artifacts for iLEAPP.
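As an added illustration of the kind of query described above (this is example code written for this page, not the iLEAPP artifact script from the post), the following Python builds a constructed stand-in for speedtest.sqlite and runs a query that converts the Core Data timestamp to UTC and maps the device model identifier to a marketing name in a CASE expression. Only the table name ZSPEEDTESTRESULT comes from the post; every column name, the sample rows, and the metre unit on the accuracy column are assumptions.

```python
import sqlite3

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC; adding this
# offset turns them into Unix-epoch seconds that SQLite's datetime() understands.
APPLE_EPOCH_OFFSET = 978307200

# Assumed column layout for ZSPEEDTESTRESULT. Only the table name is from the
# post; these column names are hypothetical stand-ins for the real schema.
SCHEMA = """
CREATE TABLE ZSPEEDTESTRESULT (
    Z_PK INTEGER PRIMARY KEY,
    ZDATE REAL,
    ZINTERNALIP TEXT,
    ZEXTERNALIP TEXT,
    ZCARRIERNAME TEXT,
    ZISPNAME TEXT,
    ZSSID TEXT,
    ZDEVICEMODEL TEXT,
    ZLATITUDE REAL,
    ZLONGITUDE REAL,
    ZHORIZONTALACCURACY REAL
);
"""

# Constructed sample rows, not data from a real extraction. ZDATE is Apple-epoch
# seconds: 616521600 is 2020-07-15 16:00:00 UTC. The second row is a cellular
# test, so the SSID is NULL. IPs come from the RFC 5737 documentation ranges.
SAMPLE_ROWS = [
    (1, 616521600.0, "192.168.1.23", "203.0.113.45", "Example Wireless",
     "Example Cable", "CoffeeShop_Guest", "iPhone8,4", 40.7128, -74.0060, 65.0),
    (2, 616608000.0, "10.140.22.8", "198.51.100.9", "Example Wireless",
     "Example Wireless", None, "iPhone8,4", 40.7580, -73.9855, 1414.0),
]

# The artifact query. The CASE expression is the make/model conversion; the
# mapping is deliberately partial and would be extended with the full model list.
QUERY = f"""
SELECT
    datetime(ZDATE + {APPLE_EPOCH_OFFSET}, 'unixepoch') AS "Timestamp (UTC)",
    ZINTERNALIP  AS "Internal IP",
    ZEXTERNALIP  AS "External IP",
    ZCARRIERNAME AS "Carrier",
    ZISPNAME     AS "ISP",
    ZSSID        AS "SSID",
    CASE ZDEVICEMODEL
        WHEN 'iPhone8,4'  THEN 'iPhone SE'
        WHEN 'iPhone10,3' THEN 'iPhone X'
        WHEN 'iPhone10,6' THEN 'iPhone X'
        WHEN 'iPhone12,1' THEN 'iPhone 11'
        ELSE ZDEVICEMODEL
    END          AS "Device",
    ZLATITUDE    AS "Latitude",
    ZLONGITUDE   AS "Longitude",
    ZHORIZONTALACCURACY AS "Accuracy (m)"
FROM ZSPEEDTESTRESULT
ORDER BY ZDATE
"""


def build_sample_db():
    """Create an in-memory stand-in for speedtest.sqlite populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO ZSPEEDTESTRESULT VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def parse_speedtest_results(conn):
    """Run the artifact query and return one dict per Speedtest result."""
    cur = conn.execute(QUERY)
    headers = [col[0] for col in cur.description]
    return [dict(zip(headers, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for result in parse_speedtest_results(build_sample_db()):
        print(result)
```

Against a real extraction, open the exported database read-only so the parser cannot alter the evidence, for example `sqlite3.connect("file:speedtest.sqlite?mode=ro", uri=True)`, and replace the assumed column names with the ones you see in DB Browser for SQLite.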

Creating the new artifact was quite the adventure, but a very rewarding process. I sent countless messages to @AlexisBrignoni, trying to perfect the script so that the application artifacts could be parsed by iLEAPP and presented in the report it generates. After I was able to get the script to run properly, I needed to confirm the data. So I used my test device, an iPhone SE running iOS 13.5.1, to download the Ookla Speedtest application and ran a few network checks. I noted my external IP address, the SSID I was connected to, and my location. I then conducted an iTunes backup of my test device and followed the blog post by @AlexisBrignoni that covers normalizing iTunes backups with the help of the script created by Edward Greybeard (https://github.com/edward-greybeard/iOS-UNF). With the iTunes backup normalized, I was able to validate all of the data from my test device, including the GPS location data, external IP address, and SSID.

The new artifact was merged into the main Github repository for iLEAPP and is now available for everyone to use. 

A huge thanks to @AlexisBrignoni for all his work on iLEAPP and for all of his help getting the scripts right to add the new artifact. 
