1 of 47

CTF INFO (2nd half of the workshop)

  • Copy the evidence
    • 4 USB drives in the classroom
  • Register to CTF platform: http://34.60.134.223
    • Registration Code: bsidesrocks
  • CTF starts at 13:30 (UTC||GTFO)
  • CTF ends at 15:15
  • Winner gets a prize!!!
  • You can access the slides for reference.
    • See event website for link

2 of 47

Mobile Device Forensics 101

BSides Ume 2025

3 of 47

whoami

Timo Miettinen

  • DFIR @ Accenture Global Cyber Response team
  • DFIR consulting since 2018
  • Cyber Security since 2009

timo.miettinen@accenture.com

  • https://www.linkedin.com/in/timo-miettinen/

4 of 47

Why are we here?

5 of 47

Topics

General Process

iOS Data Collection

Android Data Collection

iOS Analysis

Android Analysis

7 of 47

General Process

8 of 47

General Process

Assumptions

  • You own the device you are investigating (or similar conditions)!
  • The device is fully functioning

10 of 47

iOS Data Collection

Basically two options

  • iTunes Backup (encrypted) + logs + device information + media files
    • Called logical acquisition
  • Full file system copy
    • Needs Jailbreak

11 of 47

iOS Data Collection

iTunes Backup

  • Mac native tools (Finder)
  • iTunes on Windows
  • idevicebackup2 tool from libimobiledevice [1] on Linux, Mac (or Windows)
    • Build and install from source
    • If run on WSL, you need to have iTunes installed on Windows + create firewall rule to allow WSL to communicate with the Windows host
  • Use password protection for the backup, contains more data

[1] https://libimobiledevice.org/

12 of 47

iOS Data Collection

Logs

  • Crash logs
    • Automatically generated
    • Can be valuable in forensic investigations as they provide a record of an application's execution at a specific time
    • Managed and generated by the operating system, which means they can remain even after an application is uninstalled
    • Can be collected with idevicecrashreport tool from libimobiledevice, by synchronizing the device with a computer, using AirDrop, or using XCode

13 of 47

iOS Data Collection

Logs

  • Sysdiagnose logs
    • Generation must be manually triggered by the user
    • Simultaneously pressing and releasing both volume buttons + the Side (or Top) button for 250 milliseconds
    • Will be saved under the Crash logs directory
    • Sysdiagnose logs can also be customized by loading additional profiles onto the iOS device using Apple Configurator or AirDrop
      • Battery Life Logs
      • Disk Space Diagnostics Logs
      • Wi-Fi Logs

14 of 47

iOS Data Collection

Device information

  • Hardware and software versions, MAC addresses, SIM card info, etc.
  • Can be collected with ideviceinfo tool from libimobiledevice

15 of 47

iOS Data Collection

Media files

  • Just connect your iPhone to Windows or Mac
  • On Linux you can mount the device by using ifuse tool from libimobiledevice

16 of 47

iOS Data Collection

The whole process for logical acquisition.

Initiate sysdiagnose logs. When done, run:

$ idevicepair pair

$ ideviceinfo > output/ideviceinfo.txt

$ idevicecrashreport -k output/

$ idevicebackup2 -i encryption on

$ idevicebackup2 backup --full output/

$ ifuse ./iphone

$ tar -czvf output/media.tar.gz ./iphone

17 of 47

iOS Data Collection

Jailbreak

https://www.theiphonewiki.com/wiki/Jailbreak

18 of 47

iOS Data Collection

Jailbreak

https://iosref.com/ios-usage (2025-04-18)

19 of 47

iOS Data Collection

Full file system copy

  • Jailbreak
  • Install OpenSSH from Cydia if not installed
  • root:alpine

$ idevicepair pair

$ iproxy 2222 22

$ sftp -P 2222 root@localhost

sftp> get -aRp / ./output

20 of 47

iOS Data Collection

Packet trace

  • You can use your Mac to record a packet trace on an attached iOS device using the Remote Virtual Interface (RVI) mechanism

$ rvictl -s <your iOS device UDID>

Starting device <your iOS device UDID> [SUCCEEDED] with interface rvi0

  • Output includes the interface name of the newly-created RVI. Supply this interface name to your favorite packet capture tool, for example

$ sudo tcpdump -i rvi0 -w trace.pcap

22 of 47

Android Data Collection

USB debugging

  • Facilitates communication between an Android device and the forensic workstation
  • Starting from Android 4.2, the Developer options menu is hidden by default
  • Settings -> About Device, tap the Build Number field seven times
  • Settings -> Developer Options
  • Enable USB debugging

23 of 47

Android Data Collection

Tools

  • Install Java Development Kit [1]
  • Install Android SDK (Command line tools only) [2]
  • Android Debug Bridge (adb)

$ adb devices

$ adb kill-server

[1] http://www.oracle.com/technetwork/java/javase/downloads/index.html

[2] https://developer.android.com/studio/index.html

24 of 47

Android Data Collection

dumpsys

  • A tool that runs on Android devices and dumps diagnostic information about system services
  • Can be executed with adb

$ adb shell dumpsys

25 of 47

Android Data Collection

logcat

  • Tool for dumping real-time and buffered (historical) logs

$ adb shell logcat -b all -v UTC,usec -d > logs.txt

26 of 47

Android Data Collection

Non rooted device

  • Android Triage [1]
  • Make sure you have adb and dialog installed
  • Download the script, make it executable and run it

[1] https://github.com/RealityNet/android_triage

$ ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -
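The one-liner above skips the 24-byte adb backup header and hands the deflate stream to tar. The Python below is an added example, not part of the workshop material or Android Triage: it reads the header fields (magic, format version, compression flag, encryption method) instead of skipping a fixed byte count, refuses password-protected backups rather than producing garbage, and unpacks the tar in memory. The backup.ab it operates on is constructed inline.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def build_sample_backup(files):
    """Constructed stand-in for a backup.ab from 'adb backup' (unencrypted, compressed).

    Android writes a 4-line text header followed by a zlib-deflated tar stream."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = AB_MAGIC + b"\n5\n1\nnone\n"  # magic, format version, compressed=1, encryption=none
    return header + zlib.compress(buf.getvalue())


def parse_ab_header(blob):
    """Split off the header lines; returns (metadata dict, compressed payload)."""
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    _, version, compressed, encryption, payload = parts
    meta = {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "header_len": len(blob) - len(payload),  # 24 bytes for the usual 'none' case
    }
    return meta, payload


def extract_ab(blob):
    """Return {path: bytes} for every regular file inside an unencrypted backup."""
    meta, payload = parse_ab_header(blob)
    if meta["encryption"] != "none":
        # Password-protected backups carry extra header lines and an AES-wrapped key;
        # that path is deliberately not handled here.
        raise ValueError("encrypted backup: %s" % meta["encryption"])
    raw = zlib.decompress(payload) if meta["compressed"] else payload
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    sample = build_sample_backup({"apps/com.example.app/db/app.db": b"SQLite format 3\x00"})
    print(parse_ab_header(sample)[0])
    print(list(extract_ab(sample)))
```

On a real acquisition, replace the constructed blob with `open("backup.ab", "rb").read()`; the header check is what tells you whether the 24-byte skip in the shell one-liner is even the right offset for the file in front of you.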

27 of 47

Android Data Collection

Export single APK

$ adb shell pm list packages -f

$ adb pull -a /data/app/com.microsoft.teams-8QfosniZBxLCuCX23gMlnA==/base.apk output/teams.apk

28 of 47

Android Data Collection

Rooted device

$ adb shell df -h

$ adb shell dd if=/dev/block/dm-0 > output/root.img

30 of 47

iOS Analysis

Interesting data can be found in several types of files; file extensions vary.

  • SQLite
    • DB Browser for SQLite (GUI), sqlite3 (CLI)
  • plist
    • Binary plists can be parsed with plutil (macOS) or plistutil
  • Plain text log files
    • Your favourite text editor
  • Use the provided SANS posters as a reference

31 of 47

iOS Analysis

Phone Setup

/private/var/mobile/Library/Logs/mobileactivationd/mobileactivationd.log.*

  • The device's initial time zone is Cupertino until it is set to the local time zone.

32 of 47

iOS Analysis

User accounts

/private/var/mobile/Library/Accounts/Accounts3.sqlite

select
  datetime(zdate+978307200,'unixepoch'),
  zaccounttypedescription,
  zusername,
  zaccountdescription,
  zaccount.zidentifier,
  zaccount.zowningbundleid
from zaccount, zaccounttype
where zaccounttype.z_pk=zaccount.zaccounttype

https://github.com/abrignoni/iLEAPP

33 of 47

iOS Analysis

Safari history

/private/var/mobile/Containers/Data/Application/<GUID>/Library/Safari/History.db

select
  history_visits.id,
  history_items.url
from history_visits
left join history_items on history_items.id = history_visits.history_item
order by history_visits.id

https://github.com/abrignoni/iLEAPP
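Both the Accounts3.sqlite query and the Safari History.db query above deal with Apple's Cocoa epoch (seconds since 2001-01-01 UTC), which is why the accounts query adds 978307200 before calling datetime(). The Python below is an added example, not from the slides or from iLEAPP: it builds constructed in-memory stand-ins for just the columns the two queries touch, runs the slide queries against them (the Safari one extended with the visit_time column, converted the same way), and exposes the epoch conversion as a plain Python function for correlating against other log sources.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and the Cocoa epoch (2001-01-01)
COCOA_EPOCH_OFFSET = 978307200


def to_cocoa(dt):
    """Aware datetime -> Cocoa timestamp (used only to seed the constructed rows)."""
    return dt.timestamp() - COCOA_EPOCH_OFFSET


def cocoa_to_iso(cocoa):
    """Cocoa timestamp -> 'YYYY-MM-DD HH:MM:SS' in UTC, matching SQLite's datetime() output."""
    return datetime.fromtimestamp(cocoa + COCOA_EPOCH_OFFSET, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_accounts_db():
    """Constructed subset of the Accounts3.sqlite schema (only the columns the query uses)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZACCOUNTTYPE (Z_PK INTEGER PRIMARY KEY, ZACCOUNTTYPEDESCRIPTION TEXT);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZACCOUNTTYPE INTEGER, ZDATE REAL,
                               ZUSERNAME TEXT, ZACCOUNTDESCRIPTION TEXT,
                               ZIDENTIFIER TEXT, ZOWNINGBUNDLEID TEXT);
    """)
    db.execute("INSERT INTO ZACCOUNTTYPE VALUES (1, 'iCloud')")
    created = to_cocoa(datetime(2025, 4, 18, 9, 30, tzinfo=timezone.utc))  # constructed value
    db.execute("INSERT INTO ZACCOUNT VALUES (?,?,?,?,?,?,?)",
               (1, 1, created, "user@example.com", "iCloud",
                "ACCT-GUID-0001", "com.apple.Preferences"))
    return db


ACCOUNTS_QUERY = """
select
  datetime(zdate+978307200,'unixepoch'),
  zaccounttypedescription,
  zusername,
  zaccountdescription,
  zaccount.zidentifier,
  zaccount.zowningbundleid
from zaccount, zaccounttype
where zaccounttype.z_pk=zaccount.zaccounttype
"""


def list_accounts(db):
    return db.execute(ACCOUNTS_QUERY).fetchall()


def build_safari_db():
    """Constructed subset of Safari's History.db (history_items + history_visits)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER, visit_time REAL);
    """)
    db.execute("INSERT INTO history_items VALUES (1, 'https://example.org/login')")
    db.execute("INSERT INTO history_items VALUES (2, 'https://example.net/')")
    db.executemany("INSERT INTO history_visits VALUES (?,?,?)", [
        (10, 2, to_cocoa(datetime(2025, 4, 18, 10, 0, tzinfo=timezone.utc))),
        (11, 1, to_cocoa(datetime(2025, 4, 18, 10, 5, tzinfo=timezone.utc))),
    ])
    return db


# The slide query plus the visit timestamp, converted with the same offset as ZDATE
SAFARI_QUERY = """
select
  history_visits.id,
  datetime(history_visits.visit_time+978307200,'unixepoch'),
  history_items.url
from history_visits
left join history_items on history_items.id = history_visits.history_item
order by history_visits.id
"""


def list_visits(db):
    return db.execute(SAFARI_QUERY).fetchall()


if __name__ == "__main__":
    for row in list_accounts(build_accounts_db()):
        print(row)
    for row in list_visits(build_safari_db()):
        print(row)
```

To run the same queries on real evidence, point `sqlite3.connect()` at a copy of the extracted database (never the original) and keep the `+978307200` in mind for every other Apple table whose timestamps are stored as Cocoa seconds.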

34 of 47

iOS Analysis

Location

/private/var/root/Library/Caches/locationd/cache_encryptedB.db

  • e.g. WiFiLocation

/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite

  • e.g. ZRTCLLOCATIONMO

/private/var/mobile/Media/DCIM

  • Photos may have location as meta data

https://github.com/mac4n6/APOLLO

35 of 47

iOS Analysis

Notes

/private/var/mobile/Containers/Shared/AppGroup/<GUID>/NoteStore.sqlite

  • ZICNOTEDATA.ZDATA stores the note body as a BLOB, which is a gzip-compressed protobuf
  • iLEAPP has parser module for Notes

36 of 47

iOS Analysis

App installation

/private/var/installd/Library/Logs/MobileInstallation/mobile_installation.log.*

  • Includes application installation paths (GUIDs)

37 of 47

iOS Analysis

Applications

  • WhatsApp

/private/var/mobile/Containers/Shared/AppGroup/<GUID>/ChatStorage.sqlite

  • Telegram

/private/var/mobile/Containers/Shared/AppGroup/<GUID>/telegram-data/<account>/postbox/db/db_sqlite

  • iLEAPP has parsers

38 of 47

iOS Analysis

Apple Maps history

/private/var/mobile/Containers/Data/Application/<GUID>/Library/Maps/GeoHistory.mapsdata

  • Binary plist
  • Actual data is base64 encoded protobuf
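The Notes BLOB (gzip-compressed protobuf, two slides earlier) and the Maps history (base64-encoded protobuf inside a binary plist, above) share one problem: without the .proto definitions you still want the text out. The Python below is an added example, not code from the slides or from iLEAPP: a schema-less protobuf wire-format walker that descends into nested length-delimited fields and collects readable strings, wrapped for both containers. The sample note blob and the sample .mapsdata are constructed inline, and the "History" plist key is a placeholder, not Apple's real key name.

```python
import base64
import gzip
import plistlib


def encode_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_varint(buf, pos):
    result = shift = 0
    while True:
        b = buf[pos]  # IndexError on truncated input, caught by the caller
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("field runs past end of buffer")
    return buf[pos:pos + n], pos + n


def encode_field(field, payload):
    """Length-delimited field (wire type 2): key varint, length varint, raw bytes."""
    return encode_varint((field << 3) | 2) + encode_varint(len(payload)) + payload


def decode_message(buf):
    """Schema-less walk of one message: list of (field number, wire type, raw value)."""
    pos, out = 0, []
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wt = key >> 3, key & 7
        if wt == 0:
            val, pos = read_varint(buf, pos)
        elif wt == 1:
            val, pos = take(buf, pos, 8)
        elif wt == 2:
            ln, pos = read_varint(buf, pos)
            val, pos = take(buf, pos, ln)
        elif wt == 5:
            val, pos = take(buf, pos, 4)
        else:
            raise ValueError("unsupported wire type %d" % wt)
        out.append((field, wt, val))
    return out


def extract_strings(buf, min_len=4):
    """Collect (field, text) for readable UTF-8 in length-delimited fields, recursing into
    values that are not text themselves (i.e. embedded messages)."""
    found = []
    try:
        fields = decode_message(buf)
    except (IndexError, ValueError):
        return found  # not a parseable message
    for field, wt, val in fields:
        if wt != 2:
            continue
        try:
            text = val.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        if text is not None and len(text) >= min_len and all(c.isprintable() or c in "\n\t" for c in text):
            found.append((field, text))
        else:
            found.extend(extract_strings(val, min_len))
    return found


def build_sample_note_zdata(text):
    """Constructed ZDATA-like blob: text nested two messages deep, then gzip-compressed."""
    return gzip.compress(encode_field(2, encode_field(3, encode_field(2, text.encode("utf-8")))))


def note_strings(zdata):
    return extract_strings(gzip.decompress(zdata))


def build_sample_geohistory(place):
    """Constructed .mapsdata-like bplist; 'History' is a placeholder key, not Apple's."""
    record = base64.b64encode(encode_field(1, place.encode("utf-8"))).decode("ascii")
    return plistlib.dumps({"History": [record]}, fmt=plistlib.FMT_BINARY)


def maps_strings(bplist, key="History"):
    found = []
    for record in plistlib.loads(bplist).get(key, []):
        found.extend(extract_strings(base64.b64decode(record)))
    return found
```

The field numbers returned alongside each string are what you would map back to a known schema later (iLEAPP's Notes parser does that with the real definitions); the schema-less pass is for triage and for apps no parser covers yet.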

39 of 47

iOS Analysis

Other free tools to consider

  • ArtEx (Windows only)
    • https://www.doubleblak.com/ArtEx/
    • Examine extracted data and live Jailbroken devices
  • iBackup Viewer (Mac & Windows)
    • https://www.imactools.com/downloads
    • View contents and extract files from iOS backups
  • Sysdiagnose Analysis Framework
    • https://github.com/EC-DIGIT-CSIRC/sysdiagnose
    • Framework for parsers and analyzers of sysdiagnose logs
  • Mobile Verification Toolkit
    • https://github.com/mvt-project/mvt
    • Detect a potential device compromise based on known IOCs

41 of 47

Android Analysis

Data of interest on the device

  • SQLite
  • XML
  • Plain text .conf and log files
  • Adb backup and file system export from a non-rooted device contain very few interesting files
  • APKs
  • Live command outputs

42 of 47

Android Analysis

What else do you have

  • Google takeout
    • Data from products like Gmail, Drive files, Chrome, Photos, and YouTube
    • Data about your activity in Google Play Store, Play Books, Google Maps, Play Games Services, YouTube videos, and Play Movies & TV
    • Your account's access log activity
    • Google Classroom classes, posts, submissions, and registers
    • Your Blogger blogs, posts, pages, comments, videos, and your profile
    • Health data from services like Google Fit
    • Data related to your Google Business profile
    • Saved passes, virtual account numbers, and transaction history from Google Pay
    • Google Shopping order history, delivery method, addresses, and more
    • Your locations and settings from Location History
    • Your Google Cloud search history
    • Your Android device's configuration data
    • Data from your smart home devices like the Google Nest Hub

43 of 47

Android Analysis

APKs

  • You can just unzip the APK, but it does not decode or decompile the contents
  • apktool
    • https://apktool.org/
    • A tool for reverse engineering and modifying APKs
    • Decompiles dex files to smali format
  • MobSF
    • https://github.com/MobSF/Mobile-Security-Framework-MobSF
    • Automated mobile application analysis tool capable of performing static and dynamic analysis
    • Online version at https://mobsf.live (not that stable)
  • jadx
    • https://github.com/skylot/jadx
    • Dex to Java decompiler

44 of 47

Android Analysis

APKs

  • AndroidManifest.xml
    • Located in the root directory
    • Contains metadata about the app, including package names, activity names and the entry point (main activity), Android version required by the app, permissions, and other configurations
  • res and assets directories
    • Assets and resources that are not compiled, worth checking

45 of 47

Android Analysis

Rooted device

  • ALEAPP
    • https://github.com/abrignoni/ALEAPP
    • Framework for parsers
    • Default set of parsers cover system data, native apps and most popular 3rd party apps
    • Needs full file system acquisition
  • For manual analysis of different files see the provided SANS posters

46 of 47

Thank you!

47 of 47

After coffee break it’s CTF time!

  • If not done yet, copy the evidence
    • 4 USB drives in the classroom
  • Register to CTF platform: http://34.60.134.223
    • Registration Code: bsidesrocks
  • CTF starts at 13:30 (UTC||GTFO)
  • CTF ends at 15:15
  • Winner gets a prize!!!
  • You can access the slides for reference.
    • See event website for link
  • Password challenge has a hint that gives you the correct flag (password to decrypt the device evidence archives), or you can crack the password to get more points.
    • Solving the Password challenge reveals more challenges.
  • Google Takeout export does not have a password.