Previous: Heisenberg's Android
Next up we have an iPhone X owned by Beth. She's a feisty one!
Password: 02DB2ECE91DB67E8FA939FC3DC15D16B
Device Connections (10 points)
What is the name of the vehicle Beth’s phone connected to on April 6, 2021?
We can get the answer quick from the following plist:
private\var\containers\Shared\SystemGroup\C272EF97-5B86-4578-B2ED-AAAB06943E85\Library\Preferences\com.apple.MobileBluetooth.devices.plist
iLEAPP pulls this out quickly so we can filter on the date specified and see that the name of the vehicle was MY-QX80.
Figure 1: Bluetooth paired report in iLEAPP
Communication and File Sharing (10 points)
For the picture IMG_0488.heic, which database identifies the person who shared the photo?
What is Marsha’s Signal Recipient ID as found on Beth's iPhone?
This one requires actually decrypting the database first. Luckily, Physical Analyzer does the heavy lifting since we have the keychain for this device. Once it is decrypted we can view the database at the following path:
root\private\var\mobile\Containers\Shared\AppGroup/2436BD7E-5956-425A-B38F-A40F20089674\grdb\signal.sqlite\signal.sqlite.decrypted
In the "model_OWSUserProfile" table, we can scroll to find the profile name and the recipient UUID columns. Here we see Marsha's ID was 0CD79C6E-500B-4F59-9525-629859C090AD.
Where was Beth on June 17, 2021 when she was “with friends”?
How many meters did Beth travel on February 28, 2021 in her local time?
UTF or GTFO! All joking aside, converting the timestamps to the local offset was the hard part of pulling through the Health database. The database of choice is found here:
private\var\mobile\Library\Health\healthdb_secure.sqlite
Using Sarah Edwards formulated query for Health Distance we can get a feel for what entries had distance tied to them and then narrow it down by timestamp. The one thing to note is they are looking for a local time answer and not in UTC so some manipulation needs done. We can copy the query results from DB Browser into Excel and filter on only dates on 2/28/2021 plus one day to account for timezone offset. As seen below we can cut out a few entries because they now fall out of range with the -5 hours subtraction. Notice we pick on entry up at the end that was originally on March 1st in UTC time.
Where was Beth on June 29, 2021 when she made a call to Marsha (only provide the city in your answer)?
Let's first start with the call logs and see what we find. They can be found at the following path:
private\var\mobile\Library\CallHistoryDB\CallHistory.storedata
Make sure to get the -wal because you may not find any data in the regular database. On the ZCALLRECORD, we can find the ZDATE column and convert from the Apple NSDate and filter to 6/29/2021. There were only two records but none with locations but we do get a more narrow scope of timeframe.
Figure 6: CallHistory.storedata database
Moving on we can look at the cached locations from RoutineD, specifically cloud visits. We can use another query from Sarah Edwards (found here) on the data at the path:
private\var\mobile\Library\Caches\com.apple.routined\Cloud-V2.sqlite
Once again, get that -wal. Execute the query in DB Browser and export the results to Excel so we can filter further. Since we know the call was around 16:00-20:00 hour timeframe we can check to see what was around there.
What permissions did Beth grant for Telegram on her iPhone? Select all that are correct.
- Location, iCloud, Calls, Contacts
- Location, iCloud, Siri, Contacts
- Location, iCloud, Calls
- Calls, iCloud, Siri, Contacts
- This application was not installed
private\var\mobile\Library\TCC\TCC.db
Moving on over to the "access" table and filtering on "client" column for "ph.telegra.Telegraph" (the application folder name), we see 4 permissions granted.
Figure 8: TCC.db
We see Address Book and Siri pretty clearly, but what are Liverpool and Ubiquity? Keith Johnson has a good breakdown here, which shows Liverpool relates to location services and Ubiquity is for iCloud. So the answer here would be Location, iCloud, Siri, Contacts.
Settings and Notifications (20 points)
Was iCloud Photos turned on? If yes, when was it turned on? Answer must be YYYY-MM-DD HH:MM:SS.
Without knowing where the flag file is for this it may have been extremely difficult to hunt down. Fortunately we now know it can found here:
private\var\mobile\Media\PhotoData\cpl_enabled_marker
Because this file is available means that iCloud Photos is turned on. Inside we find the date we are looking for, just need to substitute periods (.) for colons (:). Timestamp answer is 2021-02-03 17:46:27.
Which cards were saved in the Apple Wallet?
- Visa
- Capital One and Amex
- None
private\var\mobile\Library\Passes\passes23.db
The "pass" table had nothing to see so I guessed None which was the answer.
Settings: Auto-lock (20 points)
How long does Beth’s phone need to be inactive for the screen to auto-lock?
\private\var\mobile\Library\UserConfigurationProfiles\PublicInfo\PublicEffectiveUserSettings.plist
We want to look at the Root > restrictedValue > maxInactivity > value. Here this value is represented in seconds.
When does Beth's iPhone require a password to unlock the device after locking it?
- Immediately
- After 1 min
- After 5 mins
- After 1 hour
- After 4 hours
Scott's blog goes over this one as well. We'll look at the same file as the previous question once more. This time we look at the path Root > restrictedValue > maxGracePeriod > value.
Figure 10: PublicEffectiveUserSettings.plist passcode requirement
We can see here that that value is set to 0 seconds which is equal to Immediately, the answer.
Device Connections (50 points)
When did Beth connect her device to Marsha’s laptop? Show answer as YYYY-MM-DD HH:MM:SS
Instead of looking for the timestamp on Beth's phone I actually ended up pulling up Marsha's PC evidence file (more coming in a future blog) and correlating USB plug-in entries. We can mount the E01 file using Arsenal Image Mounter and run USB Detective to pull out a report from the mounted image. We can then filter down the description to Apple iPhone to see two different phones were connected to the system.
Figure 11: USB Detective report from Marsha's PC
Since we got 3 tries to get it we tried both first connections, 2021-03-25 00:12:05 and 2021-04-06 22:32:21, the later ended up being correct. I assume the other phone was probably Marsha's.
Device Identification (50 points)
Which iOS version was running on Beth's iPhone on May 7, 2021?
- 14.4
- 14.5.1
- 14.5
- 14.6
This one seemed odd to me, I'm not entirely sure if the solution was the proper way to get it but it worked nonetheless. We can look at the mobile activation logs found here:
private\var\mobile\Library\Logs\mobileactivationd\
iLEAPP processes these pretty well for us. Taking a look at the generated report we can filter on "Upgrade" to see timestamps of iOS version updates.
Figure 12: mobileactiond logs in iLEAPP
My interpretation here was the system was on 18D70 between 3/29/2021 and 5/18/2021. Per this list 18D70 was 14.4.2 which wasn't an option for us here. Notes show that iOS 14.5.1 was released on 5/3/2021 and is associated with the ID 18E212 found on 5/18/2021.
So we went with 14.5.1 and it was correct. I'm wondering if the answer was incorrect or if there is a better file location to look at to get the answer. Regardless, we push forward.
Another source of update information that came across afterwards was found here:
\private\var\logs\lockdownd.log
\private\var\logs\lockdownd.log.1
Basically the same update information found prior was here except in local time instead of UTC.
Location Artifacts (50 points)
Which time zones were visited while the device was on iOS 14.4. Select all that apply.
- Central, Eastern, Mountain
- Pacific, Eastern
- Central, Pacific, Eastern
- Eastern
On July 20, 2021 at 20:06 PM local time Beth’s iPhone received a System message regarding the state of the device. What is the name of the file that contains this information?
This one was a doozy for good measure. Without a little assistance I probably would have never found it. We want to look at the Apple Unified Logs, which no commercial mobile forensics tool really parses at all. Luckily Yogeshi Khatri created something that can (download it here). The three folders that need pulled are:
/private/var/db/diagnostics
/private/var/db/diagnostics/timesync
/private/var/db/uuidtext
WARNING: This parser will take a long time to finish so be patient, there is a lot of data it has to go through. Best to use the SQLITE format for output.
Once it finishes we can open the resulting log database in DB Browser. Remember we are looking for local time in the question and Yogesh's tool parses to UTC so we need to offset it by 4 hours. Filtering on "TimeUtc" column we can see all entries came from the source file of 0000000000000393.tracev3.