
Creating a File System Image of iOS12 (12.1/16B92)




Abstract— Apple's iOS 12 is the latest iteration of the company's mobile device software. With each iteration Apple introduces new system protections to enhance user privacy, which in turn limits a forensic analyst's ability to examine Apple devices. Each iteration is followed by workarounds that let forensic analysts obtain the information stored on these devices. This paper explores a popular method that uses a jailbroken device to gain root access in order to create a file system image of a device running iOS 12.


I.    Concept

    Since its creation in 2007, Apple's iPhone and its operating system, iOS, have been household commodities. At one point Apple accounted for the largest share of mobile devices on the mobile network; as of 2019 Apple's operating system accounts for roughly 44% of all mobile operating systems in the United States according to statista.com, making it the second most used mobile OS behind Android. One major difference between iOS and Android users is that iOS users are more uniform in which version of the operating system they run, because of Apple's constant update reminders, applications and special features that do not work without updating, and Apple's control of the hardware itself. As of February 24, 2019, 83% of iOS users have upgraded to and are currently using iOS 12, with only 11% still on iOS 11 and 5% on an earlier version. [14] With each update Apple adds features, makes security changes that affect the kernel and root permissions, and may change folder and file locations. Since 83% of iOS users are on iOS 12, it is pertinent from a digital forensic perspective to image an iOS device running iOS 12 with strong documentation, so that the process can be replicated by the forensic community and the resulting image can be used for further research, analysis, tool development, education and training.

II.   Overview

     The overall goal of this research is to generate a physical image of an iOS 12 device, using open source tools available to every forensic examiner, that captures the device's file system. The methods used in testing are those used by Sarah Edwards, a well-known forensic analyst who specializes in what is known as "Mac Forensics", the forensics of Apple's family of products (iPhone, iPad, iMac, MacBook, etc.). Sarah published a blog post on mac4n6.com, a blog about Mac forensics, "iOS Imaging on the Cheap - Part Deux" [5], which outlined methods to obtain the file system from an iOS device. The same method that was used on iOS 10 and 11 devices is used here for iOS 12. For testing, a GSM iPhone X (MQAN2LL/A) [13] running iOS 12.1 [2] was used, together with @pwn20wnd's unc0ver jailbreak for iOS 11.0-12.1.2, v3.0.1, released publicly on 4/23/2019 on @pwn20wnd's GitHub page. [10] This jailbreak is considered a semi-tethered jailbreak.

III.  Testing

        The testing was broken down into categories based on the steps taken to gain root access to the phone and obtain the data stored on the device. This section contains all the steps leading up to jailbreaking the device, how the device was jailbroken, and how the file system image was then created following Sarah Edwards' "iOS imaging on the cheap" method.

A.   Equipment & Software Used for Testing

·     MacBook Pro OSX 10.14.4
·     GSM iPhone X (MQAN2LL/A)
·     iOS 12.1
·     unc0ver Jailbreak v3.0.1 (4/23/2019 release)
·     Cydia Impactor
·     OpenSSH
·     Tar Utility
·     dd Utility
·     iTunes
·     USB Lightning Cable
·     ftOS Utility & Block iOS Update (ftOS) Utility
·     libimobiledevice

B.   Preparing for the Jailbreaking

       Research into ensuring the semi-tethered jailbreak works on iOS 12, drawn from various videos and subsequent blog postings, led to the following being done to the device before the jailbreak was run.

I.               Check iOS Version
The version used for research is iOS 12.1. The authors of the jailbreak state that it works on iOS versions 11.0-12.1.2. Since this research is based around iOS 12, ensure the iOS version is between 12.0 and 12.1.2 and the device is an A8X-A11 device. The device used for testing is an A11 device (iPhone X).
II.             Create Backup
A backup of the device was created as a safety precaution, in case errors occurred while researching how to properly jailbreak the device or after the jailbreak had been applied.
III.            Delete iOS Update Installed on iPhone
One of the important steps in ensuring the semi-tethered jailbreak works on the device is removing all downloaded iOS updates from the iPhone; if this is not done the jailbreak will not work properly. This is because the kernel has the new firmware mounted, which prevents the jailbreak from finishing all of the exploits needed to complete the process.
IV.            Install ftOS Application on iPhone
"ftOS" is a third-party application that makes use of Apple's Apple TV OS (tvOS) to provide utility applications. It is used here to download another utility, "Block iOS Update", which ensures that updates are not pushed to the device.
V.              Install Block iOS Update Utility
Installing this utility through the ftOS third-party application ensures that firmware updates are not pushed to the device.
VI.            Install unc0ver Application on iPhone
Once the application binary is uploaded to the device, the iPhone is ready for the jailbreak process. The unc0ver application handles the rest of the heavy lifting, using 35 exploits to semi-tether jailbreak the iPhone and allow root access to the device along with third-party application stores such as the popular Cydia store.

C.   Jailbreaking 

The jailbreak process is rather simple, as long as all of the preparations have been done to the device. The unc0ver application takes care of the heavy lifting; before running the jailbreak, turn on the "export TFP0" option, which is supposed to increase root privilege and give more file access, a good thing for a forensic analyst. Once that setting has been enabled, running the jailbreak takes roughly 2-3 minutes, after which the device is in a jailbroken state. The goal of jailbreaking the device was to gain root access, which is now achieved, but communication with the device's file system must still be established. This is accomplished using OpenSSH, downloaded from the Cydia store, and the libimobiledevice tool suite on the MacBook Pro to interface with the file system.

D.  Post-Jailbreak 

Once the jailbreak has completed, update the Cydia sources to ensure that the most current updates are installed on the device; this is a new jailbreak, at the time of writing ten days old, but updating should always be standard practice since this is an open source application and pushes are constantly being made to update the functionality of the features offered. Downloading OpenSSH allows communication with the device via SSH. Connecting to the device via SSH allows interaction with the file system as the root user, the highest privilege possible on the device. Using the native terminal in OSX 10.14.4 on the MacBook Pro, an SSH connection was made with the device; a USB-SSH tunnel was established for a more stable connection and a faster pipeline for data transfer. This connection allows data to be transferred from the iPhone to the MacBook Pro connected to it, producing what is considered a physical logical image, which will be used for further analysis in future research.

E.   Data Acquisition Method 

To begin the data acquisition, the method chosen was one used by other forensic analysts; the one used in this research is the method of Sarah Edwards, who has published documented research testing it on iOS 10 and 11. A second method was derived from trial and error after trying other ways to obtain a physical logical image of the iPhone once connected to it via the USB-SSH tunnel. Both methods were used to test which was faster and which garnered more useful data.


I.               Trial & Error Method

Prior to using Sarah's method, I wanted to see through trial and error which folders are off limits and which are not, by initiating a recursive "scp" of the iPhone's file system to the acquisition MacBook Pro and logging the output to see what the kernel gives access to as the root user. This method took roughly 1.5 hours to transfer the file system, and the logging showed that Apple restricts a decent number of file locations even for the root user.

II.              Sarah Edwards' iOS 11 Method

Sarah Edwards' method obtains the file system by generating a tar bundle of it using the tar utility installed on the device by the jailbreak. This is done by establishing a USB-SSH connection as the root user, finding where the tar utility is installed, and then issuing a recursive tar command to copy the file system. This method was a lot faster than the "Trial & Error Method", taking roughly 20 minutes. The data is also already compressed, since it is exported from the device as a tar bundle. Roughly the same access was given to this command as to the "scp" utility, and the data is synonymous between the two acquisition methods.

F.   Data Recovered 

            Apple's new updates have made it so that even with root access there are still various folder locations that cannot be read out via the tar or scp utility. The folders that are denied are subdirectories of "/private/var/" and deal with location-specific data such as the data in /locationd, email information, Spotlight search information, application-specific information located in the containers, and health data. This change was expected, considering the same happened when Apple moved from iOS 10 to iOS 11, as can be seen from the output of Sarah Edwards' research published on her blog mac4n6.com. Based on both acquisition methods used in this research, more data is gathered when using scp than when using the tar command: roughly 23 GB were generated using the scp utility versus 12 GB using the tar utility. After a basic analysis of both acquisitions recovered from the device, the tar bundle is a more concise capture of the file system containing the same data retrieved with scp, while the scp capture contains duplicate data, which accounts for the size difference. One of the biggest variations is that the tar bundle does not gather data from the /User partition.

G.  Conclusions 

            The majority of the work in generating the physical logical image revolved around researching how to successfully jailbreak iOS 12 and then finding a way to acquire the data with open source resources. Future work will analyze the data generated over a ten-day period and the data captured. The image acquired contains multiple databases for further analysis to build a picture of what was done over the ten-day period. The image will also be distributed to the mobile forensic community for analysis by other mobile forensic researchers. The overall goal of future work is to further the analysis of an iOS file system, to see whether all the actions done on the phone can be seen in the data recovered, and to document this to provide the forensic community with information on iOS 12.

H.  Appendix

iPhone Preparation for Jailbreak

1.    Check iOS Version 

This is done by navigating to Settings>General>About on an iPhone.

                                                
Fig. 1

Check that the device is between iOS 12 and 12.1.2; the device used for testing had 12.1 installed.

2.     Create iPhone Backup


Next, create a backup of the device. This is done using iTunes, and an encrypted copy is created to ensure all passwords and health data are transferred. (Even though this is a test device and none of this was present on the device, these are the steps a normal user would take to preserve data.) The reason for creating a backup is to ensure that a working copy of a clean iOS is available in case errors occur during the jailbreak process.
 
Fig. 2
  

3.     Delete iOS Update Installed on Phone

Next, once this backup was created and stored on the device used for acquisition, the next step was to delete any copy of an iOS update that may already be installed on the phone and to prevent an update from being downloaded in the future.
Fig. 3

This can be done by navigating to Settings>General>iPhone Storage and deleting the update, which will be at the top of the listed applications; in this instance it is named "iOS 12.2 Update".

4.     Install ftOS Application on iPhone

 
Fig. 4

Once this is deleted, a third-party application was downloaded from ftos.vn by navigating to ftos.vn/install on the mobile device and following the on-screen instructions to install the application on the device.

5.  Install Block iOS Update Utility

 
Fig. 5

Once the application is installed, open it, navigate to the Firmware tab at the bottom of the tool bar, and download the Block iOS Update utility. Once this is installed, restart the device to begin the jailbreak process.

6.     Install Underc0ver Application on iPhone


Obtaining the binary to upload and a medium for transferring the binary to the device was needed. The binary was downloaded from pwn20wnd's GitHub and then transferred to the device using Cydia Impactor, which is available for Mac, Windows and Linux. Testing was done on a MacBook Pro running OSX 10.14.4, with version v3.0.1 of the unc0ver jailbreak. Once Cydia Impactor is installed and the binary is downloaded, the iPhone should be connected to the acquisition device via Lightning cable, and the transfer of the binary can begin. To initiate this process, open Cydia Impactor, then drag the .ipa file just downloaded from pwn20wnd's GitHub page and drop it into Cydia Impactor.
                                                                             
 
Fig. 6

Once the password for the device has been entered and trust has been given to the connected device, the transfer of the binary is initiated and you will be prompted to enter your iTunes username and password; the loader creates a signature for this application to run on your device. Once you give it permission in the user settings under Settings>General>Profiles & Device Management, by choosing the profile under your iTunes name and allowing it to run, you are ready to jailbreak!

7.     Jailbreak

       The jailbreak process is simple; the application binary that was uploaded takes care of the heavy lifting. Open the unc0ver application, choose Settings, and turn on the "export TFP0" setting. Next run the exploit and wait for the operation to complete; a successful jailbreak finishes with a loading circle as pictured below.

Fig. 7
  

8.     Post Jailbreak

The reason for jailbreaking the device is to gain root access and to download third-party applications from the Cydia store that allow communication with the device's file system. The application used for this is OpenSSH, an open source application that uses the SSH protocol to allow a remote connection to the device. It can be downloaded from the Cydia store.

9.      Data Acquisition Trial & Error

In order to create a physical image of the device, the first step in this acquisition is to see where the data is mounted. According to previous research by other forensic examiners such as Sarah Edwards, Apple's mobile file system is broken into two partitions, one containing system information and one containing data. The system information is located in the "/" directory and its subdirectories; the user data is located in the "/private/var/mobile" directory and its subdirectories. Using the USB-SSH connection method Sarah Edwards outlines in her blog post, commands were issued to dd the system partition and the data partition; both were met with resistance and were not allowed by the kernel even as the root user. The next method used was the "scp" utility to gather a copy of the files the kernel would allow me to copy, creating a log of the output to analyze what was permitted as root and what was denied, for comparison with the output from Sarah Edwards' research on iOS 11.
Fig. 8 (Output from "scp -r -P 2525 root@localhost:/ /Users/profilename/path/to/binary > scplog.txt")
*Output of file is saved with file tar.
  

10.     Data Acquisition Sarah Edwards Method


*Output of File System Creation
In Sarah Edwards' blog post, iOS Imaging on the Cheap! - Part Deux (for iOS 10 & 11), she completed her acquisition on iOS 11 using the tar utility installed by the Meridian jailbreak to help with the exfiltration of data from the device. The same method is used here for the acquisition of the iOS 12 data. The tar utility is in the "/usr/bin" directory on the device. With the following command a physical logical image of the phone was created; imaging took roughly 30 minutes to complete: "ssh -p 2525 root@localhost '/usr/bin/tar -cf - /' > ios_physical_logical_dump.tar".
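The acquisition commands from steps 9 and 10, together with the denied-path findings of section F, put together as a small script. This is an added example, not code from the write-up or from Sarah Edwards' post; it assumes iproxy (from the libimobiledevice project) on the Mac, OpenSSH on the jailbroken device, the tunnel port 2525 used above, and shasum on the Mac, and the error log it summarises is constructed here rather than real device output.

```shell
#!/bin/sh
# Added example: wraps the write-up's USB-SSH + tar acquisition with an error
# log and an integrity hash, then summarises which /private/var subdirectories
# the kernel refused. Assumes iproxy (libimobiledevice project), OpenSSH on the
# device, tunnel port 2525 as in the write-up, and shasum on the Mac.

TUNNEL_PORT=2525

# Forward local TCP port 2525 to port 22 on the USB-attached iPhone.
# Prints the iproxy PID so the tunnel can be stopped after acquisition.
start_tunnel() {
    iproxy "$TUNNEL_PORT" 22 >/dev/null 2>&1 &
    echo $!
}

# Stream a tar of "/" from the device into evidence file $1 (same command as
# step 10); tar's own error lines go to log $2 instead of being lost.
# A SHA-256 of the evidence file is written beside it for the chain of custody.
acquire_tar() {
    ssh -p "$TUNNEL_PORT" root@localhost '/usr/bin/tar -cf - /' >"$1" 2>"$2"
    shasum -a 256 "$1" >"$1.sha256"
}

# From a tar or scp error log ($1), count refused paths per top-level
# directory under /private/var. Output lines: "<count> <dir>", highest first.
summarize_denied() {
    grep -i -E 'permission denied|operation not permitted' "$1" \
        | grep -o '/private/var/[^/:]*' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of refused entries logged under /private/var/$2 (0 if none).
denied_count() {
    summarize_denied "$1" \
        | awk -v d="/private/var/$2" '$2 == d {print $1; f = 1} END {if (!f) print 0}'
}

# Constructed sample log (not real device output) in the line format that tar
# and scp print when the kernel refuses a path, plus one non-permission error.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
tar: /private/var/mobile/Library/Mail: Cannot open: Operation not permitted
tar: /private/var/mobile/Library/Health: Cannot open: Operation not permitted
tar: /private/var/mobile/Library/Spotlight: Cannot open: Operation not permitted
tar: /private/var/mobile/Containers/Data/Application: Cannot open: Operation not permitted
tar: /private/var/root/Library/Caches/locationd: Cannot open: Operation not permitted
scp: /private/var/root/Library/Lockdown/data_ark.plist: Permission denied
tar: /private/var/tmp/scratch: Read error: Input/output error
EOF

summarize_denied "$SAMPLE_LOG"
# 4 /private/var/mobile
# 2 /private/var/root
```

Pointing summarize_denied at the stderr log of a real acquisition gives the per-directory view of what root was refused, which is the comparison section F makes against the iOS 11 results.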
                                   


References
[1]     Anon. (2019). OpenSSH. [online] Available at: https://www.openssh.com/
[2]     Apple Support. (2019). About iOS 12 Updates: 12.1. [online] Available at: https://support.apple.com/en-us/HT209084#121
[3]     Cydiaimpactor.com. (2019). Cydia Impactor (Software). [online] Available at: http://www.cydiaimpactor.com/
[4]     Edwards, S. (2016). iOS Imaging on the Cheap!. [online] mac4n6.com. Available at: https://www.mac4n6.com/blog/2016/3/23/ios-imaging-on-the-cheap
[5]     Edwards, S. (2018). iOS Imaging on the Cheap! - Part Deux! (for iOS 10 & 11). [online] mac4n6.com. Available at: https://www.mac4n6.com/blog/2018/1/7/ios-imaging-on-the-cheap-part-deux-for-ios-10-11
[6]     En.wikipedia.org. (2019). dd (Unix). [online] Available at: https://en.wikipedia.org/wiki/Dd_(Unix)
[7]     En.wikipedia.org. (2019). iTunes. [online] Available at: https://en.wikipedia.org/wiki/ITunes
[8]     En.wikipedia.org. (2019). Lightning (connector). [online] Available at: https://en.wikipedia.org/wiki/Lightning_(connector)
[9]     FTiOS Team. (2019). Install ftOS X - FTiOS Team. [online] Available at: https://ftios.vn/install/
[10]   GitHub. (2019). pwn20wndstuff - Overview (Undecimus Jailbreak iOS 11.0-12.1.2). [online] Available at: https://github.com/pwn20wndstuff
[11]   Gnu.org. (2019). Tar - GNU Project - Free Software Foundation. [online] Available at: https://www.gnu.org/software/tar/
[12]   Libimobiledevice.org. (2019). libimobiledevice - A cross-platform software library and tools to communicate with iOS devices natively. [online] Available at: https://www.libimobiledevice.org/
[13]   LLC, K. (2019). iPhone X (AT&T/T-Mobile/Global/A1901) 64, 256 GB Specs (A1901*, MQAJ2LL/A*, 3175*, iPhone10,6): EveryiPhone.com. [online] Everymac.com. Available at: https://everymac.com/systems/apple/iphone/specs/apple-iphone-x-att-t-mobile-global-a1901-specs.html
[14]   Support, A. (2019). App Store - Support - Apple Developer (Percentage of Users on iOS 12). [online] Developer.apple.com. Available at: https://developer.apple.com/support/app-store/
[15]   Support.apple.com. (2019). Download macOS Mojave 10.14.4 Update. [online] Available at: https://support.apple.com/kb/DL1994?locale=en_US







