

Going deep into iOS computer sync backup files to identify WhatsApp communication traces

Posted by zura at 2020-04-01

In this paper we discuss and test the forensic analysis of WhatsApp, the messaging application, on iOS devices using the backup extraction method of Apple's official iTunes software, and examine whether the relevant conversation records can be recovered with forensic tools, so as to support the forensic examination of smart mobile devices.

Smartphones have more and more functions: going online, sending messages, and receiving and sending e-mail can almost all be done on a smartphone. By the same token, criminals may use smartphones to communicate with each other or to carry out criminal activity. A forensic examination of a suspect's smartphone therefore has a good chance of finding evidence that can prove a case and support prosecution.

According to the second-quarter 2014 market report released by International Data Corporation (IDC), global smartphone shipments reached 295.3 million, an increase of 23.1% over the 240 million shipped in the second quarter of 2013. In the second quarter of this year iOS shipments were 35.1 million, up 13% from last year, but the market share fell from 13% to 11.9% because total Android smartphone shipments grew even more.

However, with the new iPhone 6 and iPhone 6 Plus launched by Apple in September this year, which introduced phones with larger screen sizes, users who had been driven to other brands by the lack of a large-screen option have been returning one after another. Whether this will further improve the relevant market share remains to be seen.

Although iOS devices are not the most popular mobile devices at present, they still have many loyal users because of their efficiency, functionality and distinctive appearance, and they still play an important role among smart mobile devices.

This paper therefore proposes to identify and analyze WhatsApp files in iPhone backup files: the iPhone is backed up through Apple's official iTunes software, and the backup data is analyzed and extracted in depth to obtain digital evidence that reconstructs what happened and assists case investigation.

Background

Because smart mobile devices are so widespread, many crimes are closely linked to them, for example online fraud, online assistance to crime, or communication between criminals and criminal activity conducted over mobile messaging platforms. Examining a suspect's smartphone therefore makes it more likely to find evidence supporting a criminal prosecution, and can also assist the investigation of civil or other kinds of cases.

However, a smart mobile device is always powered on and active, constantly updating its data, which can cause evidence to be lost more quickly. In addition, operating system updates for smart mobile devices are very frequent, which makes it difficult for forensic examiners to keep up with the examination methods and tools required for each version.

Next we focus on forensic research on devices running the iOS operating system, beginning with the basic forensic background.

Digital forensics of iOS operating system devices

Because an iOS device has no external expandable memory card, all data is stored in the device's internal memory, and the device can use Apple's iTunes sync backup tool to back up its data to a computer. Although iTunes was not designed as a forensic extraction tool, an examiner can use it to back up the data on an iOS device, and the relevant evidence may then be obtained by analyzing the backup files.

At present there are two ways to use iTunes for forensics. The first is to examine existing iTunes backup data: the iOS device itself is not needed, and the examination is performed on the computer the user backed up to. The second is to extract data from the iOS device, which can be divided into logical extraction and physical extraction.

Based on the above, iOS digital forensic extraction can be carried out from two directions: backup extraction and device extraction.

Backup extraction

Apple iTunes is the driver and management program that connects iOS devices to personal computers. Its backup includes video files, photos, address books, call records, calendars, applications, Safari data (bookmarks, cookies, browsing history), the Keychain (including e-mail account passwords, Wi-Fi passwords and application passwords), and so on.

These backup files are stored at a different path on the computer depending on its operating system. The paths for the Mac and Windows operating systems are summarized in Table 1.

Table 1 iTunes backup file storage path
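As an added example (not code from the original article), the following Python shows how an examiner maps entries in an iTunes backup to the files on disk and sanity-checks them: iTunes names each backed-up file after the SHA-1 of "<domain>-<relativePath>", so every manifest row can be resolved to its on-disk file and cross-checked against that hash. The Manifest.db column layout, the WhatsApp app-group domain and ChatStorage.sqlite name, and the sample rows are assumptions constructed here rather than taken from the page.

```python
import hashlib
import os
import sqlite3

def backup_file_id(domain: str, relative_path: str) -> str:
    """iTunes names each backed-up file after SHA-1 of "<domain>-<relativePath>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

def backup_file_path(backup_dir: str, file_id: str, hashed_subdirs: bool = True) -> str:
    """On-disk location: iOS 10+ backups keep files in a two-hex-character subdirectory, older ones are flat."""
    if hashed_subdirs:
        return os.path.join(backup_dir, file_id[:2], file_id)
    return os.path.join(backup_dir, file_id)

def make_sample_manifest() -> sqlite3.Connection:
    """Constructed stand-in for Manifest.db with only the columns this example uses (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT, flags INTEGER)")
    entries = [
        ("HomeDomain", "Library/SMS/sms.db"),
        # Assumed WhatsApp app-group domain and chat database name
        ("AppDomainGroup-group.net.whatsapp.WhatsApp.shared", "ChatStorage.sqlite"),
    ]
    rows = [(backup_file_id(d, p), d, p, 1) for d, p in entries]
    # Constructed inconsistent entry: fileID does not match its domain/path (an edited or renamed manifest row)
    rows.append(("0" * 40, "HomeDomain", "Library/CallHistoryDB/CallHistory.storedata", 1))
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?)", rows)
    return conn

def audit_manifest(conn: sqlite3.Connection, backup_dir: str, domain_prefix: str) -> list:
    """Resolve regular files (flags = 1) under a domain prefix and flag fileIDs that do not hash correctly."""
    query = ("SELECT fileID, domain, relativePath FROM Files "
             "WHERE domain LIKE ? AND flags = 1 ORDER BY relativePath")
    results = []
    for file_id, domain, rel in conn.execute(query, (domain_prefix + "%",)):
        results.append({
            "domain": domain,
            "relativePath": rel,
            "path": backup_file_path(backup_dir, file_id),
            "consistent": file_id == backup_file_id(domain, rel),
        })
    return results

if __name__ == "__main__":
    conn = make_sample_manifest()
    for entry in audit_manifest(conn, "/path/to/backup", "AppDomainGroup-group.net.whatsapp"):
        print(entry)
```

A fileID that does not match its domain and path is worth noting in the examination report, since a genuine iTunes backup always satisfies the hash relation.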

Device extraction comes in two types, physical extraction and logical extraction, described as follows:

·Physical extraction: to extract data from an iOS device, a forensic tool must be installed on the device; the tool then extracts the internal contents as a bit-for-bit copy or image file, which is subsequently analyzed. However, because of the particular nature of iOS devices, the examiner must first run a jailbreak (JB) procedure before the forensic software can be installed. Jailbreaking is a technique for circumventing the restrictions of Apple's iOS operating system; once it has been applied, some of the iPhone's built-in functional limitations are removed, and the forensic tool software can then be installed and run.