Forensic analysis is the ability to analyze events and circumstances after an important incident occurs. Typically, an analyst will have physical access to the evidence: mobile devices, routers, server computers, etc. Mobile forensics is about analyzing phones (Android, iOS, etc.) for signs of compromise. Typically, an organization will deploy MDM along with MTD to get visibility into the device’s security posture. However, OS limitations restrict such solutions from obtaining critical security signals that might indicate compromise. With device forensics, we can obtain these signals. More importantly, we can retrospectively analyze past events, which helps us build a timeline that paints a good picture of the history and circumstances of an incident.

I can confidently say endpoint protection (MTD) alone is not enough to address sophisticated mobile malware and compromises. An organization should be able to run a combination of the strategies below to cover the full spectrum of mobile threats:

  1. Run a solid mobile security awareness program - Users need to be aware of the risks and learn about the different tactics used by malicious actors/APTs. I haven’t run into a company that tries to solve this problem. Most training programs revolve around phishing and not enough around mobile-specific threats. That’s why I am working on Pwned Report.

  2. Endpoint protection - Mobile threat defense that can scan the device and give recommendations to the user when the security posture of the device falls below some defined threshold.

  3. Forensics - Not every threat is detected by an on-device threat scanner app, even when MDM is applied. More IOCs are revealed when you connect the device to a desktop/PC and pull in additional details. This is especially true for execs or high-value targets like journalists, politicians, etc.

My past articles delve into #1 & #2. This post will explore #3.

Sysdiagnose Files

Sysdiagnose extracts information from iPhone and iPad devices and captures it in a log file. You can then read the file to understand software or network issues. You can also use sysdiagnose log files to troubleshoot issues when you don’t have access to the iPhone or iPad device. You can read more here: https://it-training.apple.com/tutorials/support/sup075

While analyzing sysdiagnose files, there are different tools that can help us break down the dump and extract interesting IOCs. Specifically:

  1. Manual exploration - Extract the dump & walk through each file
  2. Tools - macOS VM, VS Code, Python scripts & Timesketch for visualization
  3. Prior Research & OSINT - Previous research from Amnesty International, Citizen Lab & the European Commission

Content Analysis

A sysdiagnose is a compressed file. You can obtain one by pressing and holding both volume buttons and the side or top button on iPad for 1 to 1.5 seconds. When you release the buttons, sysdiagnose starts, and iPad takes a screenshot. On iPhone, you feel a short vibration when sysdiagnose starts. It may take up to 10 minutes to complete. You can then head over to Settings, tap Privacy & Security > Analytics & Improvements > Analytics Data to view the generated file.

Unzipping the compressed tar shows a list of interesting files. Given the directory structure & some of the files listed below, the sample is a sysdiagnose file taken from an iOS device.

Sysdiagnose Files - inspect

Device

The first step is to find what kind of device we are working with and what operating system it’s running. This will help us answer a few interesting questions:

  • What vulnerability exists on this specific device?
  • What processes are common on this device?

Inspecting /logs/SystemVersion/SystemVersion.plist reveals the OS version, build ID & system image ID:

Operating System - iPhone OS
Operating System Version - 14.1
Build ID - C01DDD74-0524-11EB-9D44-686DB42BF6CD
System Image ID - ACE3B275-26F2-411F-9245-32779C5A8AAD
Build Version - 18A8395
Device - iPhone 6s (looking up build 18A8395 on the ipsw site reveals the device is an iPhone 6s); Hardware - iPhone 6s, Identifier - iPhone8,1

Device Language - de_DE (GERMANY - DE) - This was inferred from the file /Preferences/AppleLocale_CurrentUser.txt

Another important file that indicates the state of the device is shutdown.log, located at /system_logs.logarchive/Extra/shutdown.log. This file records how many times the device has been restarted, along with the processes that were still running while it was shutting down. Researchers from Kaspersky found the following:

  1. Compromised devices typically take longer than usual to reboot
  2. Processes under /private/var/tmp and /private/var/db typically hold the operating system back from rebooting

Shutdown Timing

From the above image, we can see that after 1.74 seconds the device had not yet rebooted because 8 processes were still running. Then, at the 2.24s mark, 1 process was still running. This counts as two delays, which is typical. Three or more delays are considered suspicious, and the processes behind them should be inspected.

Observation

  1. The device rebooted 48 times
  2. 16 of those reboots were delayed (3 or more waits)
  3. No suspicious process is behind these delays, so they might be false positives. Alternatively, the suspicious process was not running during these restarts
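
The counting described above (reboots, reboots with three or more waits, and which executables under the Kaspersky-flagged paths held them up) can be scripted. This is an added example, not the author's tooling; the shutdown.log line shapes it parses are assumed from the description above and the sample log is constructed.

```python
import re

# Assumed line shapes, constructed from the article's description (not a
# copy of a real shutdown.log): each reboot starts with "SIGTERM: [<epoch>]",
# then "remaining client pid: <pid> (<path>)" lines and one "After <s>s,
# there were <n> clients, with <m> signalled" line per wait.
SIGTERM_RE = re.compile(r"^SIGTERM: \[(\d+)\]")
WAIT_RE = re.compile(r"^\s*After ([\d.]+)s, there were (\d+) clients")
CLIENT_RE = re.compile(r"^\s*remaining client pid: \d+ \((.+)\)")
WATCH_PREFIXES = ("/private/var/tmp/", "/private/var/db/")  # Kaspersky's hint
SUSPICIOUS_WAITS = 3  # two waits is typical; three or more is suspicious

def parse_shutdown_log(text):
    """Split shutdown.log into reboot entries: timestamp, waits, client paths."""
    entries = []
    for line in text.splitlines():
        if m := SIGTERM_RE.match(line):
            entries.append({"ts": int(m.group(1)), "waits": [], "clients": set()})
        elif not entries:
            continue  # skip anything before the first SIGTERM marker
        elif m := WAIT_RE.match(line):
            entries[-1]["waits"].append((float(m.group(1)), int(m.group(2))))
        elif m := CLIENT_RE.match(line):
            entries[-1]["clients"].add(m.group(1))
    return entries

def triage(entries):
    """Count reboots, delayed reboots, and which watched paths held them up."""
    delayed = [e for e in entries if len(e["waits"]) >= SUSPICIOUS_WAITS]
    flagged = sorted({p for e in delayed for p in e["clients"]
                      if p.startswith(WATCH_PREFIXES)})
    return {"reboots": len(entries), "delayed": len(delayed), "flagged": flagged}

# Constructed sample: one normal reboot (two waits) and one delayed reboot
# held up by an executable under /private/var/tmp.
SAMPLE_LOG = """\
SIGTERM: [1700000000]
        remaining client pid: 41 (/usr/sbin/example_system_daemon)
After 1.74s, there were 8 clients, with 0 signalled
After 2.24s, there were 1 clients, with 0 signalled
SIGTERM: [1700003600]
        remaining client pid: 57 (/private/var/tmp/example_daemon)
After 1.80s, there were 2 clients, with 0 signalled
After 2.30s, there were 2 clients, with 0 signalled
After 2.80s, there were 1 clients, with 0 signalled
"""

if __name__ == "__main__":
    print(triage(parse_shutdown_log(SAMPLE_LOG)))
```
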

Apps

There are a couple of interesting logs:

  1. Mobile Installation Logs - These look like they are generated when apps are installed or uninstalled. Files are located under /logs/MobileInstallation/mobile_installation.log.x
  2. Mobile Activation Logs - It’s not clear what this log is about, but it is interesting nonetheless. Files are located under /logs/MobileActivation/mobileactivationd.log.x

Analyzing the mobile installation logs, we can determine how many applications were installed/uninstalled between Fri May 26 17:35:57 2023 & Fri Dec 1 15:32:29 2023 (approximately 6 months).

App Install Logs

The above screenshot shows the app com.avast.ios.security being installed (see the mobile_installation.log.1 file, lines 1224-1232). By the same token, we can search for the “uninstall” string and the associated bundle identifier to come up with a list of applications that were uninstalled. The table below summarizes the observation:

App Count Summary (Fri May 26 17:35:57 2023 & Fri Dec 1 15:32:29 2023)

Apps Count
Total Apps 24
Total Installed Apps 17
Total Uninstalled Apps 7

Apps Installed (Fri May 26 17:35:57 2023 & Fri Dec 1 15:32:29 2023)

Bundle ID / App Name ~ Install Date
Reaper - com.mist.reaper.enterprise & Extensions - com.mist.reaper.enterprise.home-widget, com.mist.reaper.enterprise.content-blocker, com.mist.reaper.enterprise.dns-over-https, com.mist.reaper.enterprise.ivy-notifications-content, com.mist.reaper.enterprise.remove-metadata-extension Nov 2023
GTA Car Tracker - com.icraze.gtatracker Oct 4, 2023
WhatsApp - net.whatsapp.WhatsApp & Extensions - net.whatsapp.WhatsApp.BroadcastUploadExtension, net.whatsapp.WhatsApp.NotificationExtension, net.whatsapp.WhatsApp.Intents, net.whatsapp.WhatsApp.ServiceExtension, net.whatsapp.WhatsApp.ShareExtension, net.whatsapp.WhatsApp.TodayExtension Nov 15 & Oct 5 2023
Avast - com.avast.ios.security & Extension - com.avast.ios.security.PacketTunnelExtension Nov 3, 2023
en.mf.hose-analysis Nov 23, 2023

Observation

  1. The Reaper app also has multiple extensions. The interesting ones are Content Blocker & DNS-over-HTTPS. The first is probably a Safari extension that can be used to block phishing URLs, while the latter is a full-fledged DNS-over-HTTPS extension that can allow Reaper to monitor the device’s DNS traffic & not just Safari’s
  2. Given the above point, Reaper might be doing the following:
    • Anti-phishing, or
    • Monitoring the device’s traffic (via DNS requests) for a prolonged period, either to block suspicious IOCs (domains) inline or to retrospectively analyze the network offline.

Apps Uninstalled (Fri May 26 17:35:57 2023 & Fri Dec 1 15:32:29 2023)

Bundle ID / App Name ~ Uninstall Date
Reaper Test - com.mist.reaper.test & Extensions - com.mist.reaper.test.home-widget, com.mist.reaper.test.content-blocker, com.mist.reaper.test.dns-over-https, com.mist.reaper.test.ivy-notifications-content June 5, 2023
Reaper - com.mist.reaper.enterprise & Extensions - com.mist.reaper.enterprise.home-widget, com.mist.reaper.enterprise.content-blocker, com.mist.reaper.enterprise.dns-over-https, com.mist.reaper.enterprise.ivy-notifications-content, com.mist.reaper.enterprise.remove-metadata-extension June 18, 2023
en.mf.hose-analysis Dec 1, 2023

Observation

  1. Given that the above apps are entirely Reaper’s own applications (except en.mf.hose-analysis) and were uninstalled & installed at different points, we can reasonably conclude this might be a test device for one of the developers/testers.
  2. These apps are most likely side-loaded, especially com.mist.reaper.test, which might be a test/debug version of the enterprise Reaper app. More on this later.

Finally, we can inspect the SQLite DB file located under /logs/itunesstored/downloads.28.sqlitedb to understand which applications were installed via iTunes. Here is the file opened in a SQLite browser:

Sqlite App Download DB

Notable Tables - application_id, application_workspace_state, asset, client, download, purchase, trnsaction

Observation

  1. The application_id table contains 5 entries: com.apple.AppStore, com.apple.iBooks, com.apple.MobileStore, com.apple.Music & com.applevideos. These look like internal/preloaded applications.
  2. The download & purchase tables are empty, suggesting no application (free or paid) was installed from the iTunes store in the time frame specified above.
  3. Given point #2, the applications listed under the “Apps Installed” section are indeed sideloaded.

Now that we have listed the applications, we can go ahead and see where they are installed (file system location) along with their UUID. This will help us build app metadata, i.e. Bundle ID, Source (Installed From), UUID, Path.

The file /logs/tailspindb/UUIDToBinaryLocations is a plist that contains a list of UUIDs and the corresponding paths. This file will also help us enumerate all apps that were installed (apps under /private/var/).

We can write a simple Python script that transforms binary plist files to CSV so that the data is more digestible and, more importantly, sortable. This way we can clearly see which apps are from the system, the store, or side-loaded.
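
The following is an added example of such a script, not the author's own. It assumes UUIDToBinaryLocations decodes to a dictionary of UUID strings to executable paths (the article does not print the layout), buckets each path by where it lives so loose executables in writable locations sort to the top, and uses a constructed sample plist in place of a real dump.

```python
import csv
import io
import plistlib

# Assumed layout (the article does not print it): a plist dictionary whose
# keys are UUID strings and whose values are the on-device executable paths.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/", "/private/preboot/")
USER_APP_PREFIX = "/private/var/containers/Bundle/Application/"
REVIEW_PREFIXES = ("/private/var/tmp/", "/private/var/db/", "/private/var/root/")

def classify_path(path):
    """Bucket an executable by where it lives, so the CSV sorts into tiers."""
    if path.startswith(SYSTEM_PREFIXES):
        return "system"
    if path.startswith("/Applications/"):
        return "preloaded"       # built-in apps; Cydia also installs here
    if path.startswith(USER_APP_PREFIX):
        return "user-installed"  # App Store or side-loaded; downloads DB decides
    if path.startswith(REVIEW_PREFIXES):
        return "review"          # loose executables in writable locations
    return "other"

ORDER = {"review": 0, "other": 1, "user-installed": 2, "preloaded": 3, "system": 4}

def plist_to_rows(plist_bytes):
    """Decode the binary plist and return rows sorted with oddities on top."""
    mapping = plistlib.loads(plist_bytes)
    rows = [{"uuid": u, "path": p, "source": classify_path(p)} for u, p in mapping.items()]
    rows.sort(key=lambda r: (ORDER[r["source"]], r["path"]))
    return rows

def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["uuid", "path", "source"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample written as a binary plist, standing in for UUIDToBinaryLocations
SAMPLE_PLIST = plistlib.dumps({
    "0A0A0A0A-0000-4000-8000-000000000001": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
    "0A0A0A0A-0000-4000-8000-000000000002": "/private/var/containers/Bundle/Application/EXAMPLE-APP/Example.app/Example",
    "0A0A0A0A-0000-4000-8000-000000000003": "/private/var/tmp/loose_binary",
    "0A0A0A0A-0000-4000-8000-000000000004": "/Applications/MobileSafari.app/MobileSafari",
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(rows_to_csv(plist_to_rows(SAMPLE_PLIST)))
```

To run it against a real dump, replace SAMPLE_PLIST with the bytes read from the UUIDToBinaryLocations file.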

See the output below:

UUID App Path Mapping

Observation (see the accompanying Excel sheet)

  1. Row #1 shows Cydia is installed. Cydia is an application used on jailbroken iOS devices, so there is a chance the device might be jailbroken
  2. Row #9 shows a very suspicious executable named payload. This is not something observed on other, uncompromised iOS devices. Therefore, this is most likely a foreign and potentially malicious executable. We can also see that the process was running by inspecting the taskinfo.txt & spindump-nosymbols.txt files. See the screenshot below

Suspicious Payload

Network

The following log locations are associated with networking:

  1. /WiFi/com.apple.wifi.known-networks.plist - A binary plist file that contains the list of past Wi-Fi routers the device connected to
  2. /WiFi/com.apple.wifi.recent-networks.json - Similar to #1 but for the most recent Wi-Fi router connections
  3. /system_logs.logarchive - Inspect the log archive to filter out network events
  4. /logs/networking/com.apple.networkextension.plist & /logs/networking/com.apple.networkextension.uuidcache.plist - Binary plist files that contain the network activity of applications & system executables

Known networks (SSID - BSSID (MAC address) - Joined date - Location - Manufacturer):

  • SECRT 33 - 88:89:2f:58:58:c4 - 2023-06-03 15:33:32 - Not Determined - Huawei Technologies Co.,Ltd
  • The River - ac:4c:a5:fb:56:e - 2023-06-19 03:30:45 - Not Determined - Vantiva Usa Llc
  • Tank - dc:39:6f:71:e3:60 - 2023-05-26 15:36:36 - ~ Germany - Avm Audiovisuelles Marketing Und Computersysteme Gmbh
  • 5G Netzwerk - de:39:6f:71:e3:61 - 2023-05-09 10:36:29 - ~ Germany - Not Determined

Observation

  1. It’s possible to get the location of the device by reverse-searching the MAC address on websites like https://wigle.net. They have an API, but we used their web console since the lookup was only for 4 SSIDs. This is why apps require location permission when they retrieve sensitive details such as SSID & BSSID
  2. It looks like the user lives/works in two different regions: Germany & the US. Tankstelle & 5G Gast Netzwerk are located in Germany, and the companies that made the routers are based in Germany.
  3. All of the connections were captive-portal Wi-Fi networks, which indicates these places might not be public places such as hotels, cafes, etc.
  4. Open system_logs.logarchive with the Console app on macOS and search for network events, e.g. search for <->IPv4. The IP address 10.0.10.107 is a local address, which indicates there is some kind of local VPN or tunnel (see screenshot below)
  5. There is a good indication that DNS requests are resolved by Cloudflare (1.1.1.1)
  6. There is also a good indication that the device uses DoH (DNS over HTTPS), which forces the device to encrypt its DNS requests. This hides important DNS details from routers and telecom providers. Good for privacy. This conclusion was made by parsing the binary plist file /logs/networking/com.apple.networkextension.plist

System Logs Archive