
Free iOS Forensics Tools

May 8, 2022

Looking at Two Free iOS Forensic Tools

We're going to look at two free resources available for iOS examinations. There are plenty of heavy-hitting commercial tools with excellent iOS support, but it's always recommended, and beneficial, to run additional tools to verify the data you get from them. The two tools we'll look at are Artifact Examiner (ArtEx) and the iOS Logs, Events, And Plists Parser (iLEAPP).

ArtEx

ArtEx is a great tool for both acquiring an image of your iOS device and browsing a live device. We’ll get both methods working here.

We’ve mentioned this before, but a jailbroken iDevice is always recommended to obtain the most data possible, and ArtEx requires one for extraction and for connecting to live devices.

Installing and Configuring

The first step is to search for and install the OpenSSH package on your jailbroken iDevice from Cydia. Once you find the correct package, you just need to install it. You’ll see here that it’s installed.


Once OpenSSH is installed on the iDevice, ArtEx recommends using 3uTools to establish an SSH tunnel to communicate directly with the device. 3uTools is a free download from its website. Once installed, you’ll see your connected iDevice listed:


From here, click on the “Toolbox” tab at the top and you’ll see numerous options for interacting with your iDevice. The one we’re interested in is “Open SSH Tunnel”.


If you installed OpenSSH correctly in the previous step, you’ll see an established connection. The IP address, port, user ID, and password shown are all default values; because they are well known, keep the device and the examination workstation on an isolated network while SSH is enabled.


We can now turn back to ArtEx and test the connection. Notice that all the default values are already entered for us. Once the connection is verified, the “Connected!” button turns green.


For this part, we’re going to acquire an image of our device. Click on “Full Extraction” and tell ArtEx where to save the image; ArtEx will then start the extraction.


Once complete, you’ll see information about your acquisition, and the data will be saved as a tar file.


ArtEx has another very useful feature when it comes to testing and verifying iDevice behavior: a live connection, meaning you can navigate the live file system while the device is connected to your computer. To begin, click on “Live Connection” and ArtEx will connect to your device.


Since you’re now connected live, you can look at the file system on the device.


The highlight of this feature is that you can view the files on the device, make a change in an app or on the device (send a message, take a picture, or navigate somewhere in a browser), and then ‘remap’ the live connection to get a refreshed view showing the new files and artifacts associated with the change you just made. The old way of testing took hours: acquire the device, make changes in the apps, then reacquire the entire device. Now the whole process takes minutes.
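The before-and-after comparison described above can also be done offline against two acquisition tar files, which is useful when you want a record of exactly which files a test action created or changed. The script below is an added example, not ArtEx or iLEAPP code. It hashes each tar for the evidence log, inventories the regular files inside without extracting to disk (skipping any member with an absolute or parent-traversal name, which a genuine device image should never contain), diffs the two snapshots, and groups the new or modified files by glob pattern the way artifact parsers locate files. The two tar images and the file paths in them are constructed inline to resemble iOS locations and are assumptions, not data from the post.

```python
"""Verify two iOS acquisition tars and report the artifacts a test action changed.

Added example. The sample files below are constructed; their paths only mimic
the iOS layout and should be treated as assumptions, not as reference paths.
"""
import fnmatch
import hashlib
import io
import json
import tarfile
from dataclasses import dataclass

# Constructed "before" image: path -> file content.
BEFORE_FILES = {
    "private/var/mobile/Library/CallHistoryDB/CallHistory.storedata": b"sqlite-before",
    "private/var/mobile/Library/Safari/Bookmarks.db": b"bookmarks-v1",
    "private/var/mobile/Library/Preferences/com.apple.Preferences.plist": b"plist",
}

# Constructed "after" image: a call was placed, a message sent, a photo taken.
AFTER_FILES = dict(BEFORE_FILES)
AFTER_FILES["private/var/mobile/Library/CallHistoryDB/CallHistory.storedata"] = b"sqlite-after"
AFTER_FILES["private/var/mobile/Library/SMS/sms.db"] = b"sqlite-sms"
AFTER_FILES["private/var/mobile/Media/DCIM/100APPLE/IMG_0001.HEIC"] = b"heic"

# Module name -> glob patterns, the same idea a path-pattern artifact parser uses.
ARTIFACT_PATTERNS = {
    "callHistory": ["*/CallHistoryDB/CallHistory.storedata"],
    "safariBookmarks": ["*/Safari/Bookmarks.db"],
    "sms": ["*/SMS/sms.db"],
    "photos": ["*/DCIM/*/*"],
}


def build_tar(files: dict) -> bytes:
    """Build an in-memory tar from path -> bytes (stands in for an ArtEx extraction)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0  # fixed so the tar digest is reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Digest to record in the acquisition log for the whole tar."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    size: int
    digest: str


def inventory(tar_bytes: bytes) -> dict:
    """Map each regular file to its size and SHA-256 without writing anything to disk.

    Members named with a leading '/' or a '..' component are skipped: a tar taken
    from a device should never contain them, so their presence is itself suspect.
    """
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if member.name.startswith("/") or ".." in member.name.split("/"):
                continue
            handle = tar.extractfile(member)
            data = handle.read() if handle else b""
            result[member.name] = Entry(member.size, sha256_hex(data))
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added, removed and content-modified paths between two inventories."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p].digest != after[p].digest),
    }


def classify(paths) -> dict:
    """Group paths by the artifact module whose glob pattern they match."""
    hits = {}
    for path in paths:
        for module, patterns in ARTIFACT_PATTERNS.items():
            if any(fnmatch.fnmatch(path, pat) for pat in patterns):
                hits.setdefault(module, []).append(path)
    return hits


def run_example() -> dict:
    """Full workflow on the constructed images: hash, inventory, diff, classify."""
    before_tar, after_tar = build_tar(BEFORE_FILES), build_tar(AFTER_FILES)
    changes = diff_snapshots(inventory(before_tar), inventory(after_tar))
    return {
        "before_sha256": sha256_hex(before_tar),
        "after_sha256": sha256_hex(after_tar),
        "changes": changes,
        "changed_by_module": classify(changes["added"] + changes["modified"]),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Run it as a script to get a JSON report; the unchanged Bookmarks database does not appear in the output, while the call, message and photo from the test action do, each attributed to its module.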

iLEAPP

Another excellent tool aimed at iDevices is iLEAPP. It provides fast parsing of iDevice artifacts. Since we acquired an iOS device image with ArtEx in the previous step, we can run that image through iLEAPP to process the data.

Download

Since we’re running on Windows, we downloaded the “iLEAPP-windows.zip” release. The tool is written in Python, so it can also run on Linux or macOS if needed. For the Windows version, all we need to do is open “ileappGUI.exe”, browse to the tar file, select the modules we want to run, and hit “Process”.


Your image will now be processed using the modules you selected, and you’ll see a log of what is being parsed out along with the number of artifacts found.


Looking at iLEAPP Output

Upon completion of the process, you’ll be presented with your output in an easy-to-read HTML format.


Here, you’ll see parsed-out information for Bluetooth, Call History, and Bookmarks. That’s just scratching the surface, as there’s support for many more artifacts.

Screenshots of the parsed Bluetooth, Call History, and Bookmarks output.

Easy to Use iDevice Tools

We’ve just looked at two different tools: how to set them up and how to run them to parse iOS data for your examinations and testing. Both are free and readily available, and they can also help validate findings from any commercial tools you may have.