Forensicating the Apple TV

IoT devices are an emerging field in IT in general and, of course, in digital forensics. It is increasingly common to read about investigations carried out partly by analysing data stored on IoT devices. Like any other smart device, a smart TV can be connected to the Internet and interact with other devices in home or business contexts, so it becomes both a potential target of criminal activity and a source of information in digital investigations that reconstruct a user's activity. However, the lack of documentation, the use of proprietary, closed-source operating systems and the risk of damaging the device during experiments make research on smart TVs challenging for both cyber security and digital forensics.

This presentation offers an overview of how to deal with an Apple TV from the point of view of a digital forensics analyst: what kind of information can be obtained and how to analyse it.

Slide 1. FORENSICATING THE APPLE TV
Mattia Epifani, Claudia Meda
SANS Digital Forensics and Incident Response Summit, Prague, 8 October 2017

Slide 2. AGENDA
- Apple TV history and models
- Identification
- Acquisition challenges and techniques
- Data analysis
- Proposed methodology

Slide 3. APPLE TV
- The Apple TV is a digital media player manufactured by Apple
- It receives digital content from a number of sources and streams it to a TV
- As of October 2017, six models had been produced

Slide 4. APPLE TV, 1ST GENERATION
- Released in 2007
- Contains a traditional hard drive (40 or 160 GB)
- The OS is based on Mac OS X
- Connectivity: Wi-Fi, Ethernet 10/100, USB 2.0, HDMI

Slide 5. APPLE TV, 2ND GENERATION
- Released in 2010
- Contains 8 GB of NAND flash memory
- The OS is based on iOS
- Connectivity: Wi-Fi, Ethernet 10/100, Micro USB, HDMI

Slide 6. APPLE TV, 3RD GENERATION / 3RD GENERATION REV. A
- Released in 2012
- Contains 8 GB of NAND flash memory
- The OS is based on iOS
- Connectivity: Wi-Fi, Ethernet 10/100, Micro USB, HDMI

Slide 7. APPLE TV, 4TH GENERATION
- Released in 2015
- Contains 32 or 64 GB of NAND flash memory
- The OS (tvOS) is based on iOS
- Connectivity: Wi-Fi, Ethernet 10/100, Bluetooth, USB-C, HDMI

Slide 8. APPLE TV 4K (5TH GENERATION)
- Released in September 2017
- Contains 32 or 64 GB of NAND flash memory
- The OS (tvOS) is based on iOS
- Connectivity: Wi-Fi, Gigabit Ethernet, Bluetooth, HDMI (no USB port)

Slide 9. APPLE TV, IDENTIFICATION
- Observe the device's appearance
- Check the label on the underside of the device
- Verify through the device's Settings menu

  Model number   Generation
  A1218          1st
  A1378          2nd
  A1427          3rd
  A1469          3rd Rev. A
  A1625          4th
  A1842          4K

Slide 10. APPLE TV, IDENTIFICATION
https://support.apple.com/en-us/HT200008
Slide 11. APPLE TV, 1ST GENERATION: ACQUISITION AND ANALYSIS
- It contains a traditional hard drive that can be extracted and imaged: the traditional approach applies
- "Hacking the Apple TV and Where Your Forensic Data Lives", Kevin Estis and Randy Robbins, Def Con 17 (2009)
  https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
  https://www.youtube.com/watch?v=z-WCy3Bdzkc

Slide 12. APPLE TV, 2ND-4TH GENERATION: ACQUISITION
- Good news: no passcode protection
- Bad news: the USB port is officially used only for "service and support", and (at the time of the talk) no forensic tool supported Apple TV acquisition:
  Cellebrite 4PC/Physical Analyzer, Oxygen Forensics, Magnet Acquire/AXIOM, FTK Imager

Slides 13-15. APPLE TV, 2ND-4TH GENERATION: ITUNES CONNECTION (screenshots of the device connected to iTunes)

Slide 16. APPLE TV, 2ND-4TH GENERATION: USB ACQUISITION
- It is not completely true that the USB port is only for service and support: the Apple File Conduit (AFC) service is active
- Over USB we can access:
  - basic device information
  - the real-time log (syslog)
  - part of the file system (the "Media" folder)
  - crash logs

Slide 17. APPLE TV, 2ND-4TH GENERATION: DEVICE INFORMATION
ideviceinfo, from libimobiledevice (http://www.libimobiledevice.org/)

Slide 18. APPLE TV, 2ND-4TH GENERATION: REAL-TIME LOG
idevicesyslog, from libimobiledevice (http://www.libimobiledevice.org/)

Slides 19-24. APPLE TV, 2ND-4TH GENERATION: IBACKUPBOT (http://www.icopybot.com), screenshots of the tool browsing the device

Slide 25. APPLE TV, 2ND-4TH GENERATION: MANUAL ACQUISITION (information read from the on-screen Settings menus)
Slide 26. APPLE TV 3RD GENERATION (model A1469): information obtainable by manual acquisition

  General information   Network information     AirPlay information   Remote control information
  Name                  Wi-Fi MAC address       Devices used          iPhone
  Model number          Bluetooth MAC address   Type                  iPad
  Serial number         IP configuration        Name                  Telecontrol (the physical remote)
  OS version            Signal power                                  Keyboard
  Time zone             Network used
  Date and time

Slide 27. APPLE TV 3RD GENERATION (model A1469): where the information lives

  Information              Artifact
  iCloud account name      Real-time log
  iCloud ID                Real-time log
  Wi-Fi networks used      Crash log
  Shopping database        MediaLibrary.sqlitedb
  Device usage timeline    Crash log

Slide 28. APPLE TV 3RD GENERATION (model A1469), screenshot

Slide 29. APPLE TV 3RD GENERATION (model A1469): MEDIA LIBRARY
- Path: iTunes_Control/iTunes (inside the Media folder reachable over AFC)
- File: MediaLibrary.sqlitedb, 36 tables

Slide 30. APPLE TV MEDIA LIBRARY (3rd generation, model A1469), MediaLibrary.sqlitedb
Tables of interest:
- _MLDatabaseProperties: holds the iCloud account ID the library is synchronised with (the iTunes account)
- item_extra: one row per item; its media_kind column encodes the item type:

  media_kind   Meaning
  0            Book
  1            Music (mp3 format)
  2            Film
  33           Music (m4v format)

Slide 31. APPLE TV MEDIA LIBRARY: item_extra table (screenshot)

Slide 32. APPLE TV MEDIA LIBRARY (3rd generation, model A1469): SQL query over _MLDatabaseProperties and item_extra (screenshot)

Slide 33. APPLE TV MEDIA LIBRARY (screenshot)
Slides 34-36. APPLE TV, 2ND GENERATION: JAILBREAKING
https://www.theiphonewiki.com/wiki/Jailbreak

Slide 37. APPLE TV, 4TH GENERATION: JAILBREAKING
https://www.theiphonewiki.com/wiki/Jailbreak

Slide 38. METHODOLOGY: APPLE TV JAILBREAKING (4TH GENERATION)
https://twitter.com/imarcusthompson/status/715941070543126528

Slide 39. APPLE TV, 4TH GENERATION: ANALYSIS
Thanks to Sarah Edwards for providing us with a jailbroken 4th generation Apple TV for testing and research!

Slide 40. ACQUISITION METHODS (jailbroken 4th generation, root SSH)
Wi-Fi:
    ssh root@192.168.#.# 'tar -cpf - /' > ATV4.tar
USB-C (iproxy from libimobiledevice, http://www.libimobiledevice.org/, forwards local port 4242 to port 22 on the device):
    iproxy 4242 22
    ssh root@127.0.0.1 -p 4242 'tar -cpf - /' > ATV4.tar
Ethernet (on a Mac: Internet Sharing, Wi-Fi to Ethernet, then SSH to the address the Mac assigns):
    ssh root@192.168.#.# 'tar -cpf - /' > ATV4.tar
Slide 41. APPLE TV FILE SYSTEM LAYOUT: / (screenshot)

Slide 42. APPLE TV FILE SYSTEM LAYOUT: /private/var (screenshot)

Slide 43. TIMEZONE
/private/var/db/timezone/localtime

Slide 44. NETWORK, TCP/IP LEASE
/private/var/db/dhcpclient/leases/

Slides 45-46. NETWORK, WI-FI HISTORY
/private/var/preferences/com.apple.wifi.plist

Slide 47. KEYBOARD DICTIONARY (words learned from what the user typed)
/private/var/mobile/Library/Keyboard/dynamic-text.dat

Slide 48. ACCOUNTS
/private/var/mobile/Library/Accounts/

Slide 49. ACCOUNTS
/private/var/mobile/Library/Preferences/com.apple.ids.service.com (file name as printed on the slide)

Slide 50. ICLOUD "SYNCED PREFERENCES"
/var/mobile/Library/SyncedPreferences/
- Wi-Fi access points: com.apple.wifid.plist
- Weather cities: com.apple.nanoweatherprefsd.plist

Slides 51-52. WI-FI ACCESS POINTS
/private/var/mobile/Library/SyncedPreferences/com.apple.wifid.plist

Slide 53. WEATHER CITIES
/private/var/mobile/Library/SyncedPreferences/com.apple.nanoweatherprefsd.plist

Slides 54-55. HEADBOARD (the tvOS home screen; AppOrder.plist records the order of the app icons)
/private/var/mobile/Library/com.apple.headboard/AppOrder.plist

Slide 56. HEADBOARD
/private/var/mobile/Library/Caches/com.apple.tviconscache/com.apple.headboard

Slide 57. HEADBOARD
/private/var/mobile/Library/Caches/com.apple.headboard/fsCachedData

Slide 58. APP SNAPSHOTS (screen captures taken when an app is suspended)
/private/var/mobile/Library/Caches/com.apple.pineboard/AssetLibrary/Snapshots/

Slide 59. HEADBOARD SNAPSHOTS (screenshot)

Slide 60. TVMOVIES SNAPSHOTS (screenshot)

Slides 61-62. CACHED VIDEO
/private/var/mobile/Library/Caches/AppleTV/Video/

Slide 63. INSTALLED APPLICATIONS
/private/var/db/lsd/com.apple.lsdidentifiers.plist

Slide 64. INSTALLED APPLICATIONS
/private/var/mobile/Containers/Bundle/

Slide 65. INSTALLED APPLICATIONS
/private/var/mobile/Containers/Data/Application/

Slides 66-69. INSTALLED APPLICATIONS and APP SNAPSHOTS: YouTube (screenshots)

Slides 70-71. INSTALLED APPLICATIONS: Netflix (screenshots)
Slide 72. APPLE TV FORENSICS GUIDELINES
1. Identify the model
2. Apple TV 1st generation: acquire the hard drive and analyse it
3. Apple TV 2nd-4th generation:
   a. Acquire the real-time logs
   b. Acquire the crash logs
   c. Acquire the file system via AFC
   d. Acquire information via manual acquisition
   e. Verify whether jailbreaking is applicable (model and OS version); if it is, jailbreak and acquire the whole file system (jailbreaking alters the device, so do it last, after the non-invasive steps, and document it)
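The acquisition methods of slide 40 and the guidelines above combined into one script. This is an added example, not the presenters' code. It assumes libimobiledevice on the workstation, root SSH on a jailbroken device reachable as on slide 40 (the device IP over Wi-Fi or Ethernet, or 127.0.0.1:4242 over USB-C through `iproxy 4242 22`), and a GNU or BSD tar; the function names and the default 120-second syslog window are this example's choices. The image phase is written so that passing `sh -c` in place of the SSH command runs the same pipeline against a local directory, which is how it can be exercised without a device.

```shell
#!/bin/sh
# Added example, not from the original slides: two-phase collection for Apple TV
# 2nd-4th generation following the guidelines above.
#   Phase 1 (no jailbreak): device info, live syslog and crash logs through the
#   lockdown/AFC services with libimobiledevice tools (slides 16-18).
#   Phase 2 (jailbroken 4th gen with OpenSSH): `tar -cpf - /` over SSH as on
#   slide 40, hashed while it streams and logged beside the image.
# Function names and the default 120 s syslog window are this example's choices.
set -eu

sha256() {  # SHA-256 of stdin, coreutils or macOS
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Phase 1. atv_afc_triage <outdir> [<seconds of live syslog>]
atv_afc_triage() {
  dir=$1; secs=${2:-120}
  mkdir -p "$dir/crashlogs"
  ideviceinfo > "$dir/ideviceinfo.txt"
  # idevicesyslog streams until killed, so cap it; it only shows events from
  # the moment of connection, so record the wall-clock start in the case notes.
  timeout "$secs" idevicesyslog > "$dir/syslog.txt" || true
  # -k keeps the reports on the device: without it idevicecrashreport moves
  # them off (see its --keep option), i.e. it removes evidence from the device.
  # -e additionally writes the raw .crash files.
  idevicecrashreport -k -e "$dir/crashlogs"
}

# Phase 2. atv_ssh usb | wifi <ip> | ethernet <ip>  -> prints the ssh command
atv_ssh() {
  case "$1" in
    usb) echo "ssh -p 4242 root@127.0.0.1" ;;   # needs `iproxy 4242 22` running
    wifi|ethernet)
      [ -n "${2:-}" ] || { echo "device IP required" >&2; return 1; }
      echo "ssh root@$2" ;;
    *) echo "unknown transport: $1" >&2; return 1 ;;
  esac
}

# atv_acquire "<remote shell command>" <out.tar> [<remote root>]
# <remote shell command> is normally the string from atv_ssh; passing "sh -c"
# runs the identical pipeline against a local directory (used by the test).
atv_acquire() {
  remote=$1; out=$2; root=${3:-/}
  rm -f "$out.rc"
  started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  # Slide 40's `tar -cpf - /` over ssh, written to disk and hashed in one pass.
  # tar/ssh's exit status is captured in a side file because a pipeline only
  # reports the status of its last command.
  hash=$( { $remote "tar -cpf - $root" || echo "$?" > "$out.rc"; } | tee "$out" | sha256 )
  rc=$(cat "$out.rc" 2>/dev/null || echo 0); rm -f "$out.rc"
  finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  # tar exit 1 = "file changed as we read it", expected on a live device;
  # anything higher (or ssh's 255) is a hard failure.
  if [ "$rc" -gt 1 ]; then echo "acquisition failed, tar/ssh exit $rc" >&2; return 1; fi
  {
    echo "command:  $remote \"tar -cpf - $root\""
    echo "started:  $started"
    echo "finished: $finished"
    echo "tar_exit: $rc"
    echo "bytes:    $(wc -c < "$out" | tr -d ' ')"
    echo "sha256:   $hash"
  } > "$out.log"
  echo "$hash"
}

# atv_verify <out.tar>: re-hash the stored image against the logged value
atv_verify() {
  logged=$(sed -n 's/^sha256: *//p' "$1.log")
  actual=$(sha256 < "$1")
  if [ -n "$logged" ] && [ "$logged" = "$actual" ]; then return 0; fi
  echo "hash mismatch for $1" >&2; return 1
}

# Usage: sh atv_collect.sh afc <outdir>
#        sh atv_collect.sh image usb <out.tar>
#        sh atv_collect.sh image wifi|ethernet <ip> <out.tar>
case "${1:-}" in
  afc)   atv_afc_triage "$2" ;;
  image) if [ "$2" = usb ]; then atv_acquire "$(atv_ssh usb)" "$3"
         else atv_acquire "$(atv_ssh "$2" "$3")" "$4"; fi ;;
  "")    : ;;   # no arguments: only define the functions (sourced or under test)
  *)     echo "usage: $0 afc <outdir> | image usb|wifi|ethernet [<ip>] <out.tar>" >&2; exit 2 ;;
esac
```

The hash is computed from the stream as it is written rather than by re-reading the tar afterwards: re-hashing a 32 GB image later only proves the file has not changed since it reached the disk, while the in-flight value is what documents the acquisition itself, and `atv_verify` then checks the stored copy against it. Run the AFC phase before any jailbreak attempt, and always pass `-k` to `idevicecrashreport` on an evidence device.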
Slide 73. APPLE TV USEFUL TOOLS
- libimobiledevice: http://www.libimobiledevice.org/
- iMobileDevice: http://docs.quamotion.mobi/en/latest/imobiledevice/download.html
- iBackupBot: http://www.icopybot.com/itunes-backup-manager.htm
- iExplorer: https://macroplant.com/iexplorer
- iFunBox: http://www.i-funbox.com/
- iOSLogInfo: http://support.blackberry.com/kb/articleDetail?articleNumber=000036986
- iTools
- Pangu Jailbreak (tvOS 9.0/9.1): http://dl.pangu.25pp.com/jb/Pangu9_ATV_v1.0.zip
- LiberTV Jailbreak (tvOS 10.0/10.0.1/10.1): http://newosxbook.com/forum/viewtopic.php?f=12&t=16823

Slide 74. LEARNING iOS FORENSICS, SECOND EDITION
https://www.packtpub.com/networking-and-servers/learning-ios-forensics-second-edition

Slide 75. Q&A
Mattia Epifani
- Digital Forensics Analyst, CEO @ REALITY NET - System Solutions
- GCFA, GCFE, GASF, GMOB, GNFA, GREM, GCWN
- mattia.epifani@realitynet.it, @mattiaep, http://www.linkedin.com/in/mattiaepifani
Claudia Meda
- Digital Forensics Analyst @ REALITY NET - System Solutions
- claudia.meda@realitynet.it, @KlodiaMaida, https://www.linkedin.com/in/claudia-meda/
http://www.realitynet.it
http://blog.digital-forensics.it
