Saturday, September 5, 2020

iOS Forensics: Data hidden within Map Cache Files

This exams the artifact found from my earlier post Examining Maptiles from iOS. This is part of my thesis for my master's of Digital Forensics Sciences at Champlain College. You can download the complete thesis: PDF

Background

SQLite Databases

SQL, or Structured Query Language, was standardized in 1986 and 1987 by American National Standards (ANSI) and International Organization for Standardization (ISO) respectively [8]. SQL provides the language to retrieve and store data inside of databases. SQLite uses SQL (as well as many other database software) to provide “an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine” [1]. SQLite databases are everywhere in Android devices, iOS devices, and web applications. Nemetz et al. [11] examined six different software packages with 77 different database files and found widely different parsing between each software and database pair. For example, Nemetz et al. found nearly every program contained errors if the database contained special encapsulation characters in some situations and failed to display certain types of text encodings [11, sec. Keywords& Identifiers, sec. Encodings]. In addition, most forensic software today has trouble parsing SQLite databases requiring special programming scripts to parse them.

BLOBs

Blobs are binary large objects which can be stored both in a database and in the file system. Developers can store just about any kind of object within a blob such as jpegs, pngs, iOS plists, XML, json, or other objects. Generally, most software parsing databases with embedded blobs do not parse because of the different types of blobs. Similarly to SQLite databases, blobs need to be handled on a case by case within the application.

Apple Maps

Steve Job reveals the iPhone 1 at MacWorld 2007 showing it to be a multi-usable device--an iPod, a Phone, and an Internet Communications device; "It’s the internet in your pocket, for the first time ever, " stated Steven Jobs at the MacWorld 2007 where he had no idea how his simple device would be used today [12, para. 14]. Five years later at WWDC 2012, Apple released Apple Maps replacing Google Maps and similar services on iPhones [12; 16, para. 1]. Mobile phones continue to expand around the world with a growing number of features and applications being used on them.

With every iOS version released and every version, software updates change where information is stored. Heather Mahalik, senior SANS instructor for FOR585 (Advanced Smartphone Forensics), explains changes between iOS 10 to iOS 11 for Apple Maps. She noticed changes between the location of the basic history file, GeoHistory.mapsdata, for Apple Maps where it is generally no longer stored on the device; she notes, “the user must sync to iCloud or you will not find it” in the sync data pulled with Elcomsoft Phone Breaker [10, para. 20]. Apple Maps will also cache directions even if a user is not requesting them for future use and keep all the data for years within iCloud according to Mahalik’s research [10, para. 23].

Similarly, Core Location caching changed between iOS7 and iOS 13. Apple decided to store more data on the phone near each other in the cache directories in iOS 13. The Core Location daemon has been around since iOS 2.0 and supports geographic location and orientation of an Apple device [2]. This research only examines the Core Location without correlating it to Apple Maps history files or other sqlite database files.

Caching

Caching web applications may provide up to a 20% or more reduction of traffic by removing redundant data transfers when caching is properly implemented [13, sec. Abstract]. Qian et al. [13, sec. Web caching in cellular networks, para. 2] further explain the benefits of caching as lower monthly plans, better user experience, and better handset battery life. These three factors provide incentive for mobile applications developers to use caching for their applications. Since there is a high incentive for using caching, investigators need to always look for the data when the data is of likely value and is easy to acquire per NIST 800-86 [9]. Caching data is not as volatile as memory where losing power to a computerized device will cause the information to be lost; however the longer the data sits on a device, the software on the device will delete the data during routine storage cleanup routines.

Technical Details

Images used during this examination are from three different iPhones:

  • Josh Hickman’s iOS images from an iPhone SE running iOS 13.4.1 [7, sec. Description]
  • Champlain College DFS-550 iOS image from an iPhone 4 running iOS 7.1
  • iPhone 6s running iOS 13.6
Each of the images were manually examined using a Windows 10 Professional (2004) virtual machine running DB Browser for Sqlite (https://sqlitebrowser.org/).

Forensic Acquisition

The iPhone 6 was factory reset; then, bootra1n, a LiveCD running Void Linux providing a shell to run checka1n (https://checkra.in/), was used to jailbreak the iPhone 6 [6]. Jailbreaking the phone is required to gain access to the iOS file system and perform the extractions. Checka1n was used to install Cydia, a 3rd party application store, on the phone. Cydia provides the packages for OpenSSH server which was used for manual extraction of the database files.

Method 1 - DB Browser for SQLite

Acquisition of each of the databases was accomplished manually through copying the database files from each different image to the Windows analysis virtual machine using Filezilla (https://filezilla-project.org/), a free FTP solution. For iOS 7.1, the database files are located at Data\mobile\Library\Caches\MapTiles with only MapTiles.sqlitedb database being at this location [14, para. 3]. iOS 13.4.1 and 13.6 contain the same database with other files in Data\mobile\Library\Caches\com.apple.geod\.

Method 2 - iLEAPP

iLEAPP written by Alexis Brignoni provides a complete toolkit written in Python 3 to parse iOS data such as Mobile Installation Logs, notifications, build info, wireless, cellular service info, screen icons, application state information, KnowledgeC, Powerlog, and more [5, sec. Features]. iLEAPP does not parse map tile cached information and other data within this research. iOS Forensics: iLEAPP Updates post explains the changes to iLEAPP which mentioned in my thesis Appendix A.

Forensic Examination

The MapTiles.sqlite contains cache data which keeps a limited set of data for a limited amount of time. Analysing cache data requires capturing the files before their expiration date and time which can be days, minutes, or seconds depending on the cache’s application. MapTiles.sqlite and other files in newer iOS versions provide geolocation during an investigation even when applications are reset or removed. iOS 7.1 image retained only information within the MapTiles.sqlite database file and no other files created around with file; in contrast, iOS 13.X versions contain several different databases which will be examined below.

Generation of Cached Data

Due to the complexity of mapping caching, several different acquisitions of the database files were performed on the iPhone 6 (iOS 13.6) after performing different sets of tasks. The list below lists the tasks performed before each acquisition:

  • Task 1 -- Jailbroke phone using checkra1n
  • Task 2 -- Opened Apple Maps to examine a location with satellite images on and off. Closed Apple Maps.
  • Task 3 -- Opened Apple Maps without satellite images enabled. Examined two businesses: Lyfja and Orange Cafe: Espresso Bar in Reykjavik, Iceland.
  • Task 4 -- Opened Apple Maps without satellite images enabled. Searched for New York City. Examined Glendale Pharmacy in New York City. Closed Apple Maps.
  • Task 5 -- Installed Yelp. Examined Iceland, but no locations on map. Searched for New York City and Examined Da Claudio and Hole in the Wall businesses. Closed Apple Maps.
After each task above, the Data\mobile\Library\Caches\com.apple.geod folder was copied and compared.

Database Files

iOS 7.1 contains only the MapTiles.sqlitedb; whereas, iOS 13.X contains several databases with different location information. The following sections explain what information is contained within each database; differences, if any, between iOS versions are noted in the sections. iOS 13.4 and 13.6 contain the same databases and structure while iOS 7.1 contains structure changes in the MapTitles.sqlitedb file.

AP.db. The database appears to list different applications using the Core Location API. After each of tasks, com.apple.maps gets added to the mkcount table multiple times. Yelp is added to the mkcount table when it is run for Task 5.

GeoConfigStore.db. This database lists each application which accesses location and mapping information. Included with the name of the application, the database lists four fields per entry: current count, type, expires, and last.

MapTitles.sqlitedb. This database contains the map tiles information which includes the vector images and satellite. Figure 1 and Figure 2 show the differences between iOS 7 and iOS 13.X table structure. The columns ‘a’, ‘b,’, ‘c’, and ‘d’ or ‘key_a’, ‘key_b’, ‘key_c’, and ‘key_d’ in either database seem to contain longitude, latitude, zoom, and other information. The data in these fields appear to be encoded in a non-standard format. Yogesh Khatri (personal communication, August 10, 2020), Champlain College professor and author of Swift Forensics blog, came to the same conclusion when examining the database from iOS 13.4.1.

 

 

Figure 1: iOS 7.1: MapTiles.sqlitedb - image table - Magnet AXIOM [14, para. 3] Figure 2: iOS 13.X: MapTiles.sqlitedb - image table - DB Browser for SQLite

The titleset column references some number in relation location in the application; rows which have the same titleset numbers are adjacent or near each other. The data column contains at least four different types of blobs:

  • NULL -- blob is exactly 28 bytes in length and starts with “VMP4” 


  • VMP4 -- blob containing vector map data


    JPEG -- blob containing a jpeg image and appears when using the satellite view in Apple Maps. 


    Unknown -- blob that starts with 0x40 first byte with the second byte equal to 0x38, 0x34, 0x24, 0xb4, or 0x2c. 

VMP4 blobs also contain location street and place names within the area of the map viewed (Figure 3).
VMP4 blobs with location information
Figure 3. VMP4 blobs with location information

Task 5 shows that Yelp does update the map tiles database similarly to Apple Maps. However, Yelp does not have a satellite view option so there are no embedded images within the database rows.

PDPlaces.db. This database holds the list of places viewed from some applications. Apple Maps viewed locations from Task 3 and Task 4 show up on this database as shown in Figure 4. Yelp does not update this list when viewing locations within the application. On the pdplaces table, blobs contain text with location information which is reflected on the location cards in Apple Maps.

PDPlaces.db -- location list/history.
Figure 4. PDPlaces.db -- location list/history.

Stitching Map Tiles Together

JPEG Map tiles are 256 x 256 pixels in size. Each of these tiles can be processed to show a small section of a map. There are several methods that may be used to stitch these tiles into a single image which are explained below.

Manually Stitching. Manually matching up the image sides and generating a single image can be quickly accomplished due to the size and number of tiles an examiner would extract. Exporting the JPEG images from the MapTitles.sqlite database’s image provides a list of tiles shown in Figure 5. Using any application to match the tiles up such as Microsoft PowerPoint, Adobe Photoshop, or GIMP provides the end result in Figure 6. The exporting and stitching of the images is the same for iOS 7.1 and iOS 13.X.

 
Map tiles recovered from iOS 7

 

Figure 5. Map tiles recovered from iOS 7 [14, para. 4] Figure 6. Map tiles manually stitched together [14, , para. 7]

Automatic Stitching. Each titleset represents a single area of the map. As shown above, stitching the images together provides more context per tileset. OpenCV, or Open Source Computer Vision Library, is “an open-source library that includes several hundreds of computer vision algorithms” for image processing, video analysis, camera calibration, 3d reconstruction, object detections and other features [8, paras. 1 & 2]. Rokas Balsys [3; 4] explains how to use version 3.4.2.16 of the open-contrib-python library to stitch together two images. Opencv-contrib-python, at the time of this writing, is version 4.4.0.42 contains major improvements over the previous 3.x versions. OpenCV provides the python bindings that may help in automating the process of stitching the images together and providing better context for investigators.

Conclusion

Volatile data continues to give insight to computerized devices even when users of those devices attempt to hide or modify the stored data. The life span of this data remains short and needs to be captured as soon as possible. In this research, the com.apple.geod application was examined which stores map cache data for a short period. This data reveals pieces of satellite imagery when viewing Apple’s own map application, Apple Maps, and location information hidden with the binary data inside the MapTitles.sqlitedb file. Yelp, a business review application, also stores cache data in the same location as Apple Maps.

Further research may reveal the connection between these applications and the application data and how long these applications store data within the cache. Deletion of applications may leave traces behind which was the case with Yelp, but other applications would need to be reviewed to see if the same observation is held.

References

  • [1] About SQLite. (n.d.). SQLite. Retrieved August 25, 2020, from https://www.sqlite.org/about.html
  • [2] Apple, Inc. (n.d.). Core Location. Apple Developer Documentation. Retrieved August 20, 2020, from https://developer.apple.com/documentation/corelocation
  • [3] Balsys, R. (2019, February 14). OpenCV image Stitching (Part 1). Learn Python Programming. https://pylessons.com/OpenCV-image-stiching/
  • [4] Balsys, R. (2019, February 19). OpenCV image Stitching (Part 2). Learn Python Programming. https://pylessons.com/OpenCV-image-stiching-continue/
  • [5] Brignoni, A. (2020). Abrignoni/iLEAPP [Python]. https://github.com/abrignoni/iLEAPP (Original work published 2019)
  • [6] Foxlet. (2020). Foxlet/bootra1n. https://github.com/foxlet/bootra1n
  • [7] Hickman, J. (2020). IOS 13.4.1 Image. http://downloads.digitalcorpora.org/corpora/cell-phones/ios_13_4_1/iOS%2013.4.1%20Extraction/iOS13-4-1-ImageCreation.pdf
  • [8] Introduction. (2020, August 22). [Wiki]. OpenCV. https://docs.opencv.org/master/d1/dfb/intro.html
  • [9] Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to integrating forensic techniques into incident response (NIST SP 800-86; p. NIST SP 800-86). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-86
  • [10] Mahalik, H. (2018, March 30). First the Grinch and Now the Easter Bunny! Where is Apple Maps Hiding? [Blog]. Smarter Forensics. https://smarterforensics.com/tag/apple-maps/
  • [11] Nemetz, S., Schmitt, S., & Freiling, F. (2018). A standardized corpus for SQLite database forensics. Digital Investigation, 24, S121–S130. https://doi.org/10.1016/j.diin.2018.01.015
  • [12] Pierce, D. (2018, December 7). The Complete History of the iPhone—And What’s Coming Next. Wired: Illustrations by Radio. https://www.wired.com/story/guide-iphone/
  • [13] Qian, F., Quah, K. S., Huang, J., Erman, J., Gerber, A., Mao, Z., Sen, S., & Spatscheck, O. (2012). Web caching on smartphones: Ideal vs. reality. Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services - MobiSys ’12, 127. https://doi.org/10/ggcc45
  • [14] Spangenberger, J. (2020, August 2). Examining Map Tiles from iOS [Blog]. Cyber F?nix Tech. https://cyberfenixtech.blogspot.com/2019/10/examining-maptiles-from-ios.html
  • [15] SQL Introduction. (n.d.). W3 Schools. Retrieved August 25, 2020, from https://www.w3schools.com/sql/sql_intro.asp
  • [16] Vroegop, B. (2012, June 11). WWDC 2012: Apple kondigt eigen kaartendienst Maps met volledige navigatie aan. iCulture. https://www.iculture.nl/nieuws/wwdc-apple-kondigt-eigen-kaartendienst-maps-met-volledige-navigatie-aan-wwdc/

No comments:

Post a Comment