Sunday, September 13, 2020

iOS Forensics: VMP4 File format

This is a continuation of the new information posted from my thesis, iOS Forensics: Data hidden within Map Cache Files. Yogesh Khatri (@SwiftForensics) extended my additions to iLEAPP (#71) with his modifications (#74).

I decoded his change to break down the VMP4 file format, building on the great work by Yogesh. In my thesis, I have the following information (screenshot from the blog post):


I haven't confirmed 100% of the data in the format. Here is what I have decoded from Yogesh's additional code.

The VMP4 format is little-endian (as noted by the "<" in Yogesh's struct format strings). In each section header (shown in blue below) the 2-byte type field is an unsigned short (struct "H") and the 4-byte offset and size fields are unsigned ints (struct "I"). You can watch Computerphile's Endianness Explained With an Egg to understand how endianness works. Also, to understand C variable sizes for decoding the struct data, you can watch Programming in C: Lesson 11 - Short, long, int, unsigned, char variables and sizeof().

The following image is color coded and numbered.
  • Yellow: file header (magic) = VMP4
  • Red: Number of sections in the file
  • Blue: One 10-byte entry per section: a 2-byte type field, a 4-byte offset into the file, and a 4-byte size.
  • Green: The data of each section listed in the blue table. I am only showing part of the file in this screenshot.

Type fields for each section header are as follows:
  • 1
  • 10 = places (zlib if more than 1)
  • 11 = locale
  • 13 
  • 20
Yogesh's additions decoded type 11 fields. Type 11 seems to show the locale. The other types are unknown at the moment.

For the type 11 field (Field #2 above is type 11), I have blocked it out in the screenshot below:
The first byte marks whether the data is compressed. If this byte is 1 (compressed data), the compressed stream starts at the fifth byte and runs to the end of the field; the meaning of bytes two to four is not covered here. Zlib data is usually recognizable by the two-byte header 0x789C (see https://isc.sans.edu/forums/diary/Recognizing+ZLIB+Compression/25182/). Note that 0x789C is only the default-compression header; 0x7801, 0x785E and 0x78DA are the other common zlib headers, so a carver should check for the 0x78 CMF byte (and the RFC 1950 header checksum) rather than for 0x789C alone.
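As an added example (not code from this post, my thesis or iLEAPP), here is a small Python parser that follows the layout described above: the VMP4 magic, a section count, 10-byte "<HII" section entries, and a per-section compression flag with the zlib stream starting at the fifth byte. Assumptions that the post does not state: the section count is a 2-byte unsigned short immediately after the magic, section offsets are measured from the start of the blob, and the sample blob, its place names and the mapping of type numbers to content are constructed for the demo rather than taken from a real cache file.

```python
import struct
import zlib

MAGIC = b"VMP4"
COUNT = struct.Struct("<H")             # section count: assumed to sit right after the magic
SECTION_ENTRY = struct.Struct("<HII")   # 2-byte type, 4-byte offset, 4-byte size (little-endian)
HEADER_LEN = len(MAGIC) + COUNT.size    # 6 bytes before the section table


def looks_like_zlib(stream: bytes) -> bool:
    """RFC 1950 header check: CM must be 8 (deflate) and CMF*256+FLG a multiple of 31.
    Accepts 0x7801, 0x785E, 0x789C and 0x78DA instead of only the default 0x789C."""
    if len(stream) < 2:
        return False
    cmf, flg = stream[0], stream[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def parse_vmp4(data: bytes) -> list:
    """Return the section table, with each section's raw bytes attached."""
    if data[:4] != MAGIC:
        raise ValueError("missing VMP4 magic")
    (count,) = COUNT.unpack_from(data, 4)
    if HEADER_LEN + count * SECTION_ENTRY.size > len(data):
        raise ValueError("section table runs past end of data")
    sections = []
    for i in range(count):
        stype, offset, size = SECTION_ENTRY.unpack_from(data, HEADER_LEN + i * SECTION_ENTRY.size)
        if offset + size > len(data):   # bounds check first: truncated cache files are common
            raise ValueError(f"section {i} (type {stype}) runs past end of data")
        sections.append({"type": stype, "offset": offset, "size": size,
                         "raw": data[offset:offset + size]})
    return sections


def is_wellformed(data: bytes) -> bool:
    """True when the header, count and every section offset/size fit inside the blob."""
    try:
        parse_vmp4(data)
        return True
    except ValueError:
        return False


def section_payload(raw: bytes) -> bytes:
    """Byte 0 == 1 means compressed; the zlib stream begins at byte 4 (the fifth byte).
    Bytes 1-3 are left uninterpreted, as in the post."""
    if raw and raw[0] == 1:
        stream = raw[4:]
        if not looks_like_zlib(stream):
            raise ValueError("compressed flag set but no zlib header at byte 4")
        return zlib.decompress(stream)
    return raw


def build_sample() -> bytes:
    """Constructed VMP4-style blob for the demo; not a real map cache file."""
    places = b"Reykjavik\nAkureyri\nNuuk"              # constructed place list
    compressed = b"\x01\x00\x00\x00" + zlib.compress(places)
    locale = b"en\x00es-419\x00"                       # locale strings like those in the post
    payloads = [(11, compressed), (13, locale), (1, b"\x00\x00")]  # type numbers are illustrative
    offset = HEADER_LEN + SECTION_ENTRY.size * len(payloads)
    table, body = b"", b""
    for stype, payload in payloads:
        table += SECTION_ENTRY.pack(stype, offset, len(payload))
        body += payload
        offset += len(payload)
    return MAGIC + COUNT.pack(len(payloads)) + table + body


def dump(data: bytes) -> list:
    """Per-section summary: (type, offset, size, compressed flag, decoded bytes)."""
    rows = []
    for s in parse_vmp4(data):
        compressed = bool(s["raw"]) and s["raw"][0] == 1
        rows.append((s["type"], s["offset"], s["size"], compressed, section_payload(s["raw"])))
    return rows


if __name__ == "__main__":
    for row in dump(build_sample()):
        print(row)
```

The parser checks every offset and size against the blob length before slicing, so a truncated or carved file raises a clear error instead of silently returning short sections, and the zlib check uses the RFC 1950 header rule rather than matching 0x789C literally.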

Decompressing the data gives a list of locations. As shown below, I have decoded a complete tileset (or the related rows from the database).

From my dataset, this is tileset 87293900. Interestingly, I have both Greenland and Iceland shown in this tileset. The lower half (Iceland) is expected since this was the area I was looking at. 

For Field #3 (above), there are both "en" and "es-419" listed in the field. These are locale codes, where "en" is English and "es-419" is Spanish as used in Latin America (419 is the UN M.49 region code for Latin America and the Caribbean). I did not use Spanish on the phone so I am unsure why these show up.

The other fields are a mystery and need more time to figure out.
