Login  |  Register


Directory Tap - Submit Free Links, Get Traffic  - Article Details
PROMOTE:

STATISTICS
  • Active Links: 4668
  • Pending Links: 0
  • Todays Links: 0
  • Total Articles: 3536
  • Total Categories: 13
  • Sub Categories: 687

The iOS File System: TAR and Aggregated Locations Analysis

Date Added: July 26, 2018 07:40:45 AM
Author: Vladimir Katalov
Category: Computers & Internet: Software: Software Testing
What Are These TAR Files? While TAR is just an uncompressed archive used in UNIX-based OS'es, this speaks little of its importance for the mobile forensic specialist. Since the introduction of the iPhone 5s, physical acquisition has never been the same. For all iPhones and iPads with Apple's 64-bit processors, physical acquisition is exclusively available via file system extraction because of full-disk encryption. Even with a jailbreak, you must run the tarball command on the device itself to bypass the encryption. Since the file system image is captured and packed by iOS, you'll get exactly the same TAR file regardless of the tool performing physical acquisition. What Can We Do With That TAR File? Until now, most tools available for analysing information inside these TAR files were integral parts of fully-featured forensic toolkits. Your options would be limited to either time-consuming manual analysis or a highly sophisticated forensic suite. This is where Elcomsoft Phone Viewer 3.70 comes. It offers a perfect alternative to both the manual analysis and the use of complex forensic packages. With Elcomsoft Phone Viewer, you can access call logs, contacts, messages, notifications, browsing history and location data. Why TAR Files Are Important? Compared to logical acquisition, physical offers tangible benefits. You get the following in addition to what you'd see in a backup: 1. Notifications. Undismissed notifications used to be part of a backup, yet iOS 11 got rid of them. Today, you can only extract notifications from a TAR file. Notifications may contain critical evidence that would be otherwise unavailable, such as notifications from email accounts, social networks, banking, travel and taxi apps, etc. 2. Applications. In iOS, developers have control over what information gets backed up. Even if they opt to allow a backup, the developer may choose to make the data available to same device only - meaning it'll be encrypted with a hardware key that would be impossible to crack even with a jailbreak. The TAR file solves this problem by allowing unrestricted access to apps' sandboxed data. Elcomsoft Phone Viewer displays the list of installed packages and shows the exact location of each app's data. 3. Locations. You can see a lot more location data in a TAR file compared to a backup. EPV 3.70 can extract locations from multiple sources: Significant locations Locations cache Apple Maps Google Maps EXIF in media files Calendar events The UBER app By accessing location data gathered from such a wide range of sources, you are no longer limited to evidence from just the location logs. Some sources are only available with physical extraction and some data may be limited when analyzing backups. When Locations Can Lie When analysing location data, do note that you can't blindly trust everything reported by the tool. For example, locations are extracted from all images on the device and not just those captured by the device. Calendar events could be automatically added without the user ever attending. Locations cache lists approximate coordinates of the nearest base station, while Wi-Fi coordinates are retrieved with a third-party service based on the access point's MAC address; this data should generally be questioned as hard evidence. Finally, Significant Locations are derived with a closed-source algorithm. However, they are among the more reliable indicators of the user's actual location, albeit without a time stamp. Analyzing TAR Files with Elcomsoft Phone Viewer First, make sure you are using the Forensic edition, which can be purchased separately. The Standard edition can't open TAR files. You'll also need a TAR file obtained with Elcomsoft iOS Forensic Toolkit or GrayKey. Launch EPV. You'll see a new icon - "iOS device image". Click on it to open a TAR file. Select the TAR file. Once it opens, you'll see a prompt asking whether to scan locations other than the Camera Roll for media files that may contain location data. The archive will be unpacked. The file will be processed to discover and index evidence. Finally, you'll be able to access evidence! Due to background processing of the data you may be concerned with one or more question marks instead of the number of items. EPV resolves the number of entries once you open the corresponding category. So what's inside? First, the list of installed apps. If your computer has Internet access, you'll be prompted to allow matching package names against iTunes database. This allows seeing the actual app's name rather than the name of the package. Locations. Click on the coordinates to open the map. In addition, you can analyze Safari bookmarks, browsing history, notifications, call logs, messages and more.

Ratings:

Rate the article:  
 
  Average rating: ( votes)

Comments:

No Comments Yet.

You must be logged in to leave a comment.

ARTICLES
How to find the Most appropriate Catering Linen Rental
Catering linen in Long Island is a major part of a wedding ceremony.
Steps In Shortlisting Painting Contractors
Whenever your family is in need of Edmonton house painting contractors, how would you get the best contractor in the industry? Short listing contractor is not an easy task.
Steps In Shortlisting Painting Contractors
Whenever your family is in need of Edmonton house painting contractors, how would you get the best contractor in the industry? Short listing contractor is not an easy task.
Choosing An Affordable Painting Contractor
You can have lots of challenges when selecting house painters in Edmonton. A professional and reliable painting contractor in Edmonton can make this experience a pleasant one.
Knowing The Practicalities Of On Line Marketing - Is It For You?
The industry phase is flooded with theories and best practices on the on the internet internet marketing principles. On the web promoting is not a little something new but absolutely most people are not knowledgeable of it.