
314 Chapter 9 · Forensic Analysis of Mobile Malware

The tool provides this protection by using public and private signature keys. It does this by using asymmetric cryptography to validate the authenticity of the request. Furthermore, the signing tool allows developers to exchange API information in a secure manner and environment.

Performing iPhone Forensics

The book iPhone Forensics by Jonathan Zdziarski (O'Reilly, 2008) is an excellent resource on the specifics of the iPhone. The iPhone is based on the ARM (advanced RISC machine) processor architecture. It has a signed UNIX kernel that has been designed to thwart tampering. This has not, however, stopped the iPhone kernel from being exploited. Both jailbreaking and unlocking techniques exist. On bootup, the kernel is mapped into the file system.

The iPhone currently maintains the following data/information:

- Keyboard cache (can contain usernames and passwords, search terms, and the remains of typed exchanges). The iPhone's keyboard stores each character that is typed in a keyboard cache. This can be recovered like any deleted file.
- Deleted address-book items, contacts, calendar entries.
- Deleted images from the photo library, camera roll, and browsing cache. These may be obtained through data-carving.
- The system maintains screenshots of running applications. These are taken when the "home button" is selected and when an application exits. An iPhone can maintain a good number of snapshots profiling a user's actions.
- Call history. The iPhone maintains a list of about the last 100 calls in the call database. These can be recovered using a desktop SQLite client.
- String dumps of miscellaneous files and information.
- Map images from the Google Maps application. The direction lookups and coordinates of location and direction searches (with the longitude and latitude) are obtainable.
- Browser cache and browser objects. This is useful in constructing a browse history.
- E-mail, SMS, and other communications.
- Deleted voicemail recordings, which can be recovered and played using QuickTime (these are stored with the AMR codec).
- Pairing records may be used to establish the existence of a trusted relationship connecting the mobile device and a host computer.

Misuse of an iPhone

The iPhone is a small UNIX system. Like all UNIX systems, an attacker can generally find ways to bypass the controls that have been implemented on a system. Malicious code is
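The call-history item under Performing iPhone Forensics above says the last calls can be recovered with a desktop SQLite client and that deleted data can be obtained through data-carving. This added example (not from the book) builds a constructed call database in Python, deletes one entry, and shows why a live SQLite query no longer returns it while a raw byte scan of the file still finds it; the table layout, column names and phone numbers are assumptions made for the demo, not the real iPhone schema.

```python
import os
import re
import sqlite3
import tempfile

def build_sample_call_db(path):
    """Constructed call-history DB (schema assumed for the demo, not the real
    iPhone layout); three calls are logged, then the user clears one."""
    con = sqlite3.connect(path)
    # Upstream default is OFF; pinned so builds compiled with
    # SQLITE_SECURE_DELETE (which zero freed cells) behave the same.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE call (id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, duration INTEGER)")
    con.executemany(
        "INSERT INTO call (address, date, duration) VALUES (?, ?, ?)",
        [("+15551230001", 1230000000, 61),   # placeholder numbers
         ("+15551230002", 1230000600, 0),
         ("+15551230003", 1230001200, 305)])
    con.commit()
    con.execute("DELETE FROM call WHERE address = '+15551230002'")
    con.commit()
    con.close()

def live_rows(path):
    """What a desktop SQLite client shows: only rows still in the B-tree."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT address FROM call ORDER BY date")]
    con.close()
    return rows

def carve_addresses(path):
    """Data-carving: scan the raw file bytes and ignore the B-tree. A deleted
    cell is only linked into the page's freeblock list (its first four bytes
    become the freeblock header), so the address text itself survives."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.decode() for m in re.findall(rb"\+1555\d{7}", data)})

def demo():
    """Returns (live, carved): the deleted call appears only in carved."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "call_history.db")
        build_sample_call_db(path)
        return live_rows(path), carve_addresses(path)

if __name__ == "__main__":
    live, carved = demo()
    print("SQLite client sees:", live)
    print("raw carving finds: ", carved)
```

A VACUUM or a build with secure_delete enabled rewrites or zeroes the freed cell, which is why an examiner works on an image of the original file rather than a copy that has been opened and compacted.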