Mobile Imaging
This exercise will be done using iLEAPP and ALEAPP, found on GitHub by Brigs (abrignoni). He has made some amazing tools for mobile imaging for both iOS and Android. For this scenario, I will be using images from Josh Hickman; they can be found on his site.
I will be using iOS first because there are plenty of images on the Binary Hick site. The one I will be using for this exercise is the iOS 17 image.
Once you have iLEAPP open, it should look something like this:
You will need to select the compressed file that contains the image, and then you will select the output file. For this exercise, I have all the available modules selected to pull as much data as possible.
Once processing has started, it should look like this. It may take a while because this is a 30 GB file. Once finished, you can press the open report and close button.
This will pull up a report page that looks like this.
Once you have this pulled up, everything on the left will be the results from the image, along with all the modules you have selected. One of my personal favorite things that can be seen is the call history.
This allows you to see numbers that have been called, the time left, and why the call ended. You can also see contacts and much more.
iLEAPP uses modules that are created in Python to look for data in the phone's file system. Each module looks for a path that is already defined, since all iPhone operating systems are set up the same and they all save data to the same spot. In the image below, you can see where the module looks to find the data.
Then, the Python script outputs it into an HTML file for the user to view. You can do this manually by looking in the stored files of the phone. To find the path for the stored files, you can look at the SANS PDF I have linked below; it has the path for stored files for iPhone and Android. All iLEAPP does is automate this process. Most apps that are installed store their data in SQL databases, so if you do not have SQL knowledge, this might be difficult.
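To make the three steps above concrete (find the file at a predefined path, query the database, write HTML), here is an added example that is not iLEAPP's own module code. The path pattern, table name and column names are assumptions modelled on the iOS call history store, and the two call records are constructed sample data.

```python
import html, sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed artifact location and schema (modelled on the iOS call history store).
PATTERN = "**/Library/CallHistoryDB/CallHistory.storedata"
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple timestamps count from here

def build_sample(root):
    """Create a constructed database so the example runs without a real image."""
    db = Path(root) / "private/var/mobile/Library/CallHistoryDB/CallHistory.storedata"
    db.parent.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE ZCALLRECORD (ZDATE REAL, ZDURATION REAL, ZADDRESS TEXT, ZORIGINATED INTEGER)")
    con.executemany("INSERT INTO ZCALLRECORD VALUES (?,?,?,?)",
                    [(725846400.0, 42.0, "+15550100", 1), (725850000.0, 0.0, "<b>+15550101</b>", 0)])
    con.commit()
    con.close()
    return db

def find_artifact(root, pattern=PATTERN):
    """Step 1: locate the file at its predefined path inside the extraction."""
    return sorted(Path(root).glob(pattern))

def parse_calls(db_path):
    """Step 2: query the database read-only so the evidence file is not modified."""
    con = sqlite3.connect(f"{Path(db_path).resolve().as_uri()}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT ZDATE, ZDURATION, ZADDRESS, ZORIGINATED FROM ZCALLRECORD ORDER BY ZDATE").fetchall()
    finally:
        con.close()
    return [{"time": (COCOA_EPOCH + timedelta(seconds=d)).strftime("%Y-%m-%d %H:%M:%S UTC"),
             "seconds": int(dur), "number": addr,
             "direction": "outgoing" if orig else "incoming"} for d, dur, addr, orig in rows]

def to_html(calls):
    """Step 3: render an HTML table, escaping values that came from the device."""
    head = "<tr><th>Time</th><th>Seconds</th><th>Number</th><th>Direction</th></tr>"
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(c[k]))}</td>"
                   for k in ("time", "seconds", "number", "direction")) + "</tr>" for c in calls)
    return f"<table>{head}{body}</table>"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for db in find_artifact(root):
            print(to_html(parse_calls(db)))
```

When doing this by hand on a real extraction, run the queries against a working copy of the database rather than the original evidence file.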
If you want, you can image your iPhone using an unencrypted iTunes backup. The only issue with this is that Apple gatekeeps, so you will not be able to see as many images from the exercise above. This is because the images from Binary Hick are decrypted.