This guide will help you set up your iDevice with two binaries that can greatly assist with targeted testing and analysis. My goal is to equip you to do your own research and testing to confidently answer the questions you will surely have as you learn this beautiful dance we call DFIR. If you currently rely on a commercial tool to extract your iDevice data and then parse the data for you, that is totally normal and this article is absolutely for YOU! Years ago, @iamevltwin broke my thought process on how to address mobile devices. My training and education up to that point was great, and I knew a LOT about mobile devices and strategies for finding the evidence I was looking for. But... I relied on data extraction methods by commercial tools and mostly parsing by commercial tools as well. While that is acceptable and perfectly fine to do, it can be very time consuming. Trust me when I say, if @iamevltwin asked me a question, and my response was “I’ll let you know in a few hours”... she would probably throw a steak and cheese egg roll at my head. [Editor's Note: I would never waste a delicious steak and cheese egg roll, instead I would deeply judge and give him the side eye.—S] So for the sake of never wanting to waste a good egg roll, I learned how to target just the data I want and address it in a very specific way.
To summarize what we are about to do:
1. Install and run the “fsmon” and “cda” binaries, which already have proper entitlements, so you don’t have to make the files yourself.
2. Very basically learn what they do and how to run them.
3. Use them to target a specific piece of data on the iPhone.
4. Extract that specific piece of data to my desktop so I can “GET SHIT DONE”.
**If you are reading this, please make sure you have read and followed the instructions for Part 1 and Part 2. If you are jumping in here and trying to follow along, I assume your Mac and iDevice are the same as mine from the end of Part 2. It is strongly advised that you do this on a secondary test / research device and not your primary device. Nothing we are doing here should break anything, but things happen when you are in a root shell on your device, and you have been warned!**
Download iOS Binaries
I have both binaries you will need already built and entitled, trying to make this process as easy as possible to get you set up for testing! The link below will take you to a .zip file containing ‘cda’ and ‘fsmon’, which are both Mach-O 64-bit ARM executables.
The ‘cda’ binary helps locate where an app is storing its data! iOS stores most app data behind randomly generated GUIDs in the file system, so finding where a certain app is storing its user data can be a real pain. This binary makes quick work of telling us exactly which directories we need to pay attention to, and does so in seconds.
The ‘fsmon’ binary is a file system monitor. Plain and simple, it prints to your screen the changes occurring in the file system. For research purposes, this is priceless. If you need to know what happens when you take a photo, send an SMS, install an app, etc. you can run ‘fsmon’ while pressing the buttons on your device and watch your screen light up with what changed!
1. Click this link and download the .zip file. (Not (knowingly) malware, I promise!)
If you want to do it yourself, or are simply curious about what you’re downloading – here are the links to the GitHub repos where I got them:
cda – “A simple iOS command line tool to search for installed apps and list container folders (bundle, data, group).” Thank you, Andreas Kurtz!!
fsmon – A file system monitor. Thank you, Sergi Àlvarez & Nowsecure!!
2. Now that you have the binaries, we will put them into a folder on your Desktop for simplicity. Create a folder on your Desktop named ‘binaries’ and move the .zip file there. Unzip it so the two binaries are in the ‘binaries’ folder. It should look like this:
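As an added example (not part of the original post, and not code from the cda or fsmon projects), here is a small POSIX shell script that does the folder setup from steps 1 and 2 and, before you copy anything to a device, sanity-checks that each file really is a Mach-O executable and records its SHA-256 so you can compare it against the copy that ends up on the phone. The zip name `binaries.zip` in `~/Downloads` is an assumption; adjust it to whatever the download is actually called.

```shell
#!/bin/sh
# Added example, not from the original post. Sets up ~/Desktop/binaries,
# unzips the download, and checks that cda and fsmon are Mach-O files.
# Assumption: the downloaded archive is $HOME/Downloads/binaries.zip.

# Return 0 if the file begins with the Mach-O 64-bit magic 0xFEEDFACF
# (stored little-endian as the bytes cf fa ed fe) or the universal/fat
# binary magic 0xCAFEBABE; anything else (PE, ELF, a text file) returns 1.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the SHA-256 of a file (shasum on macOS, sha256sum on Linux).
sha256_of() {
    { shasum -a 256 "$1" 2>/dev/null || sha256sum "$1"; } | cut -d' ' -f1
}

# Create the folder, unzip into it, and verify both expected binaries.
setup_binaries() {
    dir="${1:-$HOME/Desktop/binaries}"
    zip="${2:-$HOME/Downloads/binaries.zip}"
    mkdir -p "$dir" || return 1
    unzip -o -q "$zip" -d "$dir" || return 1
    for f in "$dir/cda" "$dir/fsmon"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            return 1
        fi
        if is_macho "$f"; then
            # Keep this hash; after copying to the device, hash the
            # file there too and confirm the two values match.
            echo "ok       $(basename "$f")  $(sha256_of "$f")"
        else
            echo "NOT Mach-O: $f"
            return 1
        fi
    done
}

# Usage: setup_binaries            (defaults above)
#        setup_binaries ~/Desktop/binaries ~/Downloads/binaries.zip
```

The magic-byte check is deliberately simple: it does not replace a full `file` or `codesign -d` inspection on macOS, but it catches the common mistake of copying an HTML error page or a still-zipped archive to the device and then wondering why it will not execute.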