Jonathan Zdziarski Releases Waterboard: An Open Source Forensic Acquisition Tool for iOS Devices
Posted June 12, 2013 at 7:04pm by iClarified
Jonathan Zdziarski has released Waterboard, an open source advanced forensic logical acquisition tool for iOS devices.
Waterboard is an open source iOS forensic imaging tool, capable of performing an advanced logical acquisition of iOS devices by utilizing extended services and back doors in Apple’s built-in lockdown services. These services can bypass Apple’s mobile backup encryption and other encryption to deliver a clear text copy of much of the file system to any machine that can pair, or has previously paired, with the device. Acquisition can be performed via USB, or across any wireless network where the device can be reached. Additionally, if you’re a federal law enforcement agency, you may also have the technical ability to skirt around a mobile carrier’s firewall and acquire your target over cellular, possibly without their knowledge. (NOTE: device pairing must still first be performed via USB, so there is not a widespread security risk; however, it could be used for ill through malicious juice jacking and such.)
Waterboard can be compiled as a command line utility for OS X or as a full GUI application for OS X or iPad. Acquisition can be performed via an Apple dongle such as the Lightning to USB adapter.
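Because every host that holds a pairing record can pull this data later over USB or Wi-Fi, a defender's first check is to audit which pairing records a computer holds. The following script is an added example, not Waterboard code; it assumes OS X keeps one `<UDID>.plist` per paired device under `/var/db/lockdown` (libimobiledevice on Linux uses `/var/lib/lockdown`) and that the record keys named below exist, and it parses a constructed sample record so it runs offline.

```python
"""Audit which iOS devices this host holds lockdown pairing records for."""
import os
import plistlib
import sys
from datetime import datetime

# Keys expected in a pairing record (assumption; the article does not list them).
KEYS_OF_INTEREST = ("HostID", "SystemBUID", "WiFiMACAddress")
CERT_KEYS = ("HostCertificate", "DeviceCertificate", "RootCertificate")


def summarize_pairing_record(data: bytes, udid: str, mtime: float) -> dict:
    """Parse one pairing record plist into a compact audit summary."""
    record = plistlib.loads(data)
    summary = {"udid": udid, "paired_at": datetime.fromtimestamp(mtime).isoformat()}
    for key in KEYS_OF_INTEREST:
        summary[key] = record.get(key)
    # All three certificates present means a complete, usable trust relationship.
    summary["complete"] = all(isinstance(record.get(k), bytes) and record[k] for k in CERT_KEYS)
    return summary


def audit_directory(path: str = "/var/db/lockdown") -> list:
    """Summarize every per-device pairing record found under `path`."""
    results = []
    for name in sorted(os.listdir(path)):
        # SystemConfiguration.plist holds the host's own BUID, not a device pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        full = os.path.join(path, name)
        with open(full, "rb") as fh:
            results.append(summarize_pairing_record(fh.read(), name[:-6], os.path.getmtime(full)))
    return results


# Constructed sample record (not from a real device) so the parser runs offline.
_FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "00000000-0000-0000-0000-000000000001",
    "SystemBUID": "00000000-0000-0000-0000-0000000000AA",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "HostCertificate": _FAKE_PEM,
    "DeviceCertificate": _FAKE_PEM,
    "RootCertificate": _FAKE_PEM,
})

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/db/lockdown"
    for entry in audit_directory(target):
        print(entry)  # one line per device this host is trusted by
```

Any record you do not recognise is a host the device will serve data to; deleting it (and resetting trust on the device) revokes that access.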
What Information Does Waterboard Recover?
- The entire file system of a jailbroken device, in many cases (via afc2)
- The entire “Media” jail of a non-jailbroken device (via afc)
- Photos, iTunes library, iBooks, and other media files
- All application data for App Store applications (Documents, Library, and tmp)
- A manifest of all installed App Store applications and their properties
- Extended device identity information including:
-- IMEI, UUID, MEID, IMSI, UCID, device and baseband serial number, and so on
-- Phone Number, SIM status, and so on
-- Carrier bundle name, version, ICCID, MCC, MNC
-- Current time zone configured
-- Hardware addresses of WiFi and BT interfaces, chipset model, other such markers
-- Device name, model, firmware version, iBoot version, and model color
-- PRL (preferred roaming list) version and carrier bundle version
- iCloud conflict information and sync peers (e.g. other desktop and mobile devices)
- Battery diagnostics (cycle count, design capacity, and so on)
- NVRAM flags (boot flags and other data)
- The current device time (in seconds since 1970)
- Networking diagnostics showing how much data was used daily on a per-app basis
- MobileSync data dumping Notes, Address Book, Calendar, and Safari Bookmarks
-- Captures all accounts being synchronized with the desktop
-- Does not capture iCloud sync accounts, but those do get captured elsewhere
- A cpio.gz (OSX version auto-extracts) archive of the following file system components:
-- Apple support data and system crash logs
-- User “Cache” folder
-- Screenshots of suspended applications
-- Cached web data stored by various applications
-- Pasteboard (clipboard) data
-- Icon cache
-- Safari reading list archives, recent searches, and activity thumbnails
-- What appears to be a video conference cache of local IP + date of call
-- Map tile database (of stored / viewed map tiles)
-- Apple TV playback logs, if acquiring an Apple TV with normal lockdown
-- Storage proxy logs
-- Bluetooth diagnostic information
-- The application installation log
-- Some PPP and VPN data
-- A complete dump of all activation and pairing records
-- Core Location cache
-- Keyboard (typing) caches
-- System Configuration information (WiFi AP join history / auto-join info)
-- A dump of the SMS database, SMS attachments, and SMS drafts (unsent SMS)
-- A dump of various user databases (Address Book, Calendar, etc)
-- A dump of the user’s voicemail stored on the device (including unread)
-- The user’s entire photo album, music collection, and media
-- System configuration data, such as accounts and wifi pairing history
-- iCloud local cache and control files
-- Lists of artifacts stored in iCloud
-- Lists of other devices (and computer names) synced with same iCloud
-- The tmp directory, which often contains useful data
-- A directory structure containing information about all files on /var
- The recent syslog backlog, and can perform a syslog capture of new events
- Packet header data captured by the live packet capture tool
- If backup encryption is NOT active, a full backup from the mobile backup service, acquirable in either file system format or iTunes backup format
Zdziarski notes that Waterboard is an extremely useful tool for law enforcement and can provide important evidence in a criminal case. He suggests it could also be used by corporations for conducting internal investigations and to determine what information company devices might be leaking. He also notes that individuals can use it to determine what data can be scraped from their device to better protect their own privacy.
"Given a few seconds with an unlocked device (or even a pass protected device that has been shut off, but whose passcode is not required immediately), anyone can establish a pairing which will grant them carte blanche access to the information Waterboard delivers, which they can pull at any time over either usb or wireless."
Jonathan Zdziarski, also known as "NerveGas", wrote the "iPhone Open Application Development" book and the "iPhone Forensics" book. He has also written an iPhone forensics manual distributed exclusively to law enforcement, and has assisted many forensic examiners in their investigations.