Blog

Poisoned Apples – How Do We Find Them?

By Matthias Frielingsdorf

Nov 29, 2023

Excerpts from a talk by Matthias Frielingsdorf, VP of Research, presented at Objective by the Sea v6.0

‍Every year it gets harder and harder to exploit iOS, and yet every year a record number of vulnerabilities are discovered that were exploited in the wild. As the first mobile threat hunting company, we’re enthusiastic supporters of the iOS research community, frequent contributors to the Mac security conference Objective by the Sea (OBTS), and supporters of the foundation behind it.  

‍We’re also supporters of existing MDM solutions that already give organizations the ability to look for malicious applications and profiles. What if you want to find known or unknown spyware? What kind of forensics data should you be looking for and do you know how to ensure that your device is actually creating it? 

‍At this year’s OBTS conference, in addition to his annual update on the state of mobile malware research, our VP of Research, Matthias Frielingsdorf shared several easy-to-do methods for creating forensic artifacts on iOS to aid in future investigations for detecting spyware. 

‍Below is a brief summary of the methods covered in Matthias’ presentation.

Detection Capabilities - Backups

Backups are invaluable for increasing an investigator’s detection capabilities because they include crash logs, files, processes, and network data (such as IP and URLs). To get access to a process list you need a sysdiagnose or a backup. It’s not possible via a network or companion app.   

‍Checking your iPhone with your Mac over Apple diagnostic protocol allows you to extract sysdiagnose, backup data, and crash logs.  

‍Crash logs are automatically created when an app, system process, or the operating system itself crashes, meaning an error occurred that the app can't handle. When exploits fail, they also usually create crash logs, which forensic investigators can use to detect whether a device was attacked. 

‍Backup data provides information about the apps, processes, file metadata, and network data over a long period of time, so we can learn more about the history of the device. Sysdiagnose provides a snap-shot in time of the process list, OS Logs, application list, and different log files. 

‍However, looking at backups provides even more data, so this is where most of the traditional spyware detection is done. With a backup and sysdiagnose files, you get a list of all the applications as well as interesting information about files, logs, databases, network information, and processes. This makes backups a really helpful resource for investigators. 

Forensic Analysis Using an iTunes Backup

Here are four simple steps for creating forensic artifacts using iTunes backups:‍

  1. Connect your iPhone to a trusted computer.

  1. Open Finder and select your iPhone. 

  1. Turn on Encryption for your local backup. This is a really important step because it will create more interesting databases for malware investigators in your backup. You can still do iCloud backups if you want to. Please note, if you forget or lose your encryption password, you can’t recover it and you won’t get access to that data later on.

  1. Take a Backup. This can take a while depending on the quantity and size of your files. A forensics expert can use this to investigate the history of your device with the types of data we discussed above. 

Forensic Analysis Using Sysdiagnose

Now, we’ll take a look at how to create forensics artifacts using Apple’s sysdiagnose on your iPhone. 

  1. Run sysdiagnose on your iPhone. Apple published an excellent guide on how to do this at: https://it-training.apple.com/tutorials/support/sup075.

  1. Wait until it’s finished. It usually takes a few minutes.

  1. Connect your iPhone to a trusted computer.

  1. Use Finder to sync your iPhone. This also takes a few minutes.

  1. Locate the files stored in: ~/Library/Logs/CrashReporter/MobileDevice/. A forensics expert can use these to conduct their analysis.  

Challenges with Forensic Analysis

Alas, there are downsides to each of these methods, which make them difficult to scale for organizations with fleets of iOS devices: 

  • Running and copying sysdiagnose takes 10-15 minutes and the sysdiagnose process does not provide visible feedback to the user.

  • iTunes Backups may take hours depending on the size of the files on your device. This happens both when you’re creating the backup and when you decrypt it. 

  • Both need user interaction.

  • Both need experts to analyze for unknown bugs.

  • Public analysis tools require some knowledge of IT, including Python.

  • Most forensic training doesn't include iOS malware analysis, let alone show you how to look for spyware like Pegasus. You can still sign up for Matthias’ BlackHat virtual workshop on iOS forensics until December 2! 

  • Forensic experts or organizations (like iVerify) that can do the analysis are scarce. 

You can watch the full length recording of Matthias talk at: https://youtu.be/m_RTWaBkEwk?si=t53reK5Vasv-cPYv. Slides for this year’s talks are also available from OBTS at: https://objectivebythesea.org/v6/talks