First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistance with research and with testing.
During my last examination and analysis, I learned some interesting things and would like to share them with you. After the examination of an Apple iPhone 7, I discovered some photos were captured using the camera application (com.apple.camera.CameraMessagesApp) from within the native iPhone messaging application (com.apple.MobileSMS). As a result of photos being captured, several files were created that I haven’t observed during my past examinations and I had a few questions.
Was this because I was examining a full file system extraction?
or
Was it because I haven’t been paying close enough attention during my exams?
Either way, I set out to test and validate what I discovered.
Suspect’s Device: Test Device:
Apple iPhone 7 (A1778) Apple iPhone XS (A1920)
iOS 13.4.1 (17E262) 13.5.1 (17F80)
During testing, I did not find any significant changes between 13.4.1 and 13.5.1 that would make the testing invalid. I did notice when looking an iOS 12.*.* FFS extraction there were some differences.
Acquisitions:
After Fist Unlock (AFU) Full File System (FFS) (Suspect’s device and test device).
Cellebrite UFED 4PC Advanced Logical and Logical extraction (Suspect’s device only).
Tools Used:
Cellebrite UFED 4PC (7.34.0.116)
Cellebrite Physical Analyzer (PA) (7.35.00.33 – 7.36.0.35)
Magnet AXIOM (4.3.1.20814)
Artifact Examiner (1.3.6.1) https://www.doubleblak.com/
Mushy Plist Viewer (1.2.7.0)
iLEAPP (1.2) https://github.com/abrignoni/iLEAPP
APOLLO (1.1) https://github.com/mac4n6/APOLLO
Zimmerman Hasher (1.9.2.0)
Navicat for SQLite (15.0.1)
DB Browser (3.12.0)
Testing and Validation:
While examining the suspect’s device and analyzing the data, I had a few questions about the data being displayed and how it was created. I formulated a few scenarios that might help demonstrate and explain what happened:
Scenario #1 – What happens when a photo is captured (com.apple.camera.CameraMessagesApp) within the native iOS messenger (com.apple.MobileSMS) and sent as an attachment?
Scenario #2 – What happens when a photo is captured from within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread (/private/var/mobile/Library/SMS/Attachments/)?
Scenario #3 – What happens when a photo is captured within native iOS messenger, sent as an attachment message and the photo sent as an attachment is later deleted from the Photos Application (/private/var/mobile/Media/DCIM/)?
Scenario #1 – What happens when a photo / live photo is captured using the camera application within native iOS messenger and sent as an attachment:
During the testing I followed the steps below to capture both photos and live photos:
- Launched the native iOS messenger application (Figure 1.1) and entered a conversation thread (Figure 1.2).
- From the conversation thread clicked the camera icon (Figure 1.3), a photo was captured (Figure 1.4) and clicked done (Figure 1.5). Note: Figure 1.5 this is a preview of the photo that can be sent. But wasn’t this a photo that was captured?? Thanks to Jared Barnhart’s help, I learned this photo is in fact saved to the device even if the user chooses to “Retake” the photo. This photo will be stored in the /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ folder.
- A preview then appeared (Figure 1.6) and clicked the up arrow to send the photo to its recipient without any text (Figure 1.7).
Now let’s take a look at what happens within the device when these actions occurred.
The application usage and applications in focus was recorded within the KnowledgeC database. There are several resources and published research about the KnowledgeC database and what can be found within it. I would encourage you to take the time to review the list of references and other sources at the end of this blog.
8:21:22 PM – 8:22:54 PM the application (com.apple.MobileSMS) was launched and in use.
During that time:
8:22:01 PM – the back camera was turned on
8:22:03 PM – the application (com.apple.camera.CameraMessagesApp) was launched and several cached locations were created and stored in Cache.sqlite – ZRTCLLOCLATIONMO table. These locations were accurate for where the device was located during testing. If you have additional questions about location data please see Ian Whiffin’s presentation in the list of resources.
8:22:03 PM – Miscellaneous file path locations were opened, modified and created related to \private\var\db\uuidtext\. I haven’t researched or decoded any of these but wanted to mention it.
Figure 1, Figure 2, Figure 2.1 Figure 3 and Figure 4 are examples of how different tools represented the launched applications and what was decoded.
8:22:03 PM – a property list (plist) was created:
private\var\mobile\Library\SMS\PluginMetaDataCache\BB6846A9-F53A-4DDA-9FA9-75B5E4FDF94E\com.apple.messages.MSMessageExtensionBalloonPlugin:0000000000:com.apple.camera.CameraMessagesApp.plist
In Figure 4 we can see this plist can be viewed within AXIOM and could also be viewed within PA. I saved, exported and opened the plist using Ian Whiffin’s Mushy plist viewer. See Figure 4.1. The plist contained the phone number and the associated UUID’s for the device the attachment message was sent to.
This plist was also in the suspects device and contained a list of phone numbers and their associated UUID’s. There appears to be different property lists for different types of messages sent:
At 8:22:20 PM a live photo of my friend Dexter was captured, which resulted in several files being created on the device to include the following:
Each tool used to examine the test data, put these files in a different order in the timeline, but they all had the same capture and created time of 8:22:20 PM. See Figure 5.
Figure 5.1 within AXIOM – Timeline, there is an event for an entry being made into the Photos.sqlite database. See Figure 5.2 and Figure 5.3 for more details.
Photos.sqlite information
In Figure 5.3 we are looking within PA SQLite Viewer and looking at the Photos.sqlite database ZGENERICASSET table. Notice that all of the PK values are in sequential order and there are no missing values, indicating that the list is complete. I just stated when I took a photo of Dexter there were multiple files created to include IMG_0012.MOV. Where is the information about the additional files? More on this is to come in this blog.
Notice in Figure 5.3 there’s indication that an entry was also made in Photos.sqlite ZADDITIONALASSETATTRIBUTES table. Notice AXIOM is indicating that both the Z_PK value and the ZADDITIONALASSETATTRIBUTES value are the same. More about this later in the blog. Got to give a big shout out to Ian Whiffin here. I first noticed these values when viewing the full file system dump from within his tool Artifact Examiner (ArtEx). I reached out to him with a few questions, which he answered right away. It helped so much while examining the suspect’s device…Thanks Ian!! See Figure 6.
In Figure 7 we can see the ZADDITIONALASSETATTRIBUTES table and some key information about IMG_0012.JPG.
I wanted to take a minute and discuss some of the items I discovered while examining at the ZADDITIONALASSETATTRIBUTES table. First notice, that Z_PK entries 1-6 do not have a date in the ZEXIFTIMESTAMPSTRING column. These images were not captured with the test device. They were sent to the test device as MMS from an android device. These photos were then saved to the photos application via the native iOS messenger application. Notice the ZCREATORBUNDLEID indicates com.apple.MobileSMS. See Figure 7.1.
Z_PK entries 7-11 and 17-22 were captured with the test device native camera application, launched from the springboard. Notice there isn’t an entry for ZCREATORBUNDLEID, but there is a value for ZIMPORTEDBY. Using the suspect data and the test data, I believe I’ve decoded some of the values. These are preliminary and require additional testing:
0 = Is related to .MOV files.
1 = Captured via native Back facing camera
2 = Captured via native Front facing camera
3 = Third Party Application – Snapchat
6 = Third Party Application – Facebook
8 = Captured via native Back facing Camera
9 = Saved from outside source (SMS, Safari)
Notice there is a binary property list located in the ZREVERSELOCATIONDATA column for each one of these entries. Location services was active for the camera application when the photos were captured. Notice that entries 21 and 22 do not have binary property lists. These photos were captured minutes before the device data was extracted. I believe data did not have time to populate this field prior to the device being acquired. I will discuss the contents of this bplist later in this blog. See Figure 7.2 and Figure 7.3.
Figure 7.2, Figure 7.2.1 and Figure 7.2.2 Screenshots of test device location services settings
Z_PK entries 12-16 were captured via the Camera Application from within iOS Messenger. See Figure 7.4.
Something to notice here…ZORIGINALFILENAME column. All of the photos captured using the CameraMessagesApp have an UUID as the original file name. If you remember when I was discussing the Photos.sqlite – ZGENERICASSET table, these files are not listed in the ZFILENAME column. Another note, only the JPG files that were created are listed. Remember there were several files created as the result of me capturing a live photo of Dexter using the CameraMessagesApp:
Date, Times and Time Zone:
Notice in the ZADDITIONALASSETATTRIBUTES table ZEXIFTIMESTAMPSSTRING column and the ZGENERICASSET table ZDATECREATED column the dates and time values are being stored in different formats. The values in the ZDATECREATED are natively stored as unix epoch and require conversion, but the values in ZEXIFTIMESTAMPSSTRING column are being stored according to the device time settings when the files were captured. In the test device, the date and time settings were set to auto and the time zone was set to Cupertino also known as Pacific Time (UTC -8 or -7…damn DST). There are other columns within the database that record the time zone setting at the time the files are created ZADDITIONALASSETATTRIBUTES table ZTIMEZONEOFFSET, ZINFERREDTIMEZONEOFFSET and ZTIMESONENAME columns.
Orientation:
In ZGENERICASSET table there is a column ZORIENTATION. Using the test device data, I determined 1 = Horizontal and 6 = Vertical. The photos I sent from an android to the test device had both horizontal and vertical original orientations. When they were saved to the test device, all of the photos were saved with a horizontal orientation.
Locations:
In Figure 5 from Physical Analyzer, there is no location data being parsed for the photos that were captured using the CameraMessagesApp. After closer analysis, I could not locate any location data that was recorded within the EXIF data or database metadata for any of the items that were created with com.apple.camera.CameraMessagesApp application. During testing, location services was tuned on and the location was recorded for the files captured with the native camera (com.apple.camera), just not the files captured with com.apple.camera.CameraMessagesApp. Not sure if this is a security feature to conceal the location because the files are being sent via messenger. Note: I did a brief overview of the file at the hexadecimal level and did not find any location data. Additional analysis and research might be required to for a definitive conclusion.
In Figure 8 I have highlighted the columns related to the ZREVERSELOCATIONDATA column. Notice the ZREVERSELOCATIONDATAISVALID column and the values are 1 and 0. I believe based on the test data the values indicate 1 = If available has been populated and 0 = If available has not populated. This also appears to be related to ZGENERICASSET – ZANALYSISSTATEMODIFICATIONDATE. The items with a value of 0 in the ZREVERSELOCATIONDATAISVALID were also missing an Analysis State Modification Date. Additional testing and acquisitions are required for further analysis.
Let’s take a look at ZREVERSELOCATIONDATA bplist. This plist can be viewed from both Cellebrite PA SQLite Viewer and Magnet AXIOM SQLite Viewer, but like I stated earlier I used Ian Whiffins tool Mushy Plist Viewer. The locations discovered within this bplist were accurate as to where the device was located at the time the photos were captured. See Figure 8.1 and Figure 8.2.
There is a significant amount of data being stored within the Photos.sqlite database and there has been recent research and publications about this database by researchers far more advanced than I. I would strongly encourage you to review the reference material list at the end of this blog for additional details and links to the other research.
As a result of my research, I created a SQLite query that can be used to parse out some of the data from the Photos.sqlite. Please test and validate prior to using within your cases. Some of the column headers have long names that should allow you to decipher where the data is coming from. This should also allow others to improve upon it so it can be used within open source tools. Here is a link to a google drive for the script:
https://drive.google.com/file/d/1EiZWfahyKShkIo3LPA3T_r4U5LGsFV6Q/view?usp=sharing
Original file name & /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/:
After running the SQLite script in Navicat (paid) and DB Browser (free), I exported the output into a CSV. For this portion, I will again focus on the live photo that was created at the start of this presentation (IMG_0012.JPG). Figure 9 is a portion of the output to show how the files are related:
Notice the original file name for IMG_0012.JPG is 61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG.
The file 61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG is being stored at: /private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/
During the examination of the suspect device, some of the files created during this testing process were located, but the more obvious files that should have been present appeared to be deleted. What does that mean??
In the suspect’s device, I located files being stored in the /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ file location. Notice that I removed the UUID and replaced it with <UUID>. In the suspect’s device the UUID for this temporary file location was different than the one listed in my test device. Here are the two file paths:
Suspect Device:
/private/var/mobile/Containers/Data/PluginKitPlugin/6E9D5BDD-2BF6-4203-9608-BAEF8CAAD00A/tmp/
Test Device:
/private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/
When this was discovered in the test device, I believed there had to be documentation which indicated a relationship between the temporary file location and an associated application. Figure 10 is a screenshot from Physical Analyzer that shows the temporary file and a view of the file system. Notice in the file system there is a plist in the root of the “45AAD7D6-8C36-411A-B311-04EAE0B5C470 folder.
In Figure 11 I exported the plist (.com.apple.mobile_container_manager.metadata.plist) and when viewed with Mushy Plist Viewer, I discovered a “MCMMetadataIdentifier: AsciiString = com.apple.CameraMessagesApp.” This appears to be the application associated with the folder path UUID.
Based on the testing and what was observed in the suspect’s device, I came to the conclusion that if a file was stored in this file path, it was captured/created via the CameraMessagesApp.
Note: This was not the only application that was storing data at /private/var/mobile/Containers/Data/PluginKitPlugin. There are several other applications storing data at this location, to include SnapChat. I haven’t gone into detail about the other data contained here, but it would be very beneficial to analyze this file location to see if any evidence you are looking for could be found here.
Scenario #2 What happens when a photo is captured from within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread:
In Figure 12 we can see within PA a file, IMG_0014.JPG, that was captured using Camera Messenger Application. When this photo was captured Live Photos was turned OFF. The photo was captured, attached to a message and then sent to another device. At a later time, the sent message with the attachment was deleted from messenger. In this instance the files that remained on the test device were stored at:
/private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/61777243558__254929A7-4814-450F-A490-956A86DDEC80.JPG
/private/var/mobile/Media/DCIM/100APPLE/IMG_0014.JPG
Note: In this example there wasn’t any text in the message only the attachment.
I thought this might be a great time to change my PA Duplicates settings. I entered the setting and changed “Multiple Extraction” settings from not merging similar items to merge similar items. I then closed the case and reprocessed the extraction.
After reprocessing the data, I noticed all of the similar files were merged based on their hash. I then filtered the merged photos based on the temporary file location /private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470. See Figure 13.
In Figure 13, all of the duplicates and similar items are merged with each other, hence the layered squares icon on the bottom left of each photo. When examining the icon notifications within Physical Analyzer, I noticed two icons were missing from the highlighted photo. One was the outgoing message icon that indicates a message was sent and the other was the paperclip icon used to indicate attachment. These icons are missing because the message and the attachment were deleted from the message thread. When the message and the attachment were deleted, the associated file being stored at /private/var/mobile/Library/SMS/Attachments/ was deleted. I could not locate the file and it appeared to be removed from the device as soon as the message was deleted.
In Figure 12 the other files being displayed were created via the same method as the one highlighted.
NOTE: It was not this easy when I was examining the suspects device!! There were thousands of photos and I had no idea what I was looking for or what I was looking at once these were found.
Scenario #3 What happens when a photo is captured within native iOS messenger, sent as an attachment message and the photo sent as an attachment is later deleted from the Photos Application:
In Figure 14 we can see within PA a file, IMG_0013.JPG, that was captured using Camera Messenger Application. When this photo was captured Live Photos was turned OFF. The photo was captured, attached to a message and then sent to another device. At a later time, the photo being stored at /private/var/mobile/Media/DCIM/100APPLE was deleted. Luckily, I was able to extract the device data before it the photo was removed from “Recently Deleted.” In this instance the files that remained on the test device were stored at:
/private/var/mobile/Library/SMS/Attachments/43/03/042886A9-EF88-4ADE-9AE7-013078A63B1F/61777224175__CCFF7725-BFDC-4CAA-84BA-DB045C7EAB28.JPG
/private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/61777224175__CCFF7725-BFDC-4CAA-84BA-DB045C7EAB28.JPG
/private/var/mobile/Media/DCIM/100APPLE/IMG_0013.JPG – “Recently Deleted”
Notice in Figure 14 there is an indication that IMG_0013.JPG was deleted or is in the trash/recently deleted. Unfortunately, at the time this blog was published, the amount of time necessary for the recently deleted photo to permanently delete hasn’t passed. I will complete a follow up blog posting to let everyone knows which files remain after the photos application (/private/var/mobile/Media/DCIM/100APPLE/IMG_0013.JPG) photo gets permanently deleted. Additional testing and device acquisitions to be completed in the near future.
Let’s take a look at what this looks like in via the SQLite query that was written for the Photos.sqlite database. See Figure 15. Notice that there is a status column for File Trash State and another column File Trash Date.
Magnet AXIOM File Relationship using Connections:
After my research and testing it’s been determined the files created with com.apple.camera.CameraMessagesApp are related and wanted to see if AXIOM connections feature would relate these files. The only connection that was displayed was through the matching file hashes. See Figure 16.
Summary:
During this blog we discussed some additional file locations that should be analyzed if you have a iOS Full File System extraction.
You should check the Photos.sqlite database and review the original file names. This could indicate the existence of additional files to analyze and if a full file system extraction would be beneficial to your investigation.
The /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp file location can hold vital data that might not be present in other extractions. It can also contain files that were deleted by the user and may not exist elsewhere.
You should also check Photos.sqlite creator bundle ID which could indicate which application was being used to capture the photo. Using this information, you can locate the appropriate /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp file location that can be examined for additional files.
I couldn’t have completed this research without help from the other outstanding and knowledgeable professionals who have been doing this type of work long before I even acquired my first cell phone. I would like to take this time to say thanks to everyone who shares their experiences with the community and list some resources that I have used during my forensic examinations and hope it can help you as much as it helped me.
Thanks, for going on this journey with me and please feel free to contact me if you have any questions about this research blog. As always, please test and validate your findings and take time to share!
Heather Mahalik Blog: https://smarterforensics.com Twitter @HeatherMahalik
Sarah Edwards Blog: https://www.mac4n6.com Twitter @iamevltwin GitHub: https://github.com/mac4n6
Alexis Brignoni Blog: https://abrignoni.blogspot.com Twitter @AlexisBrignoni GitHub: https://github.com/abrignoni
Ian Whiffin Blog: https://www.doubleblak.com Twitter @BlakDouble
Ed Michael Twitter @EdXlg123 GitHub: https://github.com/edmichael
Jared Barnhart Blogs hosted at: https://www.mac4n6.com Twitter @bizzybarney
Mike Williamson Blog: https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics Twitter @forensicmike1
and many others!