Forensic Analysis of the Apple TV CCF Project

Transcription

Forensic Analysis of the Apple TV CCF Project
Forensic Analysis of the Apple TV
CCF Project Proposal
Daniel Rom˜ao and Nikolaos Petros Triantafyllidis
April 17, 2015
1
Introduction
Embedded devices are always of huge interest in the forensics world. These mini computers often
store and provide information that is often overlooked by criminals and can be a game changer
in court. In this project, we will perform a deep forensic analysis of the latest Apple TV. The
Apple TV is a popular TV content streamer box, found in many homes and offices. Though
the latest Apple TV cannot be used to store user material, it is a heavily networked device.
Information extracted from network traffic can provide an investigator with information on the
usage of the device, ultimately mapping the presence of a user to a place during a certain time
frame. Besides this, the Apple TV has a USB service port that might also be usable to obtain
relevant information.
Also interesting, is the network services the Apple TV provides. Besides streaming content, the
Apple TV provides features such as AirPlay, which allows a iOS device or a Mac to use the screen
connected to the Apple TV as a second display, and Bonjour, Apple’s zeroconf implementation,
which is used to discover devices an services on the local network.
As mentioned before Apple TV is an iOS device. Therefore, there is ongoing effort to try and
’jailbreak’ the device, i.e. circumvent the restrictions posed by Apple inc. on the device, and
be able, for example, to access the filesystem. However, no solid jailbreak solution has been
presented yet. Hence, the aim of this research will be to find ways to extract forensic evidence
from a device that is not jailbroken.
2
Problem statement
The main research question is:
How much and what kind of forensic evidence can be extracted from an Apple TV
device?
This question leads to the following sub-questions:
1. Is is possible to extract enough information from an Apple TV to map a certain person to
a location at a certain time?
2. How relevant is the traffic from an Apple TV gathered on a network?
3. Is it possible to extract relevant information from the USB service port?
4. Is is possible to hide information in the storage of the device?
5. Can we perform the investigation without having to damage the device?
1
3
Related work
The Apple TV has been a target of the hacker community since its introduction. Numerous
resources can be found on the Internet on how to jailbreak the Apple TV v1 and v2. A good
example can be found on the Mac World website [1].
There is a comprehensive project around Apple TV hacking and forensics presented At DefCon
17 in 2011. This demonstration however focuses on Apple TV generation 1, which ran OS X and
not iOS and these techniques cannot be applied to the latest Apple TV version [2].
Since the introduction of the latest major version, version 3, there are no available exploits to
jailbreak the Apple TV. The main reason of this, is the USB port on the device, is limited in
functionally, not allowing the operations available on other iOS devices.
4
Scope
In this project, we will focus on the information that can be gathered by accessing the USB port
of the Apple TV, and from the network communication. For the network communication, we
will attempt to perform a man-in-the-middle attack and correlate the traffic with the usage of
the device. We will also attempt to inspect the encrypted traffic by running a SSL proxy.
We do not know yet if there are any tools currently that can grant us full access to the filesystem
of the device. One of our goals is to try and develop a new software component, based on existing
libraries, that can help us browse the filesystem and collect interesting data. We cannot know
for sure, however, this attempt is feasible or inside the scope of the current project.
We will not perform any test that require opening the device (i.e. breaking the casing and
accessing the internal hardware).
5
Approach
As written before, we will focus on two main components: the service USB port and network
traffic. Developing new modules will be explored in a later phase.
5.1
USB port
The main tools we will be using for this approach will be the libimobiledevice library and Santoku
Linux.
• libimobiledevice
This software library is a cross-platform implementation that provides communication to
Apple devices (iPhones, iPads, AppleTVs, etc.). It does not depend on proprietary software
nor does it require jailbreaking. It allows other software to easily access the device’s
filesystem, retrieve information about the device and it’s internals, backup/restore the
device, etc [3].
The API documentation clearly mentions methods that provide that sort of access.
We will try to review existing tools based on that library and see if the fit our needs,
otherwise we will explore the feasibility of creating new software that will allow us to
access the filesystem.
Libimobiledevice is a C libary that also exposes Python extensions.
• Santoku Linux
Santoku is a Lubuntu based Linux distribution aimed towards Mobile Forensics, Mobile
Malware Analysis and Mobile Security Testing. It ships with pre-installed SDKs, drivers
and utilities for various platforms as well as tools that help with forensic investigation of
various mobile devices [4].
2
5.2
Network traffic
Apple TV communicates with the Apple servers frequently. This communication is mostly composed by diagnostic information used to improve the quality of the product and traffic related
to the usage of the device. Besides this, traffic to web services offered by the Apple TV can also
be observed. Most of this traffic is, however, usually encrypted with TLS. Our aim is to try and
communicate with the device, faking the Apple server by feeding the device with fake certificates
and see how it reacts. That way we will try to see if we can gather forensic evidence from the
network traffic.
Moreover, Apple TV might monitor neighboring devices via Apple’s ZeroConf implementation,
Bonjour. Capturing the network traffic can give us valuable information about the presence of
certain device in a space where an Apple TV is installed.
6
Requirements
For this project, we will need an Apple TV. This requirement is already met as the SNE research
group kindly provided us one of these devices.
7
Ethical considerations
Our tests will be performed on a wiped Apple TV. No user data will be accessed or exposed
during this project.
8
Planning
• Week 1 - Write proposal, initial feasibility tests
• Week 2 - Find which information can be retrieved via the USB interface
• Week 4 - Find relevant network services and traffic. Gather any existing forensic evidence.
• Week 5 - Development of demonstration
• Week 6 - Write Report
• Week 7 - Presentation
References
[1] Hattersley, L. (2015). Here’s how to jailbreak an Apple TV. [online] Macworld UK. Available
at: http://www.macworld.co.uk/how-to/apple/how-jailbreak-apple-tv-3594437/
[2] Estis, K. and Robbins, R. (2009). Hacking the Apple TV and Where your Forensic Data Lives. https://www.defcon.org/images/defcon-17/dc-17-presentations/
defcon-17-kevin_estis-apple_tv.pdf
[3] Libimobiledevice.org, (2015). libimobiledevice - A cross-platform software library and
tools to communicate with iOS devices natively. [online] Available at: http://www.
libimobiledevice.org
[4] Santoku-linux.com, (2015). Santoku-Linux. [online] Available at: https://santoku-linux.
com
3