Forensic Analysis of the Apple TV CCF Project
CCF Project Proposal

Daniel Romão and Nikolaos Petros Triantafyllidis

April 17, 2015

1 Introduction

Embedded devices are always of huge interest in the forensics world. These mini computers often store and provide information that is overlooked by criminals and can be a game changer in court.

In this project, we will perform a deep forensic analysis of the latest Apple TV. The Apple TV is a popular TV content streamer box, found in many homes and offices. Though the latest Apple TV cannot be used to store user material, it is a heavily networked device. Information extracted from network traffic can provide an investigator with information on the usage of the device, ultimately mapping the presence of a user to a place during a certain time frame. Besides this, the Apple TV has a USB service port that might also be usable to obtain relevant information.

Also interesting are the network services the Apple TV provides. Besides streaming content, the Apple TV provides features such as AirPlay, which allows an iOS device or a Mac to use the screen connected to the Apple TV as a second display, and Bonjour, Apple's zeroconf implementation, which is used to discover devices and services on the local network.

As mentioned before, the Apple TV is an iOS device. Therefore, there is an ongoing effort to 'jailbreak' the device, i.e. circumvent the restrictions imposed by Apple Inc. on the device, and be able, for example, to access the filesystem. However, no solid jailbreak solution has been presented yet. Hence, the aim of this research will be to find ways to extract forensic evidence from a device that is not jailbroken.

2 Problem statement

The main research question is:

How much and what kind of forensic evidence can be extracted from an Apple TV device?

This question leads to the following sub-questions:

1. Is it possible to extract enough information from an Apple TV to map a certain person to a location at a certain time?
2. How relevant is the traffic from an Apple TV gathered on a network?
3. Is it possible to extract relevant information from the USB service port?
4. Is it possible to hide information in the storage of the device?
5. Can we perform the investigation without having to damage the device?

3 Related work

The Apple TV has been a target of the hacker community since its introduction. Numerous resources can be found on the Internet on how to jailbreak the Apple TV v1 and v2. A good example can be found on the Macworld website [1]. There is a comprehensive project around Apple TV hacking and forensics presented at DefCon 17 in 2011. This demonstration, however, focuses on Apple TV generation 1, which ran OS X and not iOS, and these techniques cannot be applied to the latest Apple TV version [2]. Since the introduction of the latest major version, version 3, there are no available exploits to jailbreak the Apple TV. The main reason for this is that the USB port on the device is limited in functionality, not allowing the operations available on other iOS devices.

4 Scope

In this project, we will focus on the information that can be gathered by accessing the USB port of the Apple TV, and from the network communication. For the network communication, we will attempt to perform a man-in-the-middle attack and correlate the traffic with the usage of the device. We will also attempt to inspect the encrypted traffic by running an SSL proxy.

We do not know yet if there are any tools currently available that can grant us full access to the filesystem of the device. One of our goals is to try and develop a new software component, based on existing libraries, that can help us browse the filesystem and collect interesting data. We cannot know for sure, however, whether this attempt is feasible or inside the scope of the current project.

We will not perform any tests that require opening the device (i.e. breaking the casing and accessing the internal hardware).
5 Approach

As written before, we will focus on two main components: the USB service port and the network traffic. Developing new modules will be explored in a later phase.

5.1 USB port

The main tools we will be using for this approach will be the libimobiledevice library and Santoku Linux.

• libimobiledevice: This software library is a cross-platform implementation that provides communication with Apple devices (iPhones, iPads, Apple TVs, etc.). It does not depend on proprietary software nor does it require jailbreaking. It allows other software to easily access the device's filesystem, retrieve information about the device and its internals, back up/restore the device, etc. [3]. The API documentation clearly mentions methods that provide that sort of access. We will try to review existing tools based on that library and see if they fit our needs; otherwise we will explore the feasibility of creating new software that will allow us to access the filesystem. libimobiledevice is a C library that also exposes Python extensions.

• Santoku Linux: Santoku is a Lubuntu-based Linux distribution aimed at mobile forensics, mobile malware analysis and mobile security testing. It ships with pre-installed SDKs, drivers and utilities for various platforms, as well as tools that help with the forensic investigation of various mobile devices [4].

5.2 Network traffic

The Apple TV communicates with Apple's servers frequently. This communication is mostly composed of diagnostic information used to improve the quality of the product and traffic related to the usage of the device. Besides this, traffic to web services offered by the Apple TV can also be observed. Most of this traffic is, however, usually encrypted with TLS. Our aim is to try and communicate with the device, faking the Apple server by feeding the device fake certificates, and see how it reacts. That way we will try to see if we can gather forensic evidence from the network traffic.
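As an added illustration of the service-discovery traffic this section refers to (Bonjour is Apple's mDNS-based zeroconf, and AirPlay instances are announced as DNS PTR records on the local network), the Python parser below decodes an mDNS response and extracts the service instance it announces, including the name-compression pointer and the cache-flush class bit an investigator will meet in real captures. This is example code written for this edit, not part of the proposal or of any tool it mentions; the packet bytes are constructed by hand, not captured from a device.

```python
import struct

# Constructed mDNS response (not a real capture): one PTR answer announcing
# an AirPlay service instance "Living Room" under the _airplay._tcp.local type.
SAMPLE_MDNS_RESPONSE = (
    b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00"  # header: response, ANCOUNT=1
    + b"\x08_airplay\x04_tcp\x05local\x00"               # owner name at offset 12
    + b"\x00\x0c"                                         # TYPE = PTR (12)
    + b"\x80\x01"                                         # CLASS = IN with mDNS cache-flush bit
    + b"\x00\x00\x11\x94"                                 # TTL = 4500 s
    + b"\x00\x0e"                                         # RDLENGTH = 14
    + b"\x0bLiving Room\xc0\x0c"                          # RDATA: "Living Room" + pointer to 12
)

def read_name(buf, offset, depth=0):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as stored in the stream)."""
    labels = []
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if depth > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            tail, _ = read_name(buf, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:                           # root label ends the name
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("utf-8", "replace"))
        offset += length

def parse_ptr_services(packet):
    """Return (owner, target, ttl) for every PTR record in an mDNS packet."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", packet, 0)
    offset = 12
    for _ in range(qd):                           # skip questions: name + type + class
        _, offset = read_name(packet, offset)
        offset += 4
    services = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        if rtype == 12:                           # PTR: RDATA is itself a name
            target, _ = read_name(packet, offset)
            services.append((owner, target, ttl))
        offset += rdlen                           # skip RDATA of any record type
    return services
```

Feeding the UDP payloads of a capture on 224.0.0.251:5353 through parse_ptr_services, together with each frame's timestamp and source address, yields the per-device presence timeline the research questions ask for.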
Moreover, the Apple TV might monitor neighboring devices via Apple's ZeroConf implementation, Bonjour. Capturing the network traffic can give us valuable information about the presence of a certain device in a space where an Apple TV is installed.

6 Requirements

For this project, we will need an Apple TV. This requirement is already met, as the SNE research group kindly provided us with one of these devices.

7 Ethical considerations

Our tests will be performed on a wiped Apple TV. No user data will be accessed or exposed during this project.

8 Planning

• Week 1 - Write proposal, initial feasibility tests
• Week 2 - Find which information can be retrieved via the USB interface
• Week 4 - Find relevant network services and traffic. Gather any existing forensic evidence.
• Week 5 - Development of demonstration
• Week 6 - Write report
• Week 7 - Presentation

References

[1] Hattersley, L. (2015). Here's how to jailbreak an Apple TV. [online] Macworld UK. Available at: http://www.macworld.co.uk/how-to/apple/how-jailbreak-apple-tv-3594437/
[2] Estis, K. and Robbins, R. (2009). Hacking the Apple TV and Where your Forensic Data Lives. [online] Available at: https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-kevin_estis-apple_tv.pdf
[3] Libimobiledevice.org (2015). libimobiledevice - A cross-platform software library and tools to communicate with iOS devices natively. [online] Available at: http://www.libimobiledevice.org
[4] Santoku-linux.com (2015). Santoku-Linux. [online] Available at: https://santoku-linux.com