Working with Wickr Part 3

wickr1

The physical acquisition of our iPhone 3GS was acquired through the UFED Physical Analyzer previously, and we have begun analyzing the data.  Due to the nature of this project, we are creating scenarios to understand the types of data being stored on the device, location of the data within the directory of the phone, and the way in which information is stored.

The search details for this project are known files and file types previously generated. These preliminary findings can allow us to determine which files to look for and provide the user the location of the data on the device.

The File system data of the iPhone 3GS was extracted using the Cellebrite UFED Touch Pro and then opened in the UFED Physical Analyzer.

After the image was acquired with the UFED Physical Analyzer, the UFED parsed the data from the device and categorized the data found on the device. In the Password section (see image below) within the UFED Physical Analyzer, we were able to view some of the credentials used on the iPhone 3GS in Wickr.

dftgyhuj        

The following is the data found in the Password tab of the physical extraction from the UFED Physical Analyzer:

The username that we used for Box (cloud storage) was lcdi@champlain.edu, which was acquired by the UFED Physical Analyzer from the Wickr app, un-encrypted, as seen in the image below. 1

T Google Drive username that we used, champforensics@gmail.com, was also acquired from the Wickr app, un-encrypted, as seen below. 2

For further analysis of the iPhone 3GS extraction, we dumped the filesystems (Data and System) from the UFED Physical Analyzer onto our desktop and then acquired them using FTK 4.1.0.

While other options were used throughout the analysis in FTK 4.1.0, the Live Search feature was used to search for specific data strings found on the device. Live search is one of two main features of FTK used to search the acquired data. Live Search allows an investigator to conduct a bit by bit comparison of the data found on the device. Index Search is another search feature, which allows the user to acquire the results quickly by indexing all of the words in the case. Live Search is time-consuming when compared to an Index Search but searches the device thoroughly and accurately. Live Search is also the best option if the user wants to find non-alphanumeric data.

From most of the keyword searches, we were able to see the data that was sent through Box, such as the name, date, and timestamp data for the file, which is stored in the BoxCoreDataStore.sqlite under rows _(generic numbers).html. The following keyword search examples show the files we sent and the data we found:

  1. A pdf labeled “LCDI_Shirts.pdf” was sent from our iPhone 5 to the iPhone 3GS. The information about the PDF was found under: Data\Mobile\Applications\Documents\BoxcoreDataStore.sqlite33333

Under BoxCore data, the rows_0000000_0000005.html shows basic information of the LCDI_Shirts.pdf file.  This file is also part of the BoxCoreData found under Data\Mobile\Applications\Documents\BoxcoreDataStore.sqlite. 4444444

The row _0000000_0000005.html also has information about other files that were uploaded to Box. Not all of these files were sent to the iPhone 3GS via Wickr (the Mobile Forensics Phone’s List.xlsx was not sent), but the information about the files could be viewed without any encryption on the device.   

5555155552 

The above picture taken from the rows html file also states the creation time, or uploaded time, of the files onto Box. Using Dcode, the times can be converted to show the time a file was uploaded onto Box.

  • LCDI_Shirt.pdf’s creation time is Mon, 09 September 2013 16:38:00 -0400.

6666

  • Mobile Forensics Phone’s List.xlsx’s creation time is Mon, 09 September 2013 16:37:19 -0400.

7777

  • IMG_2564’s creation time is Mon, 09 September 2013 16:38:13 -0400.

8888

The times we collected through DCode match the times we uploaded the documents to Box.

Data from other cloud storage services such as Google Drive and Dropbox were not found, as they were most likely encrypted (the username for Google Drive mentioned earlier was the one exception).

Upon further analysis, a .jpg image from the LCDI_Shirts.pdf sent through Box was carved by FTK. This image was found under: Data\mobile\Applications\Library\Caches\com.mywickr.wickr\Cache.db-wal\Carved [591743].jpeg.

9999

 

-Megh Shah

 

More Research Projects
CyberRange Team: Creating The Perfect Sandbox Environment
The Internet of Things Team: An Inside Look
CyberTech: Creating a Safer Internet Through Education