Blog view point security technology department. 2015/08/21 14:08

Think of an ordinary file system as a large notebook. When a file is deleted, many people assume the page has been completely blacked out with a Sharpie marker, like a classified document about Area 51. What actually happens behind the scenes is more like drawing a giant X across the top of the page with a very thin red pen. The file is marked as deleted, but its contents are still on the disk. Anyone who wants to see it can still read the contents easily, regardless of the red X marking it as deleted. This is how trial lawyers (both on Boston Legal and in real life) retrieve large numbers of deleted files from a suspect's computer. Apple knows this, and beginning with iOS 4 introduced special, elaborate file system encryption to prevent deleted files from being recovered. This technique isn't perfect, however, and sometimes files can still be recovered.

As we saw earlier, iOS 4 and iOS 5 use an encrypted file system in which every file is encrypted with its own unique key. In the file system, this key is stored in an attribute named cprotect, where it is itself encrypted with AES key wrap under either the Dkey stored in the erasable area of NAND or one of the protection-class keys. When a file is deleted, its cprotect attribute is discarded. Without the encryption key held in that attribute, the file cannot be decrypted, and there is no point in recovering it.

Imagine having a secretary who follows you everywhere you go; call her Iris. Now imagine that Iris remembers everything you did for the past month or two by keeping a record of everything you said, with your permission. That is genuinely helpful, because you tend to forget things sometimes, especially when you drink too much coffee and have frequent emotional breakdowns. You can ask Iris what you said to a particular client on a particular day, and she can repeat it back to you.

But Iris (aside from being a constant source of embarrassment in your morning shower) has a downside: because she remembers everything you have ever said, she has also, without your noticing, taken down the passwords you hand to clients for accessing files on your website. You have adopted very strict security mechanisms to ensure that those passwords are never exposed. But Iris is with you all the time, and if someone can get hold of her, they have access to all of your clients' files.

Apple's HFS journal is iOS's electronic version of Iris. The HFS journal records all file system writes, changes, and deletions so that the file system does not lose data if the device crashes or the power fails. The journal is encrypted with the EMF key, which, as we learned earlier, is stored in the erasable area of NAND. The EMF key is not encrypted with the user's passcode, so anyone who knows what to do can decrypt the HFS journal without needing the passcode. The Sogeti brute force tool introduced in Chapter 5 has this capability in addition to extracting all the other encryption keys from the device. When a file's encryption key is written to disk in the cprotect attribute, the HFS journal automatically records a copy of it on disk as well.

When a file is deleted, the encryption key written to disk is erased, but the copy written into the HFS journal is not. This is probably because HFS journaling predates HFS+ encrypted volumes and therefore operates independently of encryption and the file system's other add-on features. Unless Apple locates and purges the encryption key of a deleted file from the journal, an attacker can steal a copy of the key and recover the original file.
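To make the mechanism concrete, here is an added toy model written for this article; it is not Apple's implementation and not the Sogeti tool. It models a volume where every catalog entry carries the file key wrapped under a class key (the cprotect attribute) and every catalog write is also copied into a journal encrypted under the EMF key. A plain delete drops the catalog entry but leaves both the ciphertext block and the journal copy of the key, so replaying the journal brings the file back; overwriting the block before deleting (the advice the summary gives) leaves the journal key intact but useless. The cipher is a SHA-256 keystream XOR standing in for AES, and the record layout, key sizes and sample files are all constructed assumptions.

```python
import hashlib
import os
import struct


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 counter-mode keystream.
    Symmetric (encrypt == decrypt) and NOT secure; it only models 'needs the key'."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">Q", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyJournaledVolume:
    """Miniature model of a journaled volume with per-file encryption, as the text
    describes. Constructed for illustration; the record format is an assumption."""

    def __init__(self, emf_key: bytes, class_key: bytes):
        self.emf_key = emf_key
        self.class_key = class_key
        self.catalog = {}    # name -> (block_id, wrapped_file_key)  [the cprotect copy]
        self.blocks = {}     # block_id -> ciphertext; never cleared by a plain delete
        self.journal = []    # EMF-encrypted copies of catalog records, oldest first

    def _log(self, name: str, block_id: int, wrapped: bytes) -> None:
        record = struct.pack(">I", block_id) + wrapped + name.encode()
        self.journal.append(toy_cipher(self.emf_key, record))

    def write(self, name: str, plaintext: bytes) -> None:
        file_key = os.urandom(16)
        wrapped = toy_cipher(self.class_key, file_key)      # models AES key wrap
        block_id = len(self.blocks)
        self.blocks[block_id] = toy_cipher(file_key, plaintext)
        self.catalog[name] = (block_id, wrapped)
        self._log(name, block_id, wrapped)                  # the copy that outlives the file

    def read(self, name: str) -> bytes:
        block_id, wrapped = self.catalog[name]
        return toy_cipher(toy_cipher(self.class_key, wrapped), self.blocks[block_id])

    def delete(self, name: str) -> None:
        """Ordinary delete: the catalog entry and its wrapped key go away;
        the ciphertext block and the journal record do not."""
        del self.catalog[name]

    def secure_delete(self, name: str) -> None:
        """Overwrite the block before deleting, so a key recovered from the
        journal no longer unlocks anything useful."""
        block_id, _ = self.catalog[name]
        self.blocks[block_id] = b"\x00" * len(self.blocks[block_id])
        self.delete(name)


def carve_journal(vol: ToyJournaledVolume) -> dict:
    """Replay the journal, unwrap keys for entries no longer in the catalog and
    decrypt their blocks: the emf_undelete idea reduced to the toy model."""
    recovered = {}
    for entry in vol.journal:
        record = toy_cipher(vol.emf_key, entry)
        block_id = struct.unpack(">I", record[:4])[0]
        wrapped, name = record[4:20], record[20:].decode()
        if name in vol.catalog:
            continue                                    # still live; nothing to recover
        file_key = toy_cipher(vol.class_key, wrapped)
        recovered[name] = toy_cipher(file_key, vol.blocks[block_id])
    return recovered


CHECK_IMAGE = b"\xff\xd8\xff constructed check photo bytes"       # constructed sample
PLAIN_PLIST = b"<?xml constructed plist holding a session token"  # constructed sample


def demo() -> dict:
    vol = ToyJournaledVolume(emf_key=os.urandom(16), class_key=os.urandom(16))
    vol.write("check.jpg", CHECK_IMAGE)
    vol.write("session.plist", PLAIN_PLIST)
    vol.delete("check.jpg")             # plain delete: key and content both survive
    vol.secure_delete("session.plist")  # overwritten first: key survives, content does not
    return carve_journal(vol)


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, "->", data[:16], "...")
```

Running it shows check.jpg coming back byte for byte while session.plist decrypts to noise, which is exactly the difference between marking a page with a red X and actually blacking it out.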

0x00 Scraping the HFS Journal

Sogeti's free data protection toolset, introduced in Chapter 5, contains a set of tools for decrypting iOS files and keychain data. Another tool in the suite, emf_undelete, scrapes the HFS journal for cprotect attributes that contain file encryption keys. The tool then attempts to use these keys to decrypt whatever remains of the files on disk. Like Iris, the HFS journal stores information only for a limited period, until it is rotated out as older data. Depending on how active the device is, this period can be as short as a day or as long as several weeks; the more heavily the device is used, the faster the journal rotates out old data.

To get at the contents of the journal, change into the python_scripts directory of the Sogeti toolset, run the emf_undelete.py script, and pass it the raw disk image retrieved with the RawTheft payload. You also need a copy of the device's encryption keys, obtained with the KeyTheft payload from Chapter 4.

```console
$ python emf_undelete.py rdisk0s1s2.dmg
Keybag: SIGN check OK
Keybag unlocked with passcode key
cprotect version : 2
Found deleted file record 109296 lto2.dat
Found deleted file record 111607 NetworkInterfaces.plist
Found deleted file record 111939 com.apple.AutoWake.plist
Found deleted file record 111571 com.apple.PowerManagement.plist
Found deleted file record 109294 com.apple.network.identification.plist
Found deleted file record 111874 com.apple.wifi.plist
Found deleted file record 111871 preferences.plist
...
```

When the script runs, it scans the journal for deleted file records and encryption keys, then performs a second pass that extracts the data into two directories named undelete and JUNK. The undelete directory contains files the script can verify were decrypted successfully; the JUNK directory contains files it cannot verify but which may still be valid.

The emf_undelete script has a small built-in list of file headers (known as magic values) that it uses to decide whether a decrypted file is valid. See the isDecryptedCorrectly function in hfs/journal.py:

```python
# Headers the script recognises: SQLite database, binary plist, XML plist,
# JPEG image and Mach-O binary
magics = ["SQLite", "bplist", "<?xml", "\xFF\xD8\xFF", "\xCE\xFA\xED\xFE"]
"""
HAX: should do something better like compute entropy or something
"""
def isDecryptedCorrectly(data):
    # A decrypted buffer is accepted only if it starts with a known header
    for m in magics:
        if data.startswith(m):
            return True
    return False
```

We can improve this to get better results. The implementation above limits the types of files the undelete script can validate. To broaden it and reduce the number of valid files that end up in the JUNK folder, replace the function with the following:

```python
import os
import commands
from util import write_file  # the toolset's own file-writing helper (module path assumed)

def isDecryptedCorrectly(data, filekey):
    # Callers in hfs/journal.py must now pass the file key as the second argument.
    # Write the candidate to a temp file named after the first 4 bytes of its key
    filename = "/tmp/%s.bin" % (filekey.encode("hex")[:8])
    write_file(filename, data)
    # Ask file(1) for a brief description; -b suppresses the filename prefix
    filetype = commands.getoutput("/usr/bin/file -b %s" % filename)
    os.unlink(filename)
    print "file type for %s: %s" % (filename, filetype)
    # file(1) answers "data" when it cannot identify the content
    if filetype == "data":
        return False
    return True
```

The code above calls an external program, file, a UNIX tool shipped with Mac OS X for determining file types. It recognises a large number of file formats, so it can determine whether a decrypted file is valid and readable and give more accurate results. When file cannot determine what kind of file it is looking at, it simply reports the generic type data.

Although file is more accurate, it does not recognise proprietary file formats. If your application uses custom formats for certain files, you may have to look in the JUNK folder, because the undelete tool will not recognise them.
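The HAX comment in the original function suggests computing entropy instead of matching a handful of headers. The following added example (written for this article in Python 3, not part of the Sogeti toolset) does both: it keeps a header list that a caller can extend with application-specific magics, so proprietary formats stop landing in JUNK, and falls back to a Shannon entropy check for headerless content, since a block decrypted with the wrong key is close to 8 bits per byte while text and configuration files sit well below. The PNG, 64-bit Mach-O and AMR headers, the 6.5 bits/byte threshold, the triage helper and the sample inputs are this example's own additions.

```python
import math
from collections import Counter
from typing import Dict, Optional, Tuple

# Known headers. The first five match the Sogeti script's list; PNG, 64-bit
# Mach-O and AMR (the voicemail/recording codec named in this chapter) are added.
KNOWN_MAGICS = {
    b"SQLite": "sqlite",
    b"bplist": "binary plist",
    b"<?xml": "xml",
    b"\xff\xd8\xff": "jpeg",
    b"\xce\xfa\xed\xfe": "mach-o (32-bit)",
    b"\xcf\xfa\xed\xfe": "mach-o (64-bit)",
    b"\x89PNG\r\n\x1a\n": "png",
    b"#!AMR\n": "amr audio",
}
ENTROPY_LIMIT = 6.5  # bits per byte; a wrongly decrypted AES block is close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, extra_magics: Optional[Dict[bytes, str]] = None) -> Optional[str]:
    """Return a type label if `data` looks like a correctly decrypted file, else None.

    1. Known headers, then any application-specific headers the caller supplies
       (this is how to keep proprietary formats out of the junk pile).
    2. Entropy fallback for headerless text-like content.
    Compressed or encrypted payloads without a header still end up in junk;
    file(1) has the same limitation.
    """
    magics = dict(KNOWN_MAGICS)
    magics.update(extra_magics or {})
    for magic, label in magics.items():
        if data.startswith(magic):
            return label
    ent = shannon_entropy(data[:4096])
    if data and ent < ENTROPY_LIMIT:
        return "text-like (entropy %.2f bits/byte)" % ent
    return None


def triage(candidates: Dict[str, bytes],
           extra_magics: Optional[Dict[bytes, str]] = None) -> Tuple[dict, dict]:
    """Split {name: decrypted_bytes} into (undelete, junk), like the script's two output dirs."""
    undelete, junk = {}, {}
    for name, data in candidates.items():
        label = classify(data, extra_magics)
        if label:
            undelete[name] = label
        else:
            junk[name] = "unrecognised"
    return undelete, junk


# Constructed sample inputs (not recovered from any device)
SAMPLES = {
    "prefs.plist": b"bplist00\xd1\x01\x02Tname",
    "notes.txt": b"meeting notes: call back the client on Monday. " * 8,
    "blob.bin": bytes(range(256)) * 4,              # exactly 8.0 bits/byte: a bad decrypt
    "custom.dat": b"MYAPP\x01" + bytes(range(256)),  # hypothetical proprietary header
}

if __name__ == "__main__":
    print("default   :", triage(SAMPLES))
    print("with magic:", triage(SAMPLES, extra_magics={b"MYAPP\x01": "my app format"}))
```

With the default header list, custom.dat is junk; once the application's own header is registered it moves to undelete, while the uniform blob stays in junk because its entropy is pinned at the maximum.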

0x01 Recovering Unallocated Space

A thorough scan of unallocated space is the last resort for recovering deleted data. This feature is disabled by default in the undelete tool, because carving unallocated space takes quite a long time and usually does not work very well.

You can enable it by editing hfs/journal.py. Near the bottom of the file there is a call to carveEMFemptySpace, disabled by an if False statement:

```python
if False:
    fks = set(reduce(lambda x, y: x + y, filekeys.values()))
    print "%d file keys left, try carving empty space (slow) ? CTRL-C to exit" % len(fks)
    raw_input()
    carveEMFemptySpace(volume, fks, carveokdir)
```

Change if False to if True and save the file. Now, once the journal pass completes, you will be prompted to start carving empty space.

0x02 Commonly Recovered Data

Many different kinds of files can be recovered by scraping the HFS journal. In fact, anything that once existed on the file system can potentially be recovered, especially smaller files such as property lists and images. Because the journal is limited in size, small files are the most likely to be recovered.

Application screenshots

When an application is suspended into the background, a screenshot of it is captured and written to disk. The next time the user returns to the application, this screenshot is what zooms back onto the screen, making it look as if the application had been loaded in the background all along. In reality it takes a moment for the application to load and become active again, and the animation buys it that time.

Every time an application is suspended, a fresh screenshot is taken, and the old one is deleted or overwritten later. Screenshots are also taken when a phone call comes in or when any other event causes the application to be suspended. These deleted screenshots can often be found in the HFS journal, giving away the contents of even the most securely encrypted data in the application (see Figure 6-1).

Figure 6-1. The Mail application is a very useful source of evidence in forensics

Secure websites have the same problem as application screenshots. Whether it is Google (see Figure 6-2) or a confidential email read inside a corporate VPN, a leaked screenshot can undermine even your best-protected data.

Figure 6-2. A screenshot recovered from a Safari browsing session

Deleted property lists

Old property lists and other configuration files can often be recovered from the journal. If these files contained confidential data, encryption keys or other sensitive material and were then deleted, that data can still be recovered. Some applications write a plain-text property list and then encrypt it with their own encryption routines; even if the plaintext copy has been deleted, it can still be recovered, exposing the original plaintext.

In one such case, a secure mail client stores a copy of the messages it is currently processing in a temporary SQLite database. This database is used to pass data back and forth between different components of the application and is deleted when the operation completes. Although the application securely stores messages in its main database, every message that has ever been selected and processed is temporarily held in this scratch database, and can therefore be easily disclosed to an attacker.

Deleted voicemails and recordings

Voicemails are pushed directly to the iPhone through visual voicemail, so users can retrieve and listen to them offline at any time. These files are pushed down before the user has even listened to the message, so unheard voicemails can also be found on the device. Voicemail files use the AMR encoding format, an audio codec designed specifically for speech recordings. The same audio format is used for voice memo recordings, and deleted recordings may also be found on the device.

Deleted keyboard cache

As discussed in Chapter 4, the keyboard cache contains data typed through the keyboard anywhere in an application, unless the text field has auto-correction disabled or is a secure password field. Copies of deleted keyboard cache files can be found in the HFS journal, and these may even contain cached data that was typed long ago.

Photos and other personal information

Likewise, deleted photos and other personal information stored in deleted files can be recovered from the HFS journal. An online banking app, for example, stores a photo of a check taken with the device's camera. When that picture is removed, it is merely deleted, not securely erased, so an attacker can get hold of the residual data.

0x03 Summary

Any file that has recently been deleted may still exist in the journal. Do not rely on the assumption that the device will safely erase files after they are deleted; it is better to assume the underlying file system has no encryption protection at all. If the data contains sensitive information that you do not want an attacker to recover, never write a clear-text copy of it to disk. In Chapter 11 you will learn a series of anti-forensics techniques; with these you can securely wipe data when deleting files and stop your application from saving screenshots when it is suspended.