Iphone - Malware Detection SOP
Introduction
1. This document describes how to detect malware on Android and iPhone
smartphones. There are four ways to identify malware on a smartphone. Details
are as follows:
(a) Forensic Image Acquisition
(b) Anti-Malware Scanning using Application
(c) Memory Capture
(d) Traffic Analysis
2. Different tools are used for Malware Identification. Details about installation and
usage of these tools are described in Appendix 1 and Appendix 2.
Category Android iPhone
devices. It has a user-friendly interface and can extract data from a variety of
sources, including device memory, SIM cards, and cloud services.
d) XRY: XRY is a mobile forensic tool that supports physical imaging of
iPhone 14 devices. It has a wide range of features, including advanced analysis
and decryption capabilities.
e) GrayKey: GrayKey is a forensic tool developed by Grayshift that can
perform physical imaging of iPhone 14 devices. It has a simple interface and can
extract data quickly.
2. Identify potential malware indicators: Look for any unusual activity, such as
unexpected network connections, suspicious files or folders, or abnormal battery
usage. Check system logs, application logs, network logs, and security logs for any
anomalies. Here are some of the commonly analyzed log files and their locations:
a) System logs: System logs are located in the /var/log directory. The
main system log file is called system.log, and it contains information about
system events, crashes, and errors.
b) Application logs: Application logs are located in the
/var/mobile/Library/Logs directory. Each application has its own log file, which
may contain information about app crashes, errors, and user activity.
c) Network logs: Network logs are located in the /private/var/log/ directory.
The main network log file is called ppp.log, and it contains information about
network activity, including IP addresses, DNS requests, and network
connections.
d) Security logs: Security logs are located in the /private/var/log/ directory.
The main security log file is called auth.log, and it contains information about
authentication events, such as login attempts and password changes.
3. Analyze the network traffic: Check the device's network traffic for any
suspicious activity, such as connections to known malicious domains or
communication with unfamiliar IP addresses.
4. Analyze installed apps: Check the installed apps for any suspicious behavior or
permissions that may indicate malware. Pay attention to any apps that are not
from the official App Store or that have been side-loaded onto the device.
5. Check for jailbreaking or rooting: Check whether the iPhone 14 has been jailbroken
or rooted, as this increases the risk of malware infection. Look for any signs
of a jailbreak, such as the Cydia app, unauthorized system changes, or
installation of third-party apps from outside the App Store.
6. Use anti-malware tools: Use anti-malware software to scan the device's storage
image for known malware signatures or behaviors.
7. Analyze the data: Analyze the data obtained from the above steps to identify
any patterns, traces or artifacts that may indicate the presence of malware.
ROs Maryam Ahmad Dated: Dec, 2022
It's important to note that the above steps may not apply to every case and may vary
depending on the specific circumstances of the investigation.
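As an added illustration of steps 2, 3 and 5 (it is not part of the SOP and not a tool the SOP names), the following Python script triages constructed sample content standing in for the network log, the security log and a file listing from an acquired image. It flags connections to peers outside an allowlist or on unexpected ports, repeated failed logins followed by a success from the same source, and files under known jailbreak locations. The log line formats, the allowlist, the port set and the jailbreak paths are all assumptions made for the example; real iOS log formats vary by version, so the regular expressions would need adjusting to the logs actually recovered.

```python
"""Added example (not part of the SOP): triage constructed iOS-style log lines
and a file listing for the malware indicators the SOP lists.

Assumptions: the log formats, allowlist, expected ports and jailbreak paths
below are constructed for illustration and are not taken from a real device.
"""
import re
from collections import Counter

# Constructed sample content standing in for ppp.log (network log).
PPP_LOG = """\
Dec 10 09:01:12 iPhone pppd[221]: local IP address 10.0.0.5
Dec 10 09:02:40 iPhone pppd[221]: connection to 17.253.144.10:443 established
Dec 10 09:03:06 iPhone pppd[221]: connection to 203.0.113.77:4444 established
"""
# Constructed sample content standing in for auth.log (security log).
AUTH_LOG = """\
Dec 10 08:58:01 iPhone sshd[310]: Failed password for root from 198.51.100.9 port 51022
Dec 10 08:58:03 iPhone sshd[310]: Failed password for root from 198.51.100.9 port 51023
Dec 10 08:58:05 iPhone sshd[310]: Failed password for root from 198.51.100.9 port 51024
Dec 10 08:58:07 iPhone sshd[310]: Accepted password for root from 198.51.100.9 port 51025
"""
# Constructed file listing from an acquired image.
FILE_LISTING = [
    "/private/var/mobile/Library/Logs/CrashReporter/app.ips",
    "/Applications/Cydia.app/Info.plist",
    "/private/var/lib/apt/lists",
    "/private/var/mobile/Containers/Bundle/Application/ABCD/Example.app",
]

# Constructed allowlist of expected peers and well-known service ports.
KNOWN_GOOD_IPS = {"17.253.144.10"}
EXPECTED_PORTS = {80, 443, 5223}  # HTTP, HTTPS, Apple push notifications
# Paths whose presence commonly indicates a jailbreak (SOP step 5); assumed set.
JAILBREAK_PATHS = ("/Applications/Cydia.app", "/private/var/lib/apt", "/usr/sbin/sshd")

CONN_RE = re.compile(r"connection to (\d+\.\d+\.\d+\.\d+):(\d+) established")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def unexpected_connections(log_text, known_ips=KNOWN_GOOD_IPS, ports=EXPECTED_PORTS):
    """Return (ip, port) pairs to peers outside the allowlist or on unexpected ports."""
    hits = []
    for m in CONN_RE.finditer(log_text):
        ip, port = m.group(1), int(m.group(2))
        if ip not in known_ips or port not in ports:
            hits.append((ip, port))
    return hits


def brute_force_then_success(log_text, threshold=3):
    """Flag source IPs with at least `threshold` failed logins and a later success."""
    fails = Counter(m.group(2) for m in FAIL_RE.finditer(log_text))
    successes = {m.group(2) for m in ACCEPT_RE.finditer(log_text)}
    return sorted(ip for ip, n in fails.items() if n >= threshold and ip in successes)


def jailbreak_artifacts(paths, markers=JAILBREAK_PATHS):
    """Return listed paths that are, or sit under, a known jailbreak location."""
    return [p for p in paths if any(p == m or p.startswith(m + "/") for m in markers)]


def triage(ppp_log=PPP_LOG, auth_log=AUTH_LOG, listing=FILE_LISTING):
    """Bundle the three checks into one report dictionary."""
    return {
        "unexpected_connections": unexpected_connections(ppp_log),
        "suspicious_logins": brute_force_then_success(auth_log),
        "jailbreak_artifacts": jailbreak_artifacts(listing),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The report is only a starting point for the analysis in step 7: every hit still has to be confirmed against the acquired image (for example, which process opened the flagged connection, and whether the jailbreak artifacts were placed by the device owner).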
Limitations / Challenges
4. Accessing system logs, application logs, network logs, and security logs on an
iPhone 14 without jailbreaking is not possible. Apple does not provide a built-in tool to
access these logs on non-jailbroken devices. However, there are some alternative approaches
that may be helpful in some scenarios:
Logical / Advance Logical Acquisition
If the iPhone 14 is not jailbroken, it is still possible to create a logical image of the
device's data using forensic tools that support logical acquisition. Details are as follows:
a. Connect the iPhone 14 to a forensic workstation using a USB cable.
b. Launch Oxygen Forensic Detective 14 on the forensic workstation.
c. In the main window of Oxygen Forensic Detective 14, click on the "Acquire" tab
at the top of the screen.
d. From the dropdown menu, select "iOS Logical."
e. Follow the on-screen instructions to establish a connection between Oxygen
Forensic Detective 14 and the iPhone 14. You may need to enter the passcode of
the device to unlock it.
f. Once the connection is established, select the data categories that you want to
include in the logical acquisition. Oxygen Forensic Detective 14 allows you to select
from a wide range of data categories, including calls, messages, contacts,
calendars, photos, and app data.
g. Click on the "Start Acquisition" button to begin the logical acquisition process.
h. Wait for Oxygen Forensic Detective 14 to complete the acquisition process. The
time required to complete the acquisition will depend on the amount of data selected
for acquisition.
i. You can then use the data acquired by Oxygen Forensic Detective 14 to analyze
and investigate the iPhone 14 for any evidence of malware or other suspicious
activity. Different files of the iOS smartphone are analyzed. Details are as follows:
File system: The file system of the iPhone is located in
/private/var/mobile/ and contains important data and files related to installed
applications, user data, and system settings.
System logs: The system logs are located in /private/var/log/ and can
provide valuable information on system events, errors, and other activity on
the device.
Application data: The application data for each installed application is
located in /private/var/mobile/Containers/Bundle/Application/ and can
provide information on user activities, contacts, and communications.
Memory Capture
Traffic Analysis
iOS Smartphone – Traffic Analysis
9. For iPhone traffic analysis, we need a computer running macOS Catalina, Xcode and
Wireshark. All incoming and outgoing network packets to and from the iOS device are
recorded for a specific duration of time. Details are as follows:
a) Connect the iPhone to the macOS Catalina computer: Use a lightning
cable to connect the iPhone to the computer running macOS Catalina.
b) Install Xcode: Xcode is a development tool that allows you to create and
manage iOS apps. Install Xcode on the macOS Catalina computer by
downloading it from the App Store.
c) Enable USB tethering: To allow the computer to capture network traffic
from the iPhone, enable USB tethering on the iPhone. Go to Settings >
Personal Hotspot > and turn on the "Allow Others to Join" option.
d) Open Xcode: Open Xcode on the macOS Catalina computer and go to
Window > Devices and Simulators.
e) Select the iPhone: Select the iPhone from the list of available devices in
the Devices and Simulators window.
f) Enable network traffic capture: Click on the "Open Console" button in
the Devices and Simulators window. This opens the Console window, which
displays logs and messages from the iPhone.
g) In the Console window, enter the following command:
    sudo /usr/local/bin/iproxy 2222 22
h) This command forwards traffic from port 2222 on the macOS Catalina
computer to port 22 on the iPhone.
i) Capture network traffic using Wireshark: Open Wireshark on the
macOS Catalina computer and select the loopback interface from the list of
available interfaces.
j) Start capturing traffic: Click on the "Start" button in Wireshark to start
capturing network traffic from the iPhone. Perform actions on the iPhone that you
want to capture traffic for, such as browsing the web, using apps, or
sending/receiving messages.
k) Stop capturing traffic: Once you have captured enough traffic, click on
the "Stop" button in Wireshark to stop capturing network traffic from the iPhone.
l) Analyze captured traffic: You can now analyze the captured network
traffic using the Wireshark tool. This may involve decoding the traffic, extracting
metadata and artifacts, and identifying any suspicious or malicious activity.
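As an added example of the analysis in the last step (and of step 3 above), the following Python script is not part of the SOP or of Wireshark; it reads a classic pcap file with only the standard library, walks the IPv4 packets, pulls out DNS query names and TCP/UDP destinations, and matches them against a list of indicators. It assumes the capture was saved in pcap format (Wireshark's default is pcapng, so use File > Save As and choose pcap) with link type 0, which is what a capture on the Mac's loopback interface produces, and it also accepts Ethernet link type 1. The capture embedded below is constructed in memory from hand-built packets, and the indicator domain and IP are constructed placeholders, not real threat intelligence.

```python
"""Added example (not from the SOP): minimal stdlib-only pcap reader that lists
DNS queries and TCP/UDP destinations and matches them against indicators.

Assumptions: classic pcap (not pcapng); link type 0 (DLT_NULL, macOS loopback)
or 1 (Ethernet); the sample capture and the indicators are constructed here.
"""
import socket
import struct


def encode_dns_name(name):
    """Encode a dotted name into DNS label format (used to build the sample)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_dns_name(msg, off):
    """Decode a DNS name at `off`, following one compression pointer if present."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_dns_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


# Builders used only to construct the sample capture (checksums left as zero).
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_dns_query(name):
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_dns_name(name) + struct.pack("!HH", 1, 1)


def build_tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_pcap(ip_packets, linktype=0):
    """Wrap IPv4 packets in a little-endian classic pcap with the given link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(ip_packets):
        frame = (struct.pack("<I", 2) + pkt) if linktype == 0 else pkt  # AF_INET = 2
        out += struct.pack("<IIII", 1670000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_ipv4(pcap):
    """Yield the IPv4 bytes of each record, handling DLT_NULL and Ethernet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == 0:
            ip = frame[4:]                       # skip 4-byte address family
        elif linktype == 1 and frame[12:14] == b"\x08\x00":
            ip = frame[14:]                      # skip Ethernet header, IPv4 only
        else:
            continue
        if ip and ip[0] >> 4 == 4:
            yield ip


def extract_events(pcap):
    """Return ('dns', qname) and ('tcp'|'udp', dst_ip, dst_port) tuples."""
    events = []
    for ip in iter_ipv4(pcap):
        ihl = (ip[0] & 0x0F) * 4
        proto, dst, payload = ip[9], socket.inet_ntoa(ip[16:20]), ip[ihl:]
        if proto not in (6, 17):
            continue
        dport = struct.unpack("!H", payload[2:4])[0]
        if proto == 17 and dport == 53:
            events.append(("dns", decode_dns_name(payload[8:], 12)[0]))
        else:
            events.append(("tcp" if proto == 6 else "udp", dst, dport))
    return events


def match_iocs(events, bad_domains, bad_ips):
    """Keep events whose query name is in/under a bad domain or whose peer IP is bad."""
    hits = []
    for ev in events:
        if ev[0] == "dns" and any(ev[1] == d or ev[1].endswith("." + d) for d in bad_domains):
            hits.append(ev)
        elif ev[0] != "dns" and ev[1] in bad_ips:
            hits.append(ev)
    return hits


# Constructed sample capture: two benign flows and two flows hitting indicators.
SAMPLE_PCAP = build_pcap([
    build_ipv4(17, "10.0.0.5", "10.0.0.1", build_udp(50000, 53, build_dns_query("www.apple.com"))),
    build_ipv4(6, "10.0.0.5", "17.253.144.10", build_tcp_syn(50001, 443)),
    build_ipv4(17, "10.0.0.5", "10.0.0.1", build_udp(50002, 53, build_dns_query("c2.bad-example.test"))),
    build_ipv4(6, "10.0.0.5", "203.0.113.77", build_tcp_syn(50003, 4444)),
])
BAD_DOMAINS = {"bad-example.test"}   # constructed placeholder indicators
BAD_IPS = {"203.0.113.77"}

if __name__ == "__main__":
    for hit in match_iocs(extract_events(SAMPLE_PCAP), BAD_DOMAINS, BAD_IPS):
        print("indicator hit:", hit)
```

To run it on a real capture, replace SAMPLE_PCAP with the bytes of the saved pcap file and the two placeholder sets with the indicator list used in the investigation; IPv6 packets and pcapng files are skipped by this reader.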
It's important to note that capturing network traffic from an iPhone without proper authorization may
violate privacy and security laws and expose you to legal and ethical consequences. Therefore, it's
recommended to consult with a legal expert and follow the proper procedures and guidelines before
attempting to capture network traffic on an iPhone.