Mario Merendon

iOS Password-Encrypted Notes Found in Plaintext Within a Biome File

Notes is one of the most frequently used apps on the iPhone, and despite the best efforts of experts to discourage storing sensitive data such as usernames and passwords in it, users often find it convenient to do exactly that. Apple gives the user the ability to lock individual notes with a passcode so that their contents are encrypted. For the examiner, the notes themselves are stored in NoteStore.sqlite. I loaded an iOS device with a variety of data, including multiple notes, some of them deliberately locked with a passcode, to determine how far popular commercial tools such as Cellebrite and Oxygen Forensics could decode this data. As expected, in both an Advanced Logical and a Full File System (FFS) extraction the locked notes remain encrypted (Fig. 1), and Cellebrite gives no indication at all that a note is encrypted (Fig. 2).


Figure 1 - Advanced Logical NoteStore.sqlite displayed in Oxygen Forensics

 

Figure 2 - Notes displayed in Cellebrite with no indication that the note was encrypted


However, as we have come to recognize with FFS extractions, there is far more available to the examiner, and far more to explore for relevant evidence, than a tool's parsed output. In this case the directory /private/var/mobile/Library/Biome/streams/public/AppIntent/local contains troves of information. Within the files in this directory, the encrypted notes were also found in unencrypted form inside protobuf records. The known data loaded into this particular note was the text “The answer is ST1300.” In Fig. 3 the locked note “The answer is ST1300” is wholly revealed, where both forensic tools had previously shown the examiner only the partial title “The answer is” (Fig. 1). The examined file was located at /private/var/mobile/Library/Biome/streams/public/AppIntent/local/633472233609180.


The filename is a Cocoa Core Data timestamp (seconds since 2001-01-01 00:00:00 UTC), which timestamp converters such as DCODE can read once a period (.) is inserted between the 9th and 10th digits to separate whole seconds from the fractional part [1]. According to [1], the file holds INInteraction objects serialized in the Protobuf format. Throughout the file, binary plists (bplist) can be found which contain additional information. Protobuf, short for Protocol Buffers, is a compact binary serialization format: each field is written as a varint key (field number plus wire type) followed by its value, which keeps the data small and fast to transmit [2].


Figure 3 - Encrypted note shown in plaintext within Biome/streams/public/AppIntent/local


Within this research, it was important to dissect the file in order to parse out the notes effectively with a Python script targeted at Apple Notes. The program Mushy was used to dive further into the protobuf records within the Biome AppIntent files (Fig. 4). The file carries the signature “SEGB” in its header, which provides an easily identifiable and consistent marker to pull data from, in addition to zeroing in on the known iOS bundle ID for Notes, com.apple.mobilenotes. When examining the protobuf, as explained by [1], I located a binary plist embedded in the protobuf that contained the known encrypted note data, and which was observably not parsed by the forensic tools (Fig. 5).


Figure 4 - Mushy expanded view of protobuf file 633472233609180 showing bundle ID com.apple.mobilenotes


Figure 5 – Binary plist/string data containing unencrypted note


With this information, I was able to target the Python script at those fields, including the deserialized data within the embedded bplist, which contained the actual original text that the forensic tools recognized only as encrypted (Fig. 6).


Figure 6 - Excerpt of the Python script
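The script itself appears on the page only as a figure. The following is an added, stand-alone Python example (not the author's script) showing the three decoding steps the text describes: converting the stream filename from a Cocoa timestamp, walking the protobuf wire format without a schema, and lifting strings out of an embedded binary plist. The sample record it parses is constructed here, and its field numbers are assumptions; it does not reproduce Apple's INInteraction layout or the SEGB container, so on a real stream you would first carve each record's protobuf body out of the SEGB file and feed that to extract_note_strings().

```python
import plistlib
from contextlib import suppress
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Cocoa Core Data epoch
NOTES_BUNDLE_ID = "com.apple.mobilenotes"

def cocoa_filename_to_datetime(name: str) -> datetime:
    """'633472233609180' -> 633472233.609180 seconds after 2001-01-01 UTC."""
    if not name.isdigit() or len(name) < 10:
        raise ValueError(f"not a Cocoa-timestamp filename: {name!r}")
    whole, frac = name[:9], name[9:]  # the period goes after the 9th digit
    return COCOA_EPOCH + timedelta(seconds=int(whole) + int(frac) / 10 ** len(frac))

def read_varint(buf: bytes, pos: int):
    """Protobuf base-128 varint: 7 data bits per byte, high bit means more follow."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_message(buf: bytes, depth: int = 0) -> list:
    """Schema-less walk of one message into (field_number, kind, value) triples."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wire = key >> 3, key & 0x07
        if wire == 0:  # varint
            val, pos = read_varint(buf, pos)
            fields.append((num, "varint", val))
        elif wire in (1, 5):  # fixed64 / fixed32
            size = 8 if wire == 1 else 4
            fields.append((num, f"fixed{size * 8}", buf[pos:pos + size]))
            pos += size
        elif wire == 2:  # length-delimited: bytes, string, bplist or sub-message
            length, pos = read_varint(buf, pos)
            fields.append((num, *classify(buf[pos:pos + length], depth)))
            pos += length
        else:  # deprecated groups, or simply not protobuf
            raise ValueError(f"unsupported wire type {wire}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    return fields

def classify(payload: bytes, depth: int):
    """Order matters: bplist magic is unambiguous, text next, nested message last."""
    if payload.startswith(b"bplist00"):
        with suppress(Exception):  # malformed plist falls through to raw bytes
            return "bplist", plistlib.loads(payload)
        return "bytes", payload
    with suppress(UnicodeDecodeError):
        text = payload.decode("utf-8")
        if all(c.isprintable() or c in "\n\r\t" for c in text):
            return "string", text
    if payload and depth < 8:  # depth bound stops runaway accidental recursion
        with suppress(ValueError):
            return "message", parse_message(payload, depth + 1)
    return "bytes", payload

def leaves(fields: list):  # yield (kind, value) leaves, descending into sub-messages
    for _, kind, value in fields:
        yield from leaves(value) if kind == "message" else [(kind, value)]

def plist_strings(obj) -> list:  # every str inside a decoded plist, at any depth
    if isinstance(obj, str):
        return [obj]
    items = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    return [s for item in items for s in plist_strings(item)]

def extract_note_strings(record: bytes) -> dict:
    """Is this a Notes record, and what text do its embedded bplists hold?"""
    found = list(leaves(parse_message(record)))
    strings = [v for k, v in found if k == "string"]
    plist_text = [s for k, v in found if k == "bplist" for s in plist_strings(v)]
    return {"is_notes": NOTES_BUNDLE_ID in strings, "strings": strings, "plist_text": plist_text}

# Constructed sample record: field numbers are ASSUMPTIONS for illustration, not
# Apple's INInteraction schema, and the SEGB container around records is not modelled.
def _varint(n: int) -> bytes:
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def _ld(num: int, payload: bytes) -> bytes:  # one length-delimited field
    return _varint((num << 3) | 2) + _varint(len(payload)) + payload

def build_sample_record() -> bytes:
    note = plistlib.dumps({"title": "The answer is", "content": "The answer is ST1300."},
                          fmt=plistlib.FMT_BINARY)
    intent = _ld(1, b"CreateNote") + _ld(2, note)  # sub-message carrying the bplist
    return _ld(1, NOTES_BUNDLE_ID.encode()) + _ld(2, intent) + _varint(3 << 3) + _varint(1)
```

Calling cocoa_filename_to_datetime("633472233609180") on the filename from the text returns 27 January 2021 UTC, and extract_note_strings(build_sample_record()) flags the record as Notes and lists the note text from the embedded bplist. The bplist check runs first because the bplist00 magic is unambiguous, whereas an arbitrary byte string can often be mis-read as a valid nested message; the depth bound and the trailing length check keep a damaged record from recursing forever or reading past its buffer.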


When this artifact is extracted on its own and run through the Python script, the Intent Action “CreateNote” lets an examiner view the note contents as they were when the note was created, before it was locked. Because the record captures the note at the moment of the CreateNote intent, locking the note afterward does not alter this copy. This trace artifact can be invaluable to certain investigations. The exported results were viewed in LibreOffice Calc (Fig. 7). Multiple timestamps are associated with this activity and are extracted from the file; they are embedded in the record and do not exactly match the creation date found on the note itself. However, the SEGB timestamps and the start and end times in the embedded plist are within 20 seconds of the iOS filesystem creation time for the note saved in NoteStore.sqlite, which lets an examiner validate one file against the other.


Figure 7 - Output data with extracted Apple Notes data from Biome file


Moreover, the same AppIntent data also contained previously deleted text messages (Fig. 8 and Fig. 9).

Figure 8 - Known deleted messages within Biome/streams/public/AppIntent/local in ASCII


Figure 9 - FFS sms.db with write-ahead-log (WAL) within Oxygen Forensics


So Why is This Important?


Examiners are urged to explore beyond a forensic tool's parsing and its list of supported applications: troves of data remain uncovered and will stay buried unless the few trained personnel are willing to step out of the push-button forensics mentality. Roles throughout the criminal justice system are specialized, from patrol officers and detectives to judges, prosecutors and defense attorneys, and not all are attuned to the kinds of data available that could favor one side or the other. Trained examiners can make a profound difference with the right methodologies and policies within their organizations to ensure that all available data is recovered and analyzed to the best of their ability.


Future work in this area will depend on the digital forensic community and open-source tools to discover artifacts and keep up with changes to them. Such research is necessary to support examiners while supplementing the work of the well-known forensic tools. Examiners cannot rely solely on a forensic tool, but being able to rely on other examiners and their research will continue to take forensics to another level, while also showing the popular tools what matters to their customers.


Excerpt of research conducted by Mario Merendon of VX Digital Defense, LLC, presented at the 12th International Symposium on Digital Forensics and Security (ISDFS), San Antonio, TX, 2024, and published in the whitepaper “iOS Mobile Forensics Methodologies, Extracting Biome Artifacts, and Overlooked Artifacts Needed to Improve Investigations”.


References:

[1] J. Hyla, “Analyzing iOS Biome AppIntent Files,” Blue Crew Forensics, 25-Mar-2022. [Online]. Available: https://bluecrewforensics.com/2022/03/07/ios-app-intents/. [Accessed: 24-Nov-2022].

[2] C. Currier, “Chapter 9: Protocol Buffers,” 01-May-2022. [Online]. Available: https://link.springer.com/content/pdf/10.1007/978-3-030-98467-0_9.pdf. [Accessed: 26-Nov-2022].



