ahoog42 / ios-triage
incident response tool for iOS devices

License: MIT License

JavaScript 75.84% HTML 24.16%
cli incident-response ios ios-triage libimobiledevice nodejs triage

ios-triage's People

Contributors

4n68r, ahoog42

ios-triage's Issues

Look into how npm plist module is parsing data fields in plists

When converting a plist into a JSON object, the npm module plist appears to base64 decode data fields and convert them into an array of bytes. This is problematic for our data and needs to be looked into. Below are a few examples:

plist file
-------
<key>SKeyHash</key>
                <data>
                7MQEUyvzG4gjjZc7KsNNAVTS8g4=
                </data>

json data as converted by plist module
-------
        "SKeyHash": {
          "type": "Buffer",
          "data": [
            236,
            196,
            4,
            83,
            43,
            243,
            27,
            136,
            35,
            141,
            151,
            59,
            42,
            195,
            77,
            1,
            84,
            210,
            242,
            14
          ]

and one more example:

plist file
-------
        <key>DevicePublicKey</key>
        <data>
        LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXhwc0s4V0Nx
        bGczemljdE94cDNHSHFub1oxUUYuZnl1QWdGT3RWZ3I5blJlZVhSMC9kcEcKV1VsS1ZE
        MEVKSmFvWWtXOFJqTEdMeW5Ma1JDd0iUWjlJb2JybXlTU2F1NWFrRFMvSklOK1FmUTFk
        OXRPMlYxSgpVQ2RtbnZGNVpYYjZuM1pZb0RmMG5PTDZ0ZWVpOGdvNlpQM3F0TjVkWEpo
        kEJDMGF2SWh1dGpMU0dqLzFaUEhHCjNwV2w4dFhXdE9CYk5yRUpsMk1aa3E5VGdhTHVx
        Nm41M0h4TmVoODE4UGx5QUQ0NVJxd0RtMjh2RSsxNVBBMmwKSDlMZXB0SVFSS1dtMkR4
        U2sYPOc4ckVCT2RnMTBmY0pIZk9WTXNDbzhac3o3V2NNNFEwbTArdDFVM1lGdHNKaQpx
        Znl4ZjlXMm8zazlxUTBqS3RZSDFOWU1JN0poWVVUc0t3SURBUUFCCi0tLS0tRU5EIFJT
        QSBQVUJMSUMgS0VZLS0tkosl
        </data>

json data as converted by plist module
-------
      "DevicePublicKey": {
        "type": "Buffer",
        "data": [
          45,
          45,
          45,
          45,
          45,
          66,
          69,
          71,
          73,
          78,
          32,
<snip>
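One way to keep `<data>` fields readable in the JSON output, as an added example rather than code from ios-triage or the plist module: walk the parsed object and replace every Buffer (and every already-serialized `{type:"Buffer",data:[...]}` object) with the base64 string that the original `<data>` element held. The sample object is constructed from the SKeyHash bytes shown above; the key names other than SKeyHash are made up.

```javascript
// Recursively walk a parsed plist. Buffers (what the plist module returns for
// <data>) and the {type:"Buffer",data:[...]} form that JSON.stringify emits
// for them are both replaced by the base64 text of the original <data> element.
function encodeDataFields(value) {
  if (Buffer.isBuffer(value)) return value.toString("base64");
  // Primitives and Dates (plist <date>) pass through untouched.
  if (value === null || typeof value !== "object" || value instanceof Date) return value;
  if (Array.isArray(value)) return value.map(encodeDataFields);
  // Shape produced by Buffer.prototype.toJSON, e.g. from an earlier JSON dump.
  if (value.type === "Buffer" && Array.isArray(value.data)) {
    return Buffer.from(value.data).toString("base64");
  }
  const out = {};
  for (const [key, child] of Object.entries(value)) out[key] = encodeDataFields(child);
  return out;
}

// JSON for a parsed plist, with <data> kept as base64 instead of byte arrays.
function plistToJson(parsed) {
  return JSON.stringify(encodeDataFields(parsed), null, 2);
}

// Constructed sample: the SKeyHash bytes from the issue above as the plist
// module would hand them back (a 20-byte Buffer), plus a date and a
// pre-serialized Buffer inside an array (the other two keys are invented).
const SAMPLE = {
  SKeyHash: Buffer.from([236, 196, 4, 83, 43, 243, 27, 136, 35, 141,
                         151, 59, 42, 195, 77, 1, 84, 210, 242, 14]),
  Installed: new Date("2016-07-27T09:39:07Z"),
  Items: [{ type: "Buffer", data: [45, 45, 45, 45, 45] }],
};

// Round-trip the sample so the result can be inspected as an object.
function demo() {
  return JSON.parse(plistToJson(SAMPLE));
}

console.log(plistToJson(SAMPLE));
```

With this, SKeyHash serializes as the same `7MQEUyvzG4gjjZc7KsNNAVTS8g4=` string that appears in the plist, so hashes and keys can be compared or grepped directly in the JSON output.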

track these additional app properties

UIRequiresPersistentWiFi: true/false
"Entitlements": { keys only }
UIBackgroundModes: []
??? ExternalAccessoryProtocols: []

NSAppleMusicUsageDescription
NSBluetoothPeripheralUsageDescription
NSCalendarsUsageDescription
NSCameraUsageDescription
NSContactsUsageDescription
NSHealthShareUsageDescription
NSHealthUpdateUsageDescription
NSHomeKitUsageDescription
NSLocationAlwaysUsageDescription
NSLocationUsageDescription
NSLocationWhenInUseUsageDescription
NSMicrophoneUsageDescription
NSMotionUsageDescription
NSPersistentStoreTypeKey
NSPhotoLibraryUsageDescription
NSRemindersUsageDescription
NSSiriUsageDescription
NSSpeechRecognitionUsageDescription
NSVideoSubscriberAccountUsageDescription


    "NSAppTransportSecurity": {
      "NSAllowsArbitraryLoads": true
    },

  "NSAppTransportSecurity": {
    "NSExceptionDomains": {
      "sonos.com": {
        "NSExceptionAllowsInsecureHTTPLoads": true,
        "NSExceptionRequiresForwardSecrecy": false,
        "NSIncludesSubdomains": true,
        "NSExceptionMinimumTLSVersion": "TLSv1.2"
      },
      "google-analytics.com": {
        "NSIncludesSubdomains": true,
        "NSThirdPartyExceptionAllowsInsecureHTTPLoads": true
      },
      "thebrighttag.com": {
        "NSIncludesSubdomains": true,
        "NSThirdPartyExceptionAllowsInsecureHTTPLoads": true
      },
      "btstatic.com": {
        "NSIncludesSubdomains": true,
        "NSThirdPartyExceptionAllowsInsecureHTTPLoads": true
      }
    }
  },

   "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "southwest.com": {
                "NSTemporaryExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false,
                "NSIncludesSubdomains": true
            },
            "mbp.southwest.com": {
                "NSExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false
            },
            "stage.wap.ncrwebhost.mobi": {
                "NSExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": "NO"
            },
            "http://southwest-airlines-mkt-prod1-t.campaign.adobe.com": {
                "NSExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false
            },
            "prod.wap.ncrwebhost.mobi": {
                "NSExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false
            },
            "http://southwest-airlines-mkt-stage1-t.campaign.adobe.com": {
                "NSExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false
            },
            "swacorp.com": {
                "NSTemporaryExceptionAllowsInsecureHTTPLoads": true,
                "NSExceptionRequiresForwardSecrecy": false,
                "NSIncludesSubdomains": true
            }
        }
    },
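A check that flags the weak ATS settings seen in the dictionaries above (arbitrary loads, insecure HTTP exceptions in all three spellings, forward secrecy disabled, a string "NO" where a boolean belongs, and an exception key written as a URL), as an added example and not code from ios-triage. The Info.plist fragment it runs on is constructed for the example and taken from no real app.

```javascript
// Any of these set to true lets the app use plaintext HTTP for that domain;
// all three spellings occur in real Info.plists (see the examples above).
const INSECURE_HTTP_KEYS = [
  "NSExceptionAllowsInsecureHTTPLoads",
  "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
  "NSTemporaryExceptionAllowsInsecureHTTPLoads",
];

// Returns a list of { domain, issue } findings; an empty list means nothing to flag.
function checkAts(infoPlist) {
  const findings = [];
  const ats = infoPlist.NSAppTransportSecurity;
  if (!ats) return findings;
  if (ats.NSAllowsArbitraryLoads === true) {
    findings.push({ domain: "*", issue: "NSAllowsArbitraryLoads disables ATS for every host" });
  }
  for (const [domain, cfg] of Object.entries(ats.NSExceptionDomains || {})) {
    // Exception keys are host names; a key written as a URL matches no host.
    if (domain.includes("://")) {
      findings.push({ domain, issue: "exception key is a URL, not a host name" });
    }
    for (const key of INSECURE_HTTP_KEYS) {
      if (cfg[key] === true) findings.push({ domain, issue: `${key} permits plaintext HTTP` });
    }
    const pfs = cfg.NSExceptionRequiresForwardSecrecy;
    if (pfs === false) {
      findings.push({ domain, issue: "forward secrecy not required" });
    } else if (typeof pfs === "string") {
      // ATS keys are booleans; a string such as "NO" is not the value the author meant.
      findings.push({ domain, issue: `NSExceptionRequiresForwardSecrecy is the string "${pfs}", not a boolean` });
    }
  }
  return findings;
}

// Constructed Info.plist fragment (not from any real app) exercising each check.
const SAMPLE_INFO_PLIST = { NSAppTransportSecurity: { NSExceptionDomains: {
  "example.com": { NSExceptionAllowsInsecureHTTPLoads: true, NSExceptionRequiresForwardSecrecy: "NO" },
  "http://tracker.example.net": { NSTemporaryExceptionAllowsInsecureHTTPLoads: true, NSExceptionRequiresForwardSecrecy: false },
  "secure.example.org": { NSExceptionMinimumTLSVersion: "TLSv1.2" },
} } };

console.log(checkAts(SAMPLE_INFO_PLIST));
```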

run ideviceinfo with all domains

Looks like ideviceinfo supports some other domains to query. Test these and decide which to run:

e.g.: ideviceinfo --xml --domain com.apple.disk_usage

Known domains are:

com.apple.disk_usage
com.apple.disk_usage.factory
com.apple.mobile.battery
com.apple.iqagent
com.apple.purplebuddy
com.apple.PurpleBuddy
com.apple.mobile.chaperone
com.apple.mobile.third_party_termination
com.apple.mobile.lockdownd
com.apple.mobile.lockdown_cache
com.apple.xcode.developerdomain
com.apple.international
com.apple.mobile.data_sync
com.apple.mobile.tethered_sync
com.apple.mobile.mobile_application_usage
com.apple.mobile.backup
com.apple.mobile.nikita
com.apple.mobile.restriction
com.apple.mobile.user_preferences
com.apple.mobile.sync_data_class
com.apple.mobile.software_behavior
com.apple.mobile.iTunes.SQLMusicLibraryPostProcessCommands
com.apple.mobile.iTunes.accessories
com.apple.mobile.internal
com.apple.mobile.wireless_lockdown
com.apple.fairplay
com.apple.iTunes
com.apple.mobile.iTunes.store
com.apple.mobile.iTunes

doesn't handle no directory for output well

hiro@metaverse-oss:~/git/ios-triage$ ios-triage collect
in getUDID, retval = 993aa52471a3e6ea117eb619927d74f3aa7511bf

calling deviceinfo for udid 993aa52471a3e6ea117eb619927d74f3aa7511bf

events.js:160
throw er; // Unhandled 'error' event
^

Error: ENOENT: no such file or directory, open '/Users/hiro/Desktop/ios-triage/993aa52471a3e6ea117eb619927d74f3aa7511bf//artifacts/ideviceinfo.txt'

No such file error during processing

We were using a jailbroken iPhone 6 with iOS 8.4. The extraction completed successfully, but the process step produced the following error:

xadmin@ubuntu:~$ ios-triage process /home/xadmin/Documents/af0c4c26a9c3d26093ef58922823749a02d1eaf0/1508941979989/
7:34:25 AM - info: executing processArtifacts now
7:34:25 AM - info: Backup dir not found, skipping processing
7:34:25 AM - info: wrote app data to disk
7:34:25 AM - info: wrote device info and domains to disk
7:34:25 AM - info: wrote pprofile data to disk
7:34:25 AM - info: wrote parsed backup data to disk
7:34:25 AM - info: wrote syslog data to disk
fs.js:844
return binding.stat(pathModule._makeLong(path));
^

Error: ENOENT: no such file or directory, stat '/home/xadmin/Documents/af0c4c26a9c3d26093ef58922823749a02d1eaf0/1508941979989/artifacts/crash_reports/ExcResource_FlightApp'
at Error (native)
at Object.fs.statSync (fs.js:844:18)
at Stream. (/home/xadmin/ios-triage/index.js:944:30)
at emitNone (events.js:72:20)
at Stream.emit (events.js:166:7)
at drain (/home/xadmin/ios-triage/node_modules/through/index.js:34:23)
at Stream.stream.queue.stream.push (/home/xadmin/ios-triage/node_modules/through/index.js:45:5)
at Stream. (/home/xadmin/ios-triage/node_modules/split/index.js:61:10)
at _end (/home/xadmin/ios-triage/node_modules/through/index.js:65:9)
at Stream.stream.end (/home/xadmin/ios-triage/node_modules/through/index.js:74:5)

That directory had the following files: ExcResource_FlightApp Phone FREE_2016-07-27-093907_iPhone.ips and ExcResource_FlightApp Phone FREE_2016-07-27-093907_iPhone.ips.

Catch ENOENT error when creating directory

Maybe use the mkdirp package?

⇒  ios-triage extract help
2:58:36 PM - info: Authorized iDevice found, UDID: dc9363415e5fbf18ea8277986f3b693cf52077da
fs.js:842
  return binding.mkdir(pathModule._makeLong(path),
                 ^

Error: ENOENT: no such file or directory, mkdir 'help/dc9363415e5fbf18ea8277986f3b693cf52077da'
    at Error (native)
    at Object.fs.mkdirSync (fs.js:842:18)
    at setWorkingDirectory (/Users/hiro/git/ios-triage/index.js:93:8)
    at /Users/hiro/git/ios-triage/index.js:118:16
    at ChildProcess.<anonymous> (/Users/hiro/git/ios-triage/index.js:181:7)
    at emitTwo (events.js:100:13)
    at ChildProcess.emit (events.js:185:7)
    at maybeClose (internal/child_process.js:850:16)
    at Socket.<anonymous> (internal/child_process.js:323:11)
    at emitOne (events.js:90:13)

stacktrace on linux if no device connected

hiro@metaverse-oss:~/git/ios-triage$ ios-triage collect
in getUDID, retval =
Error: Please ensure an iDevice is connected via USB and authorized
at ChildProcess.udid.on.code (/home/hiro/git/ios-triage/index.js:74:18)
at emitTwo (events.js:106:13)
at ChildProcess.emit (events.js:191:7)
at maybeClose (internal/child_process.js:885:16)
at Socket. (internal/child_process.js:334:11)
at emitOne (events.js:96:13)
at Socket.emit (events.js:188:7)
at Pipe._handle.close [as _onclose] (net.js:501:12)

running extract with . dir saves into node package install dir

hiro@metaverse:~/Desktop/ios-triage|
⇒  ios-triage extract .
10:04:19 AM - info: Authorized iDevice found, UDID: dc9363415e5fbf18ea8277986f3b693cf52077da
10:04:19 AM - info: output directory set to /Users/hiro/git/ios-triage/dc9363415e5fbf18ea8277986f3b693cf52077da/1484928259870
10:04:19 AM - info: capturing device syslog...
10:04:19 AM - info: Skipping device backup
10:04:20 AM - info: Installed provisioning profiles saved
10:04:20 AM - info: iOS Device info saved
10:04:21 AM - info: iOS Device installed apps saved
10:04:21 AM - info: Crash reports and log saved
10:04:21 AM - info: completed all extraction functions so we'll now kill deviceSyslog
10:04:21 AM - info: iOS Device syslog saved

should have saved artifacts in ~/Desktop/ios-triage

unhandled error when libimobiledevice tools not installed

Should handle this better, offer tip to user to check to make sure libimobiledevice tools are installed and in current path.

  ios-triage extract .
events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: spawn idevice_id ENOENT
    at exports._errnoException (util.js:1050:11)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:193:32)
    at onErrorNT (internal/child_process.js:367:16)
    at _combinedTickCallback (internal/process/next_tick.js:80:11)
    at process._tickCallback (internal/process/next_tick.js:104:9)
    at Module.runMain (module.js:607:11)
    at run (bootstrap_node.js:427:7)
    at startup (bootstrap_node.js:151:9)
    at bootstrap_node.js:542:3

check to see if directory exists, if not create it

hiro@metaverse:~/Desktop/ios-triage/993aa52471a3e6ea117eb619927d74f3aa7511bf/artifacts|
⇒ ios-triage collect
in getUDID, retval = dc9363415e5fbf18ea8277986f3b693cf52077da

calling deviceinfo for udid dc9363415e5fbf18ea8277986f3b693cf52077da

events.js:154
throw er; // Unhandled 'error' event
^

Error: ENOENT: no such file or directory, open '/Users/hiro/Desktop/ios-triage//dc9363415e5fbf18ea8277986f3b693cf52077da/artifacts/ideviceinfo.txt'
at Error (native)
