Jonathan Zdziarski Releases Waterboard: An Open Source Forensic Acquisition Tool for iOS Devices

Posted June 12, 2013 at 7:04pm by iClarified

Jonathan Zdziarski has released Waterboard, an open source advanced forensic logical acquisition tool for iOS devices.

Waterboard is an open source iOS forensic imaging tool, capable of performing an advanced logical acquisition of iOS devices by utilizing extended services and back doors in Apple’s built-in lockdown services. These services can bypass Apple’s mobile backup encryption and other encryption to deliver a clear text copy of much of the file system to any machine that can or has previously paired with the device. Acquisition can be performed via USB, or across any wireless network where the device can be reached. Additionally, if you’re a federal law enforcement agency, you may also have the technical ability to skirt around a mobile carrier’s firewall, and acquire your target over cellular, possibly without their knowledge. (NOTE: device pairing must still first be performed via USB, so there is not a widespread security risk; however, it could be used for ill through malicious juice jacking and such.)

Waterboard can be compiled as a command line utility for OS X or as a full GUI application for OS X or iPad. Acquisition can be performed via an Apple dongle such as the Lightning to USB adapter.
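Pairing is the access vector described above: any host that has paired with a device can later reach its lockdown services over USB or Wi-Fi. The following is an added example, not code from the article or from Waterboard, that audits the pairing records a host machine holds so stale or unexpected pairings can be reviewed and removed; it assumes the macOS record location /var/db/lockdown/<UDID>.plist (Windows: %ProgramData%\Apple\Lockdown) and the HostID, SystemBUID and WiFiMACAddress keys, none of which the article states.

```python
import os
import plistlib
import tempfile
import time


def parse_pair_record(path, now=None):
    """Read one <UDID>.plist; the file name stem is the device UDID, HostID is the
    identity this host presents to lockdownd, WiFiMACAddress lets it find the device on Wi-Fi."""
    now = time.time() if now is None else now
    with open(path, "rb") as f:
        rec = plistlib.load(f)
    return {
        "udid": os.path.splitext(os.path.basename(path))[0],
        "host_id": str(rec.get("HostID", "?")),
        "wifi_mac": str(rec.get("WiFiMACAddress", "?")),
        "age_days": (now - os.path.getmtime(path)) / 86400,
    }


def audit_pairings(directory, max_age_days=30, now=None):
    """Return (record, flagged) pairs; flag records older than max_age_days or
    lacking a HostID. SystemConfiguration.plist holds the host's BUID, not a pairing."""
    out = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist") or name.startswith("SystemConfiguration"):
            continue
        rec = parse_pair_record(os.path.join(directory, name), now)
        out.append((rec, rec["age_days"] > max_age_days or rec["host_id"] == "?"))
    return out


def write_sample_record(directory, udid, mtime, host_id="HOST-1"):
    """Constructed sample record for offline runs; every value is made up."""
    path = os.path.join(directory, udid + ".plist")
    with open(path, "wb") as f:
        plistlib.dump({"HostID": host_id, "SystemBUID": "BUID-1",
                       "WiFiMACAddress": "aa:bb:cc:dd:ee:ff"}, f)
    os.utime(path, (mtime, mtime))
    return path


def demo():
    """Audit two constructed records (paired 2 and 90 days ago) in a temp dir;
    on a real macOS host point audit_pairings at /var/db/lockdown instead."""
    d, now = tempfile.mkdtemp(), 1_700_000_000.0
    write_sample_record(d, "UDID-FRESH", now - 2 * 86400)
    write_sample_record(d, "UDID-STALE", now - 90 * 86400)
    return audit_pairings(d, max_age_days=30, now=now)
```

Deleting a flagged record revokes that host's standing access until the device is physically paired again over USB.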

What Information Does Waterboard Recover?
- The entire file system of a jailbroken device, in many cases (via afc2)
- The entire “Media” jail of a non-jailbroken device (via afc)
- Photos, iTunes library, iBooks, and other media files
- All application data for App Store applications (Documents, Library, and tmp)
- A manifest of all installed App Store applications and their properties
- Extended device identity information including:
-- IMEI, UUID, MEID, IMSI, UCID, device and baseband serial number, and so on
-- Phone Number, SIM status, and so on
-- Carrier bundle name, version, ICCID, MCC, MNC
- Current time zone configured
- Hardware addresses of WiFi and BT interfaces, chipset model, other such markers
- Device name, model, firmware version, iBoot version, and model color
- PRL (preferred roaming list) version and carrier bundle version
- iCloud conflict information and sync peers (e.g. other desktop and mobile devices)
- Battery diagnostics (cycle count, design capacity, and so on)
- NVRAM flags (boot flags and other data)
- The current device time (in seconds since 1970)
- Networking diagnostics showing how much data was used daily on per-app basis
- MobileSync data dumping Notes, Address Book, Calendar, and Safari Bookmarks
-- Captures all accounts being synchronized with desktop
-- Does not capture iCloud sync accounts, but those do get captured elsewhere
- A cpio.gz (OSX version auto-extracts) archive of the following file system components:
-- Apple support data and system crash logs
-- User “Cache” folder
-- Screenshots of suspended applications
-- Cached web data stored by various applications
-- Pasteboard (clipboard) data
-- Icon cache
-- Safari reading list archives, recent searches, and activity thumbnails
-- What appears to be a video conference cache of local IP + date of call
-- Map tile database (of stored / viewed map tiles)
-- Apple TV playback logs, if acquiring an Apple TV with normal lockdown
-- Storage proxy logs
-- Bluetooth diagnostic information
-- The application installation log
-- Some PPP and VPN data
-- A complete dump of all activation and pairing records
-- Core Location cache
-- Keyboard (typing) caches
-- System Configuration information (WiFi AP join history / auto-join info)
-- A dump of the SMS database, SMS attachments, and SMS drafts (unsent SMS)
-- A dump of various user databases (Address Book, Calendar, etc)
-- A dump of the user’s voicemail stored on the device (including unread)
-- The user’s entire photo album, music collection, and media
-- System configuration data, such as accounts and wifi pairing history
-- iCloud local cache and control files
-- Lists of artifacts stored in iCloud
-- Lists of other devices (and computer names) synced with same iCloud
-- The tmp directory, which often contains useful data
-- A directory structure containing information about all files on /var
- The recent syslog backlog, and can perform a syslog capture of new events
- Packet header data captured by the live packet capture tool
- If backup encryption is NOT active, a full backup from the mobile backup service, acquirable in either file system format or iTunes backup format

Zdziarski notes that Waterboard is an extremely useful tool for law enforcement and can provide important evidence in a criminal case. He suggests it could also be used by corporations for conducting internal investigations and to determine what information company devices might be leaking. He also notes that individuals can use it to determine what data can be scraped from their device to better protect their own privacy.

"Given a few seconds with an unlocked device (or even a pass protected device that has been shut off, but whose passcode is not required immediately), anyone can establish a pairing which will grant them carte blanche access to the information Waterboard delivers, which they can pull at any time over either usb or wireless."

Jonathan Zdziarski, also known as "NerveGas", wrote the "iPhone Open Application Development" book and the "iPhone Forensics" book. He has also written an iPhone forensics manual distributed exclusively to law enforcement, and has assisted many forensic examiners in their investigations.

enarki - June 22, 2013 at 9:04pm
it's gone ... everything wiped out from the web
LmAlInOfSkY - November 15, 2013 at 5:04pm
What has Jonathan got to say? If he's saying nothing then very likely he is under heavy government compulsion to make no disclosures. When a GREAT tool like this disappears SO COMPLETELY and SO FAST you just about KNOW it's been classified. It's not a big step from PGP is a munition to this is strong cryptography (although in this case breaking it, not distributing it.) I've seen this happen before, about 20 years ago when a West Coast researcher named Ross Adey got ahold of a microwave thought-control / brainwashing device called the Lida. One week later there was not a single reference to be found anywhere. Remember the tool exists because you sure as hell will never read about it again. Zdziarski will politely and vaguely say he's ended the project and that it "might not be responsible to distribute it". But you can bet your bottom dollar he's not in control anymore. Wonder what will happen to guys who have it already? Chances are they've already been "reached". I didn't use to believe this could happen in the USA but now at 60 years old I know better.
Your Mommy - June 13, 2013 at 6:04am
two words... holy shit...
basswow - June 12, 2013 at 9:49pm
selling it to the NSA?
El Compa - June 12, 2013 at 9:32pm
Looks like someone finally made an app to torture the iPhone and its user into giving up info about themselves. Do I hear Siri choking on water???
Jojozs - June 12, 2013 at 7:36pm
After reading this and going to his site and reading more, I don't feel so secure on iOS anymore. Pretty scary!!