/carve

Carve out forensic data from an iPhone system image.

Primary language: Python

carve

This was my hack for the 2013 Cipher Tech Mobile Forensics Hackathon, sponsored by Cipher Tech Solutions, Inc and NU IEEE. It won first place.

the challenge

At the beginning of the hackathon, everyone was provided with an iPhone system image and it was our task to develop software to "carve out" (extract) as much information as we could from the image and output the data in an easily readable format.

overview

The script is designed to be run in the same directory as the iPhone image. Upon execution, it creates a carvings directory containing one subdirectory for each piece of information being carved. Each subdirectory holds the relevant databases used in extraction and the final product, typically a text file.

$ ls
Makefile      carve.py      iOS4_logical_acquisition image_1.7z
README.md     carvings
$ ls carvings/
AddressBook   Cookies       Logs          Maps          Safari                Voicemail
Calendar      Keyboard      Mail          SMS           SystemConfiguration
$ ls carvings/SMS/
sms.db          sms_summary.txt
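
The layout described above, worked through for the SMS case as an added example (not the repository's own code): it copies sms.db out of an already-extracted image tree into carvings/SMS/ and writes sms_summary.txt from that copy. The message table columns, Unix-second timestamps, flag values and both function names are assumptions, and the sample image is constructed.

```python
import shutil
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Assumed iOS 4 layout: message(address, date, text, flags), date in Unix
# seconds, flags 2 = received, 3 = sent. Verify against the real sms.db.
DIRECTION = {2: "received", 3: "sent"}


def carve_sms(image_root, out_root="carvings"):
    """Copy sms.db out of an extracted image tree and summarise the copy."""
    image_root, out_dir = Path(image_root), Path(out_root) / "SMS"
    source = next(image_root.rglob("sms.db"), None)
    if source is None:
        return None  # nothing to carve in this image
    out_dir.mkdir(parents=True, exist_ok=True)
    evidence = out_dir / "sms.db"
    shutil.copy2(source, evidence)  # keep the database beside the summary
    # Read-only URI: querying must never alter the carved evidence copy.
    con = sqlite3.connect(evidence.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT address, date, text, flags FROM message ORDER BY date").fetchall()
    finally:
        con.close()
    lines = []
    for address, date, text, flags in rows:
        when = datetime.fromtimestamp(date, tz=timezone.utc).isoformat()
        kind = DIRECTION.get(flags, f"flags={flags}")  # keep unknown flags visible
        lines.append(f"{when}  {kind:<8}  {address}  {text or ''}")
    summary = out_dir / "sms_summary.txt"
    summary.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return summary


def build_sample_image(root):
    """Constructed sample input: a tiny tree holding a two-message sms.db."""
    db_dir = Path(root) / "Library" / "SMS"
    db_dir.mkdir(parents=True)
    con = sqlite3.connect(db_dir / "sms.db")
    con.execute("CREATE TABLE message (address TEXT, date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        ("+15550100", 1357000000, "see you at the hackathon", 2),
        ("+15550100", 1357000060, "on my way", 3),
    ])
    con.commit()
    con.close()
    return Path(root)
```

Opening the carved copy read-only and leaving the source file untouched keeps the summary reproducible from the evidence sitting next to it.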

todo

Feel free to contribute, as there's plenty more data to carve (and the original code is sort of really messy). Just get in touch and I'll be happy to send you the image. Here is a list from the event of data up for grabs:

  • Address Book
  • Application List
  • Application Snapshots
  • Bluetooth
  • Calendar
  • Call History
  • Cell Towers (maybe complete?)
  • Clipboard Data
  • Cookies
  • Email
  • Favorite Numbers
  • Geolocation Data
  • iPod
  • Keyboard Data
  • Keychain
  • Messages
  • Notes
  • Pictures
  • Safari
  • Synced Pictures
  • System Info (partial)
  • Videos
  • Voice Memos
  • Voicemail
  • WiFi Access Points (maybe complete?)
  • WiFi Networks
  • YouTube