iOS Forensics Cookbook

4 (1 reviews total)
By Bhanu Birani , Mayank Birani
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
About this book

Mobile device forensics is a branch of digital forensics that involves the recovery of evidence or data in a digital format from a device without affecting its integrity. With the growing popularity of iOS-based Apple devices, iOS forensics has developed immense importance.

To cater to the need, this book deals with tasks such as the encryption and decryption of files, various ways to integrate techniques withsocial media, and ways to grab the user events and actions on the iOS app. Using practical examples, we’ll start with the analysis keychain and raw disk decryption, social media integration, and getting accustomed to analytics tools. You’ll also learn how to distribute the iOS apps without releasing them to Apple’s App Store. Moving on, the book covers test flights and hockey app integration, the crash reporting system, recovery tools, and their features. By the end of the book, using the aforementioned techniques, you will be able to successfully analyze iOS-based devices forensically.

Publication date:
January 2016
Publisher
Packt
Pages
184
ISBN
9781783988464

 

Chapter 1. Saving and Extracting Data

Since their launch, iOS devices have always attracted developers in ever-increasing numbers. There are numerous applications for iOS devices available in the market. While developing applications, we frequently need to save application data into the device's local memory.

In this chapter, you will learn various ways to read and write data to iOS device directory.

In this chapter, we will cover:

  • The Documents directory

  • Saving data using the RAW file

  • Saving data in the SQLite database

  • Learning about Core data

 

The Documents directory


Our app only runs in a "sandboxed" environment. This means that it can only access files and directories within its own contents, for example, Documents and Library. Every app has its own document directory from which it can read and write data as and when needed. This Documents directory allows you to store files and subdirectories created by your app. Now, we will create a sample project to understand the Document directories in much more depth.

Getting ready

Open Xcode and go to File | New | File and then navigate to iOS | Application | Single View Application. In the popup, provide the product name DocumentDirectoriesSample.

How to do it...

Perform the following steps to explore how to retrieve the path of document directories:

  1. First, we will find out where in simulators and iPhones our document directories are present. To find the path, we need to write some code in our viewDidLoad method. Add the following line of code in viewDidLoad:

    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *documentsDirectory = [paths objectAtIndex:0];
    NSLog(@"%@", documentsDirectory);

    In the preceding code, first we fetch the existing path in our path's array. Now, we will take the first object of our path array in a string that means our string contains one path for our directory. This code will print the path for document directory of the simulator or device wherever you are running the code.

  2. To create the folder in documentsDirectory, run the following code:

    NSString *dataPath = [documentsDirectory stringByAppendingPathComponent:@"/MyFolder"];
    if (![[NSFileManager defaultManager] fileExistsAtPath:dataPath])
      [[NSFileManager defaultManager] createDirectoryAtPath:dataPath withIntermediateDirectories:NO attributes:nil error:nil];

    In the preceding code snippet, the [documentsDirectory stringByAppendingPathComponent:@"/MyFolder"] line will create our folder in the Document directory and the last code of NSFileManager will check whether that dataPath exists or not; if it does not exist, then it will create a new path.

  3. Now, compile and run the project; you should be able to see the path of Document directories in your project console. This should look like the following screenshot:

  4. Now, go to Finder; from the options, select Go to Folder and paste the documentsDirectory path from the console. This will navigate you to the Documents directory of the simulator. The Documents directory will look like the following screenshot:

 

Saving data using the RAW file


In the previous section, you learned about the Document directories. Now, in this section we will explore this in more detail. You will learn about saving RAW files in our application's document directory.

Getting ready

We will use the preceding project for this section as well. So, open the project and follow the next section.

How to do it...

Perform the following steps to write data into your Documents directory:

  1. Now, we will create a .txt file in our folder (which we created in the document directory). Customize the code in viewDidLoad: as follows:

    dataPath = [[NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) firstObject] stringByAppendingPathComponent:@"myfile.txt"];
    NSLog(@"%@", dataPath);

    The preceding code will create a .txt file of name myfile.txt.

  2. To write something into the file, add the following code:

    NSError *error;
    NSString *stringToWrite = @"1\n2\n3\n4";
    dataPath = [[NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) firstObject] stringByAppendingPathComponent:@"myfile.txt"];
    [stringToWrite writeToFile:dataPath atomically:YES encoding:NSUTF8StringEncoding error:&error];

    The writeToFile method is used to write data in our file.

  3. Now, to read the data from the file, there's the stringWithContentsOfFile method. So add the following method inside the code:

    NSString *str = [NSString stringWithContentsOfFile:dataPath encoding:NSUTF8StringEncoding error:&error];
    NSLog(@"%@", str);
  4. To see the mayflies.txt file in the Documents directory, go to the GoToFolder finder and paste dataPath from the console. It will take you to mayflies.txt. The final file should look something like the following screenshot:

  5. In the screenshot, you can see the two files have been created. As per our code, we have created myfile.txt and myfile.pdf. We have also created MyFolder in the same Documents folder of the app.

 

Saving data in the SQLite database


When we come across iPhone app design at the enterprise level, it will become very important to save data internally in some storage system. Saving data in the Document directory will not serve the purpose where there is a huge amount of data to save and update. In order to provide such features in iOS devices, we can use the SQLite database to store our data inside the app. In this section of our chapter, our primary focus will be on ways to read and write data in our SQLite database. We will start by saving some data in the database and will then move forward by implementing some search-related queries in the database to enable the user to search the data saved in the database.

Getting ready

To develop a mini app using SQLite database, we need to start by creating a new project by performing the following steps:

  1. Open Xcode and go to File | New | File, and then, navigate to iOS | Application | Single View Application. In the popup, provide the product name SQLite Sample. It should look like the following screenshot:

  2. Click on Next and save the project. After creating the project, we need to add a SQLite library (libsqlite3.dylib). To add this library, make sure that the General tab is open. Then, scroll down to the Linked Frameworks and Libraries section and click on the + button and add the libsqlite3.dylib library to our project:

How to do it...

Now, our project is ready to save the SQLite data. For that, we need to write some code. Perform the following steps to update the project as per our requirements:

  1. Before we can create a database, we need to import the SQLite framework at the top of the screen. Now, declare a variable for sqlite3 and create a NSString property to store the database path. Within the main Xcode project navigator, select the DatabaseViewController.h file and modify it as follows:

    #import <UIKit/UIKit.h>
    #import <sqlite3.h>
    
    @interface DatabaseViewController : UIViewController
    
    @property (strong, nonatomic) NSString *pathDB;
    @property (nonatomic) sqlite3 *sqlDB;
    @end
  2. Now it's time to design our user interface for the SQLite iPhone application. Select the storyboard and then drag and drop the table view to the view along with the table view cell. For tableviewcell, select the Subtitle style from the attribute and give it an identifier (for example, cell); and add one button on the navigation bar (style -> add). Make an outlet connection of the table view and button to ViewController.h.

    The final screen should look like the following screenshot:

  3. Now we will have to connect the table view outlet with the code. For that, press Ctrl and drag the tableView object to the ViewController.h file. Once connected, you should be able to see the connection in the dialog box with an establish outlet connection named tableView. Repeat the steps to establish the action connections for all the other UI components in view.

    Once the connections are established for all, on completion of these steps, the ViewController.h file should read as follows:

    #import <UIKit/UIKit.h>
    #import <sqlite3.h>
    
    @interface ViewController: UIViewController <UITableViewDataSource, UITableViewDelegate>
    
    @property (strong, nonatomic) NSString *pathDB;
    @property (nonatomic) sqlite3 *sqlDB;
    @property (weak, nonatomic) IBOutlet UITableView *tableView;
    
    (IBAction)navigateToNextView:(id)sender;
    
    @end
  4. Now we need to check whether the database file already exists or not. If it is not there, then we need to create the database, path, and table. To accomplish this, we need to write some code in our viewDidLoad method. So go to the ViewController.m file and modify the viewDidLoad method as follows:

    - (void)viewDidLoad {
      [super viewDidLoad];
      NSString *directory;
      NSArray *dirPaths;
      dirPaths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
      NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
      NSString *documentsDirectory = [paths objectAtIndex:0];
      NSString *dataPath = [documentsDirectory stringByAppendingPathComponent:@"/MyFolder"];
      if (![[NSFileManager defaultManager] fileExistsAtPath:dataPath])
        [[NSFileManager defaultManager] createDirectoryAtPath:dataPath withIntermediateDirectories:NO attributes:nil error:nil];
      directory = dirPaths[0];
      _pathDB = [[NSString alloc]
      initWithString: [directory stringByAppendingPathComponent:@"employee.db"]];
      NSFileManager *filemgr = [NSFileManager defaultManager];
      if ([filemgr fileExistsAtPath: _pathDB] == NO)
      {
        const char *dbpath = [_pathDB UTF8String];
        if (sqlite3_open(dbpath, &_sqlDB) == SQLITE_OK)
        {
          char *errMsg;
          const char *sql_stmt =
            "CREATE TABLE IF NOT EXISTS EMPLOYEE (ID INTEGER PRIMARY KEY AUTOINCREMENT, NAME TEXT, DESIGNATION TEXT)";
    
          if (sqlite3_exec(_sqlDB, sql_stmt, NULL, NULL, &errMsg) != SQLITE_OK)
          {
            NSLog(@"Failed to create table");
          }
          sqlite3_close(_sqlDB);
        } else {
          NSLog(@"Failed to open/create table");
      }
    }

    The code in the preceding method performs the following tasks:

    First, we identify the paths available in our directory and store them in an array (dirPaths). Then, we create the instance of NSFileManager and use it to detect whether the database has been created or not. If the file has not been created, then we create the database via a call to the SQLite sqlite3_open() function and create the table as well. And at last, we close the database.

  5. Create a new class named SecondViewController. Go to the storyboard and drag one view controller to the canvas. Design the UI according to the following screenshot:

    Now make an outlet and action connection for this.

  6. Create some properties in SecondViewController.h:

    @property (strong, nonatomic) NSString *pathDB;
    @property (nonatomic) sqlite3 *sqlDB;
  7. In addition, to save the data first, we need to check whether the database is open or not; if it is open, then write a query to insert the data in our table. After writing the data in our table, clear the text present in the text fields. At last, close the database as well.

    In order to implement this behavior, we need to modify the save method:

    - (IBAction)saveButton:(id)sender {
      sqlite3_stmt *statement;
      const char *dbpath = [_pathDB UTF8String];
      if (sqlite3_open(dbpath, &_sqlDB) == SQLITE_OK)
      {
        NSString *sqlQuery = [NSString stringWithFormat: @"INSERT INTO EMPLOYEE (name, designation) VALUES (\"%@\",\"%@\")",self.nameTextField.text, self.designationTextField.text];
    
        const char *sqlSTMNT = [sqlQuery UTF8String];
        sqlite3_prepare_v2(_sqlDB, sqlSTMNT,
        -1, &statement, NULL);
            if (sqlite3_step(statement) == SQLITE_DONE)
            {
                self.nameTextField.text = @"";
                self.designationTextField.text = @"";
            } else {
                NSLog(@"Failed to add contact");
            }
            sqlite3_finalize(statement);
            sqlite3_close(_sqlDB);
        }
    }
  8. Now we want to populate this saved data in tableview. To achieve this task, go to ViewController.m and create one mutable array using the following line of code and initialize it in viewDidLoad. This array is used to save our SQLite data:

    NSMutableArray *dataFromSQL;
  9. In the same class, add the following code to the action button to push the view to new view:

    SecondViewController *secondView = [self.storyboard instantiateViewControllerWithIdentifier:@"SecondViewController"];
    secondView.pathDB = self.pathDB;
    secondView.sqlDB = self.sqlDB;
    [self.navigationController pushViewController:secondView animated:YES];
  10. Create the v iewWillAppear method in the ViewController class and modify it as in the following code:

    -(void)viewWillAppear:(BOOL)animated
    {
      [super viewWillAppear:animated];
      [dataFromSQL removeAllObjects];
      [self.tableView reloadData];
      const char *dbpath = [_pathDB UTF8String];
      sqlite3_stmt *statement;
    
      if (sqlite3_open(dbpath, &_sqlDB) == SQLITE_OK)
      {
        NSString *querySQL = [NSString stringWithFormat:
          @"SELECT name, designation FROM EMPLOYEE"];
    
        const char *query_stmt = [querySQL UTF8String];
    
        if (sqlite3_prepare_v2(_sqlDB, query_stmt, -1, &statement, NULL) == SQLITE_OK)
        {
          while (sqlite3_step(statement) == SQLITE_ROW)
          {
            NSString *name = [[NSString alloc] initWithUTF8String:
            (const char *) sqlite3_column_text(statement, 0)];
    
            NSString *designation = [[NSString alloc] initWithUTF8String:
            (const char *) sqlite3_column_text(statement, 1)];
            NSString *string = [NSString stringWithFormat:@"%@,%@", name,designation];
            [dataFromSQL addObject:string];
          }
          [self.tableView reloadData];
          sqlite3_finalize(statement);
        }
        sqlite3_close(_sqlDB);
      }
    }

    In the preceding code, first we open SQLite and then we fire a query SELECT name, designation FROM EMPLOYEE through which we can get all the values from the database. After that, we will make a loop to store the values one by one in our mutable array (dataFromSQL). After storing all the values, we will reload the tableview.

  11. Modify the tableview data source and the delegate method as follows, in ViewController.m:

    - (NSInteger)tableView:(UITableView *)tableView numberOfRowsInSection:(NSInteger)section {
        return dataFromSQL.count;
    }
    
    (UITableViewCell *)tableView:(UITableView *)tableView cellForRowAtIndexPath:(NSIndexPath *)indexPath
    {
    
      static NSString *CellIdentifier = @"GBInboxCell";
      UITableViewCell *cell = [tableView dequeueReusableCellWithIdentifier:CellIdentifier];
    
      if (cell == nil) {
        cell = [[UITableViewCell alloc] initWithStyle:UITableViewCellStyleSubtitle reuseIdentifier:CellIdentifier];
      }
    
      if (dataFromSQL.count>0) {
        NSString *string = [dataFromSQL objectAtIndex:indexPath.row];
        NSArray *array = [string componentsSeparatedByString:@","];
        cell.textLabel.text = array[0];
        cell.detailTextLabel.text =array[1];
    
      }
      return cell;
    }
  12. The final step is to build and run the application. Feed the contact details in the second page of the application:

  13. Now click on the Save button to save your contact details to the database.

  14. Now, when you go back to the Employee List view, you will see the newly saved data in your table view:

 

Learning about core data


Saving data is an important feature of almost all iOS apps. Apple has provided one more option for developers to save data using the native database, which is called Core data. This section will introduce us to the basics of core data with an example project. In the previous section, you learned about SQLite, and in this section, we will migrate from the same database to core data. The objectives will be to allow the user to save data in the database and fetch it.

Getting ready

In order to proceed with this exciting topic, we will create a new project. To create a new project, open Xcode and perform the following functions:

  1. From the File menu, select the option to create a new project.

  2. Then, select the Single View Application option. Make sure that while creating the project, the Use Core Data checkbox is checked.

  3. Then, click on Next and select a location to save your project. Now you will see that the Xcode has created a new project for us and will launch the project window.

While having a closer look at the project files on the right-hand panel, we will observe an additional file named CoreData.xcdatamodeld. This is the file that is going to hold all our entity-level descriptions for data models.

How to do it...

Perform the following steps to learn the implementation of core data in iOS applications:

  1. To use the core data in an application, first we will have to create the entity for the CoreData application. For this, select the CoreData.xcdatamodeld file and load it in the entity editor:

  2. In order to add new entities to the data model, click on the Add Entity button, which is located in the bottom bar. Once the entity is created, double-click on New Entity and change its name to Employee.

  3. Once the entity is created, we can now add attributes for it in order to represent the data for the model. Click on the Add Attribute button (+) to add attributes to the entity. For each attribute that is added, set the appropriate type of data. Similarly, add all the attributes one after another.

  4. Now we will create the user interface for the application and will connect all the UI components with their respective IBOutlets and actions. Here, we are following a design similar to our SQLite sample; over and above design, we will add one more class, which is SecondViewController:

  5. Check all the IBOutlet connections in the SecondViewController.h file, all the properties should have a dark circle indicator. Then we need to import the AppDelegate.h file at the top. After all the changes the class will look similar to following code:

    #import <UIKit/UIKit.h>
    #import "AppDelegate.h"
    
    @interface SecondViewController : UIViewController
    @property (weak, nonatomic) IBOutlet UITextField *nameTextField;
    @property (weak, nonatomic) IBOutlet UITextField *designationTextField;
    
    - (IBAction)saveButton:(id)sender;
    @end
  6. When the user touches the Save button, the save method is called. We need to implement the code to obtain the managed object context and create and store managed objects containing the data entered by the user. Select the ViewController.m file, scroll down and save the method, and implement the code as follows:

    - (IBAction)saveButton:(id)sender {
      AppDelegate *appDelegate = [[UIApplication sharedApplication] delegate];
    
      NSManagedObjectContext *context =
      [appDelegate managedObjectContext];
      NSManagedObject *newContact;
      newContact = [NSEntityDescription insertNewObjectForEntityForName:@"Employee" inManagedObjectContext:context];
    
        [newContact setValue: _nameTextField.text forKey:@"name"];
        [newContact setValue: _designationTextField.text forKey:@"designation"];
      _nameTextField.text = @"";
      _designationTextField.text = @"";
    }

    In the preceding code, we created a shared instance of [UIApplication sharedApplication]. This code snippet will always give the same instance every time. Afterwards, it will create nsmanagedobject with the entity we created in CoreData.xcdatamodel, and then it will set the values for the keys.

  7. Now we need to populate the same data in our tableview. To achieve that, go to ViewController.m, create one mutable array (for example, dataFromCore) to save our data from CoreData to local, and modify viewWillAppear:

    -(void)viewWillAppear:(BOOL)animated
    {
      [super viewWillAppear:animated];
    
      [dataFromCore removeAllObjects];
      [self.tableView reloadData];
      AppDelegate *appDelegate = [[UIApplication sharedApplication] delegate];
      NSManagedObject *matches = nil;
      NSManagedObjectContext *context = [appDelegate managedObjectContext];
    
      NSEntityDescription *entityDesc = [NSEntityDescription entityForName:@"Employee" inManagedObjectContext:context];
    
      NSFetchRequest *request = [[NSFetchRequest alloc] init];
      [request setEntity:entityDesc];
    
      NSError *error1 = nil;
      NSArray *results = [context executeFetchRequest:request error:&error1];
      if (error1 != nil) {
        NSLog(@"%@", error1);
      }
      else {
        for (matches in results) {
          NSLog(@"%@.....%@", [matches valueForKey:@"name"],[matches valueForKey:@"designation"]);
          NSString *string = [NSString stringWithFormat:@"%@,%@",[matches valueForKey:@"name"],[matches valueForKey:@"designation"]];
          [dataFromCore addObject:string];
    
        }
      }
      [self.tableView reloadData];
    }

    Again, it will create the shared instance of [UIApplication sharedApplication] and it will return the same instance as previously. Now, we are fetching the data from NSFetchRequest using NSEntityDescription and saving the result in one array. After that, we retrieve the values from the keys, one by one, and add them to our mutable array (dataFromCore), and at last, reload our tableview.

  8. Our tableview methods should look similar to the following code. If they do not, then modify the code:

    - (NSInteger)tableView:(UITableView *)tableView numberOfRowsInSection:(NSInteger)section {
      return dataFromCore.count;
    }
    
    - (UITableViewCell *)tableView:(UITableView *)tableView cellForRowAtIndexPath:(NSIndexPath *)indexPath
    {
      static NSString *CellIdentifier = @"GBInboxCell";
      UITableViewCell *cell = [tableView dequeueReusableCellWithIdentifier:CellIdentifier];
      if (cell == nil) {
        cell = [[UITableViewCell alloc] initWithStyle:UITableViewCellStyleSubtitle reuseIdentifier:CellIdentifier];
      }
      if (dataFromCore.count>0) {
        NSString *string = [dataFromCore objectAtIndex:indexPath.row];
        NSArray *array = [string componentsSeparatedByString:@","];
        cell.textLabel.text = array[0];
        cell.detailTextLabel.text =array[1];
    
      }
      return cell;
    }
  9. The final step is to build and run the application. Enter the text in the second view and hit Save to save your contact details in our database:

Now, when you go back to the Employee List view, you will see the newly saved data in your table view as shown in the following screenshot:

About the Authors
  • Bhanu Birani

    Bhanu Birani has more than 7 years of experience in the software industry. He is passionate about architecting, designing, and developing complicated applications. He specializes in creating web, backend as a service, and mobile products suitable for B2B and B2C context. He has expertise in end to end development to create innovative and engaging applications for mobile devices.

    After years of programming experience in different programming languages, he started developing applications for iOS devices. He started software development around the same time as his graduation and was really interested in learning about the new technologies emerging in the market. He then joined a game development company. After contributing to the gaming domain, he started working on content-based applications and radio applications. He also contributed to hyperlocal geo-targeting using BLE (iBeacons). Over the years, he has gained experience in all phases of software development as requirement gathering, feasibility analysis, architecture design, coding and debugging, quality improvement, deployment, and maintenance.

    Browse publications by this author
  • Mayank Birani

    Mayank Birani has more than 4 years of experience in the software industry. He was a star from the beginning of his career, and he worked with many start-ups. Soon after graduation, he started working on iOS/Mac technologies and is an R&D engineer for Apple Inc. India. He has an inherent passion for coding and developing applications to make the world a better place. He has contributed actively to many start-ups with revolutionary ideas.

    In the early stages of his career, he was the sole author of Learning iOS 8 for Enterprise by Packt Publishing.

    Browse publications by this author
Latest Reviews (1 reviews total)
iOS Forensics Cookbook
Unlock this book and the full library FREE for 7 days
Start now