3uTools for iOS Device Forensics

Introduction

      Having multiple software and hardware tools while conducting mobile device forensics can assist examiners in overcoming any obstacles caused by operating systems updates, new data file formats, unsupported applications/operating system/device modules, and other issues that often arise while examining mobile devices. This research reviewed and tested a tool named 3uTools to determine its advantages and disadvantages for iOS device forensics. This research begins with reviewing the tool, which focuses extensively on utilities within the tool that could be of use for forensic examiners dealing with iOS devices. The testing phase of the research included utilizing 3uTools to extract data from iOS devices and other tests to determine the capabilities of the tool. The last part of the research was centered around the results of the data backups created by 3uTools and comparing them to a full filesystem extraction conducted using Cellebrite UFED. Determining the format of files and data provided by 3uTools is essential for examiners in order to determine whether traditional forensic tools can ingest backups created by this tool.

 

3uTools Overview

      According to 3uTools (n.d.), 3uTools is an all-in-one tool for iOS devices that can only be installed and utilized in a Microsoft Windows environment. The referenced website mentioned that this tool can be used to manage data on iOS devices through backup and restore capabilities. The other functionality offered by the tool and highlighted on the website is the jailbreaking capability for iOS devices. This feature allows users of iOS devices to customize their devices beyond the restrictions imposed by the operating system. The tool also provides information to the user about any connected iOS device. The provided information includes the activation status of the device and whether it was jailbroken. More features of this tool were investigated further, and the results are detailed in the following section.

 

3uTools Forensic Features

iDevice

      The iDevice tab, depicted in Figure 1, contains a list of subcategories of options offered to the users. The Info tab offers a great deal of information about the connected iOS device and its current status. The referenced figure shows one view of the information offered in the Info tab. The information provided in this view includes the jailbreak status, device model, storage capacity, serial number, International Mobile Equipment Identifier (IMEI), and other important information about the device. The second view provided by the tool for device information is located under the UUID block, “View iDevice Details.” Figure 2 shows the iDevice Details window providing more information about the connected device. This page shows the phone number, card slot capacity, and other identifiable information about the device.


Figure 1. The Info window of 3uTools.

 

Figure 2. The iDevice Details view of 3uTools.

      The second tab that could be highly beneficial for forensic examiners, located under the iDevice tab, is Files. Clicking on Files reveals a list of folders in the filesystem of the connected device. This means that the user is getting access to the files that contain data records and not only the records that are offered in data backups. Having access to the files would provide an advantage in recovering deleted records. Having an entire data file or database containing the data could lead to remnants of deleted or older information being recovered. Figure 3 shows the directory listing offered by the Files feature in 3uTools. A quick review of the filesystem listing revealed that not all expected data files were visible in the listing, which means that this method does not offer all the data found in the connected iOS device.


Figure 3. Filesystem listing using 3uTools.

Toolbox Tab

      The review of the Toolbox tab revealed multiple features that, without further testing, can be considered valuable during forensic examinations of iOS devices. The first feature is the Backup/Restore, which can be used to extract user data from an iOS device (Figure 4). It is worth noting that examiners can utilize only the backup part of this feature, not the restore. Examiners perform data extractions with the least possible changes occurring to the extracted device and should not be interested in restoring any data back onto that device. However, examiners can use this feature to restore a copy of the backup onto a non-evidence or test device to observe and note the same information and data the data owner saw when they used the device from which the backup was created.


Figure 4. The Backup/Restore feature in 3uTools.

      The second feature of note found under the Toolbox tab was the Realtime Screen, which is a feature that can be used to create screenshots of the phone screen. Digital forensic examiners are often unable to extract data from mobile devices due to a lack of forensic tool support for an application, phone model, operating system version, or other issues that may arise during data extractions. One of the examination methods noted by Bair (2018) in such situations is the manual examination. In the event that relevant data is found during the review process, screen capturing can be conducted to document the relevant data. The Realtime Screen feature can play a significant role in these instances, assuming that 3uTools supports the iOS device and operating system version being examined.

      The last feature that is critical for iOS forensics is the Jailbreak feature. Obtaining comprehensive extraction from an iOS device can only be conducted using advanced and often costly commercial tools that are not available in all digital forensic laboratories. One of the ways to conduct comprehensive extractions from iOS devices is through the jailbreaking technique. This technique eliminates restrictions placed by the operating system and allows for more data to be accessed and extracted from an iOS device. Having the 3uTools with a prebuilt jailbreaking capability would simplify the process of gaining full access to the filesystem. This feature will be further discussed in the testing section of this research.

      Unlike many iOS forensic tools, 3uTools does not require iTunes to be installed to interact with iOS devices. This means that 3uTools has more control over the interaction with an iOS device, unlike the tools that must utilize drivers provided with iTunes as a proxy to be able to interact with iOS devices. It is worth noting that 3uTools has an option provided in the bottom left corner of the user interface that can be used to close iTunes.

 

Concerns for 3uTools

      The main page title for 3uTools (n.d.) website described this tool as “The Most Efficient iOS Files & Data Management Tool,” which means that 3uTools has not been developed for forensic purposes. However, that does not mean that it cannot be taken advantage of for the purpose of iOS forensic examinations. There are many tools used by digital forensic examiners that were not developed to perform forensics, but they still provide great functionalities and offer excellent solutions for data extraction, processing, and examinations. One of the most prominent software tools used by forensic examiners that was not developed to perform digital forensics is iTunes. It is an excellent tool that can be used to obtain data backups from iOS devices.

      With all the benefits of using tools like 3uTools to conduct forensics, there are a few concerns that can be raised when employing this tool to conduct digital forensic examinations:

  1. Currently, there is no training that offers any kind of guidance to help new examiners in utilizing 3uTools carefully without causing any damage to digital evidence. As seen previously, this tool has a restore option, and using such functionality on actual digital evidence can be detrimental to the evidentiary value of that data.
  2. This tool is not widely used by forensic examiners, which means that the results obtained from this tool can be challenged in court proceedings.
  3. It is unclear how soon this tool can be updated after major iOS releases that could render it unusable for data extractions or any other functionality offered by the tool.
  4. Like other tools not developed for digital forensic purposes, 3uTools does not offer data integrity. It does not support hash functionality for any data extracted from iOS devices.

 

Testing Data Creation

      The creation of the testing data focused on data that are found in most iOS devices. An iPhone 5s was used to create the test data, which included messaging via SMS/MMS, browsing, and voice communication. Data creation spanned a long period of time. At the conclusion of data creation, an iCloud backup of the test device was created to ensure it was available for the two iOS devices that were used during this research. The two devices had SIM cards that were deactivated by the service providers but still had telephone numbers that can be observed using forensic tools.

      As it was explained above, the testing devices had deactivated SIM cards, which meant that they could not be used to conduct audio calling using a cellular network. All calling data generation was conducted via a Wi-Fi network. The messages were sent via Wi-Fi in the same way as the calling data generation. The messages were exchanged with three different phone numbers that are associated with iOS devices, which meant that all the messages were iMessages. The testing data also included creating pictures and videos. Furthermore, different web pages were visited to create web history.

 

3uTools Testing

Overview

      The testing phase of this research was conducted on a Windows 11 Home system. As explained previously, an iPhone 5s was used to create test data. iCloud backup was then used to set up a second iPhone, the same model, which was also used during testing. The first iPhone was then jailbroken using the Checkm8 exploit. Data from both test devices was extracted using 3uTools to determine if the tool behaved differently when the iOS device was jailbroken. Following is a list of all hardware and software tools utilized during the testing phase of this research:  

  • iPhone 5s, Model: A1533, iOS Version: 12.5.7 (Jailbroken Device)
  • iPhone 5s, Model: A1533, iOS Version: 12.5.7 (Non-Jailbroken Device)
  • 3uTools, Version 2.65.003
  • Cellebrite UFED, Version 7.62.0.173
  • Checkra1n, Version Beta 0.12.41
  • Magnet AXIOM, Version 6.11.0.34807

 

Full Filesystem Extraction

      Prior to conducting extractions or backups using 3uTools, a full filesystem extraction was obtained from the jailbroken iPhone. The full filesystem extraction was conducted using Cellebrite UFED. It is worth mentioning that the Cellebrite tool utilized Checkm8 exploit to be able to extract a full filesystem image. This extraction was conducted to ensure the preservation of the testing data before starting the testing phase. The full filesystem data was used to compare with the data resulting from the backups created using the 3uTools. Figures 5 and 6 show Cellebrite UFED before and after the extraction of the full filesystem image.


Figure 5. Cellebrite UFED shows the device used and total storage.

Figure 6. Cellebrite UFED reporting the results of full filesystem extraction.

 

Jailbreaking iPhone 5s

      At the conclusion of the extraction process using Cellebrite UFED, the device rebooted, which caused the jailbreak to be removed. However, to be able to accurately compare the results of the data backup from the 3uTools and Cellebrite UFED, the device had to be jailbroken again and remain in that state until the conclusion of the testing phase. A bootable USB device was created using Checkra1n. After booting into the bootable USB, an iPhone 5s was connected to the computer in recovery mode. The device was then placed into Device Firmware Upgrade (DFU), and the jailbreak was completed successfully. Figure 7 shows the completion of the jailbreak process.


Figure 7. Checkra1n reporting the results of the jailbreak process.

 

3uTools Data Backup

      As explained previously, the Backup/Restore option can be found under the Toolbox tab in the 3uTools dashboard. As the name suggests, this feature can be used to create backups of an iOS device and flash a backup back onto an iOS device. The restore option can be used when moving data from one device to another. This feature could be beneficial if a digital forensic examiner wanted to see how the evidence was presented in a device and the layout of the device from which the data was extracted. However, this research focuses on data backups and not on the restore feature.

      Two data backups were conducted during this research using the Backup/Restore option. The first data backup was obtained from the jailbroken iPhone 5s, and a second backup was conducted of the second iPhone 5s that has not been jailbroken. These two backups played a significant role in comparing the tool’s backup capability in dealing with regular and jailbroken iOS devices. It is worth emphasizing that both iPhone 5s devices have the exact same model, data set, and iOS version. The only difference was that one of them was jailbroken.

      The first backup was conducted of the jailbroken device. After clicking the Backup/Restore option, the user is presented with a window showing information about the device, the used storage space, and the total storage of the device. This is a great feature that can give the examiner an idea about how much data the iOS device was likely holding. Prior to the beginning of the backup process, the user can change the directory where the backup would be saved and then click “Back up Now” to complete the backup process. Figure 8 shows the backup process of the jailbroken device.


Figure 8. 3uTools data backup of jailbroken iPhone 5s.

      The same procedure was then followed to back up data from the non-jailbroken device. The procedure or the prompts did not differ between the jailbroken and non-jailbroken devices. The only noticeable difference in the backup process is the amount of data 3uTools was able to back up from each device. 3uTools extracted 29.22 MB (megabytes) from the non-jailbroken device versus 81.51 MB from the jailbroken device. This was a significant difference in the amount of data between the two backups. The difference in the amount of data was expected because the restrictions imposed by the operating system in the jailbroken device had been eliminated, and 3uTools was able to gain access to more data in that device.

      To further explore the backup capability of 3uTools, the iOS backup encryption for the non-jailbroken device was turned on using iTunes. Prior to connecting the device, the “Prevent iPods, iPhones, and iPads from syncing automatically” option was turned on in iTunes to prevent syncing between the computer and the iOS device. Once the device was connected back to 3uTools, the device was recognized as having the encrypted backup option enabled, and the tool presented an option that could be used to change the backup password. The tool requested the backup encryption password prior to beginning the backup process. The backup process was completed successfully, and the amount of data received from the phone increased to 30.45 MB from 29.22 MB before encrypting the backup. This means that more data was received from the device with backup encryption, but the amount did not reach the amount of data obtained from a jailbroken device. These results were expected because an iOS device with an encrypted backup has restrictions imposed by the operating system on certain data to be extracted from the device. At the same time, more data can be collected from an encrypted backup device because the operating system would allow for more data categories to be included in the backup when the backup encryption option is turned on.

 

Exporting Filesystem Data

      One of the options found under the iDevice tab in the 3uTools is the Files tab found on the left side of the user interface. Clicking this option would provide a window showing directories in the filesystem. The directories can be reviewed to determine their contents; however, as an examiner, it is essential to reduce any direct interactions with the device filesystem and it would be much better to extract the data and review it offline.

      The Files view in 3uTools provides an option to export all the listed directories by highlighting all the directories or specific directories, then right-clicking on the highlighted items and choosing the “Export” option. The number of directories seemed to depend on the status of the device. As shown below in Figures 9 through 11, testing revealed that the fewest directories were shown for the unencrypted backup device. The encrypted backup device had more directories, but the largest number of directories was seen in the jailbroken device. This further confirms that 3uTools has less data access when dealing with a device with an unencrypted backup, more data for an encrypted backup device, and the most data for jailbroken devices.


Figure 9. Filesystem view of non-jailbroken iPhone in 3uTools.  

Figure 10. Filesystem view of non-jailbroken and encrypted backup iPhone in 3uTools.

Figure 11. Filesystem view of jailbroken iPhone in 3uTools.

      The amount of data exported from the Files tab for the encrypted backup device and the jailbroken device was different in a surprising way. 3uTools reported the number of folders and files that were exported from each device. The number of directories obtained from the jailbroken device was significantly less than those obtained from the device with an encrypted backup, yet the number of files exported from the encrypted backup device was slightly less than from the jailbroken device. Figures 12 and 13 show the number of directories and files exported from each device.


Figure 12. Filesystem export using 3uTools from the encrypted backup device. 

Figure 13. Filesystem export using 3uTools from the jailbroken device.  

 

Restore Feature

      The restore feature was mainly tested to determine whether 3uTools requires iTunes to be able to interact with iOS devices. After iTunes was uninstalled from the testing system, an iOS backup was restored to a test device using the 3uTools restore feature. The referenced backup was created using 3uTools. The restore process was completed successfully, meaning that this tool operates independently from iTunes and does not require iTunes drivers to be installed to run its functionalities. Further, iTunes was installed back in the system, and the prevent sync option was turned off to allow syncing. iTunes and 3uTools were both running while the test device was connected to the system. iTunes appeared to sync the device, which meant that 3uTools does not prevent iTunes from syncing the iOS device. This test further confirmed that these tools operate independently and do not affect each other’s functionalities.

 

Screen Capture

      As explained previously, 3uTools can be used to obtain screenshots from an iOS device using the Realtime Screen feature found under the Toolbox tab. The status of the device regarding jailbroken or non-jailbroken did seem to affect this feature. This feature can be used to obtain screenshots without the need for an external camera. Collecting screenshots from a device is highly critical in the event that the evidence cannot be extracted from the device. This feature did not require any changes to the settings of the phone or any other special steps to get the phone screen to be mirrored onto the computer monitor. The Realtime Screen feature also offered a way to capture the current screen of the device and save it to a file or copy it to the clipboard. Figure 14 shows the Realtime Screen feature in 3uTools. During testing, the screenshots were saved in the C:\3uTools\ScreenShot directory as the default location in the local system. This feature can also be used by examiners to mirror the device to the computer monitor, and then video record the screen. Such recordings can be of great value in showing that no changes were inflicted on the user data during the extraction process.

      The screen capture feature can also be valuable when dealing with applications that encrypt their data. These types of applications would have a decryption key found within their application directory; however, it usually requires at least a full filesystem extraction to acquire the file containing the decryption key. This means that the application data would not be decrypted if a full filesystem extraction was not possible. In such instances, screen captures of data found in the encrypted application would be of great value in showing the encrypted data.


Figure 14. Realtime Screen feature offered in the 3uTools.

3uTools Jailbreak Feature

      As discussed previously, a full filesystem image was obtained from one of the test devices using the Checkm8 exploit offered by Cellebrite UFED. The capability to jailbreak iOS devices provides examiners access to data that otherwise would be inaccessible. 3uTools provides jailbreaking capability with an added bonus. The tool checks the device information and provides all the available jailbreaking options. The tool also provides steps to jailbreak if the jailbreak cannot be conducted directly by 3uTools. In Figure 15, 3uTools provided jailbreaking options for an iPhone 5s and also simplified steps for completing the Checkra1n jailbreak that cannot be completed within the tool. It is worth mentioning that the unc0ver jailbreak listed as an option in Figure 15 was attempted using 3uTools, but it was unsuccessful. However, attempting Checkra1n was successful using the method explained previously.


Figure 15. Jailbreaking options and instructions presented in 3uTools.

  

Examination of Extracted Data

Overview

      This section is dedicated to examining the contents of the extractions obtained during the testing section of the research. The examination process aimed to compare the contents and metadata of the filesystem extraction obtained using Cellebrite UFED and all the backups created using the 3uTools. The comparison would also include metadata obtained manually from the test device to provide further confirmation for the results offered in this research. Magnet AXIOM was used to process all extracted data collected during the testing phase.

      The review of the extracted data is broken down by the type of extraction conducted using the 3uTools, which was backup and filesystem exports. Extractions using the same method were compared to determine any differences in the amount of data and the type of data extracted. The data and metadata found in the full filesystem extraction were compared to those found in 3uTools extractions to determine whether 3uTools caused changes to the user data. 

 

Cellebrite Full Filesystem Extraction

      The full filesystem image obtained using Cellebrite UFED was processed successfully using AXIOM. All artifact categories offered by AXIOM for iOS data processing were selected to obtain more information from the image. After data processing was completed, AXIOM presented a total of 22,214 artifacts collected from the extraction. Most of the reported artifacts were in the Media category, as there were 10,400 media entries collected from the image. The artifacts and information reported from the full filesystem image were used to compare with the results of data collected using 3uTools. Figure 16 shows data categories and the number of artifacts collected by AXIOM from the full filesystem image.


Figure 16. AXIOM data categories of the full filesystem extraction.

 

3uTools Backup from Jailbroken Device

      As shown in Figure 17, AXIOM recovered far fewer artifacts from the backup created using 3uTools from the jailbroken device. This difference in the number of artifacts was expected because of the difference in the amount of data included in an iOS backup versus a full filesystem extraction. The full filesystem image would include data that is not considered user data, such as operating system logs and files that the user did not create. The difference in the type of data extracted in the full filesystem and data backups can be clearly observed through the Media data category. Almost all media files recovered from the data backup were user-created video and picture files. As for the full filesystem image, the majority of the files reported in the Media data category were operating system and application-related media files.


Figure 17. AXIOM data categories collected from 3uTools image of jailbroken iPhone 5s.

A.    Safari Artifacts: AXIOM recovered the same web visits from the full filesystem image and the 3uTools. The time stamps matched in both extractions, meaning 3uTools did not affect Safari data or alter any of the metadata. Figures 18 and 19 show a comparison between web artifacts collected from both images. It is worth noting that the Safari artifacts were not available on the device to compare with the results obtained from both images. 


Figure 18. Safari artifacts from the full file system image.

Figure 19. Safari artifacts from the 3uTools data backup.

B.    Call Logs: A comparison between call log artifacts collected from both images revealed an exact match in the phone numbers, call duration, call type, call status, and time/date of the call. Figures 20 and 21 show a comparison between call logs obtained from the two extractions.


Figure 20. Call logs artifacts from the full filesystem extraction.

Figure 21. Call logs artifacts from the 3uTools data backup.

C.    Contacts: The name, numbers, and creation dates matched in both extractions. See Figures 22 and 23.


Figure 22. Contacts records from the full file system image.

Figure 23. Contact records from the 3uTools data backup.

D.    iMessage: The contents and metadata of the iMessage records matched in both extractions. Both extractions also reported the same messages that contained media files. This means that 3uTools did not affect the content or metadata of the messages and was able to extract the same live data as the full filesystem extraction. Figures 24 and 25 show the iMessage records comparison from both extractions.

Figure 24. iMessage records from the full filesystem image.

Figure 25. iMessage records from the 3uTools data backup.

E.    Media Files: The review of the results revealed the same user-created videos and pictures in both extractions. The review of the results also revealed that 3uTools did not cause any changes to the media files. Figures 26 and 27 show the same results obtained from both extractions.

 

Figure 26. Media records from the full filesystem image.


Figure 27. Media records from the 3uTools data backup.

3uTools Backups from Devices with Encrypted and Unencrypted iOS Backup

      As explained previously, the non-jailbroken device was used to create two backups: one with the iOS encrypted backup option turned on and a second with this option turned off. Both images were processed using AXIOM, but the results were surprisingly different. AXIOM was able to extract more information from the unencrypted backup than from the encrypted backup. In any other situation, the encrypted backup would have more information than the unencrypted backup because the operating system would allow more data to be backed up when that option is enabled. One crucial detail to note here is that AXIOM did not recover any user data from the encrypted backup. Figures 28 and 29 show the number of artifacts parsed by AXIOM for each backup.


Figure 28. AXIOM data categories from the encrypted backup. 


Figure 29. AXIOM data categories from the unencrypted backup. 

      The Manifest.plist file was checked for both images to eliminate the possibility of a mix-up in the extracted images. The “IsEncrypted” key had the value “True” in the encrypted backup and the value “False” in the unencrypted backup. Further review of the encrypted backup contents revealed that the files did not contain human-readable data, meaning 3uTools could not correctly handle data backups when the iTunes backup encryption was enabled.

      A review of the artifacts recovered by AXIOM from the unencrypted backup did not show any differences in the number of artifacts or metadata found during the review of the full filesystem image or the 3uTools backup of the jailbroken device. This meant that 3uTools does not cause any changes to the user data or associated metadata, regardless of whether the device was jailbroken or not. However, the tool had an issue recovering data from the device when the backup encryption option was enabled.

 

3uTools Filesystem Export 

      A review of artifacts in AXIOM obtained from the filesystem exports revealed that AXIOM parsed only media files from the data obtained from jailbroken and non-jailbroken devices. A review of the contents of the filesystem exports was conducted, which revealed that no data files were found in the backups related to user data, other than the media files. This meant that filesystem exports using 3uTools were not useful to extract artifacts other than for media files, even when dealing with a jailbroken iOS device.

Comparing the timestamps associated with the pictures and videos found in the full filesystem extraction and the filesystem export obtained using 3uTools revealed a match of all files. Figures 30 and 31 show the timestamps associated with pictures and videos obtained through filesystem extraction and filesystem export using 3uTools.


Figure 30. Picture and video files extracted using 3uTools filesystem export.


Figure 31. Picture and video files in the full filesystem extraction.

 

3uTools Backups File Structure

      This section provides a review of the directory structure of the backups created by 3uTools and compares them to the directory structure of a regular iTunes backup. Backups from both tools provided a matching directory name, which represented a 40-character unique device identifier (UDID). The only difference in the main backup directory is that 3uTools provided two text files along with the backup directory, named “log.txt” and “Please do not modify the directory or file.txt.” The log.txt file contained, as the name suggests, logged activities related to the creation of the backup. The logged information does not indicate what exact data categories were backed up by the tool or which files were acquired during the backup. The log entries provided the status of the backup and the UDID of the backup directory, along with the timestamps. Figure 32 shows a screenshot of the log.txt file. The second text file, “Please do not modify the directory or file.txt,” contained a message for the user advising not to change the directory structure or directory/file names as it would affect the ability to restore that data back into a device.

      As for the directory structure inside the backup directory, both backups were a match in the number of directories and files obtained during the backup process. Similar to the iTunes backup, 3uTools provided Info.plist, Manifest.db, Manifest.plist, and Status.plist files. A further review of the backups revealed that the 3uTools backup had directory and file names matching those found in the iTunes backup. Figure 33 shows a side-by-side comparison of both backups.


Figure 32. Screenshot of the log.txt file.


Figure 33. Side-by-side comparison between 3uTools backup (left) and iTunes backup (right).
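
      The structural checks described in this research (the 40-character UDID directory name, the four top-level backup files, and the “IsEncrypted” key in Manifest.plist) can be scripted, together with the hashing that 3uTools itself does not provide. The following Python is an added example, not part of 3uTools or of the original research; the function names and the sample backup it builds are constructed for illustration.

```python
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# Top-level files the research found in both 3uTools and iTunes backups.
EXPECTED_FILES = ("Info.plist", "Manifest.db", "Manifest.plist", "Status.plist")
# The research describes the backup directory name as a 40-character UDID.
UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SQLITE_MAGIC = b"SQLite format 3\x00"  # standard 16-byte SQLite file header


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_backup(backup_dir):
    """Inspect one backup directory read-only and report its structure."""
    root = Path(backup_dir)
    report = {
        "udid": root.name,
        "udid_is_40_hex": bool(UDID_RE.match(root.name)),
        "missing": [n for n in EXPECTED_FILES if not (root / n).is_file()],
        "is_encrypted": None,           # None means "could not be determined"
        "manifest_db_is_sqlite": None,
    }
    manifest = root / "Manifest.plist"
    if manifest.is_file():
        try:
            with open(manifest, "rb") as fh:
                # plistlib reads both XML and binary property lists.
                data = plistlib.load(fh)
            report["is_encrypted"] = bool(data.get("IsEncrypted", False))
        except Exception:
            pass  # malformed plist: leave None so it is reviewed manually
    db = root / "Manifest.db"
    if db.is_file():
        with open(db, "rb") as fh:
            # A database that lacks this header cannot be opened as plain
            # SQLite by a parsing tool.
            report["manifest_db_is_sqlite"] = fh.read(16) == SQLITE_MAGIC
    return report


def hash_manifest(backup_dir):
    """Map each file's relative path to its SHA-256, for later verification."""
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def changed_files(before, after):
    """Paths whose hash differs or that exist in only one manifest."""
    return sorted(
        k for k in before.keys() | after.keys() if before.get(k) != after.get(k)
    )


def build_sample_backup(parent, encrypted=False):
    """Constructed sample layout for illustration; not data from a device."""
    root = Path(parent) / ("a1b2c3d4e5" * 4)  # constructed 40-hex-character name
    root.mkdir(parents=True)
    with open(root / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh, fmt=plistlib.FMT_BINARY)
    for name in ("Info.plist", "Status.plist"):
        with open(root / name, "wb") as fh:
            plistlib.dump({"Constructed": True}, fh)
    # Assumption for the sample: opaque bytes stand in for a database that
    # is not readable as plain SQLite when the backup is encrypted.
    body = b"\x8f" * 100 if encrypted else SQLITE_MAGIC + b"\x00" * 84
    (root / "Manifest.db").write_bytes(body)
    (root / "ab").mkdir()
    (root / "ab" / "ab0123").write_bytes(b"constructed payload")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = build_sample_backup(tmp)
        print(triage_backup(backup))
        baseline = hash_manifest(backup)
        print(len(baseline), "files hashed")
        # Re-hash later (for example after processing) and compare.
        print("changed:", changed_files(baseline, hash_manifest(backup)))
```

      Recording the output of hash_manifest immediately after the backup completes gives the examiner a baseline that can be re-checked before and after the backup is processed by another tool.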

3uTools Offline Capabilities

      Part of the testing of 3uTools was determining whether this tool is capable of operating offline without an Internet connection. For this testing section, the testing system was disconnected from the Internet, and multiple features of the tool were tested. The tool was able to obtain information about the device without being affected by the lack of an Internet connection. The Info feature was also tested using an iPhone that had not been connected to the tool before to ensure that the tool was not presenting information about the test device that was cached during previous interactions. Even with the newly connected device, the tool successfully presented all the information about the device, which meant 3uTools does not require an Internet connection for the Info feature. The same results were noted for the Backup/Restore and Realtime Screen features. The only feature of interest to digital forensic examiners that did not work when the system was offline is the Jailbreak feature, and the tool provided a prompt stating, “Download configuration file failed, do you want to try again?” There were other tabs in the tool that recognized the lack of network connection and did not show any results, which meant that this tool relies on an Internet connection to perform many of its functionalities.

     

Conclusion

      3uTools is a management tool for iOS devices that can also be beneficial during iOS device forensics. It can be used to create data backups similar to iTunes. However, this tool was not successful in providing a data backup that could be ingested by Magnet AXIOM when the iOS device had the backup encryption option enabled. This tool excelled in providing detailed information about an iOS device, including whether the backup encryption was enabled. The tool also provides a great feature to create screenshots of iOS devices without the need for an external camera. This feature can be taken advantage of when a digital forensic examiner is not able to acquire the evidence from an iOS device or the acquired data cannot be decrypted offline. 3uTools can also be used by examiners to determine all available jailbreaking capabilities for a specific iOS device. The tool is capable of performing certain jailbreaks but also offers instructions if the jailbreak cannot be conducted within the tool.

      3uTools also has features that examiners should be very cautious about when utilizing. For instance, the restore feature cannot be used to restore information to a device that contains digital evidence. Such an action would be detrimental to the evidentiary value of the data. However, this feature can be used to restore data back onto a device that does not contain any evidence or a test device. 3uTools has many other features that are primarily designed for regular iOS device users for the purpose of device management.  

  

References

3uTools (n.d.). An all-in-one tool for iOS devices. 3uTools Website. http://www.3u.com/

Bair, J. (2018). Seeking the truth from mobile evidence: Basic fundamentals, intermediate and advanced overview of current mobile forensic investigations. London: Academic Press.