Forensics 101, Mobile Devices, Network Forensics, Wireless

From iPhone to Access Point

Introduction

A wireless Access Point (AP) is a device that allows wireless devices to connect to the internet using Wi-Fi. With the remarkable increase in the number of wireless devices, the number of APs has also increased drastically to serve the Wi-Fi needs of these devices. We have APs at homes, offices, airports and public hotspots. Any clue about the AP a device connected to could be an important piece of information for law enforcement or examiners. When a device connects to an AP it leaves evidence behind. This article analyzes a file on the iPhone that contains vital information about the Wi-Fi APs to which the device has connected.

Prerequisites

To perform this experiment we used:

  • A jail-broken iPhone with iOS version 6.1.3
  • A Windows 7 machine
  • A plist editor installed on Windows PC
  • WinSCP to access iPhone files

Steps

Step 1 – Collecting Data

To better understand the different keys of the file, we performed a simple experiment: we connected the iPhone to multiple access points at different locations, including a home, a university, and a public hotspot, to collect varied data.

Step 2 – Extracting the required file

The file ‘com.apple.wifi.plist’ contains significant information about wireless APs and is located in /private/var/preferences/SystemConfiguration/. As the name indicates, it is a plist file that can be opened with any plist viewer. The steps to extract the file from the iPhone are as follows.

1. Install the Cydia package SSH.

2. Note the IP address of the iPhone.

3. Use WinSCP to connect to the iPhone over SSH, using the IP address noted in step 2.

4. Go to /private/var/preferences/SystemConfiguration/ and copy the file com.apple.wifi.plist to the Windows machine.

Note that the following research has been done on iOS v6.1.3. The name, location, content and/or type of the file might be different in other versions of iOS.

Step 3 – Parsing com.apple.wifi.plist file

This is the main step, which explains how to read and understand the plist file extracted from the iPhone. Below is a sample com.apple.wifi.plist file populated after performing the experiment. The vital keys highlighted in it include SSID, security mode, last auto joined time, last joined time and BSSID (the MAC address of the router). In this sample the iPhone connects to a home network named JAZZ with WPA2 personal security.

[Image: sample com.apple.wifi.plist with the keys above highlighted]

LastAutoJoined

This key is set when the device connects to the network automatically, without user interaction.

The time is in UTC and, as the name indicates, only the most recent (last) auto-joined date/time is saved.

LastJoined

This key is set when:

1) The user joins the network by entering the password. This can happen when the user joins a network for the first time, or rejoins it after the device has forgotten the saved network settings.

2) The user scans for networks and taps the SSID he/she wants to connect to (with the password already saved).

The time is in UTC and, as the name indicates, only the most recent (last) joined date/time is saved.

Types of Wi-Fi Connection

The next important thing is to understand the types of Wi-Fi connection, based on the authentication method:

- Password method

- Certificate method

We noticed that the certificate method is mostly used at public Wi-Fi hotspots, while the password method is implemented at homes and colleges/universities. This is only a limited observation, and of course it can vary from place to place.

We were lucky to find both types of network easily; the comparison is presented below.

At Home

We connect to a home network, JAZZ, that only needs a passkey set on the router to authorize the user. Below is a screenshot of a sample plist that logs the device connected with password authentication (PEAP).

Figure 1

Where did BSSID go???

Did you notice that there is no BSSID key in the above capture?

Yes, this is a gotcha. Here is what happened: the BSSID key comes with the LastAutoJoined key. If there is no LastAutoJoined key in the file, you won’t find the BSSID field. Yes, this is weird, but that’s how it works according to our research.

Let’s reproduce the result. To remove the LastAutoJoined key from the plist, use ‘Forget this Network’ on the iPhone (shown below).

Figure 2

In this example, the iPhone connects to the network with SSID JAZZ (we entered the password this time). Notice how the file gets updated with no BSSID and no LastAutoJoined key (Figure 3).

Figure 3

Next, we turned Wi-Fi off and back on and let the device connect automatically. This updates the file immediately and adds not only the LastAutoJoined key but also BSSID. Refer to the screenshot shown in Figure 4.

Figure 4

At Starbucks

In addition to the password or passkey method, many of us must also have experienced certificate-type network authentication. Usually at places like coffee shops, hotels and airports we allow the certificate to be authorized, either for free or for a fee. Our next experiment was at a free public hotspot at Starbucks. This time we noticed a certificate-type authentication connection. It is interesting to note how some keys vary when the authentication method of the network changes.

One of the differences noticed in this case was the authentication method key ‘is WPA’ with value ‘0’; the entry also had an additional key, ‘Captive Network’. Next, we disconnected and reconnected to see if auto join works here and found that it did. Probably, this auto join is possible until the certificate expires.

Figure 5

At UCF

Another important piece of information an examiner might want to check is the wireless security mode.

In WPA Personal no server has to be involved, and a passphrase set on the router or AP can be used by every user. In WPA Enterprise, on the other hand, authentication involves a RADIUS server that holds a unique username and password for each user.

This time we connected the iPhone to the University of Central Florida (UCF) network. The sample plist below clearly shows the difference. One can easily tell the Wi-Fi mode by looking at it.

The value of the ‘SecurityMode’ key is WPA-Enterprise. The file also gives the username under EAPClientConfiguration in the Enterprise profile (Figure 6).

Figure 6

Compare it with WPA Personal mode, where there is no Enterprise profile key and the SecurityMode value is ‘WPA2 Personal’ (Figure 1).
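The observations in Step 3 can be checked programmatically. The following Python example is added here and is not part of the original article: it parses a constructed plist, extracts the fields discussed above, and records whether a missing BSSID is expected because there is no auto-join timestamp. The key spellings (`List of known networks`, `SSID_STR`, `lastJoined`, `lastAutoJoined`, `isWPA`, `CaptiveNetwork`, `UserName`) and all sample values are assumptions; confirm them against the file under examination.

```python
import plistlib
from datetime import datetime

# Assumed key spellings (the article shows the keys only in screenshots;
# confirm them against the file under examination).
NETWORKS = "List of known networks"

def summarize(net):
    """Reduce one saved-network dict to the fields discussed in the article."""
    eap = net.get("EnterpriseProfile", {}).get("EAPClientConfiguration", {})
    bssid = net.get("BSSID")
    if bssid:
        # Zero-pad octets so the value compares cleanly with AP inventories.
        bssid = ":".join(o.zfill(2) for o in bssid.lower().split(":"))
    return {
        "ssid": net.get("SSID_STR"),
        "security": net.get("SecurityMode"),
        "enterprise_user": eap.get("UserName"),
        "captive": "CaptiveNetwork" in net,
        "last_joined": net.get("lastJoined"),
        "last_auto_joined": net.get("lastAutoJoined"),
        "bssid": bssid,
        # A missing BSSID is expected when there is no auto-join timestamp.
        "bssid_expected": "lastAutoJoined" in net,
    }

def parse_wifi_plist(data):
    """Parse raw plist bytes (XML or binary) into a list of summaries."""
    root = plistlib.loads(data)
    return [summarize(n) for n in root.get(NETWORKS, [])]

# Constructed sample data, not taken from a real device.
SAMPLE = plistlib.dumps({NETWORKS: [
    {"SSID_STR": "JAZZ", "SecurityMode": "WPA2 Personal",
     "lastJoined": datetime(2013, 5, 1, 18, 30)},
    {"SSID_STR": "CAFE", "isWPA": 0, "CaptiveNetwork": True,
     "lastJoined": datetime(2013, 5, 2, 9, 0),
     "lastAutoJoined": datetime(2013, 5, 2, 9, 40),
     "BSSID": "0:1a:2b:3c:4d:5e"},
    {"SSID_STR": "CAMPUS", "SecurityMode": "WPA-Enterprise",
     "lastAutoJoined": datetime(2013, 5, 3, 14, 5),
     "BSSID": "a0:b1:c2:d3:e4:f5",
     "EnterpriseProfile": {"EAPClientConfiguration":
                           {"UserName": "student01"}}},
]})

if __name__ == "__main__":
    for row in parse_wifi_plist(SAMPLE):
        print(row)
```

To run it against an extracted file, pass the file's bytes (opened in binary mode) to `parse_wifi_plist` instead of `SAMPLE`.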

Conclusion

The outcome of this experiment implies that:

  • com.apple.wifi.plist contains information about ONLY the last connection (LastAutoJoined or LastJoined) to each unique AP.
  • The MAC address (BSSID) of the AP can be found in this file if the network was auto joined. The BSSID key is missing if there is no LastAutoJoined key.
  • In the certificate method, as in the password method, the BSSID field can be a good piece of information for determining the possible physical network device.
  • Insight into the keys and their values can help in understanding the type of Wi-Fi authentication configuration.
  • One can determine whether the network was WPA Personal or WPA Enterprise by looking at this plist file.
  • In the case of WPA Enterprise, a username might be extracted that can be helpful in further investigation.

About Nasa Quba & Kausar Khizra

Nasa Quba and Kausar Khizra graduated from the University of Central Florida with MS degrees in Digital Forensics. They are addicted to learning, working on diverse challenging projects and spreading knowledge to society.
