Apple Watch Forensics 02: Analysis

June 26th, 2019 by Mattia Epifani
Category: «Did you know that...?», «Hardware», «Tips & Tricks»

Over the last several years, the use of smart wearables has increased significantly. With 141 million smartwatch units sold in 2018, the number of smart wearables sold has nearly doubled compared to the year before. Among the various competitors, the Apple Watch is dominating the field with more than 22.5 million wearable devices sold in 2018. Year over year, the Apple Watch occupies nearly half of the global market.

Since 2015, Apple has manufactured five different models running WatchOS, a wearable OS based on iOS and developed specifically for the Apple Watch.

Some initial and innovative research on the device was done by Heather Mahalik and Sarah Edwards back in 2015 on the original Apple Watch. The presentation is available on Sarah Edwards’s GitHub account (PDF).

Since then, not a lot of research has been done on how to extract data from this kind of device. I have been working on this topic over the last few months, researching methods to extract and analyze data stored in the internal memory of the Apple Watch.

In terms of acquisition, as already discussed in the previous blog post, we have three options:

  • Acquiring a backup of the paired iPhone
  • Connecting the Apple Watch directly to the computer
  • Cloud acquisition (to extract synced Health data)

Analyzing backups of a paired iPhone

Logical extraction of an iPhone is well known. You can make a backup of the iPhone via iTunes or by using a forensic tool of your choice (e.g. Elcomsoft iOS Forensic Toolkit).

Once you have extracted the iPhone backup, you can analyze it to obtain information about the paired Apple Watch. In this article I will use two great tools: iBackupBot, available for both Windows and MacOS, and SQLite Expert for Windows.

We can start investigating the Apple Watch by analyzing the device specification.

In the \HomeDomain\Library\DeviceRegistry.state folder we can find the following files:

  • historySecureProperties.plist
  • stateMachine-<GUID>.PLIST
  • activestatemachine.plist
  • history.plist

The historySecureProperties.plist file contains the Serial Number, the UDID (Unique Device Identifier), the Wi-Fi MAC address and the Bluetooth MAC address of the paired Apple Watch.

The stateMachine-<GUID>.PLIST file contains the Pair status (typically it contains the value PairSuccess), the WatchOS version that was installed on the Apple Watch at the time of pairing and the pairing timestamp (stored in Apple Cocoa Core Data format – https://www.epochconverter.com/coredata).

The activestatemachine.plist contains similar information to the stateMachine-<GUID>.PLIST, with the addition of the WatchOS version installed on the device at the time of making the backup.
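As an added example (not part of the original post and not code from any Elcomsoft tool), the following Python shows how to read these plists programmatically and convert the Cocoa Core Data pairing timestamp, which is the step most often done by hand with an online converter. The key names pairState, watchOSVersion, pairingDate, serialNumber, uniqueDeviceIdentifier, wifiMacAddress and bluetoothMacAddress are assumptions made for the example, and the two plists are constructed in memory to stand in for files copied out of a backup.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Apple Cocoa / Core Data timestamps count seconds from 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
COCOA_UNIX_OFFSET = 978307200  # seconds between the Unix epoch and the Cocoa epoch


def cocoa_to_datetime(seconds):
    """Convert a Cocoa Core Data timestamp to a timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def cocoa_to_unix(seconds):
    """Same conversion as an integer Unix timestamp, handy inside SQL queries."""
    return int(float(seconds) + COCOA_UNIX_OFFSET)


def parse_state_machine(plist_bytes):
    """Pull pairing status, WatchOS version and pairing time out of a stateMachine plist.

    The key names (pairState, watchOSVersion, pairingDate) are assumptions made for
    this example; confirm them against a real stateMachine-<GUID>.plist first.
    """
    data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    pairing = data.get("pairingDate")
    return {
        "pair_status": data.get("pairState"),
        "watchos_version": data.get("watchOSVersion"),
        "pairing_time_utc": cocoa_to_datetime(pairing).isoformat() if pairing is not None else None,
    }


def parse_secure_properties(plist_bytes):
    """Extract the identifiers historySecureProperties.plist is described as holding.

    Key names are again assumptions for the example.
    """
    data = plistlib.loads(plist_bytes)
    wanted = {
        "serialNumber": "serial_number",
        "uniqueDeviceIdentifier": "udid",
        "wifiMacAddress": "wifi_mac",
        "bluetoothMacAddress": "bt_mac",
    }
    return {out: data.get(key) for key, out in wanted.items()}


# Constructed samples standing in for files copied out of an iPhone backup.
SAMPLE_STATE_MACHINE = plistlib.dumps(
    {"pairState": "PairSuccess", "watchOSVersion": "5.2.1", "pairingDate": 580000000.0},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_SECURE_PROPERTIES = plistlib.dumps(
    {
        "serialNumber": "EXAMPLE-SERIAL",
        "uniqueDeviceIdentifier": "00000000-000000000000000000000000",
        "wifiMacAddress": "00:11:22:33:44:55",
        "bluetoothMacAddress": "00:11:22:33:44:56",
    },
)

if __name__ == "__main__":
    print(parse_state_machine(SAMPLE_STATE_MACHINE))
    print(parse_secure_properties(SAMPLE_SECURE_PROPERTIES))
```

plistlib.loads accepts both the XML and the binary plist format, so the same code works whether the file was exported as-is or re-saved by a viewer; the conversion helpers are the only part that is not specific to the Apple Watch and are reused for every Core Data timestamp mentioned in this article.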

The \HomeDomain\Library\DeviceRegistry folder contains a subfolder named after the GUID in the stateMachine-<GUID>.plist file name: this folder contains the backup data coming from the Apple Watch.

Among the various files and folders, the following are of most interest:

The NanoAppRegistry folder contains information about installed applications. In the following picture, you can find information about the Facebook app along with Bundle Version, Display Name, Bundle Identifier and Bundle Name.

The NanoMail\Registry.sqlite file contains information about the synced email accounts.

In the SYNCED_ACCOUNT table, you can find Display Name and Email Address for each email account set on the device.

In the MAILBOX table, you can find the email organization in terms of folders and subfolders for each email account set on the device.

The NanoPasses\nanopasses.sqlite3 database contains the list of “Passes” available in the Wallet on the Apple Watch. For each pass, you can find the Type_ID, the Organization Name, the Ingest Date (stored in Apple Cocoa Core Data format) and the Description.

Some passes can also have the “Encoded Pass” field, a binary plist file containing details about the pass. The binary plist file can be extracted from the database, saved as a separate file and opened with a plist viewer (for example plist Editor).

In the following screenshot, you can see the encoded pass related to a hotel reservation on Booking.com. The Encoded Pass can be opened with SQLite Expert and saved as a separate file.

The file can then be opened with plist Editor to extract specific information about the reservation such as the Hotel name and address, the Guest name, the paid price, the Booking Number and the dates of check in and check out.
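The same extraction can be scripted instead of done through SQLite Expert and a plist viewer. The Python below is an added example, not code from the post: it reads the pass rows out of a nanopasses-style database, checks the Encoded Pass blob for the binary plist magic before parsing it, converts the Ingest Date, and can write the raw blob to disk for a viewer. The table name, column names and the contents of the encoded pass are assumptions, and the database is constructed in memory.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
BPLIST_MAGIC = b"bplist00"  # first 8 bytes of every binary plist


def cocoa_to_datetime(seconds):
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def build_sample_db():
    """Constructed stand-in for nanopasses.sqlite3.

    The table and column names are assumptions for this example, not the real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pass (unique_id TEXT, type_id TEXT, organization_name TEXT, "
        "ingest_date REAL, description TEXT, encoded_pass BLOB)"
    )
    details = {  # what an encoded pass for a hotel booking might carry (assumed keys)
        "organizationName": "Example Hotel",
        "description": "Hotel reservation",
        "bookingNumber": "EXAMPLE-0001",
        "checkIn": "2019-06-10",
        "checkOut": "2019-06-12",
    }
    encoded = plistlib.dumps(details, fmt=plistlib.FMT_BINARY)
    conn.executemany(
        "INSERT INTO pass VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("pass-1", "com.example.hotel", "Example Hotel", 581000000.0, "Hotel reservation", encoded),
            ("pass-2", "com.example.transit", "Example Transit", 581100000.0, "Transit card", None),
        ],
    )
    conn.commit()
    return conn


def decode_encoded_pass(blob):
    """Return the parsed plist if the blob is a binary plist, else None."""
    if blob is None:
        return None
    raw = bytes(blob)
    if not raw.startswith(BPLIST_MAGIC):
        return None  # not a bplist: leave it for manual inspection
    return plistlib.loads(raw)


def export_encoded_pass(blob, out_path):
    """Write the raw blob to disk so it can be opened in a plist viewer."""
    Path(out_path).write_bytes(bytes(blob))


def extract_passes(conn):
    """One dict per pass, with the Ingest Date converted and the encoded pass decoded."""
    rows = conn.execute(
        "SELECT unique_id, type_id, organization_name, ingest_date, description, encoded_pass FROM pass"
    ).fetchall()
    passes = []
    for uid, type_id, org, ingest, desc, blob in rows:
        passes.append({
            "unique_id": uid,
            "type_id": type_id,
            "organization": org,
            "ingest_date_utc": cocoa_to_datetime(ingest).isoformat() if ingest is not None else None,
            "description": desc,
            "details": decode_encoded_pass(blob),
        })
    return passes


if __name__ == "__main__":
    for entry in extract_passes(build_sample_db()):
        print(entry)
```

Checking the magic bytes before calling plistlib.loads keeps the script from raising on passes whose Encoded Pass column is empty or holds something other than a plist; those rows are returned with details set to None so they can be looked at manually.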

The NanoPreferencesSync folder contains various files related to Apple Watch configuration. One of the most interesting subfolders is \Backup\Files\, which contains information about watch faces that can be customized by the owner with pictures synced from the iPhone. In the following screenshot you can find the details of all the files stored there.

Each file is a zip archive containing:

  • Face.json with the “Face” details, including the creation date (stored in Apple Cocoa Core Data format)
  • The Resources folder, containing the face picture in JPG format and the plist file containing picture information and metadata
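As an added example (not from the post), the following Python walks one of these watch-face archives: it reads Face.json, converts the creation date, and lists the pictures and metadata plists under Resources, identifying pictures by their JPEG header rather than by extension. The JSON and plist key names and the file names inside Resources are assumptions, and the archive is constructed in memory.

```python
import io
import json
import plistlib
import zipfile
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
JPEG_MAGIC = b"\xff\xd8\xff"  # start of every JPEG file


def cocoa_to_datetime(seconds):
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def build_sample_face_zip():
    """Constructed watch-face archive with the layout described above.

    The JSON and plist key names and the exact file names inside Resources are assumptions.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Face.json", json.dumps({"face_type": "photos", "creation_date": 582000000.0}))
        zf.writestr("Resources/photo-1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
        zf.writestr("Resources/Images.plist", plistlib.dumps(
            {"imageList": [{"imageURL": "photo-1.jpg", "localIdentifier": "EXAMPLE-LOCAL-ID"}]}))
    return buf.getvalue()


def inspect_face_zip(zip_bytes):
    """Summarise one watch-face zip: face details, creation time, pictures and metadata."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        face = json.loads(zf.read("Face.json"))
        pictures = {}
        metadata = {}
        for name in zf.namelist():
            if not name.startswith("Resources/"):
                continue
            data = zf.read(name)
            if data.startswith(JPEG_MAGIC):  # check content, not just the extension
                pictures[name] = len(data)
            elif name.lower().endswith(".plist"):
                metadata[name] = plistlib.loads(data)
    created = face.get("creation_date")
    return {
        "face_type": face.get("face_type"),
        "created_utc": cocoa_to_datetime(created).isoformat() if created is not None else None,
        "pictures": pictures,
        "metadata": metadata,
    }


if __name__ == "__main__":
    print(inspect_face_zip(build_sample_face_zip()))
```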

Extracting data from Apple Watch

There is an option to directly extract data from the Apple Watch. A set of specific requirements and restrictions applies to this type of acquisition.

  1. You need a way to connect your computer to the Apple Watch. As described in the article about Apple Watch and Apple TV acquisition, an adapter is available for Apple Watch S1, S2 and S3. We don’t know anything about adapters for the Apple Watch 4.
  2. When connected to a computer, the Apple Watch must be paired to allow data access. If the Apple Watch is protected with a passcode and the passcode is not known, there is no way to generate a pairing.
  3. There is no backup service running on WatchOS, so there is no way to directly create a backup of the Apple Watch.
  4. No public jailbreak is available for recent versions of the WatchOS.

With these restrictions in mind, there are three different types of data we can obtain from the connected Apple Watch:

  1. Device information and the list of installed applications
  2. File acquisition through the AFC (Apple File Conduit) protocol
  3. Device logs

Device Information and the list of installed apps

By using Elcomsoft iOS Forensic Toolkit on a Windows or MacOS computer connected to a paired Apple Watch, you can use the “I” (Information) option to extract device info.

This command generates three files:

  • Ideviceinfo.plist
  • Applications.txt
  • Applications.plist

The ideviceinfo.plist file contains detailed information about the device including the Hardware Model, the WatchOS version, the Serial Number, the UDID, the Device Name, the Wi-Fi and Bluetooth addresses, the Time Zone and the currently set time.

It also contains information about the Total Disk Capacity, the Total System Capacity, the Total Data Capacity, the Total Data Available and the local language.

The Applications.txt file contains the list of installed applications, including the Bundle Identifier, the Bundle Version and the Bundle Display Name.

The Applications.plist file contains detailed information about installed applications, including the Application Path and Container folder. In the following screenshot, you can find an example of the Uber app information.

Acquisition through the AFC (Apple File Conduit) protocol

By using Elcomsoft iOS Forensic Toolkit on a Windows or MacOS computer connected to a paired Apple Watch, you can use the “M” (Media) option to extract media files available through the AFC protocol.

Once acquired, you can analyze the data by using your favorite forensic tools (X-Ways forensics, in this example).

The DCIM folder contains pictures synced from the iPhone.

Pictures are resized compared to the originals, but they can still contain interesting metadata such as the Camera Model Name and the original acquisition timestamp.

The iTunes_Control\iTunes folder contains a file named MediaLibrary.sqlitedb and the related SHM (Shared Memory) and WAL (Write Ahead Log) files. This SQLite file contains interesting information like the iCloud account ID of the user and the list of media (songs and movies) and e-books acquired by the user from the Apple Store. This file contains information about purchases made with all of the user’s devices synced with the same iCloud account.

The database contains 36 tables. The _MLDatabaseProperties table contains the iCloud Account ID.

To extract meaningful data from the database, you can use the following SQL query:

-- MediaLibrary.sqlitedb: one row per purchased item with its metadata joined in.
-- The inner joins on the item_* tables only return items that have a row in every
-- one of them; album, artist, composer, genre and artwork are left-joined so that
-- missing metadata shows up as NULL instead of dropping the item.
select
    ext.title AS "Title",
    ext.media_kind AS "Media Type",
    itep.format AS "File format",
    ext.location AS "File",
    ext.total_time_ms AS "Total time (ms)",
    ext.file_size AS "File size",
    ext.year AS "Year",
    alb.album AS "Album Name",
    alba.album_artist AS "Artist",
    com.composer AS "Composer",
    gen.genre AS "Genre",
    art.artwork_token AS "Artwork",
    itev.extended_content_rating AS "Content rating",
    itev.movie_info AS "Movie information",
    ext.description_long AS "Description",
    ite.track_number AS "Track number",
    sto.account_id AS "Account ID",
    -- date_purchased is a Cocoa Core Data timestamp (seconds since 2001-01-01 UTC);
    -- adding 978307200 turns it into a Unix epoch that SQLite's datetime() understands
    strftime('%d/%m/%Y %H:%M:%S', datetime(sto.date_purchased + 978307200, 'unixepoch')) AS "Date purchased",
    sto.store_item_id AS "Item ID",
    sto.purchase_history_id AS "Purchase History ID",
    ext.copyright AS "Copyright"
from
    item_extra ext
    join item_store sto using (item_pid)
    join item ite using (item_pid)
    join item_stats ites using (item_pid)
    join item_playback itep using (item_pid)
    join item_video itev using (item_pid)
    left join album alb on sto.item_pid = alb.representative_item_pid
    left join album_artist alba on sto.item_pid = alba.representative_item_pid
    left join composer com on sto.item_pid = com.representative_item_pid
    left join genre gen on sto.item_pid = gen.representative_item_pid
    left join item_artist itea on sto.item_pid = itea.representative_item_pid
    left join artwork_token art on sto.item_pid = art.entity_pid

This query extracts detailed information about the purchases made by the user, including title, media type, file size, total time (for songs and movies), account ID, date of purchase and purchase history ID. For purchases stored on the Apple Watch you will also find the file name.
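To see the query behave on data you control before running it against an acquisition, the Python below (an added example, not the post's own code) builds a constructed, stripped-down MediaLibrary-style SQLite database containing only the columns the query touches, runs a shortened version of the query with the same join structure and the same date conversion, and shows the effect of the inner joins: a purchase that has no item_video row is left out of the result even though it is present in item_store. The schema and the sample rows are assumptions made for the demonstration; the real database has 36 tables.

```python
import sqlite3

COCOA_UNIX_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC

# Constructed subset of MediaLibrary.sqlitedb: only the tables and columns the
# query touches. This schema is an assumption for the example.
SCHEMA = {
    "item_extra": "item_pid, title, media_kind, location, total_time_ms, file_size, year",
    "item_store": "item_pid, account_id, date_purchased, store_item_id, purchase_history_id",
    "item": "item_pid, track_number",
    "item_stats": "item_pid",
    "item_playback": "item_pid, format",
    "item_video": "item_pid, extended_content_rating, movie_info",
    "album": "representative_item_pid, album",
    "album_artist": "representative_item_pid, album_artist",
    "genre": "representative_item_pid, genre",
}

# Shortened version of the query above: same join structure, fewer columns.
PURCHASES_QUERY = f"""
select
    ext.title               AS "Title",
    ext.media_kind          AS "Media Type",
    itep.format             AS "File format",
    ext.location            AS "File",
    ext.total_time_ms       AS "Total time (ms)",
    ext.file_size           AS "File size",
    alb.album               AS "Album Name",
    alba.album_artist       AS "Artist",
    gen.genre               AS "Genre",
    ite.track_number        AS "Track number",
    sto.account_id          AS "Account ID",
    strftime('%d/%m/%Y %H:%M:%S',
             datetime(sto.date_purchased + {COCOA_UNIX_OFFSET}, 'unixepoch')) AS "Date purchased",
    sto.store_item_id       AS "Item ID",
    sto.purchase_history_id AS "Purchase History ID"
from item_extra ext
join item_store sto using (item_pid)
join item ite using (item_pid)
join item_stats ites using (item_pid)
join item_playback itep using (item_pid)
join item_video itev using (item_pid)
left join album alb on sto.item_pid = alb.representative_item_pid
left join album_artist alba on sto.item_pid = alba.representative_item_pid
left join genre gen on sto.item_pid = gen.representative_item_pid
"""


def build_sample_db():
    """Constructed database with two purchases; only the first satisfies every inner join."""
    conn = sqlite3.connect(":memory:")
    for table, cols in SCHEMA.items():
        conn.execute(f"CREATE TABLE {table} ({cols})")
    rows = {
        "item_extra": [(1, "Sample Song", 1, "Purchases/sample.m4a", 215000, 8400000, 2018),
                       (2, "Second Song", 1, None, 180000, 7000000, 2017)],
        "item_store": [(1, "user@example.com", 550000000, 123456, 98765),
                       (2, "user@example.com", 551000000, 123457, 98766)],
        "item": [(1, 3), (2, 1)],
        "item_stats": [(1,), (2,)],
        "item_playback": [(1, "m4a"), (2, "m4a")],
        # Item 2 deliberately has no item_video row: the inner join drops it.
        "item_video": [(1, None, None)],
        "album": [(1, "Sample Album")],
        "album_artist": [(1, "Sample Artist")],
        "genre": [(1, "Rock")],
    }
    for table, values in rows.items():
        placeholders = ", ".join("?" * len(values[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", values)
    conn.commit()
    return conn


def list_purchases(conn, query=PURCHASES_QUERY):
    """Run the query and return each result row as a dict keyed by column alias."""
    conn.row_factory = sqlite3.Row
    return [dict(row) for row in conn.execute(query)]


def count_store_items(conn):
    """Number of rows in item_store, to compare against what the query returns."""
    return conn.execute("SELECT count(*) FROM item_store").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(f"{count_store_items(db)} rows in item_store")
    for row in list_purchases(db):
        print(row)
```

Comparing count_store_items against the length of list_purchases is a cheap completeness check on a real acquisition: if the two differ, some purchases lack a row in one of the inner-joined tables and a second pass with left joins on those tables is needed to account for them.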

The corresponding file can be found in the Purchase folder extracted through the AFC protocol:


The PhotoData folder contains files related to the synced photos. The most interesting information you can find here are the Photos.sqlite database and the Thumbnails folder.


The Photos.sqlite file contains information about photos stored on the device. A detailed explanation of the structure of this file is available at https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/. A SQL query to parse this file is available at https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql.

The Thumbnails folder contains thumbnails for pictures stored on the Apple Watch. You can analyze the ITHMB files with iThmb Converter and possibly find thumbnails of deleted pictures.

Extracting device logs

By using Elcomsoft iOS Forensic Toolkit on a Windows or MacOS computer connected to a paired Apple Watch, you can use the “L” (Logs) option to extract this information.

I strongly recommend reading the research “Using Apple “Bug Reporting” for forensic purposes” written by me, Heather Mahalik and Adrian Leong (Cheeky4n6monkey).

In this research, we highlight the importance of using sysdiagnose profiles to extract data from Apple devices. This method was also tested on the Apple Watch, generating a complete TAR file with a lot of useful information. In the following screenshot, you can find the sysdiagnose logs extracted from an Apple Watch.

We also developed various scripts to parse some of the files available during sysdiagnose acquisition. These scripts are available from GitHub https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts.

Some of the most relevant information you can find in sysdiagnose logs is:

MobileActivation logs, containing information about the build versions installed over time, the hardware model and the product type. They also detail operating system upgrades. In the following screenshot, you can see the execution of the script on the Mobile Activation log of an Apple Watch.

MobileContainerManager logs, containing information about application uninstalls, which may be of historical interest. In the following screenshot, you can see the execution of the script on the MobileContainerManager log of an Apple Watch.


MobileInstallation logs, containing historical information about installed applications. In the following screenshot, you can see the execution of the MIB PARSER script by Alexis Brignoni on the MobileInstallation log of an Apple Watch.


PowerLog logs, containing information about user interaction with the device. The structure of this database has already been studied and described by Sarah Edwards in her presentations (PDF) and in her open source toolkit APOLLO. In the following screenshot, you can see the execution of APOLLO against the PowerLog extracted from the Apple Watch.


WiFi logs can be used to extract the list of networks the device connected to. The easiest file to analyze is the com.apple.wifi.plist, containing details for each network including SSID, BSSID and last joined date. BSSID can also be used to reverse-lookup the location of the Wi-Fi network by using services like Wigle.
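As an added example (not from the post or the scripts linked above), the following Python reads the known-network list out of a com.apple.wifi.plist, zero-pads the BSSIDs so that values from different sources compare consistently, and orders the networks by last-joined date. The "List of known networks" array with SSID_STR, BSSID and lastJoined keys is my understanding of the iOS layout and should be treated as an assumption to verify against a real file; the plist is constructed in memory.

```python
import plistlib
from datetime import datetime, timezone


def build_sample_wifi_plist():
    """Constructed com.apple.wifi.plist.

    The 'List of known networks' array with SSID_STR, BSSID and lastJoined entries
    mirrors the iOS layout as I understand it; treat the key names as an assumption.
    """
    networks = [
        {"SSID_STR": "HomeNet", "BSSID": "0:1a:2b:3c:4d:5e", "lastJoined": datetime(2019, 6, 1, 8, 30, 0)},
        {"SSID_STR": "CoffeeShop", "BSSID": "a1:b2:c3:d:e5:f6", "lastJoined": datetime(2019, 5, 20, 17, 5, 0)},
        {"SSID_STR": "NoDateNet", "BSSID": "10:20:30:40:50:60"},  # never joined
    ]
    # plistlib stores datetimes as naive UTC values, so the samples are naive too.
    return plistlib.dumps({"List of known networks": networks}, fmt=plistlib.FMT_BINARY)


def normalize_bssid(bssid):
    """Zero-pad each octet and lower-case it ('0:1a:2b:3c:4d:5e' -> '00:1a:2b:3c:4d:5e')."""
    return ":".join(octet.lower().zfill(2) for octet in bssid.split(":"))


def known_networks(plist_bytes):
    """Return known networks sorted from most to least recently joined."""
    data = plistlib.loads(plist_bytes)
    rows = []
    for net in data.get("List of known networks", []):
        joined = net.get("lastJoined")
        rows.append({
            "ssid": net.get("SSID_STR"),
            "bssid": normalize_bssid(net["BSSID"]) if net.get("BSSID") else None,
            # plistlib returns naive datetimes that represent UTC; label them as such
            "last_joined_utc": joined.replace(tzinfo=timezone.utc).isoformat()
            if isinstance(joined, datetime) else None,
        })
    rows.sort(key=lambda r: r["last_joined_utc"] or "", reverse=True)
    return rows


if __name__ == "__main__":
    for row in known_networks(build_sample_wifi_plist()):
        print(row)
```

Networks with no lastJoined value sort to the end rather than being dropped, since a known network that was never joined from this device is still worth reporting.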


Cloud acquisition

Acquiring data from iCloud is another option for the Apple Watch, and is particularly useful to extract Health data synced between the Apple Watch and the iPhone. In the following screenshot, you can find Health data extracted from an iPhone backup stored on iCloud.

Conclusion

The acquisition and analysis of the Apple Watch are still new. We need more research and testing, considering the increasing number of wearable devices sold worldwide. In the previous article, we highlighted the available methods to extract data from an Apple Watch device, the synced iPhone and iCloud. In this article, we showed some of the interesting information you can parse once the data is extracted.

Bonus: video recording of Apple Watch Forensics: Is It Ever Possible, And What Is The Profit? presentation (together with Vladimir Katalov) from The Digital Forensics Research Conference (DFRWS EU 2019):

About the Author

Mattia Epifani is partner and founder at REALITY NET – System Solutions, where he works as a senior consultant in Digital Forensics, Forensic Readiness, Mobile Security and Incident Response. Mattia is a SANS instructor and a co-author of Learning iOS Forensics.



REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »