-
-
[转帖]Understanding iOS Time Stamps
-
发表于: 2020-3-19 18:39 4485
-
Original link: https://www.magnetforensics.com/resources/understanding-ios-time-stamps/
Thanks to the wide availability of full file system images for iOS, there have been some great artifact discoveries. But what about the file system itself?
While looking at the iOS file system this week with some of my colleagues at Magnet Forensics (Brad de Vlugt, Jamie McQuaid [@reccetech], and Mike Williamson [@forensicmike1]), we discovered some unique things.
Comparison of Time Stamps in iOS, Windows FS, and APFS
When you SSH into a jailbroken iOS device and use the stat command, you will see four time stamps; namely Access, Modify, Change, and Birth. APFS has five (Birth, Date Added, Modify, Access, and Created). Many users are familiar with three time stamps from Windows FS (Modified, Accessed, and Created).
We looked at a GrayKey image in the .zip format. When GrayKey creates an image from an iOS device, it uses extended attributes to retain the time stamps.
So how do these compare? We have observed that “Birth” is synonymous with created times. These are consistent with much of the research for HFS+ as researched by Lee Whitfield and presented at the 2017 SANS DFIR Summit and this blog post.
Regarding Access time, we didn’t see it updated in our testing. However, we did note that there is a “noatime” setting in mount options that may account for us not seeing these updates. This is similar to the NTFSupdateaccesstime registry flag. It is possible that the access time stamp may be changed by an application, so results may vary.
Figure: SSH showing that several partitions of an iOS device are mounted with “noatime”.
Here are some of observations regarding Modify and Change times for iOS. There are similar to the modification of an HFS+ file from Lee Whitfield’s research in this area. For example, we have determined that altering a file, i.e. creating a note in Notes, will update both the “Change” time and the “Modify” time.
Figure: SSH view of time stamps of the WAL file for Notes before adding a note.
Figure: SSH view of time stamps of WAL file for Notes after adding a note in Notes showing an update to the Modify and Change time stamps.
It is important to note that editing pictures will not always produce the same changes as iOS uses the Mutations folder for photos.
So, what are some other differences between Change and Modify times? Altering file permissions via SSH access updates only the Change time. Altering and accessing the file via SSH updated both the Modify and Change time.
Figure: SSH view of time stamps of WAL file for Notes after altering permissions via SSH showing an update to the Change time stamp only.
I wanted to share this with you all so that you would understand the potential time stamps you may see when looking at iOS file systems and the value in looking at these four time stamps. We will be adding support for these additional fields over the next releases.
Let me know if you have questions by reaching out to me via email jessica.hyde@magnetforensics.com
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)