Initial Release

.gitignore

@@ -0,0 +1,4 @@
+output
+*.pyc
+*.pyo
+*~

README.md

@@ -0,0 +1,58 @@
+# iosForensic
+
+iosForensic is a python tool to help in forensics analysis on iOS.
+It get files, logs, extract sqlite3 databases and uncompress .plist files in xml.
+
+
+## Installation
+Simply clone this git repository and install dependencies.
+
+### Dependencies
+
+#### Linux
+- 	OpenSSH
+- 	sshpass
+-	sqlite3
+-	python >= 2.6
+-	[Python-magic](https://github.com/ahupp/python-magic/)
+- 	[plistutil](http://cgit.sukimashita.com/libplist.git)
+
+#### Device
+-	a jailbroken device
+- 	OpenSSH
+- 	syslogd to /var/log/syslog (it's the name of the application, restart your phone after install)
+- 	wifi ON
+- 	on some firmware, usb connection needed
+
+## How to use
+
+### Options
+-	-h --help : show help message
+-	-a --about : show informations
+-	-v --verbose : verbose mode
+-	-i --ip : local ip address of the iOS terminal
+-	-p --port : ssh port of the iOS terminal (default 22)
+-	-P --password : root password of the iOS terminal (default alpine)
+
+## Examples
+	./iOSForensic.py -i 192.168.1.10 [OPTIONS] APP_NAME.app INCOMPLETE_APP_NAME APP_NAME2_WITHOUT_DOT_APP
+	./iOSForensic.py -i 192.168.1.10 -p 1337 -P pwd MyApp.app angry MyApp2
+
+## Author
+Written by Florian Pradines (Phonesec), this tool is a referenced OWASP Android security project since 2013.
+
+You can contact me via my [website](http://florianpradines.com)
+
+## Licence
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.

changelog

@@ -0,0 +1,9 @@
+Version 1.0 (May 2013 - Initial Release)
+- Get application's files
+- Convert .plist files in XML
+- Extract all databases
+- Convert binary cookies
+- Get application's logs
+- List all packages
+- Find packages
+- Extract multiple packages

general.py

@@ -0,0 +1,66 @@
+#!/usr/bin/python
+# -*- coding: utf8 -*-
+
+from subprocess import Popen, PIPE, STDOUT
+import sys
+
+def about():
+	print "####################################################"
+	print "#	@author		Florian Pradines	   #"
+	print "#	@company	Phonesec		   #"
+	print "#	@mail		[email protected]	   #"
+	print "#	@mail		[email protected] #"
+	print "#	@version	2.0			   #"
+	print "#	@licence	GNU GPL v3		   #"
+	print "#	@dateCreation	20/05/2014		   #"
+	print "#	@lastModified	23/05/2014		   #"
+	print "####################################################"
+	print ""
+	print "iosForensic is a python tool to help in forensics analysis on iOS."
+
+def help():
+	print "Usage : "+ sys.argv[0] +" [OPTIONS] APP_NAME.app INCOMPLETE_APP_NAME APP_NAME2_WITHOUT_DOT_APP"
+	print "-h --help : show help message"
+	print "-a --about : show informations"
+	print "-v --verbose : verbose mode"
+	print "-i --ip : local ip address of the iOS terminal"
+	print "-p --port : ssh port of the iOS terminal (default 22)"
+	print "-P --password : root password of the iOS terminal (default alpine)"
+	print ""
+	print "Examples"
+	print sys.argv[0] + "-i 192.168.1.10 [OPTIONS] APP_NAME.app INCOMPLETE_APP_NAME APP_NAME2_WITHOUT_DOT_APP"
+	print sys.argv[0] + "-i 192.168.1.10 -p 1337 -P pwd MyApp.app angry MyApp2"
+
+
+def printVerbose (process):
+	while process.poll() is None:
+		print process.stdout.readline().replace("\n", "").replace("\r", "")
+	process.communicate()
+
+def writeResultToFile (cmd, filename, verbose):
+	try:
+		f = open(filename, "w")
+		process = Popen(cmd.split(), stderr=STDOUT, stdout=PIPE)
+
+		while True:
+			line = process.stdout.readline()
+			if not line:
+				break
+
+			f.write(line)
+
+			if verbose:
+				print line.replace("\n", "").replace("\r", "")
+
+		process.communicate()
+		f.close()
+
+		return True
+	except IOError as e:
+		print "File " + e.filename +" not created"
+		print "Exception : "+ e.strerror
+
+def removeDuplicates (seq):
+	seen = set()
+	seen_add = seen.add
+	return [ x for x in seq if x not in seen and not seen_add(x)]

iOSForensic.py

@@ -0,0 +1,117 @@
+#!/usr/bin/python
+# -*- coding: utf8 -*-
+
+#Copyright (C) <2014>  <Florian Pradines>
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+#
+#You should have received a copy of the GNU General Public License
+#along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from subprocess import Popen, PIPE, STDOUT
+import getopt
+import sys
+
+from general import *
+from package import *
+
+def main():
+	try:
+		opts, args = getopt.getopt(sys.argv[1:], "ahvi:p:P:", ["about", "help", "verbose", "ip=", "port=", "password="])
+	except getopt.GetoptError, err:
+		print err
+		help()
+		sys.exit()
+
+	ip 			= False
+	port 		= "22"
+	password 	= "alpine"
+	verbose 	= False
+
+	#Parse options
+	for opt, arg in opts:
+		if opt in ("-a", "--about"):
+			about()
+			sys.exit()
+		elif opt in ("-h", "--help"):
+			help()
+			sys.exit()
+		elif opt in ("-v", "--verbose"):
+			verbose = True
+		elif opt in ("-i", "--ip"):
+			ip = arg
+		elif opt in ("-p", "--port"):
+			port = str(arg)
+		elif opt in ("-P", "--password"):
+			password = arg
+
+	if not ip:
+		print "Error : you must give the local ip address of the device"
+		help()
+		sys.exit()
+
+	print "Test connection to the device"
+	cmd = "sshpass -p " + password + " ssh root@" + ip + " -p " + port + " -oStrictHostKeyChecking=no echo ok"
+	process = Popen(cmd.split(), stderr=STDOUT, stdout=PIPE)
+	stdout, stderr = process.communicate()
+	if stdout.replace("\n", "").replace("\r", "")[-2:] != "ok":
+		print "Error : " + stdout
+		sys.exit()
+	print "Connection successful"
+	print ""
+
+	print "Searching packages"
+	found = []
+	if len(args) is 0:
+		args.append("")
+
+	for arg in args:
+		if arg[-4:] == ".app":
+			arg = arg[:-4]
+
+		package 	= Package(ip, port, password, arg, verbose)
+		justFound 	= package.find()
+
+		if justFound:
+			found = removeDuplicates(found + justFound)
+
+	if not found:
+		print "no packages found"
+		sys.exit()
+
+	i = 1	
+	for package in found:
+		print str(i) +") "+ package.split("/", 1)[1].replace(".app", "")
+		i += 1
+
+	choices = raw_input("Which packages do you want extract. Ex: 1 3 6 (type 0 to quit) : ").split()
+	if choices[0] is "0":
+		sys.exit()
+
+	packages = []
+	for choice in map(int,choices):
+		if choice < 1 or choice > len(found):
+			print str(choice) + " is not a good value"
+		else:
+			packages.append(found[choice - 1])
+
+	for package in packages:	
+		print ""
+		print ""
+
+		if package[-4:] == ".app":
+			package = package[:-4]
+
+		package = Package(ip, port, password, package, verbose)
+		package.extract()
+
+if __name__ == "__main__":
+	main ()