www.digitalforensicsworkbook.com Page 1 of 10
Analysis of a Vault App
Michael Robinson
15 November 2015

Vault Apps

On November 6, 2015 an article appeared in The New York Times regarding a sexting ring, which occurred at Cañon City High School in Colorado. The superintendent of the school system stated that between 300 and 400 nude photos were being circulated among students’ cell phones and the images included “over 100 different kids.” The persons in the images were believed to be students at the high school as well as eighth graders from the middle school (Cloos and Turkewitz, 2015). The students appeared to be using vault apps to hide the images on their mobile devices. While the news story raises concerns around the judgment of the involved students, issues of child pornography, and how the district attorney will pursue charges against the participating minors, the story brings to light a technical issue: how vault apps work and what can be recovered from them.

Vault apps impersonate legitimate apps on a mobile device and provide a hidden vault in which a user can store photos, files, and other data. Access to the vault is protected by a user-assigned password. A casual observer, who examines the phone, would see the app’s façade and find it to be a legitimately functioning app, such as a calculator. The observer would not be aware of the hidden contents or be permitted access to the vault without entering the correct password. Vault apps can be used for the legitimate purpose of protecting sensitive information, but they can also be used for hiding illicit or illegal pictures, conducting corporate espionage, etc. There are numerous vault apps in Apple’s App Store and Google Play, which include Secret Photo+Video Vault – The Ultimate Private Photo & Video Manager by Zero Cool, Secret Calculator Folder Free – Private photo video album manager protection by One Wave AB, and Vault-Hide SMS, Pics & Videos by NQ Mobile Security.
The following are the results of an analysis of the vault app named Secret Calculator Folder Free – Private photo video album manager protection. The analysis was performed to:

• Determine what information could be recovered regarding the app’s installation.
• Identify hidden information within the vault app, which could be recovered after a forensic acquisition was performed.
Installation of Secret Calculator Folder Free – Private photo video album protection

The iOS app Secret Calculator Folder Free – Private photo video album protection was installed and used on an iPhone. Table 1 contains the details of the installation. After installation and usage of the vault app, the iPhone was visually inspected and a forensic acquisition was performed.

Mobile device    Apple iPhone 5S
Mobile OS        iOS 9.1, non-jailbroken¹
App name         Secret Calculator Folder Free – Private photo video album protection
App developer    One Wave AB
App version      Both the free and paid versions were tested
Forensic tool    Cellebrite UFED Physical Analyzer

Table 1: Details of installation of vault app

After the free version of the app was installed on the iPhone, the following actions were performed:
1. The password 159753 was assigned to the vault app.
2. A photo album was created in the vault app.
3. Three pictures were taken and stored directly within the album in the vault app. The pictures were not saved to any other location.
4. Contact information for one individual was stored in the vault app.
5. Notes were stored in the vault app.
6. Credentials for a website were stored in the vault app.
7. A file was transferred to the vault app using iTunes.
8. A forensic acquisition was performed of the iPhone.
9. The vault app was upgraded from the free version to the commercial version.
10. Two new photo albums were created in the vault app.
11. Three new pictures were taken: two new pictures were stored in one of the new albums; one new picture was stored in the other new album. The pictures were not saved to any other location.
12. A website was visited using the vault app’s secure browsing feature.
13. A forensic acquisition of the iPhone was performed.
Observed artifacts from installation of vault app

Vault apps may impersonate a variety of legitimate apps. Secret Calculator Folder Free – Private photo video album manager protection poses as a working calculator. Figure 1a displays the icon associated with Apple’s official calculator, which is located within the “Extras” container. Figure 1b displays the icon associated with Secret Calculator Folder Free.

¹ By using a non-jailbroken iPhone, Apple’s native security remained intact and was not circumvented.
Figure 1a: Apple’s legitimate calculator contained within “Extras”
Figure 1b: Icon for installed vault app, which used the name Calculator+
Upon launching the vault app, a functioning calculator is displayed, as shown in Figure 2.
Figure 2: Calculator+ user interface
To enter the vault, the user-assigned password followed by the percent symbol (%) must be typed into the app. In addition to the icon being displayed on the user interface, iOS retained additional information regarding the vault app, just as the operating system did with all installed applications. The history of the installed vault app appeared in the list of apps under AppStore > Updates > All. This is shown in Figure 3.
Figure 3: List of all installed purchases on the iPhone including the vault app
When examining the list of installed apps, the app’s name as it appeared in the App Store was displayed. The name used with the app’s icon, i.e., Calculator+, which appeared in Figure 1b, was not listed. Within the “Settings” area of iOS, additional information was retained regarding the vault app. Examination of the permissions assigned to the app, which appears in Figure 3a, showed the app was able to access both the camera and cellular data. These permissions would be atypical for a calculator app. By going to Settings > General > Storage & iCloud Usage > Storage – Manage Storage > CALCULATOR+, the size of the app and the amount of data stored by the app were displayed. After three pictures and some trivial data were hidden in the vault, the amount of data stored by the app was 4.2 MB as identified by iOS. This is shown in Figure 3b.
Figure 3a: Permissions for the vault app
Figure 3b: Vault app’s storage
After loading data in the vault app, the app was closed. The home button was double tapped on the iPhone to load the app switcher. The results of this action are displayed in Figure 5. Rather than displaying the last screen shown in the vault app, which would have been one of the hidden pictures, the app switcher displayed a screen capture of the app’s working calculator.
Figure 5: App switcher display of vault app
Upon connecting the iPhone to a computer running iTunes, it was possible to transfer files directly to the vault app using iTunes. After launching iTunes, the hidden files were displayed as shown in Figure 6. In this analysis, one file was transferred to the app.
Figure 6: Hidden files within the vault app as shown by iTunes
Data recovered from forensic acquisitions

Upon completing a forensic acquisition of the mobile device, the manifest.plist was examined for evidence of the vault app. The portion of the manifest, which contained references to the free and paid versions of the app, appears in Figure 7.
Figure 7: Manifest.plist with relevant details
The names of the bundle identifiers (i.e., com.onewave.lockedcalcfree and com.onewave.lockedphotosvideocalc) and the locations of the apps (i.e., /var/mobile/Containers/Bundle/Application/4DF7626C-7745-41DB-AD92-1F6248CE8A73/Locked Folder.app and /var/mobile/Containers/Bundle/Application/5A33321D-4E5-48C2-857B-00165F6ECB3B/Locked Folder.app) were identified. The file structures for the free and paid versions of the app appear in Figures 8a and 8b, respectively.
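The manifest check described above can be scripted so that an examiner does not have to read the plist by eye. The following is an added example, not code from the paper or from Cellebrite: it assumes a Manifest.plist in the iTunes-backup layout (an “Applications” dictionary keyed by bundle identifier, each entry carrying CFBundleIdentifier, CFBundleVersion and Path), which is an assumption about the layout rather than something the paper states. The two bundle identifiers on the watchlist are the ones reported in the analysis; the sample manifest, its UUID and version strings are constructed placeholders. The script also reports the .app directory name separately, because the analysis shows that the icon name (Calculator+), the App Store name and the bundle directory (Locked Folder.app) can all differ.

```python
import plistlib
import posixpath

# Bundle identifiers reported in the analysis above (the only two values the page gives).
# The marketed names are taken from the page; everything else here is constructed.
VAULT_APP_WATCHLIST = {
    "com.onewave.lockedcalcfree": "Secret Calculator Folder Free (free version)",
    "com.onewave.lockedphotosvideocalc": "Secret Calculator Folder (paid version)",
}


def build_sample_manifest() -> bytes:
    """Constructed Manifest.plist in the iTunes-backup layout (assumption: an
    'Applications' dict keyed by bundle id, each entry carrying CFBundleIdentifier,
    CFBundleVersion and Path). The UUID and version strings are placeholders."""
    manifest = {
        "Version": "10.0",
        "IsEncrypted": False,
        "Applications": {
            "com.apple.calculator": {
                "CFBundleIdentifier": "com.apple.calculator",
                "CFBundleVersion": "1.0",
                "Path": "/Applications/Calculator.app",
            },
            "com.onewave.lockedcalcfree": {
                "CFBundleIdentifier": "com.onewave.lockedcalcfree",
                "CFBundleVersion": "0.0-placeholder",
                "Path": "/var/mobile/Containers/Bundle/Application/"
                        "UUID-PLACEHOLDER/Locked Folder.app",
            },
        },
    }
    return plistlib.dumps(manifest)


def find_vault_apps(manifest_bytes: bytes, watchlist=VAULT_APP_WATCHLIST) -> dict:
    """Return the backup encryption flag plus every installed app whose bundle id is
    on the watchlist. The .app directory name is reported on its own because, as the
    analysis notes, it need not match the icon name or the App Store name."""
    manifest = plistlib.loads(manifest_bytes)
    hits = []
    for bundle_id, info in sorted(manifest.get("Applications", {}).items()):
        if bundle_id not in watchlist:
            continue
        path = info.get("Path", "")
        hits.append({
            "bundle_id": bundle_id,
            "marketed_name": watchlist[bundle_id],
            "version": info.get("CFBundleVersion"),
            "path": path,
            "app_directory": posixpath.basename(path),
        })
    return {
        "encrypted_backup": bool(manifest.get("IsEncrypted", False)),
        "vault_apps": hits,
    }


if __name__ == "__main__":
    report = find_vault_apps(build_sample_manifest())
    print("encrypted backup:", report["encrypted_backup"])
    for hit in report["vault_apps"]:
        print(f"{hit['bundle_id']:36} {hit['app_directory']:20} {hit['marketed_name']}")
```

To run it against a real acquisition, replace build_sample_manifest() with the bytes of the extracted Manifest.plist; the watchlist can be extended with any other vault-app bundle identifiers an examiner maintains.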
Figure 8a: File structure for free version
Figure 8b: File structure for paid version

Examination of the two structures revealed that even after the app was upgraded, the file structure for the free version of the app was still used. Contained within the directory structure of the free version of the app was a subdirectory named “Documents,” which contained the file transferred via iTunes to the vault app, i.e., Taxi-Receipt.png. Within the subdirectory named “images” were the pictures stored within the vault. Each image name started with the word “picture” and contained the sequence number indicating the order in which the photos were added to the vault, the name of the album in which the image was stored, and the timestamp of when the album was created. The iPhone’s file system contained the created, modified, and accessed timestamps for each file. The file named Cookies.binarycookies contained cookies related to the secure web browsing performed within the vault app.
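The Cookies.binarycookies file mentioned above is in the WebKit binary cookie format rather than plain text, so the browsing artifacts of the vault app’s secure browser have to be parsed before they can be read. The following is an added example, not code from the paper: a parser for that format (the “cook” magic, big-endian page table, little-endian cookie records with Core Foundation timestamps) together with a builder that constructs a small sample file so the parser can be exercised offline. The layout encoded here is the one commonly documented for Safari binary cookies and is stated as an assumption; the domains, cookie names and values in the sample are constructed.

```python
import struct
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (Core Foundation epoch)


def _cstring(buf: bytes, off: int) -> str:
    """Read a NUL-terminated string starting at offset off."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def _iso(cf_seconds: float) -> str:
    return datetime.fromtimestamp(cf_seconds + MAC_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def parse_binarycookies(data: bytes) -> list:
    """Parse a Cookies.binarycookies blob into a list of cookie dicts.
    Assumed layout: 'cook' magic, big-endian page count and page sizes, then pages;
    each page holds a 4-byte header, little-endian cookie count, cookie offsets
    (relative to the page) and a 4-byte footer; each cookie record holds its size,
    flags, four string offsets (relative to the record start), two doubles
    (expiry, creation) and the NUL-terminated strings."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' magic; not a binarycookies file")
    (num_pages,) = struct.unpack(">i", data[4:8])
    page_sizes = struct.unpack(">%di" % num_pages, data[8:8 + 4 * num_pages])
    pos = 8 + 4 * num_pages
    cookies = []
    for size in page_sizes:
        page = data[pos:pos + size]
        pos += size
        (num_cookies,) = struct.unpack("<i", page[4:8])  # page header occupies bytes 0..3
        offsets = struct.unpack("<%di" % num_cookies, page[8:8 + 4 * num_cookies])
        for off in offsets:
            (rec_size,) = struct.unpack("<i", page[off:off + 4])
            rec = page[off:off + rec_size]
            (flags,) = struct.unpack("<i", rec[8:12])
            url_off, name_off, path_off, value_off = struct.unpack("<4i", rec[16:32])
            expiry, created = struct.unpack("<2d", rec[40:56])
            cookies.append({
                "domain": _cstring(rec, url_off),
                "name": _cstring(rec, name_off),
                "path": _cstring(rec, path_off),
                "value": _cstring(rec, value_off),
                "secure": bool(flags & 1),
                "httponly": bool(flags & 4),
                "expires": _iso(expiry),
                "created": _iso(created),
            })
    return cookies


def _cookie_record(domain, name, path, value, flags, expiry_cf, created_cf) -> bytes:
    """Build one cookie record in the assumed layout (56-byte fixed header)."""
    strings = [s.encode() + b"\x00" for s in (domain, name, path, value)]
    offsets, off = [], 56
    for s in strings:
        offsets.append(off)
        off += len(s)
    body = (struct.pack("<i", 0) + struct.pack("<i", flags) + struct.pack("<i", 0)
            + struct.pack("<4i", *offsets) + b"\x00" * 8
            + struct.pack("<2d", expiry_cf, created_cf) + b"".join(strings))
    return struct.pack("<i", 4 + len(body)) + body


def build_sample_file(records: list) -> bytes:
    """Wrap cookie records in one page and a file header (constructed test data)."""
    n = len(records)
    offsets, off = [], 4 + 4 + 4 * n + 4
    for r in records:
        offsets.append(off)
        off += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<i", n)
            + struct.pack("<%di" % n, *offsets) + b"\x00" * 4 + b"".join(records))
    return b"cook" + struct.pack(">i", 1) + struct.pack(">i", len(page)) + page + b"\x00" * 8


# Constructed sample: two cookies, the first marked Secure + HttpOnly (flags 5).
CREATED = 468419400.0  # 2015-11-05T12:30:00Z in Core Foundation seconds
SAMPLE_FILE = build_sample_file([
    _cookie_record(".example.test", "session", "/", "constructed-token", 5, CREATED + 86400, CREATED),
    _cookie_record(".example.test", "prefs", "/", "lang=en", 0, CREATED + 86400, CREATED),
])

if __name__ == "__main__":
    for c in parse_binarycookies(SAMPLE_FILE):
        print(c["created"], c["domain"], c["name"], c["value"], "secure" if c["secure"] else "")
```

On a real acquisition, read the extracted Cookies.binarycookies into bytes and pass it to parse_binarycookies(); the creation timestamps it returns give a browsing timeline that can be compared with the file-system timestamps noted above.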
A database named Locked_Folder.sqlite was stored within the directory structure for the two apps. The database used the structure as shown in Figure 9.
Figure 9: SQLite database structure
Within the tables of the database were plaintext versions of the data entered by the user. Table 2 contains a brief description of the data contained within the various tables.
Table           Contents
ZALBUM          List of photo albums
ZBOOKMARK       Websites bookmarked by the vault app’s browser
ZCONTACT        Contact information stored by the user in the vault app
ZNOTE           Notes stored by the user in the vault app
ZPASSWORD       Website credentials stored by the user in the vault app
ZPHOTO          At the time of analysis, this table was empty.
Z_METADATA      The universally unique identifier (UUID) of the app
Z_MODELCACHE    At the time of analysis, this table was empty.
Z_PRIMARYKEY    The names of the tables and the number of entries within each

Table 2: Table contents

The website credentials entered by the user were stored in the table named ZPASSWORD. This is shown in Figure 10. As can be seen, the password was not encrypted.
Figure 10: Website credentials stored in plaintext within ZPASSWORD table
The table named ZALBUM, which is shown in Figure 11, contained details regarding each photo album used by the vault app.
Figure 11: Photo album information contained within ZALBUM table
ZALBUM contained the name and location of each album along with the time stamp of the app’s creation. Within the directory structure was a plist file named com.onewave.lockedcalcfree.plist. A portion of this file is shown in Figure 12.
Figure 12: Contents of com.onewave.lockedcalcfree.plist
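The Z-prefixed tables described above (ZALBUM, ZPASSWORD, Z_PRIMARYKEY, Z_METADATA) are the naming convention of Apple’s Core Data persistent store, which is why Z_PRIMARYKEY lists every entity and why dates are stored as seconds since 2001-01-01. The following is an added example, not code from the paper: it builds a small in-memory database with that convention (the column names such as ZSITE, ZUSERNAME and ZCREATED are assumptions, since the paper only names the tables), enumerates the entities through Z_PRIMARYKEY, and dumps every row, converting TIMESTAMP columns from the Core Data epoch to ISO 8601. The credentials and album data in the sample are constructed.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_timestamp(seconds):
    """Convert a Core Data date (seconds since 2001-01-01 UTC) to an ISO 8601 string."""
    if seconds is None:
        return None
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db() -> sqlite3.Connection:
    """Constructed Locked_Folder.sqlite look-alike. Table names follow the paper;
    the column names and the stored values are assumptions for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR,
                                   Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZALBUM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                             ZCREATED TIMESTAMP, ZNAME VARCHAR, ZPATH VARCHAR);
        CREATE TABLE ZPASSWORD (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                                ZSITE VARCHAR, ZUSERNAME VARCHAR, ZPASSWORD VARCHAR);
        CREATE TABLE ZPHOTO (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                             ZALBUM INTEGER, ZFILENAME VARCHAR);
        INSERT INTO Z_PRIMARYKEY VALUES (1, 'Album', 0, 1), (2, 'Password', 0, 1),
                                        (3, 'Photo', 0, 0);
        -- 468419400 s after 2001-01-01 is 2015-11-05 12:30:00 UTC
        INSERT INTO ZALBUM VALUES (1, 1, 1, 468419400.0, 'Holiday', 'albums/Holiday');
        INSERT INTO ZPASSWORD VALUES (1, 2, 1, 'https://example.test/login',
                                      'alice', 'constructed-plaintext');
    """)
    return conn


def dump_entities(conn: sqlite3.Connection) -> dict:
    """Walk Z_PRIMARYKEY, read every entity table (Z + upper-cased entity name) and
    return {table: [row dicts]} with TIMESTAMP columns rendered as ISO 8601."""
    existing = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    result = {}
    for (entity,) in conn.execute("SELECT Z_NAME FROM Z_PRIMARYKEY ORDER BY Z_ENT"):
        table = "Z" + entity.upper()
        # The table name comes from evidence, so validate it before interpolating
        # it into SQL (identifiers cannot be bound as parameters).
        if not re.fullmatch(r"Z[A-Z0-9_]+", table) or table not in existing:
            result[table] = None  # entity declared but no backing table in this store
            continue
        columns = conn.execute(f"PRAGMA table_info({table})").fetchall()
        names = [c[1] for c in columns]
        ts_cols = {c[1] for c in columns if (c[2] or "").upper() == "TIMESTAMP"}
        rows = []
        for values in conn.execute(f"SELECT * FROM {table}"):
            row = dict(zip(names, values))
            for col in ts_cols:
                row[col] = core_data_timestamp(row[col])
            rows.append(row)
        result[table] = rows
    return result


if __name__ == "__main__":
    for table, rows in dump_entities(build_sample_db()).items():
        print(table, "->", rows)
```

Against a real store, open the extracted Locked_Folder.sqlite with sqlite3.connect() in place of build_sample_db(); because the paper found the credentials unencrypted, the ZPASSWORD rows come back readable exactly as the dump shows, which is the finding an examiner would document.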
The plist file contained the user-assigned passcode for the vault app. Additionally, the plist contained data indicating which functions of the app were enabled, i.e., functions that were enabled with the upgrade to the paid version of the app.

Conclusion

The vault app Secret Calculator Folder Free – Private photo video album manager protection by One Wave AB was capable of hiding photos, notes, contact information, and website credentials from a casual observer of an iPhone. If the observer were to examine the history of installed apps, the app’s marketed name would be discovered. The app’s features were obfuscated by a modification of the cached image loaded by the iPhone app switcher. A forensic examination revealed that none of the hidden contents were encrypted, e.g., passwords were stored in plain text and photos were not encrypted. All contents stored within the vault app were fully readable after the acquisition was performed. While some other vault apps may encrypt data, this version of this particular app did not.

Reference

Cloos, K. and Turkewitz, J. (2015, November 6). “Hundreds of Nude Photos Jolt Colorado School.” The New York Times. Retrieved from The New York Times website on November 8, 2015: http://www.nytimes.com/2015/11/07/us/colorado-students-caught-trading-nude-photos-by-the-hundreds.html?_r=0