Thursday, 3 September 2020

iOS - Tile App Part 2: Custom Artifact Boogaloo

 After the earlier post this week about Tile for iOS, I wanted to circle around and provide some custom artifacts and SQLite queries. It also gave me a chance to work with a good friend and colleague of mine, Alexis Brignoni (@AlexisBrignoni). Let's start with the databases. There are two databases of value held within the Shared data folder: 

  • com.thetileapp.tile-TileNetworkDB.sqlite
  • com.thetileapp.tile-DiscoveredTileDB.sqlite
First is the DiscoveredTileDB database. This file only keeps a little bit of information that we're directly interested in right now, and that's the discovered tile UIDs. We can use this information when looking at the Tile log files because now we can start searching against these logs for these identifiers as well as compare them to the other database that shows which tiles they have "discovered" or been in contact with, that don't belong to our user. This information can be found within the  ZTILENTITY_DISCOVEREDTILE table of the com.thetileapp.tile-DiscoveredTileDB.sqlite file. 




Next up is the TileNetworkDB database. This database has a lot of tables but a couple of them to give us some good information. We can use this table to collect the user information for the signed-in device. The ZTILENITY_USER table will store the email address, phone number, name, and user account of the signed-in user. 

By using two other tables within this database, ZTILENITY_NODE and ZTILENITY_TILESTATE, we can collect all of the user's Tile devices and phones tied to their account as well as some last recorded location and timestamp information. You can use this query to join the tables together: 

Select ZIS_LOST, ZACTIVATION_TIMESTAMP, ZLAST_LOST_TILE_COMMUNITY_CONNECTION, ZREGISTRATION_TIMESTAMP, ZID, ZNAME, ZNODE_TYPE, ZSTATUS, ZALTITUDE, ZLATITUDE, ZLONGITUDE, ZTIMESTAMP FROM ZTILENTITY_NODE INNER JOIN ZTILENTITY_TILESTATE ON ZTILENTITY_NODE.ZTILE_STATE = ZTILENTITY_TILESTATE.Z_PK;

Or, you could use the Custom Artifact found in the Magnet Artifact Exchange




These TileID values can also be found within the log files mentioned within the last post. Let's examine a possible scenario to use this data. 

Scenario: 
A victim is found deceased with an iOS device and a Tile on their keychain. By analyzing the data left behind, officers can find out the registered user of the devices and find all of the Tiles associated with that user. By analyzing the log files left behind, they may also discover OTHER tile devices that the user has come into contact with not belonging to the user. 

Seeing as those log files were also full of location data, I wondered if there was a good way to get that into something easier to read. For that I turned to friend and python mentor Alexis. If you've never used it, Alexis has crafted a great tool for your forensic toolbox called iLEAPP. Alexis was able to take those log files and incorporate a plugin in iLEAPP to pull out all of the geolocation data into an easy-to-read report as well as a set of TSV and database files. Alexis has also included the above mentioned SQLite database-based artifacts into the latest version of iLEAPP as well!


Once processed with the tileApp plugin, the report can list out all of the recovered geolocations points. 

But what if you wanted to take these geolocation points and put them back into AXIOM along with the rest of the artifacts? Using the Magnet Custom Artifact Generator, we can ingest the Tile App Lat Long.tsv into AXIOM with an artifact to bring in these geolocation points back against the rest of our evidence. After all is said and done, by using our artifacts headed soon to the artifact exchange your tile app can end up producing this: 


It was a lot of fun to be able to build some custom artifacts again, and always fun to work with Alexis. Hopefully we can continue to bring you even more cool stuff in the near future!

No comments:

Post a comment