CarPlay is Apple's attempt to make driving your car and using your phone at the same time safer. In order to do this, Apple has basically created a screen mirroring service which allows for your in-car infotainment system to stream data from your mobile device. This is great for listening to your favorite podcasts and use Siri to send/receive messages while driving. There's been some great research done previously on CarPlay and forensics including the talk by Heather Mahalik and Sarah Edwards which is available here (slides here) as well as Josh Hickman's take on the topic available here.
Without rehashing the CarPlay artifacts that haven't really changed, this post is going to focus on the artifacts that have changed with iOS 16. Most of the plist files from the /private/var/mobile/Library/Preferences directory are still there and full of data. The biggest change when it comes to CarPlay is where we used to search for "carplay/isConnected" in the KnowledgeC database, those entries are no longer present. Instead, which you probably surmised from the title of this post, the data can be found within the Biome directories.
CarPlay isConnected
Looking into the biome data there's a couple of places you can find CarPlay information. One of those places is the directory private\var\mobile\Library\Biome\streams\restricted\_DKEvent.Carplay.IsConnected\
Pulling apart this SEGB file (which for more information about them go back to Part 1 here) reveals protobufs that contain information about when CarPlay is connected or disconnected.
The protobuf will contain a start and end date and time (in UTC) of when the CarPlay state was changed. The final timestamp will be when the protobuf is recorded to the SEGB file.
A varint value will reflect 1 or 0 where 1 is when CarPlay is in the connected state, and 0 when CarPlay is in the disconnected state. The final varint value reflects the offset of the timezone the device was in during the recording of the event (recorded in seconds).
CarPlay Red Herring
There's also a CarPlay folder within the biome directory under private\var\mobile\Library\Biome\streams\public\CarPlay\. The biome here doesn't tell much as each protobuf only contains two values. The first value will reflect a 0 or a 1, and the second value always a 0 in my testing. There are no timestamps or other identifiers within this data. The protobuf record header within the SEGB file does contain two 8 byte Apple timestamps but they didn't line up with events within my test evidence directly so are likely more related to when they are written.
inMotion
Another KnowledgeC event "/inferred/motion" has made its way over to the biome data found within the directory private/var/mobile/Library/Biome/streams/restricted/_DKEvent.Inferred.Motion/. When parsing the protobufs stored within, its fairly familiar to others in the CarPlay family.
There are again Apple Time values of the start and end of the event in UTC, a varint reflecting either (1) or (2), a string value recording the GUID of the event, a double storing an Apple Time value when it was written, and finally the offset for the timezone in seconds.
One additional note is that when the GUID is searched across the device you will likely not find it. The GUID seems to be tied into the syncing process so that an event can be kept unique across multiple devices.
DoNotDisturb / DoNotDistrubWhileDriving
Within the biome data another way to help track that CarPlay may being used is to check for the DoNotDisturbWhileDriving biome data. Similar to the CarPlay Red Herring above, the protobuf is very small. The protobuf for DoNotDisturbWhileDriving will only track a 0/1 record within the data but there are 8 bytes equating to an Apple Time timestamp within each protobuf record header in the SEGB file.
One thing to make sure is to not confuse DoNotDisturbWhileDriving with the DoNotDisturb biome. While more research is being conducted, Apple treats the DND (do not disturb from here on out because I'm lazy) for driving a bit differently from other focus enabled DNDs. In the directory \private\var\mobile\Library\DoNotDisturb\DB\ there is a plist file: IDSSyncEngineMetadata.plist. This plist file tracks the user's Focus settings. Focus settings from the plist files are tracked within the DoNotDisturb biome but the DND for driving is not. To compare, the DoNotDisturb biome stores a lot more information within the biome's protobuf records and an example is below.
Similar to other protobuf records, it will track a start and end time in Apple Time (UTC, of course), a varint of 0/1 for when that setting has changed, and the same information at the bottom including the GUID for the event, a timestamp for being written, and the timezone offset.
CarPlay Plist Check
A couple of things to consider that have been added in more recent versions of iOS is tracking the difference between plugged-in CarPlay and wireless CarPlay. It's also important to track what vehicles or how many vehicles have been authorized to use CarPlay. As mentioned in some of the other posts linked at the beginning, the two main plist files for digging into are in the private/var/library/Mobile/Preferences directory.
The com.apple.CarPlay.plist tracks our pairings between the two devices. You can see the connection to what I affectionately refer to as my own personal "DoomBuggy" (shout-out to anyone who gets the Disney reference from my all-time favorite ride).
You can also see that this device supports WirelessCarPlay but NOT USBCarPlay. So by looking through this data, you wouldn't necessarily be able to correlate any events like "Plugged-In" or "Charging" from KnowledgeC or PowerLog.
The other plist file to look at in this directory is com.apple.carplayapp.plist. This tracks some of the recent app usage of the CarPlay service.
In the above screenshot you can see an example where the recently used app was com.apple.Maps and it is tracking a Unix epoch value of the last time it was used. You can also see what app is supposed to pop up on start on connection as well as some information about when the previous session may have ended. Using this as a pivot point in our case you might be able to find other supporting information that CarPlay was in use by using this "CARRecentAppHistory" timestamp value. The following is an example of searching within that same time window which shows some hits within PowerLog for the CarPlay application being used.
Wrap-Up
Hopefully you've enjoyed our little drive through the neighborhood of iOS. While the previously tracked records of CarPlay in KnowledgeC.db are gone, they're not forgotten, just moved over to the biome areas. Seeing that several records store GUIDs for the events gives me hopes they'll be syncing to other devices too. For me it's always about tracking WHY something happened and a big one there is location data. Why was there location data being generated? Seeing a bunch of location points like in the next screenshot from our test phone, I would want to know why they're being generated. While the use of Apple Maps can help generate these, the points can also be passive just from being connected to CarPlay and its use of Apple Maps in the background even when no trips are active.
Is CarPlay even in play? If you believe so, check the plist files! Once you know that to be the case, start digging into those biomes for more information to show that it was connected during that time frame, and don't forget it can be a wireless connection now too! What about trying to see if the user was doing something while they were driving? Were they locked into the DoNotDisturbWhileDriving mode? Were there any other set of DoNotDisturb settings applied?
With Apple pushing harder into the CarPlay space and wanting to extend the features which was discussed during this year's WWDC event, I don't think we're going to see CarPlay going anywhere anytime soon. More and more manufactures are enabling CarPlay and Android Auto so expect to get familiar with these artifacts and what they can mean for your investigations as you proceed. Until next time!
No comments:
Post a Comment