Imagine you've been given an iPhone dump, but you don't have any specific tools to analyze it. The only thing you have right now is a copy of Linux. Can you still start your analysis? Sure. Here we have an extracted iPhone dump, and I have a couple of file systems with the entire iPhone file system in them. One of the first things I can do is run find . (find followed by a period), which recursively lists all of the file names in the dump. Just listing all of them isn't going to be that interesting. What we can do instead is pipe find into grep -i and search for a keyword; the -i makes the match on the file name case-insensitive. So, for example, if I type grep -i keyboard, I find any file name or directory that includes the term "keyboard". Instead of keyboard, let's do jpg, and I'll find any file name that has "jpg" anywhere in it. You can see here I have a .jpg.png. Well, let's say I want only files that end with the extension .jpg. Because I'm using grep, I can do jpg$ (jpg followed by a dollar sign), and that basically says "jpg" must be at the end of the file name. Then we only get files with jpg at the end of the file name. Now, are these valid JPEG images? I don't know yet. So I can take one that I think is interesting; I'll just take this one at the very end and copy its path. I run file -i, paste in that file name and hit enter, and that tells me the type of file. Here we have application/octet-stream; charset=binary. If I just run file without -i, then we get, for example, "Apple binary property list", a bplist. So what I'm able to do is search by file name, search for keywords in the file name and try to find interesting things within the file names themselves. I can specify file types that I'm interested in, see if they have that extension, then pull out all those files and do something with them.
What else I can do is use grep -r, to be recursive, together with -i, and search for some sort of keyword: grep -ri keyboard. If I then add a * as the path, I'm going to search all of the files in this particular dump recursively. I'll go through each directory and look for any files that contain the word keyboard inside their contents. So I'm not just looking for file name keywords; I'm looking for any contents that contain the keyword. We had a couple of hits up there, so we have a lot of files that are responsive to that. Let's look at some of these matches. On my screen the file name is in purple, and then in red we have what it matched on. So we have some sort of localizable strings file and the line that matched; everything else here looks like it's probably a binary match, which means all of these files were responsive. We expect that, because keyboard is such a general term that a lot of different files are going to match it. I think the suspect's name was Marsha, so let's look for Marsha. We get a couple of binary matches again, some with Siri, and a couple of matches that actually printed out. So that's a quick way that we can start to do keyword searches within files. Now, the problem with using find and grep this way is that every time you want to search for a particular keyword, you have to rerun that query over all of the data. If you have the time, indexing all of this with some sort of indexer, like Autopsy, will go through and index all of those files; then whenever you do your keyword searches it'll use the index instead, and it'll be much faster. But if you only need to check one or two keywords, or do a really quick check of whether certain files exist, using find and grep is a very, very quick way to do this. Remember, we're dealing with an iPhone, so it's pretty much like doing command line analysis of a Windows system.
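The same triage steps written out in Python, as an added example that is not part of the video: find . | grep -i for names, grep -i 'ext$' for extensions, file -i for type by magic bytes, and grep -ri for contents. The sample dump tree, its file names and their contents are constructed here so the script runs offline; nothing in it comes from a real device, and the suspect name is the one used in the video.

```python
"""Command-line triage of an extracted iPhone dump, done from Python so each
step is explicit: find . | grep -i (names), grep -i 'ext$' (extensions),
file -i (type by magic bytes) and grep -ri (contents).

Added example, not from the video. The sample tree below is constructed so the
script runs offline; it is not data from a real device."""
import os
import re
import tempfile

# Constructed sample files: realistic magic bytes, padded with NUL bytes the
# way real binary files are, so grep-style binary detection has something to see.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SQLITE = b"SQLite format 3\x00" + b"\x00" * 16 + b"Marsha"
BPLIST = b"bplist00" + b"\x00" * 16      # bplist magic only, not a decodable plist
SAMPLE_TREE = {
    "private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG": JPEG,
    "private/var/mobile/Media/DCIM/100APPLE/IMG_0002.PNG": PNG,
    "private/var/mobile/Library/Keyboard/UserWords.ctrl": BPLIST,
    "private/var/mobile/Library/Keyboard/notes.jpg.txt": b"keyboard layout notes\n",
    "private/var/mobile/Library/SMS/sms.db": SQLITE,
    "System/Library/Keyboards/en.strings": b'"Keyboard" = "Keyboard";\ncontact Marsha tomorrow\n',
}

MAGIC = [  # (prefix, label) pairs checked in order, a tiny version of file(1)'s magic db
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"SQLite format 3\x00", "application/vnd.sqlite3"),
    (b"bplist00", "application/x-bplist"),
]


def build_sample_dump():
    """Write the constructed tree into a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="iphone_dump_")
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def walk_files(root):
    """Yield (absolute path, path relative to root) for every regular file."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root)


def find_names(root, keyword):
    """find . | grep -i KEYWORD: case-insensitive match anywhere in the path,
    so a directory called Keyboard matches just like a file name would."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return sorted(rel for _full, rel in walk_files(root) if pat.search(rel))


def find_ext(root, ext):
    """find . | grep -i 'EXT$': the keyword has to end the file name, which
    drops names like notes.jpg.txt that merely contain it."""
    pat = re.compile(re.escape(ext) + r"$", re.IGNORECASE)
    return sorted(rel for _full, rel in walk_files(root) if pat.search(rel))


def sniff_type(path):
    """Stand-in for file -i: decide by the first bytes, never by extension."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "application/octet-stream" if b"\x00" in head else "text/plain"


def grep_contents(root, keyword):
    """grep -ri KEYWORD: search file contents. Text files return each matching
    line; files containing NUL bytes report 'Binary file matches', as grep does."""
    pat = re.compile(re.escape(keyword).encode(), re.IGNORECASE)
    hits = []
    for full, rel in walk_files(root):
        with open(full, "rb") as fh:
            data = fh.read()
        if not pat.search(data):
            continue
        if b"\x00" in data:
            hits.append((rel, "Binary file matches"))
        else:
            hits.extend((rel, line.decode("utf-8", "replace"))
                        for line in data.splitlines() if pat.search(line))
    return sorted(hits)


if __name__ == "__main__":
    root = build_sample_dump()
    print("names containing 'keyboard':", find_names(root, "keyboard"))
    print("names ending in jpg:", find_ext(root, "jpg"))
    for rel in find_ext(root, "jpg"):
        print(rel, "->", sniff_type(os.path.join(root, rel)))
    for rel, what in grep_contents(root, "marsha"):
        print(rel + ":", what)
```

Note that find_ext("jpg") keeps IMG_0001.JPG because of the case-insensitive match but drops notes.jpg.txt, and that sniff_type reports the .ctrl file as a bplist regardless of its extension, which is exactly why the video runs file on a hit before trusting the name.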
What you'll find with iPhones, though, are plists and bplists, and bplists cause a little bit of a problem. So let's look at how to examine those on the command line. First let's find the file we're interested in: I grep for UserWords.ctrl and get a hit. Its location is mobile/Library/Keyboard. I want to analyze, for example, how many software keyboards are installed on this phone right now. If I cat that path, I read all of the contents of the file. Notice that we have a lot of these question marks, and it also starts with bplist. Whenever you see question marks like this on the command line, and just a bunch of junk, it's probably a binary file. One way we could analyze this is by using xxd, which gives us the hexadecimal view of everything. But you can see that things are still encoded and it doesn't look very easy to analyze. So we can do a little bit better by using a tool called BPLister, from Three Planet Software. BPLister is excellent if you want to actually get access to binary plists. If you're dealing with iOS, you're probably going to run into binary plists at some point, and BPLister will really help in this situation. It is in a GitHub repository, so click Code and copy the repository URL. I'm going to put it inside this iPhone directory: git clone and paste that GitHub URL. Now we've cloned it down. BPLister is written in Ruby, so we have this plist parse .rb script. The whole path of our file is here, and I'm going to copy it. Now I run ruby, because I need Ruby installed to run the Ruby script, then the BPLister plist parse script, and then I just feed it the file that I know is a bplist: UserWords.ctrl. If I hit enter, now we get the pretty version of this.
It looks a lot closer to JSON, and I can actually read it instead of having to go through a hex editor. We can see a couple of different things here, but what I'm really interested in are these three entries: these are the software keyboards that are installed on the phone. Again, if we just tried to read that data out directly, it would just be binary data that's hard to understand. So even if you're using something like Autopsy to analyze an iPhone, not all of these data structures are parsed out correctly, and you might need to extract the file. If it starts with bplist in the header, run it through BPLister and you should be able to read it. So there are a couple of tips for you: you absolutely can do a full iPhone investigation through the command line. Of course, it's not always going to be as convenient; you are going to have to do some of these conversions. But if you have something like BPLister, it'll make the job way easier. That's all I have for you today. Thank you very much.
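The bplist detection and decoding described above, as an added example that is not part of the video: it uses Python's standard-library plistlib as a Linux-native alternative to the Ruby BPLister script, so no extra tool has to be cloned. The keyboard plist it decodes is constructed in the script itself, and the key names InstalledKeyboards and LastUsedKeyboard are placeholders, not real iOS preference keys.

```python
"""Detect and decode an Apple binary plist (bplist00) on Linux with Python's
standard plistlib, an alternative to the Ruby BPLister script used in the
video. Added example; the keyboard plist is constructed here, and the key
names InstalledKeyboards / LastUsedKeyboard are placeholders, not real iOS keys."""
import plistlib

# Constructed sample content: three software keyboards plus a last-used entry.
SAMPLE_KEYBOARDS = {
    "InstalledKeyboards": [
        "en_US@sw=QWERTY;hw=Automatic",
        "emoji@sw=Emoji",
        "de_DE@sw=QWERTZ;hw=Automatic",
    ],
    "LastUsedKeyboard": "en_US@sw=QWERTY;hw=Automatic",
}


def make_sample_bplist():
    """Serialize the sample as a binary plist; the bytes start with b'bplist00'."""
    return plistlib.dumps(SAMPLE_KEYBOARDS, fmt=plistlib.FMT_BINARY)


def is_bplist(data):
    """The header check from the video: binary plists begin with 'bplist'
    followed by a two-digit format version, normally 00."""
    return data[:6] == b"bplist"


def decode_plist(data):
    """plistlib detects XML vs binary itself, so one call covers both forms.
    Returns None for bytes that are not a plist at all (e.g. a JPEG)."""
    try:
        return plistlib.loads(data)
    except plistlib.InvalidFileException:
        return None


def decode_file(path):
    """Read a file from the dump and decode it; None if it is not a plist."""
    with open(path, "rb") as fh:
        return decode_plist(fh.read())


def installed_keyboards(data):
    """Pull out the software-keyboard entries, the detail the video was after."""
    obj = decode_plist(data)
    if not isinstance(obj, dict):
        return []
    return list(obj.get("InstalledKeyboards", []))


def to_readable(data):
    """What BPLister gives you: the same structure as readable text. Here the
    XML plist form, which plistlib can write directly from the decoded object."""
    return plistlib.dumps(decode_plist(data), fmt=plistlib.FMT_XML, sort_keys=True).decode()


if __name__ == "__main__":
    blob = make_sample_bplist()
    print("header:", blob[:8])                 # b'bplist00', the magic cat showed us
    print("is bplist:", is_bplist(blob))
    print("software keyboards:", installed_keyboards(blob))
    print(to_readable(blob))
```

On a real dump you would call decode_file on the path grep located; because plistlib sniffs the header itself, the same function also handles XML plists, so you do not need to know in advance which form a given .plist or .ctrl file uses.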