From 2463effd5ce53d2581d94d7c907a571af62bbeb9 Mon Sep 17 00:00:00 2001
From: Jan Vales
Date: Fri, 20 Jun 2014 21:14:26 +0200
Subject: [PATCH] iphone + analyse. zwangspause.
---
 report4/content.tex | 265 ++++++++++++++++++++++++++++++++++++--------
 report4/main.tex | 1 +
 2 files changed, 220 insertions(+), 46 deletions(-)
diff --git a/report4/content.tex b/report4/content.tex
index 28c0875..182d7c5 100644
--- a/report4/content.tex
+++ b/report4/content.tex
@@ -1,50 +1,25 @@ \newpage\section{Questions (12 points)} \subsection{How and when did Mr. Smith and Mr. Mayer communicate? (2 point)} -account lists -* IPHONE info: -.. FB found. - -* Android info: -.. +\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | } + \hline service & timestamp & (from) to & content\\ + \hline skype & 27-11-2012 12:20:00 & to:allegro.mayer from:johannes.m.smith & Auth\_Request\\ + \hline skype & 06-12-2012 13:20:33 & from:allegro.mayer to:johannes.m.smith & Auth\_Granted\\ + \hline call & 2012-12-06 14:35:38 & Johannes Smith 06603169718 & (0:01:15 sec)\\ + \hline skype & 06-12-2012 16:33:53 & to:allegro.mayer from:johannes.m.smith & "Hallo"\\ + \hline sms & 2012-12-06 17:20:46 & to +436603169718 & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\ + \hline sms &2012-12-06 17:30:43 & to +436603169718 & Sicherer kanal wär besser ....\\ + \hline viber call & 2012-12-06 17:31:57 & Johannes Smith & (71 sec)\\ + \hline sms & 2012-12-06 17:36:26 & from +436605166042 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ + \hline sms & 2012-12-06 17:42:50 & to +436605166042 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ + \hline sms & 2012-12-06 17:45:19 & to +436605166042 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ + \hline call & 2012-12-06 17:45:36 & Johannes Smith +436605166042 & (0:00:21 sec; diensthandy? DumpBank We Sell Your Shit)\\ + \hline +\end{tabularx}\end{center} \subsection{What information was exchanged between Mr. Smith and Mr. Mayer? 
(3 points)} - -skype 27-11-2012 12:20:00 to:allegro.mayer from:johannes.m.smith Auth\_Request - -tun+vr -ph1 - -skype 06-12-2012 13:20:33 from:allegro.mayer to:johannes.m.smith Auth\_Granted - -call 2012-12-06 14:35:38 Johannes Smith 06603169718 (0:01:15 sec) - -skype 06-12-2012 16:33:53 to:allegro.mayer from:johannes.m.smith: "Hallo" - -ph2 - -sms +436603169718 Sent on: 2012-12-06 17:20:46 -Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin. - -sms +436603169718 Sent on: 2012-12-06 17:30:43 -Sicherer kanal wär besser .... - -viber call 2012-12-06 17:31:57 Johannes Smith (71 sec) - -sms +436605166042 Received on: 2012-12-06 17:36:26 -Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/ - -sms +436605166042 Sent on: 2012-12-06 17:42:50 -Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört... - -sms +436605166042 Sent on: 2012-12-06 17:45:19 -Ich hab von einem kollegen wichtige informationen. Ruf dich an - -call 2012-12-06 17:45:36 Johannes Smith +436605166042 (0:00:21 sec; diensthandy? DumpBank We Sell Your Shit) - - - +dropbox extracted from android. no time now. mutter kollabiert gerade.\\ \subsection{Can you find any evidence or hints that support the suspicion of insider trade? (3 points)} No hard evidence was found.\\ @@ -74,8 +49,9 @@ ff746e574a0d668e1d82c3ff72501a75eabe642e1dee7f20d3d74b9fe72054f9\\ 9b9a91ded1b3f98067a63065423c620c73c42c65e13c3b110424854b3e7f6678} \end{quote} + \subsection{Contacts} -The contacts-db was extracted from \emph{\textbf{IPBA::Home Domain:Library/AddressBook:AddressBook.sqlitedb}} +The contacts-db was extracted from \emph{\textbf{IPBA::Home Domain:Library/AddressBook/AddressBook.sqlitedb}} \begin{quote} \textbf{size}: 87040 byte\\ \textbf{''file''-output}: SQLite 3.x database\\ 
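Review bot: The communication table added for question 1 mixes two date formats (`27-11-2012 12:20:00` on the Skype rows, `2012-12-06 ...` elsewhere) and its call and SMS times are one hour later than the same events in the call-log and sms.db tables added further down in this patch (`14:35:38` vs `13:35:38`, `17:20:46` vs `16:20:46`), so the report should state once which timezone this table is normalised to and how the values read from the databases were converted; without that the timeline cannot be checked against the artefacts. The working note `dropbox extracted from android. no time now. mutter kollabiert gerade.\\` left in the question 2 answer should be removed before delivery, and the trailing `\\` directly before `\subsection` will only produce an underfull-box warning. The straight quotes in `"Hallo"` should be ``Hallo'' and the phone numbers are given in two forms (`06603169718` and `+436603169718`) for what appears to be the same contact; one canonical form would make the rows easier to correlate.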
@@ -83,7 +59,7 @@ The contacts-db was extracted from \emph{\textbf{IPBA::Home Domain:Library/Addre } \end{quote} -The following contacts were found inside. +The content was: \begin{center}\begin{tabular}{ | l | r | } \hline Name & Phone \\ \hline & +436603169718 \\ 
@@ -94,15 +70,212 @@ The following contacts were found inside. \hline \end{tabular}\end{center} + \subsection{Call-Log} -\subsection{SMS-Log} +The call-log was extracted from \emph{\textbf{IPBA::Wireless Domain:Library/Callhistory/call\_history.db}} +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{ | l | l | l | l | } + \hline date & to/from & Phonenumber & duration (sec)\\ + \hline 2012-12-06 13:35:38 & to & 06603169718 & 75\\ + \hline 2012-12-06 14:02:20 & to & 06803303660 & 0\\ + \hline 2012-12-06 14:03:02 & from & +436605969364 & 23\\ + \hline 2012-12-06 14:08:34 & to & 0660303010 & 0\\ + \hline 2012-12-06 14:10:02 & to & 0660303030 & 1181\\ + \hline 2012-12-06 15:17:05 & to & 0660303030 & 1023\\ + \hline 2012-12-06 15:34:30 & to & 0660303030 & 864\\ + \hline 2012-12-06 16:00:10 & from & +436605166042 & 17\\ + \hline 2012-12-06 16:08:02 & to & 06604394199 & 9\\ + \hline 2012-12-06 16:25:30 & from & +436605166042 & 0\\ + \hline 2012-12-06 16:26:11 & from & +436605166042 & 0\\ + \hline 2012-12-06 16:34:39 & to & 06604394199 & 6\\ + \hline 2012-12-06 16:34:52 & to & 06604394199 & 12\\ + \hline 2012-12-06 16:35:10 & to & 06604394199 & 23\\ + \hline 2012-12-06 16:45:36 & to & +436605166042 & 21\\ + \hline +\end{tabular}\end{center} + + +\subsection{SMS/iMessage} +The SMS-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/SMS/sms.db}} +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + + +The content was: +\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X | } + \hline date & from/to & number & service & text\\ + \hline 2012-12-06 16:17:20 & from & Viber & SMS & Your Viber code is: 9386 Close this message and enter the code into Viber to activate your account.\\ + \hline 2012-12-06 16:20:46 & to & +436603169718 & SMS & Ich 
habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\ + \hline 2012-12-06 16:30:43 & to & +436603169718 & SMS & Sicherer kanal wär besser ....\\ + \hline 2012-12-06 16:33:58 & to & +436604413637 & iMessage & Hi wie gehts? Treffen wir und mal auf einen drink?\\ + \hline 2012-12-06 16:36:26 & from & +436605166042 & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ + \hline 2012-12-0616:42:50 & to & +436605166042 & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ + \hline 2012-12-0616:45:19 & to & +436605166042 & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ + \hline +\end{tabularx}\end{center} + + +\subsection{Calendar} +The Calendar-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/Calendar/Calendar.sqlitedb}} +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{| l | l | l | l | } + \hline event & start & end & location\\ + \hline Paris geschäftsreise & 2012-12-07 14:00:00 & 2012-12-09 19:00:00 & Paris\\ + \hline Meeting & 2012-12-10 10:00:00 & 2012-12-10 11:00:00 & Zbank\\ + \hline Nordic walking & 2012-12-11 07:00:00 & 2012-12-11 07:30:00 & \\ + \hline Statusmeeting & 2012-12-11 08:00:00 & 2012-12-11 12:00:00 & \\ + \hline +\end{tabular}\end{center} + + +\subsection{Browser} +The plist \emph{\textbf{IPBA::HomeDomain:Library/Safari/History.plist}} opened with IPBA2 plist-viewer cointains the browser history. 
+ +\begin{center}\begin{tabularx}{\textwidth}{| l | X | X |} + \hline timestamp & title & url \\ + \hline 2012-12-07 09:03:15 & Flughafen Wien - Abflüge - Offen für neue Horizonte & https://www.google.at/url?sa=t\&source=web\&cd=3\&ved=0CD0QjBAwAg\&url=http\%3A\%2F\%2Fwww.viennaairport.com\%2Fjart\%2Fprj3\%2Fva\%2Fmain.jart\%3Frel\%3Dde\%26content-id\%3D1249344074230\%26reserve-mode\%3Dactive\&ei=jLDBULjlB8bE4gTn-oGABw\&usg=AFQjCNHU5R5b3WsiOhYSIsli3inGLTEFGQ\\ + \hline 2012-12-07 09:02:03 & flughafen wien - Google-Suche & https://www.google.at/search?q=flughafen+wien\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\ + \hline 2012-12-07 09:01:54 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\\ + \hline 2012-12-06 16:14:19 & RNS News - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/news/detail.html?announcementId=11421386\\ + \hline 2012-12-06 16:14:14 & FTSE AIM 100 - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/indices/summary.html?index=AIM1\\ + \hline 2012-12-06 16:14:07 & Homepage - London Stock Exchange & https://www.google.at/url?sa=t\&source=web\&cd=1\&ved=0CEQQFjAA\&url=http\%3A\%2F\%2Fm.londonstockexchange.com\%2Fexchange\%2Fmobile\%2Fhomepage.html\&ei=ScTAUPK8FMfKtAaQq4GYBQ\&usg=AFQjCNE22q6svVgMrwz\_D7x-iD0srW0nTw\\ + \hline 2012-12-06 16:14:00 & stock exchange london - Google-Suche & https://www.google.at/search?q=stock+exchange+london\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\ + \hline 2012-12-06 16:10:22 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\#calendar\\ + \hline 2012-12-06 16:10:03 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\\ + \hline 2012-12-06 16:09:56 & Paris: Touren, 
Ausflüge \& Aktivitäten | Mobil - GetYourGuide.com & https://www.google.at/aclk?sa=l\&ai=Cw0lOT8PAUNn8BIaX0wXeoYHwD43W1e0EldC\_uXSaooQJCAAQAiD4mYsSKAJQw5HQuPv\_\_\_\_\_AWCpsL6AzAGgAYutzM0DyAEBqQJiko-yhe21PqoEIk\_QmH99e-Hnj0NaSGjzY1ceX0oZt9LcfH\_ckQNETkSVs7yABZfgvAvYBgI\&sig=AOD64\_3cmbdhf4eRcAjv\_a9FMrltcGuHTA\&ved=0CC0Q0Qw\&adurl=http://21.xg4ken.com/media/redir.php\%3Fprof\%3D89\%26camp\%3D65425\%26affcode\%3Dkw720159\%26inhURL\%3D\%26cid\%3D31229666013\%26networkType\%3Dsearch\%26url\%5B\%5D\%3Dhttp\%253A\%252F\%252Fwww.getyourguide.de\%252Fparis\%252Fsightseeing-touren-ltc16-2\%252F\%253Fpartner\_id\%253DCD951\\ + \hline 2012-12-06 16:09:50 & paris sightseeing - Google-Suche & https://www.google.at/search?q=paris+sightseeing\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\ + \hline 2012-12-06 16:08:58 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\#!/laura.markovic.129?\_\_user=100004760941674\&soft=jewel\%3D2\\ + \hline 2012-12-06 16:08:49 & Facebook & https://m.facebook.com/home.php?refid=9\#!/laura.markovic.129?\_\_user=100004760941674\\ + \hline 2012-12-06 13:56:39 & Facebook & http://m.facebook.com/?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&\_rdr\#!/home.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&soft=side-area\&\_\_user=100004760941674\\ + \hline 2012-12-06 13:55:36 & Facebook & http://facebook.com/\\ + \hline 2012-12-06 13:51:26 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=side-area\&\_\_user=100004760941674\\ + \hline 2012-12-06 13:50:58 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=jewel\%3D0\&\_\_user=100004760941674\\ + \hline 2012-12-06 13:46:54 & Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=2\&refid=9\\ + \hline 2012-12-06 13:46:08 & Willkommen bei Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=1\&refid=8\\ + \hline 
+\end{tabularx}\end{center} + + +\subsection{WLANs} +The plist \emph{\textbf{IPBA::SystemPreferencesDomain:SystemConfiguration/com.apple.wifi.plist}} opened with IPBA2 plist-viewer cointains a list of Wireless Networks the phone has joined.\\ + +\begin{center}\begin{tabular}{| l | l | l |} + \hline ssid & last join & last autojoin \\ + \hline tunet & 2012-12-06 90:41:55 & \\ + \hline VirtualRouter & 2012-12-06 09:38:00 & 2012-12-06 09:45:45 \\ + \hline pornhub & 2012-12-06 11:51:01 & 2012-12-06 16:05:07 \\ + \hline +\end{tabular}\end{center} + + \subsection{Media} -\subsection{eMail-App} +Images were extracted from \emph{\textbf{IPBA::CameraRollDomain:Media/DCIM/100APPLE}}\\ + +Screenshot of Facebook-App showING a photograph of a woman. Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}) seems to be tagged in that photograph. +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +Screenshot from Maps-App showing directions within Paris. +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +Showing some statistics about company shares. 
+\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + + \subsection{Viber-App} +The Viber-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Documents/Contacts.data}} +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{| l | l | l | l | l |} + \hline timestamp & to/from & number & name & duration (sec)\\ + \hline 2012-12-06 16:27:32 & to & 436803303660 & Laura Markovic & 0\\ + \hline 2012-12-06 16:31:57 & to & 436605166042 & Johannes Smith & 72\\ + \hline +\end{tabular}\end{center} + + \subsection{Skype-App} -\subsection{Whatsapp-App} +The Skype-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Documents/Contacts.data}} +\begin{quote} +\textbf{size}: byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +} +\end{quote} + +The content was: +\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X |} + \hline timestamp & to/from & Skype id & name & content\\ + \hline 2012-11-27 12:20:00 & from & johannes.m.smith & Johannes Smith & Hallo! Ich wüurde Sie gerne in meine Skype-Kontaktliste aufnehmen. 
Johannes Smith\\ + \hline 2012-12-06 13:20:33 & to & johannes.m.smith & Johannes Smith & \\ + \hline 2012-12-06 13:20:57 & to & christoffel.johannes.smith & Chris Smith & Fügen Sie mich als Kontakt hinzu, damit wir anrufen und chatten können\\ + \hline 2012-12-06 13:21:33 & to & addy-juli & Julia & Fügen Sie mich als Kontakthinzu, damit wir anrufen und chatten können.\\ + \hline 2012-12-06 16:33:51 & from & johannes.m.smith & Johannes Smith & Hallo\\ + \hline +\end{tabularx}\end{center} + + \subsection{Dropbox-App} +The plist \emph{\textbf{IPBA::AppDomain:com.getdropbox.Dropbox/Library/Preferences/com.getdropbox.Dropbox.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{Dropbox Username}} and the email-address \emph{\textbf{allegro.mayer\@gmail.com}}\\ + +Also the field \emph{\textbf{Dropbox Camera Upload Has Ever Uploaded}} is \emph{\textbf{true}}\\ + + \subsection{Facebook-App} +The plist \emph{\textbf{IPBA::AppDomain:com.facebook.Facebook/com.facebook.Facebook.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{FBLastLoginEmail}} and the email-address \emph{\textbf{allegro.mayer\@gmail.com}}\\ + +Searching of FB reveales the link to the profile: \url{https://www.facebook.com/allegro.mayer}.\\ +That About-Page states his relationship status is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}).\\ + +Relevant FB-postings by Allegro Mayer:\\ +On December 7. 2012 11:54 at Flughafen Wien, Vienna Airport, Austria. +\begin{quote}On my way to Paris\end{quote} + +On December 7. 2012 14:17 at Paris, with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}). +\begin{quote}enjoying a romantic weekend with my dearest love in Paris!\end{quote} + + + + + \newpage\section{Android} \subsection{Source: Android.tar.gz (ANDROID)} diff --git a/report4/main.tex b/report4/main.tex index 809a927..8308d9e 100644 --- a/report4/main.tex +++ b/report4/main.tex 
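Review bot: The Skype-App section cites the Viber database path `IPBA::AppDomain:com.viber/Documents/Contacts.data` as the source of the Skype database, which is copied from the Viber-App section above it; the Skype artefact needs its own path (a marked placeholder such as `<skype-database-path>` until it is known) or the extraction cannot be reproduced. Every new artefact block (call\_history.db, sms.db, Calendar.sqlitedb, the three camera-roll images, Viber, Skype) still reads `\textbf{size}: byte` with an empty `\ttfamily{ }` sha512 group, and the three image entries carry `\textbf{''file''-output}: SQLite 3.x database` copied from the database blocks — for an evidence report these integrity fields should be filled in or explicitly marked as pending, as the AddressBook block earlier in the file does with real values. Several timestamps are malformed: `2012-12-06 90:41:55` in the WLANs table has no valid hour, and `2012-12-0616:42:50` / `2012-12-0616:45:19` in the SMS table lack the date–time separator. The repeated `\emph{\textbf{...}}` wrapper around artefact paths and plist field names would be clearer as one semantic macro in the preamble, e.g. `\newcommand*{\artefact}[1]{\emph{\textbf{#1}}}`, and the prose typos `cointains`, `reveales` and `showING` should be fixed in the same pass.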
@@ -109,6 +109,7 @@ {ö}{{\"o}}1 } +\usepackage{tabularx} % START DOCUMENT \begin{document}\thispagestyle{empty} -- 2.43.0
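Review bot: `\usepackage{tabularx}` is inserted directly after the closing `}` of the listings literate block and immediately before `% START DOCUMENT`, rather than next to the other `\usepackage` lines earlier in the preamble (outside this hunk); grouping it with them keeps the package list reviewable in one place. If `hyperref` is among those earlier packages it should remain the last one loaded, so `tabularx` belongs before it.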