Introducing Evanole Community Edition

Mobile device examination is typically limited to time and level of access. Evanole is a tool to perform acquisition and analysis of iOS devices quickly and thoroughly to gather data and evidence regardless of iOS version and hardware combination. To accomplish this, Evanole employs conventional mobile device forensic techniques along with novel data gathering over multiple modes of communication. This blog will focus on the release of the free Hexordia tool - Evanole Community Edition.

Data Sources

Evanole Community Edition gathers data from System Logs and USB queries.

System Logs:

The iOS System Logging feature enables real-time monitoring of backend device operation. These system logs are highly ephemeral, real-time data streams, as opposed to more traditional logs that are stored in a file. This feature was released for developers yet may provide valuable information as a secondary forensic data source. Live System Logs output a considerable volume of data in a short period of time, which makes parsing such logs manually time consuming. Evanole automates the parsing of logs to quickly identify key information and artifacts.

USB:

Queries are sent to the device over USB to gather information such as the device's name, model, OS version, and other key identifiers. These values provide an overview of the device hardware and software along with its unique identifiers.

Device View

When an iDevice is detected, Evanole CE will attempt to quickly query basic information from the device. Gathered information is presented in a text view. If a trust relationship has been established between the device and the PC, Evanole will be able to gather more information. To query the identifiers again, the examiner may unplug the device from the PC for a few seconds and then plug it back in.

Figure 1 - Screenshot of Device View in Evanole Community Edition showing a multitude of identifiers for the mobile phone.

Monitor View

The monitor interface serves as a controller to gather and view System Logs in real-time. An examiner may use the play and stop controls to monitor the log or import an existing log. Once the examiner has concluded their observation session they may stop and export the log.

Figure 2 - Screenshot of Monitor View as it shows live data from the mobile device

A trusted state is required to gather System Logs from the device. The log may be gathered from locked devices and sleeping devices when the device is connected to, and authenticated with, the PC.

Figure 3 - Close up view of lines of content from Monitor View

Notice that each line contains two datetime strings at the beginning. The timestamp at the very beginning of the line is a UTC timestamp provided by the host PC. This timestamp provides a true UTC time of log collection in the case that the device time is incorrect.

The second datetime string is provided by the connected device in <<Month, Day, HR:MIN:SEC>> format. This timestamp will follow the Timezone configured on the device. If the device time is set incorrectly, this time will be incorrect.
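As an added example (not code from Evanole or from this post), a small Python parser for monitor log lines laid out as described above, which also measures how far the device clock drifts from the host's UTC stamp. The exact line layout is an assumption: the host stamp is taken as ISO 8601 UTC, the device stamp as the syslog-style `Mon DD HH:MM:SS` form, the sample lines are constructed, and the device's configured UTC offset is supplied by the examiner.

```python
"""Split Evanole-style monitor log lines into host UTC stamp, device stamp and
message, then compute device clock skew against the host stamp."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (assumed layout, not real Evanole output):
#   <host ISO 8601 UTC> <Mon DD HH:MM:SS from device> <rest of the syslog line>
SAMPLE_LOG = """\
2024-03-05T14:02:10Z Mar  5 09:02:10 iPhone kernel[0] <Notice>: constructed sample line
2024-03-05T14:02:11Z Mar  5 09:07:41 iPhone SpringBoard[55] <Notice>: constructed sample line
"""

LINE_RE = re.compile(
    r"^(?P<host>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"   # host PC, UTC
    r"(?P<dev>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"  # device, local time
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = datetime.strptime(m["host"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # The device stamp carries no year, so borrow it from the host stamp
    # (assumption: the log does not straddle a year boundary).
    dev_text = " ".join(m["dev"].split())  # collapse syslog's padded day field
    dev_local = datetime.strptime(f"{host.year} {dev_text}", "%Y %b %d %H:%M:%S")
    return {"host_utc": host, "device_local": dev_local, "message": m["rest"]}


def parse_log(text):
    """Parse every matching line of a log export; unparseable lines are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def device_offset_seconds(record, device_utc_offset_hours):
    """Seconds the device clock is ahead (+) or behind (-) the host's UTC clock,
    after removing the timezone offset configured on the device. A value far
    from zero means the device stamp should not be trusted for timelining."""
    dev_utc = (record["device_local"] - timedelta(hours=device_utc_offset_hours)
               ).replace(tzinfo=timezone.utc)
    return (dev_utc - record["host_utc"]).total_seconds()


def skewed_records(text, device_utc_offset_hours, tolerance_seconds=60):
    """Records whose device clock disagrees with the host by more than the tolerance."""
    return [r for r in parse_log(text)
            if abs(device_offset_seconds(r, device_utc_offset_hours)) > tolerance_seconds]
```

With the constructed sample and a device timezone of UTC-5, the first line agrees with the host clock and the second is 330 seconds ahead, which is the situation the paragraph above warns about.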

Analysis View

While the System Log is monitored Evanole will parse each line and output key findings to the Analysis view. The examiner can view the key findings as they populate in real time or after importing an external log.

Figure 4 - Analysis View of Evanole Community Edition showing real-time parsed results

Support and Compatibility

The Evanole tool supports all iPhones and iPads regardless of iOS version. Syslog gathering is limited to devices running iOS 10 and greater. The tool is operable on Windows operating systems.

Nicholas Dubois

Nicholas Dubois is a digital forensic examiner and educational content writer. Nicholas has spoken at several conferences on forensic findings and the offensive security of educational institutions including HTCIA, DFRWS, and NCCC.
