The Apple Watch was released in spring 2015. As expected, the Apple Watch craze began. Sarah Edwards, the author of FOR518, and I spent a few hours picking apart the watch to see what we could find. I recently upgraded to the Apple Watch Series 3 with cellular, and a lot has changed. Before we dive into that, let’s start with the first and second Apple Watches.

The Apple Watch must be paired with an iPhone running iOS 8.2 or later for full functionality. True, anyone can wear and use certain features of the Apple Watch, but full functionality requires that the device be paired with an iPhone. The Apple Watch is paired to the iPhone via Bluetooth. The watch also connects to Wi-Fi, which means it keeps syncing the data the iPhone receives whenever both are on the same Wi-Fi network. For example, my Apple Watch is connected to my personal iPhone. I use this iPhone for both work and personal use. I sync personal email, calendars, and notes for both work and personal accounts. When my watch is connected to my work Wi-Fi (as is my iPhone), the calendar continues to update even if Bluetooth is turned off. See any issues with this? We address those in a few slides.

The Apple Watch runs watchOS, which is similar to iOS. The watch has at least 512 MB of RAM and 8 GB of internal flash storage separate from the iPhone's storage.[1] Thus, a good chunk of data is saved on the Apple Watch itself. Currently, the easiest way to get data from the Apple Watch is to parse the iPhone's backup file from iTunes or iCloud. We cover parsing backup files in Section 4 but will take a quick glimpse here at what the data looks like. As shown in the screenshot, a diagnostics port is available, and we believe we can pull data directly from the Apple Watch; however, I was not willing to ruin my watch should I be incorrect!

There are both forensic and security implications when wearing, examining, and handling an Apple Watch. Two things to consider when we parse a backup of an iPhone to obtain data from an Apple Watch are: what if

  •  The watch is no longer synced, and the data is missing?

  •  The backup is encrypted?

Another aspect is physical access. What if the watch is lost, or stolen, or worse, the iPhone it is paired with is? What happens when an Apple Watch enters a secure or prohibited facility?

Security is something else we, as users and examiners, must consider. With Wi-Fi and Bluetooth always being enabled, we are putting our devices (Watch and iPhone) at risk for unwanted access. We are now visible to others who may be scanning for Wi-Fi devices! In addition, the permissions we give our watch can be taken and used by others if the watch is stolen or borrowed. Further research is required to determine just how vulnerable we are by wearing an Apple Watch.

Each Apple Watch has its own Synced Data Directory under /var/mobile/Library/DeviceRegistry/<GUID>. Under this directory, a plethora of information pertaining to the Apple Watch can be recovered. Be careful when examining a first or second edition of the Apple Watch, because many of the files are exact copies of what is on the paired iPhone and do not represent activity that happened on the watch. Some examples of data you can find in the DeviceRegistry directory of the first two Apple Watches include:

  •  AddressBook

  •  GeoServices

  •  Health

  •  Mail

  •  Maps

  •  Passes

  •  Preferences

  •  PairedSync

  •  Photos

This list is just a sampling of what can be recovered. Some other important locations to examine include:

Email: /var/mobile/Library/DeviceRegistry/<GUID>/NanoMail/registry.sqlite

AddressBook: /var/mobile/Library/DeviceRegistry/<GUID>/AddressBook

Voicemail: /var/mobile/Library/DeviceRegistry/<GUID>/PreferencesSync/NanoDomains/com.apple.mobilephone

This binary plist file is stored on the iPhone as /mobile/Library/DeviceRegistry.state/properties.bin. Here, we can see information pertaining to the Apple Watch.

The properties.bin file contains paired Apple Watch information, including:

  •  Watch Name

  •  Make

  •  Model

  •  OS

  •  GUID

The Synced Data Directory contains a list of installed applications on the Apple Watch. This file is a binary plist with an embedded plist. Fun, right? This embedded binary plist is located in /var/mobile/Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains/com.apple.Carousel.
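To handle the plist-inside-a-plist layout described above, here is an added Python example (not from the course material) that recursively decodes any data blob that is itself a binary plist, so the embedded installed-app list becomes ordinary Python dicts and lists. The sample blob it builds, and the key names `payload`, `installedApps` and `bundleID`, are constructed for illustration and are not Apple's real keys.

```python
import plistlib

# Binary plist files and embedded blobs both begin with this magic header.
BPLIST_MAGIC = b"bplist00"


def unwrap_embedded_plists(obj):
    """Walk a decoded plist; any bytes value that is itself a binary plist
    is decoded in place, recursively, so nested plists become plain dicts."""
    if isinstance(obj, bytes) and obj.startswith(BPLIST_MAGIC):
        return unwrap_embedded_plists(plistlib.loads(obj))
    if isinstance(obj, dict):
        return {k: unwrap_embedded_plists(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [unwrap_embedded_plists(v) for v in obj]
    return obj


def load_plist_file(path):
    """Load a plist from disk (e.g. .../NanoDomains/com.apple.Carousel)
    and unwrap every embedded binary plist it contains."""
    with open(path, "rb") as fh:
        return unwrap_embedded_plists(plistlib.load(fh))


def build_sample_carousel_blob():
    """Constructed sample: an outer binary plist whose 'payload' key holds
    an inner binary plist as a data blob. Key names are hypothetical."""
    inner = {"installedApps": [{"bundleID": "com.example.app", "name": "Example"}]}
    outer = {"payload": plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)}
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


def list_installed_bundle_ids(blob):
    """Return the bundle IDs found in the (unwrapped) installed-app list."""
    data = unwrap_embedded_plists(plistlib.loads(blob))
    return [app["bundleID"] for app in data["payload"]["installedApps"]]
```

Without the unwrap step, `plistlib` returns the inner plist as an opaque `bytes` value, which is why the embedded list is easy to miss when triaging the file.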

Make sure you know how the data is being populated on the device under the DeviceRegistry for the Apple Watch. The question is this: Was the activity initiated on the Apple Watch or the iPhone? Does it matter? Why does the Watch data contain information that occurred before the Watch was released?

Make sure you familiarize yourself with ways to extract data directly from the Apple Watch (more information is provided in the course Dropbox)!

Reference:

[1] https://for585.com/watch