Sunday, May 24, 2020

Get your red Solo cup: It's time for a little Houseparty


That's a different House Party, however. This post is about:

I ran into an iPhone a while back that happened to have the Houseparty app installed on it. It wasn't the first time I'd run across it over the last several years. It's a relatively popular social networking and video chat app available for Android, iOS, and macOS devices, as well as a browser extension for Google Chrome. What I hadn't run across before was the massive amount of case-relevant data that I encountered. I was fortunate to have a full file system image of the suspect device, which gave me access to the app data.

Alexis Brignoni has a couple of excellent blog posts covering both Realm databases and the Houseparty app. He used Josh Hickman's iOS 13 images to explore some artifacts. The foundation that Alexis built gave me a good path to start on. I had a live device that had extensive Houseparty use, so I had a lot more data to work with and ran across some stuff that wasn't available in the test image.

What I found really helpful was Alexis' mention of the Python json2html package. As Alexis covered in his blog posts, Realm databases can be opened and viewed in Realm Studio and the data can be exported to JSON format. That JSON format gives us some parsing options, and json2html certainly fits the bill. You can use it to get a lot of data, but it's not all relevant. I'll delve more into that towards the end.

Nightmare on Realm Street


Not useful and there's a lot of it.


Let's start with what I first saw in the database itself. As Alexis had noted, the RealmPublicUser, RealmNote, and RealmLocalContact classes had some useful data. The RealmNote data in particular is great because it contains chats.

Data has been faked and hidden to protect the guilty

The RealmConversation and RealmHouseMessage classes also contain messaging data. The RealmHouseMessage class, however, doesn't contain the date/time data for the message. That can be found in the RealmHouseItem class entry with the corresponding "id" value.
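To show that join in code, here is an added Python example (not the post's script and not HPPO code) that reads a Realm Studio JSON export and attaches the RealmHouseItem date/time to each RealmHouseMessage by matching "id". It is written generically enough that the same join serves the RealmFacemail rows covered later. It assumes the export is a JSON object keyed by class name; the field names other than "id" (senderId, body, createdAt as epoch seconds) are constructed for the sample.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Realm Studio JSON export: one key per Realm
# class, each holding a list of objects. Only "id" comes from the post; senderId,
# body and createdAt (epoch seconds) are assumed field names for illustration.
SAMPLE_EXPORT = json.dumps({
    "RealmHouseMessage": [
        {"id": "hm-001", "senderId": "user-42", "body": "you around?"},
        {"id": "hm-002", "senderId": "user-07", "body": "yeah, hop on"},
        {"id": "hm-003", "senderId": "user-42", "body": "no item row for me"},
    ],
    "RealmHouseItem": [
        {"id": "hm-001", "createdAt": 1589920000},
        {"id": "hm-002", "createdAt": 1589920120.5},
    ],
})


def load_export(text):
    """Parse exported JSON text into a dict of class name -> list of rows."""
    return json.loads(text)


def fmt_utc(epoch):
    """Render an epoch timestamp as UTC; None stays None so gaps stay visible."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def attach_item_times(export, class_name):
    """Join rows of class_name to RealmHouseItem on "id" to recover the date/time.

    The same join serves RealmHouseMessage and RealmFacemail, since both share
    their "id" with a RealmHouseItem row. Rows with no item row keep None rather
    than being silently dropped, so the gap shows up in the report.
    """
    items = {row["id"]: row for row in export.get("RealmHouseItem", []) if "id" in row}
    joined = []
    for row in export.get(class_name, []):
        item = items.get(row.get("id"))
        merged = dict(row)
        merged["created"] = fmt_utc(item.get("createdAt")) if item else None
        joined.append(merged)
    # Chronological order, undated rows last so they are easy to follow up.
    joined.sort(key=lambda r: (r["created"] is None, r["created"] or ""))
    return joined
```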

RealmHouseMessage data


Corresponding RealmHouseItem data

One of the most interesting things I found was in the RealmFacemail class.  Facemail is a recorded video message.  During my exam I had located MP4 videos at:

/Library/Application Support/Prefetched-Facemails

As it turns out, those video file names corresponded to "mediaID" values in the RealmFacemail class data.

RealmFacemail data


Once again, the "id" value here corresponds to the "id" value in the RealmHouseItem class, where a date/time value can also be found. You might also notice the obvious pattern in the thumbnail values. When I think thumbnail, I think of a picture. My educated guess was that the string was a base64-encoded picture. I copied some of that string out and threw it into CyberChef to see what I had.


Sure enough, it was a PNG file. I wrote a short Python script to decode it and save it as such. The thumbnails matched the Facemail videos I had located earlier.
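As an added example (not the post's own script and not HPPO code), here is how that decoding step can be done in Python: decode each RealmFacemail thumbnail string, check the bytes for the PNG signature before writing anything, and name the file after mediaID so it lines up with its MP4 in Prefetched-Facemails. The sample rows are constructed, and tolerating a data: URI prefix is a defensive assumption rather than something the post observed.

```python
import base64
import binascii
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # the eight-byte signature every PNG starts with
# Constructed rows standing in for RealmFacemail data; the first thumbnail is a
# real 1x1 PNG, the others are deliberately bad so the error path is exercised.
TINY_PNG_B64 = ("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk"
                "YPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==")
SAMPLE_FACEMAIL = [
    {"id": "fm-001", "mediaID": "3f2a9c1e", "thumbnail": TINY_PNG_B64},
    {"id": "fm-002", "mediaID": "b7d0e455", "thumbnail": "not base64 at all!"},
    {"id": "fm-003", "mediaID": "91c6aa02",
     "thumbnail": base64.b64encode(b"GIF89a not a png").decode()},
]


def decode_thumbnail(text):
    """Return the PNG bytes behind a base64 thumbnail string, or None."""
    s = "".join(text.split())            # exports may wrap long strings
    if s.startswith("data:"):            # tolerate a data: URI prefix (assumption)
        s = s.split(",", 1)[-1]
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Trust the bytes, not the label: only a PNG signature gets written out.
    return raw if raw.startswith(PNG_MAGIC) else None


def write_thumbnails(facemail_rows, out_dir):
    """Save one PNG per decodable row, named by mediaID to match its MP4."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for row in facemail_rows:
        png = decode_thumbnail(row.get("thumbnail") or "")
        if png is None:
            continue                     # one bad row must not abort the run
        name = f"{row.get('mediaID') or row.get('id')}.png"
        (out / name).write_bytes(png)
        written.append(name)
    return written


def demo():
    """Run the sample rows into a scratch directory; returns the files written."""
    return write_thumbnails(SAMPLE_FACEMAIL, tempfile.mkdtemp(prefix="hp-thumbs-"))
```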

Wrapping Up



With the amount of relevant data I had, screenshots were going to be a little arduous. Since I'd already started a little Python work on this, I decided to expand on it. I ended up using json2html to parse each class into its own HTML page, converted those Facemail thumbnails and stuck them in there, and generated a clean, straightforward HTML report.


Presenting HPPO - Houseparty Parsing Outputer


HPPO can be found on GitHub: https://github.com/bluesmoke4n6/hppo.

The example shown here has parsed all of the Realm classes.  By default it only parses tables with data that appears to be user, contacts, and messaging related.

It's not complicated, but it creates a reasonably understandable report that I can use and share with others. My Python skills are far from advanced, but they yielded something that will be a time-saver for future exams and hopefully for others as well.


Conclusion

Houseparty definitely presents some challenges, not the least of which is the Realm database. Tool support for Realm is lacking compared to SQLite, but there are some options for manual analysis, as shown here.

If I haven't been complimentary enough, I'll once again tout Alexis Brignoni's work, which made this so much easier for me. Additionally, Alexis is currently hosting a DFIR Python Study Group with lessons on Zoom and discussion on the DFIR Discord. The first meeting was last week, so it's not too late to get involved. Check it out!

Saturday, May 23, 2020

whoami



Hello and thanks for dropping in! I’m a digital forensics practitioner in the law enforcement field. Much like my entry into a law enforcement career, digital forensics was an unplanned but fortunate decision. I didn’t start with a significant tech background but I did find myself with a voracious appetite to learn and do more and a good environment to accomplish that. I’ve certainly not mastered this craft yet and probably never will. Technology is constantly changing and we’re in a never-ending cycle of keeping up with those changes and their forensic implications.

I hope to share some of the things I’ve learned along the way in addition to documenting the new (to me) stuff. I’ve benefited from having worked in a lab with a couple dozen other examiners. Having people sitting at the desk next to you with a decade or two of knowledge under their belts and a willingness to help is a huge advantage. Hopefully this blog can act as an online sharing point and someone other than me will benefit from it.

One of my other passions is barbeque, which happens to be the source of the bluesmoke moniker. When the fire in your smoker is at just the right point, burning clean and ready for the meat to be thrown on, it’s a thin, vaguely blue wisp which gives your food that perfect smoky kiss. I often find myself hovering around one of my smokers awaiting smoked goodness of a rack of ribs or brisket. I may document and share some of those processes from time to time.

The all too usual disclaimer applies here: The opinions and views expressed here are only my own and not that of my employer, co-workers, or other organizations that I am associated with unless explicitly attributed to them.

Let’s get forensicating!