Hello to everyone at Mobile Forensics World 2015 in Myrtle Beach, SC! 

Last week, I decided to do some experimenting with my Apple Watch. I wanted to see if the watch could contain data independent of its paired iPhone.  The answer to this is – YES.  Not only could it contain data, but it can also be used as an independent communication device.

For this to work, Apple Watch must have been paired with an iPhone at some point.  In addition, that iPhone must have had authenticated itself to the WiFi network on which Apple Watch will communicate on.  After the authentication information is passed over to the Apple Watch, the phone can basically be put into airplane mode, or completely turned off.

Depending on the user’s settings, Apple Watch will mimic being put into airplane mode when the iPhone is.  After ensuring the iPhone was in airplane mode, I proceeded to open the Messages application on Apple Watch.  I was able to look at old messages (text and iMessage) that reside on the watch.  I located a contact which I knew had iMessage and dictated a message.

Indication #1 that there was still a connection to the internet was that dictation still worked.  I selected to send the text version of the message rather than the audio version and it showed “delivered”.  A brief moment later, I received a reply directly on the watch from the other party. 

To ensure this was definitely happening, I turned my phone completely off, as well as my iMac, MacBook Pro, and iPad (just for good measure).  Again, I was able to send and receive messages in both text and voice memo format.  I allowed one voice memo to expire and disappear, while another was “kept” on the watch before the 2 minute expiration.  I also did a few screen captures on the watch, attempted to make a phone call, and attempted to send a regular SMS (non-iMessage).  As expected, the phone call and SMS failed.  Lastly, I attempted to launch a few apps like Twitter, Instagram and Skype.  All of these failed, but gave a visual indication that they required the phone to work properly.

Next, with the phone rebooted, but still in airplane mode, I conducted an advanced logical acquisition of my phone using UFED Physical Analyzer 4.2.1.7.  Almost immediately after the acquisition was done, I powered up the phone (approximately 12:31pm EDT).  I continued using the phone and watch, then ran a second advanced logical acquisition at 2:10pm EDT.

With both acquisitions loaded up, I ran a few searches for keywords from the messages I dictated solely on the watch – again, never having typed them into the phone itself.  The hits came up only in the second acquisition – as expected.  I have given up on looking for whatever keychain may exist that contains the SSID and PW for now, but I can only assume it is in there somewhere. I was able to play around with today would not work at a wifi hotspot which requires a user to enter a password in a browser window.  However, it is something that I will be testing nonetheless.

So, theoretically, if a subject wished to pair his/her watch to an iPhone, which has authenticated to a particular wifi network in the past, and that authentication is still valid (SSID and PW), the Apple Watch can be used as a standalone device for iMessage communications.   I know this is not what most (if any) person will do if they are buying Apple Watch.  But, pending further testing, it appears that a person could establish an anonymous iTunes account on a prepaid SIM and put it into an iPhone.  The user can then pair Apple Watch to that iPhone and subsequently authenticate to several WiFi access points they wish to use.  At this point, the user can basically dump the phone they used to get the watch going, and use that Apple Watch independently of the phone to communicate via iMessage with others using wifi.  Add to that the complexity of a free or pre-paid cell-based hotspot and tracking down that individual becomes more problematic – thinking gangs, drug rings, etc...  Granted, the message data may still be available on iCloud, but until we have the ability to connect directly to the Apple Watch and extract data (YES – there is a hidden service/diagnostic port connection on it), it may be challenging to identify the user’s email address on that iTunes account.  Even then, if we did connect to the watch directly, the question remains – can we extract actionable data?

Many theories… Many possibilities… I can only imagine we will soon be able to look at the health tracking information a bit closer. Imagine having access to heart rate logs and using data to narrow down a window of time related to someone's death.

What is best practice to deal with the Apple Watch?

Until we know what to do as best practice, we may want to NOT take the watch off of someone’s wrist!  IF they have set it to lock upon taking the watch off, you won’t have much luck getting back in there. The unlocking function is either done manually by the user on the watch itself, or, depending on the setting, will unlock when the iPhone is unlocked.  This also leads me to another question to attempt to answer.  Does the iPhone log when the watch is taken off, put back on, and even unlocked?  

Below are some things that are definitely interesting to look at using Physical Analyzer regarding my “offline” activity with Apple Watch.

Picture
Here are my outbound messages from the watch with no phone actively linked to it end up being parsed all together, by themselves as shown here from chat #577.


Click image for larger view.

Picture
Replies, although they came into the watch, end up put together with my prior conversations as shown here in row 254.  Remember, you are now looking at the post-sync advanced logical acquisition of my iPhone.


Click image for larger view.

Picture
Next, screen captures on the watch… here is a thumbnail (5003.jpg - from IMG_7049.PNG).  Notice the discrepancy in the time shown in the screen capture versus the file dates/times reported – the sync time is the time reflected as MAC times.

Click image for larger view.

Picture
A closer look at IMG_7049.PNG

Click image for larger view.


Picture
A closer look at the File Info tab on IMG_7049.PNG

Click image for larger view.



Picture
A closer look at the Hex View on IMG_7049.PNG

Click image for larger view.

Picture
More indications that the screen capture date/time is the sync time – you will see they are all within seconds of each other, most at the same time of course.

Click image for larger view.

Picture
Phone Call from Apple Watch

I attempted to call out via the watch. Apple Watch does not support wifi calling or Facetime calling at this point.  Of interest here is that although this is a “failed call” it did not log anywhere on the handset in the recent calls list.  It was not logged in the call logs within Physical Analyzer.  The only area I still need to look at is within all the binary plist files I have exported to see if there is anything in there about calls which have failed.

Click image for larger view.

Picture
Exploring the File System

I wanted to get this out and there is a lot more to explore within the file system of the iPhone which has been paired to the Apple Watch.  For example, here is a pre-written reply messages located within a file named com.apple.MobileSMS under /Lbrary/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains

Click image for larger view.

Picture
Apple Pay stuff is there... Still have to look closer at it all, but it is there. I don't suspect to find any surprises.

Click image for larger view.