iOS meaning of &quo...
 
Notifications
Clear all

iOS meaning of "networkKnownBSSList Key"?

4 Posts
3 Users
0 Likes
1,436 Views
(@anucci)
Posts: 21
Eminent Member
Topic starter
 

Hello Everyone.

I am trying to determine whether a device connected to a specific network at a specific date and time. I was able to obtain an extraction from the iOS device using Cellebrite and D AXIOM. I was able to find (using both tools), within the network connections, the SSID in question and with a connection date and time for "LastJoined" and "LastAutoJoined". No issues there.

My struggle comes with understanding what does it mean when additional connections show within the "networkKnownBSSListKey".
When drilling down the file system, I located the com.apple.wifi.plist (location where information on Access Points/Wi-Fi can be found). I was able to locate the entry for the Access Point in question, and it contained the "LastJoined" date and time, which is what pertains to my case. However, I also located another key called "networkKnownBSSListKey". Upon expanding this key I located numerous entries (for this same SSID) with a date and time listed as "lastRoamed". This entry also has a BSSID, some of them match the BSSID of the Access Point in question, but other do not. It should be noted the SSID is a public wi-fi network so the SSID (network name i.e starbucks) may be the same in different locations and the BSSID may differ (different MAC address for the router?).

In this case, the "LastJoined" date and time for the SSID in questions shows accurately in both tools, and it also displays in the TimeLine view on both Cellebrite and AXIOM as a network connection. However, the "connection" I found within the "networkKnownBSSListKey", displaying a "lastRoamed" date and time of only 10 minutes after the "lastJoined" does not display in the time line in AXIOM, but it does in Cellebrite. (?)

So… I am stumpped trying to figure out what it all means. Do the entries in the "KnownBSSListKey" mean the device connected to that network? or does it mean something else? Does anyone one previsely what "lastRoamed" means within that key?

I wonder why Cellebrite showed this as a "wireless connection" in the Timeline Report, while AXIOM did not… Did this device connect to the network, disconnect, then connected again? That is what I am trying to determine.

) Thanks for the help.

 
Posted : 20/12/2019 3:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

See if this applies
https://www.richinfante.com/2017/3/16/reverse-engineering-the-ios-backup

networkKnownBSSListKey - For enterprise/multi-ap networks, the phone maintains a list of all access points that have been connected.

  • CHANNEL - The AP’s channel
  • BSSID - The AP’s BSSID
  • lastRoamed - The last time the AP was connected.

jaclaz

 
Posted : 20/12/2019 4:08 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Would take some effort, but could you factory reset a test phone and then image it, then connect to specific wireless access points, etc, record network name and time, then reimage the iPhone for analysis of what changed in your specific file from the factory reset version to the “used” version.

You could vary the experiment by having the phone only in Bluetooth, only with WiFi on, only with cellular data turned on to compare each result.

 
Posted : 21/12/2019 1:06 am
(@anucci)
Posts: 21
Eminent Member
Topic starter
 

Thanks for your responses.

Jaclaz, I will look into the article, see how it all relates.

As UnnallocatedClusters suggested, I think I may have better say if I do some testing myself. That way, I can speak to how things are logged and can say for certainty what it means.

Thanks so much for all your help!

- Just one more day in forensics… test, test, and more tests. ) !!!

 
Posted : 23/12/2019 2:49 pm
Share: