Sherloc is a tool to support computer security clinics. It is meant to be run by a tech clinic consultant, allowing the consultant to enter findings and investigations. Then, Sherloc enables the consultant to create an evidentiary document synthesizing the consultation.
Sherloc is built on ISDI, which checks Android or iOS devices for spyware.
Right now, Sherloc only natively supports macOS and Linux. If you are using a Windows device, you can use the Windows Subsystem for Linux 2 (WSL2), which can be installed by following these instructions. After this, follow the remaining instructions as a Linux user would, cloning/running Sherloc inside the Linux container of your choice.
These instructions are written and tested for macOS users. We trust power (Linux) users know how to make the script work.
- Python 3.10 (check your version with `python3 -V`)
- adb
- expect
- ideviceinstaller
- wkhtmltopdf
  - This project uses `wkhtmltopdf` to generate the evidentiary document. The brew cask for `wkhtmltopdf` is deprecated, so you will need to download the appropriate `wkhtmltopdf` binary from the project website: https://wkhtmltopdf.org/downloads.html.
We rely on Homebrew to install packages on macOS.
Follow the steps at https://brew.sh/ to install the Homebrew package manager. Install the Xcode developer tools if prompted as well.
(Something along the lines of /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)")
Then install the project dependencies by running `brew bundle` in the sherloc subfolder.
- wkhtmltopdf
  - If installing on Mac, this error will appear when opening the .pkg file: "Apple could not verify “wkhtmltox-0.12.6-2.macos-cocoa.pkg” is free of malware that may harm your Mac or compromise your privacy." To fix this, go to System Settings > Privacy & Security > Security, find the message about the .pkg failing, click Open Anyway and continue the installation.
On Linux, install the dependencies with:

```shell
sudo apt install adb expect libimobiledevice-utils ideviceinstaller ifuse
```

Installing adb is not so straightforward in WSL2, and it won't work straight away. You have to make sure you have the same version of adb both in WSL2 and in normal Windows (check with `adb version`), then you need to start the adb process first in Windows, then in WSL2 (for example with `adb devices`).
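The WSL2 procedure above, as an added example (not part of Sherloc or ISDI): compare the two `adb version` outputs, then start the Windows server before touching it from WSL2. It assumes the Windows platform-tools `adb.exe` is reachable from WSL2 through interop (i.e. on the Windows PATH); the sample outputs are constructed, not captured.

```python
import re
import subprocess
from typing import Callable, Optional

ADB_WINDOWS = "adb.exe"  # assumed: Windows platform-tools adb on the Windows PATH, run via WSL interop
ADB_LINUX = "adb"        # the apt-installed adb inside WSL2

def parse_adb_version(output: str) -> Optional[str]:
    """Return the platform-tools release from `adb version` output, e.g. "34.0.4".
    platform-tools prints "Version 34.0.4-10411341"; the build id after the dash is
    ignored because it differs between the Windows and Linux packages."""
    m = re.search(r"^Version\s+(\d+(?:\.\d+)*)", output, re.MULTILINE)
    return m.group(1) if m else None

def versions_match(windows_output: str, wsl_output: str) -> bool:
    a, b = parse_adb_version(windows_output), parse_adb_version(wsl_output)
    return a is not None and a == b

def adb_version_output(binary: str, run: Callable = subprocess.run) -> str:
    return run([binary, "version"], capture_output=True, text=True, check=True).stdout

def bring_up_adb(run: Callable = subprocess.run) -> str:
    """Order matters: start the Windows server first, then list devices from WSL2.
    Stops on a version mismatch, since a different client would restart the server it finds."""
    win = adb_version_output(ADB_WINDOWS, run)
    wsl = adb_version_output(ADB_LINUX, run)
    if not versions_match(win, wsl):
        raise SystemExit(f"adb mismatch: Windows {parse_adb_version(win)!r}, WSL2 {parse_adb_version(wsl)!r}")
    run([ADB_WINDOWS, "start-server"], check=True)
    return run([ADB_LINUX, "devices"], capture_output=True, text=True, check=True).stdout

# Constructed sample outputs (not captured from real installs).
SAMPLE_WINDOWS = "Android Debug Bridge version 1.0.41\nVersion 34.0.4-10411341\nInstalled as C:\\platform-tools\\adb.exe\n"
SAMPLE_WSL = "Android Debug Bridge version 1.0.41\nVersion 34.0.4-debian\nInstalled as /usr/bin/adb\n"
SAMPLE_OLD = "Android Debug Bridge version 1.0.41\nVersion 28.0.2-debian\n"

if __name__ == "__main__":
    print(bring_up_adb())
```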
After Sherloc is installed, run the following command in the terminal (in the top-level directory of this repository):
```shell
cd sherloc
./sherloc.sh
```

There is an optional `--install` flag that installs requirements from requirements.txt. However, even without this flag, the script will notice if Sherloc fails and install the requirements anyway.
Sherloc runs with sudo by default, which is required to take screenshots on iPhones using pymobiledevice3. If you do not want to run Sherloc with sudo, use the `--nosudo` flag when running ./sherloc.sh.
Sherloc should open http://localhost:6200 in the browser.
iOS devices have two requirements if you want to take screenshots.
- Developer mode must be on (instructions below).
- Sherloc must be run with sudo, which is the default when using `./sherloc.sh`.
To turn on developer mode:
- Plug in the client’s phone.
- Open Xcode and start the OpenHaystack project.
- Go to Product -> Destination -> Manage Run Destinations.
- Choose the client’s phone as the run location and hit Run. If it says Developer Mode must be opted into, hit Cancel. Then enable Developer Mode on the phone in Settings > Privacy & Security > Developer Mode.
- Restart the phone.
Please see this article for more details on how to turn on developer mode using Xcode: https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device.
If you encounter errors, please file a GitHub issue with the server error output. Pull requests are welcome.
It is possible to view your device screen(s) in real time on the macOS computer in a new window. This may be useful to have while you are running the scan (and especially if you use the privacy checkup feature), as it will be easy for you to see the mobile device screen(s) in real time on the Mac side-by-side with the scanner.
You can mirror Android device screens in a new window using scrcpy, and cast iOS device screens on macOS with QuickTime 10 (launch it, choose File --> New Movie Recording, then pick the iPhone/iPad name from the dropdown next to the red record button).
The data downloaded and stored in the study are the following.
1. A sqlite database containing the feedback and actions taken by the user.
2. A phone_dump/ folder that holds dumps of some services on the phone. (For Android I have figured out what these are; for iOS I don't know how to get that information.)
The services that we can dump safely using dumpsys are the following.
- Application static details: package
- Sensor and configuration info: location, media.camera, netpolicy, mount
- Resource information: cpuinfo, dbinfo, meminfo
- Resource consumption: procstats, batterystats, netstats, usagestats
- App running information: activity, appops

See details about the services in notes.md.
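As an added example of collecting the dumpsys services listed above into a phone_dump/ folder (this is not Sherloc's or ISDI's own code): each dump is written to its own file and hashed, so the evidentiary document can reference exactly what was captured. The group keys, the `run` injection point and the sample dump text are assumptions; the stand-in runner lets the collector run offline.

```python
import hashlib
import subprocess
from pathlib import Path
from typing import Callable, Dict, List
# Service groups exactly as the README lists them; the group keys are ours.
DUMPSYS_SERVICES: Dict[str, List[str]] = {
    "application static details": ["package"],
    "sensor and configuration info": ["location", "media.camera", "netpolicy", "mount"],
    "resource information": ["cpuinfo", "dbinfo", "meminfo"],
    "resource consumption": ["procstats", "batterystats", "netstats", "usagestats"],
    "app running information": ["activity", "appops"],
}

def all_services() -> List[str]:
    return [s for group in DUMPSYS_SERVICES.values() for s in group]

def dumpsys_argv(serial: str, service: str) -> List[str]:
    """adb invocation that dumps one service from the device with this serial."""
    return ["adb", "-s", serial, "shell", "dumpsys", service]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def dump_services(serial: str, outdir: str, run: Callable = subprocess.run) -> Dict[str, str]:
    """Write each dump to <outdir>/<service>.txt and return {service: sha256 of the file}.
    Hashes let the evidentiary document reference the exact dumps it was built from;
    `run` is injectable so the collector can be exercised without adb present."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    digests: Dict[str, str] = {}
    for service in all_services():
        proc = run(dumpsys_argv(serial, service), capture_output=True)
        data = proc.stdout or b""
        if proc.returncode != 0:  # e.g. a service absent on this Android version
            data += b"\n[dumpsys failed rc=%d]\n" % proc.returncode + (proc.stderr or b"")
        (out / f"{service}.txt").write_bytes(data)
        digests[service] = sha256_hex(data)
    return digests

# Constructed sample output (not from a real device) for the stand-in runner below.
SAMPLE_DUMPS = {s: b"DUMP OF SERVICE %s\n" % s.encode() for s in all_services()}

def canned_runner(outputs: Dict[str, bytes]) -> Callable:
    """Stand-in for subprocess.run that answers `adb ... dumpsys <svc>` from `outputs`."""
    def run(argv, **_):
        svc = argv[-1]
        if svc in outputs:
            return subprocess.CompletedProcess(argv, 0, outputs[svc], b"")
        return subprocess.CompletedProcess(argv, 1, b"", b"Can't find service: " + svc.encode())
    return run
```

With a real device, `dump_services("<serial>", "phone_dump")` uses the default `subprocess.run` and the installed adb.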
For iOS, only the appIds and their names. Also, I got the "permissions" granted to the application. I don't know how to get the install date, resource usage, etc. (Any help will be greatly welcomed.)