iTunes Forensic Analysis
A Practitioner’s Guide to locating fruits of a crime when explicit files are shared on a local network.
By now most examiners in the digital forensic community have become familiar with Gnutella-based (peer-to-peer) software programs where users can download from and share all types of files with the world. For approximately ten years the capability of sharing all types of multimedia files has extended to local networks by use of the iTunes application and Gnutella-based software programs. Two types of sharing features are incorporated in the iTunes application since version 9; one which allows iTunes users to access (stream) files from a shared library, and the other allows users to import shared files.
The first version of iTunes (v1.0) was released by Apple, Inc. in January, 2001.2 Since the release of this paper, 10.4.0.8 was the latest available version and can be downloaded for free from the Apple iTunes Web site (http://www.apple.com/itunes/). The primary purpose of the iTunes program was to provide users with a “one-stop-shop” to organize music, movies, audio books, TV Shows, and more.
Since version 9.x, iTunes has the ability to share files between other iTunes users on a local network by use of a service discovery called Bonjour. Bonjour is also known as zero-configuration networking that enables the automatic discovery of any node, (computers, printers, services, etc.) which uses the industry standard Internet protocol.3 The implementation of Bonjour into iTunes has become a key component on most other applications by Apple that are used on peer-to-peer and client-server networks. When the computer’s registry or file system is examined and the Bonjour service is identified, a forensic examiner will know one or more Apple applications are installed.
Starting with v4, the Digital Audio Access Protocol (DAAP) was introduced into iTunes’ audio player where the music sharing server listens on TCP port 3689. The DAAP is used to not only share music across a local network, but to list a user’s playlist as the host.6
What prompted the writing of this paper? In a recent child pornography case, two software programs of interest were installed on a suspect’s laptop computer: LimeWire 5.2.13 and iTunes 126.96.36.199. The user did not modify any default settings in LimeWire and therefore downloaded files from the peer network were shared with the world. However, the prosecution took the distribution charge off the table and focused primarily on possession of child pornography. The user downloaded numerous videos from the peer-to-peer (P2P) network using LimeWire with filenames indicative of child pornography. The video files were found in the default LimeWire folders (Incomplete and Saved), which were located under the user’s profile. The Saved folder contained the fully downloaded files found in the Public Shared List of LimeWire. But the main focus from the prosecution’s standpoint was mainly the iTunes program and how it shares files on a local network. Although the distribution charge was no longer a consideration, discovery in the capability of iTunes and the interaction with P2P programs might indicate the user’s possible intent, or at least their knowledge, of sharing video files from the iTunes Library on a local network.
The child pornography case initially stirred up when the suspect and his colleague (witness) were temporarily assigned to a foreign country. Both stayed in separate rooms where each room in the hotel provided a desktop computer with Internet access. However, the available computers were not in English. Therefore the two employees had disconnected the Ethernet cable from the hotel room computer and attached the cable to their personal laptops to gain access to the Internet. With iTunes also installed on the witness’ laptop, the witness opened the program one evening and discovered on the left side-bar of the iTunes interface a shared folder that contained a nickname that he recognized as his colleague (suspect). Out of curiosity, the witness clicked on the shared folder and noticed a list of video files with filenames indicative of child pornography. The witness took a screen shot (print screen) of his iTunes program interface and reported the discovery to his immediate supervisor. Shortly thereafter an investigation was opened, but unfortunately and for unknown reasons, the law enforcement agency did not seize the suspect’s laptop computer until a month after the incident. The suspect’s laptop and the paper copy of the iTunes screen shot were submitted to the computer forensic lab for examination and analysis.
Since 2010, the forensic lab has received many more criminal cases that involved the iTunes application along with P2P software programs.
The iTunes application contains five main sources: Library, Store, Shared, Genius, and Playlists. The main sources have separate purposes, but primarily each one is used by users to access, organize, and/or share multimedia files. The two sources of primary interest are the Library and Shared, where the iTunes Library consists of sub-sources (Music, Movies, TV Shows, Podcasts, and Radio). Files listed in the iTunes Library will either contain files that were added by iTunes upon the initial startup or files that were added by the user.
Only upon the initial startup of iTunes, early versions would prompt the user to scan the computer for audio files on the file system and add the music to the iTunes Library. However, recent versions (10x) will now scan a computer system for video files as well. If the user chooses to not have iTunes scan the system upon the initial startup, the Library would remain empty; any files added to the iTunes Library thereafter would typically result from user interaction.
Of the many preference settings involved with the program, iTunes incorporates two types of sharing features: Home Sharing and Shared Library.
Home Sharing is designed to let users stream and transfer music, videos, and more with up to five other computers on a local network, and is intended to be the easiest way to copy items from an iTunes Library to a Mac or PC.5 The stream and transfer of files is much like a Gnutella-based software program. However, in order for the Home Sharing feature to be used some requirements must be fulfilled, and should be noted by the forensic examiner when performing analysis. The requirements: iTunes must be version 9 or later, an Apple ID must be associated with an iTunes or App Store account, and there must be a local network connection with access to the Internet. This shared feature can be recognized by a house with a musical note.
Shared Library allows users to only stream media files from iTunes Libraries that are shared on a local network, and does not require users to log into an account. When users share media files from their iTunes Library, other iTunes users on a local network can immediately listen to music or watch videos from their iTunes interface. Shared Library is disabled by default and would require user action to enable sharing of any files within the iTunes Library. If enabled, users have the ability to share their entire iTunes Library all at once or specific categories (Music, Music Videos, Movies, Audio Books, etc.) can be selected individually. This shared feature can be recognized by an icon that depicts a stack of documents with a musical note.
Local Network Sharing
A few iTunes Preference settings will come to light with regards to how iTunes behaves on a local network. The screen shots in Figures 1 through 3 were obtained from iTunes version 10.1.2, but the settings for the Shared Library feature are the same for version 9 and later. Depending upon which iTunes version and which operating system iTunes is installed on, the Preference settings are typically accessible from the file menu.
Figure 1 displays the General tab in the iTunes Preferences. Take note of the Library Name Paul’s Library. When iTunes is installed on a computer system, it captures the user account name (Paul) and appends an apostrophe S (‘s) with a space and the word ‘Library’. When a user enables sharing of their iTunes Library, the Library Name is displayed on the iTunes program used by other users on a local network. The Library Name will be adjacent to the Shared Library icon (stack of documents with musical note). The Sharing tab in the Preferences reveals the Shared Library settings (Figure 2). The Look for shared libraries option is enabled by default, and allows iTunes to automatically locate any shared libraries on a local network. By default, iTunes does not share files listed in the Library on a local network; the Share my library on my local network option is disabled. When the option is enabled by the user, more sharing options become accessible (Figure 3). The user can share their entire iTunes Library or select one or more specific categories (playlists). Any of the playlists selected remain active regardless if iTunes or the computer system is restarted. In Figure 3, Share selected playlist is enabled and Movies is the only playlist selected for sharing.
Regardless if music or movie files are shared from an iTunes Library, the behavior remains the same to any type of file that is compatible with iTunes. Testing both iTunes version 188.8.131.52 and 10.1.2.17, two videos where added to the Library, and based on the Preference setting for sharing movies, the two video files are shared on a local network. As shown in Figure 4, right-clicking on the Movies library item from the side-bar confirms movies are shared, which incidentally can be disabled from the dropdown menu shown.
Figure 5 displays the iTunes program from a second computer connected to the same local network where the Music library source is selected, one song is displayed on the interface. The side-bar on the left of the main screen displays Paul’s Library adjacent to an icon (stack of documents with a musical note).
This quickly identifies the Shared Library feature is enabled on a computer connected to the local network. Depending upon the Library name, it may also identify who is sharing their iTunes Library. However, if the Library Name was changed from its default (user account name) to Albert Einstein’s Files, users on a home network could possibly know who might be sharing their iTunes Library, but in a large network used in a government or corporate business, it would be difficult to positively identify which user was sharing their iTunes Library. In other words, there is no definitive way from the iTunes program to identify a particular computer on the network by means of an IP address or Media Access Control (MAC) address.
When Paul’s Library is selected from the side-bar, the two videos are displayed in the right pane to other iTunes users on the local network, as long as their default iTunes Preference option Look for shared libraries remains enabled.
If the arrow to the left of the Shared Library icon to Paul’s Library is selected, iTunes will display a dropdown menu. By looking at the dropdown menu list, an iTunes user on the network would be able to determine whether the host was sharing their entire iTunes library or just specific categories. In Figure 6, only Music and Movies are shared.
Other iTunes users on the local network can play any of the two shared videos. Unlike Home Sharing, the Shared Library feature only allows users to access the shared files, not import/save them to their system.
Known Facts #1
Based on testing and the discovery of the iTunes functionality…
- Upon initial startup and with default settings (users can disable), iTunes will scan a computer system to search for audio files only (early iTunes versions) or audio and video files (later versions) and add the multimedia files to the iTunes Library.
- With the exception of the above fact, iTunes does not dynamically add files to the Library; it takes user interaction to add compatible multimedia files individually or adding groups of files from a parent folder to the Library.
- Any text entered in the Library Name under the iTunes preferences is displayed to other iTunes users on a local network.
- Sharing is not enabled by default, and therefore takes user action to enable sharing of either the entire Library or specific playlists in the Library.
- It cannot be determined when the Shared Library feature was enabled on a user’s system.
- Shared Library only allows other iTunes users on the network to access (stream) shared files for listening or viewing of music or videos, respectively; the files cannot be saved to their system.
- AppleScript, (2011), Doug’s AppleScripts for iTunes, Retrieved from http://www.dougscripts.com/itunes/itinfo/itunes602info.php.
- The Apple Museum, (2010), Timeline of iPod and iTunes, Retrieved from http://www.theapplemuseum.com/index.php?id=43.
- Developer; Open Source, (2011), Bonjour, Retrieved from http://developer.apple.com/opensource/.
- iTunes Support, (Jan. 6, 2011), iTunes: What are the iTunes Library files?, Retrieved from http://support.apple.com/kb/HT1660.
- iTunes Support, (Feb. 5, 2011), iTunes: Understanding Home Sharing, Retrieved from http://support.apple.com/kb/HT3819.
- SourceForge.net, (2010), Digital Audio Access Protocol, Retrieved from http://daap.sourceforge.net/docs/index.html
Paul B. Ciaccio, DFCP|CFCE|CDFE|CEECS|EnCE, works in Advanced Information Systems at General Dynamics and is contracted to the Defense Computer Forensics Laboratory in Linthicum, Maryland. He can be reached at email@example.com or firstname.lastname@example.org.