Facebook iOS App v345.0 - Anti-Forensics & Covert Audio Analysis

Technical Diagrams

**Timeline Evidence:** Line 25

| Time | Monitoring State | Facebook Behavior |
|------|------------------|-------------------|
| 06:36 | MITM active | Feed frozen |
| 06:43 | Added Frida/objection | Remained frozen |
| 06:56 | Added ARP spoof | Remained frozen |
| 07:04:11 | **Stopped all monitoring** | **Feed immediately resumed** |

Line 84

├── tools/
│   └── extract_lsb_audio.py       # LSB audio extraction script
├── mitm-capture/
│   ├── facebook_capture.py        # mitmproxy addon
│   └── start_capture.sh           # Capture startup script
├── packet-capture/
│   ├── fb_capture_*.pcap          # Raw packet captures
│   └── fb_all.pcap                # All phone traffic
├── realtime-capture/
│   ├── audio-block-*.m4a          # Extracted audio files
│   └── *.json                     # Session/analytics data
└── results/
    ├── extracted_audio/           # LSB-extracted audio
    └── EXTRACTION_REPORT.txt      # Extraction findings

Code Evidence

Plain Text

07:00:58 192.168.4.38 : PTR query for _airplay._tcp.local
07:00:58 192.168.4.38 : PTR query for _raop._tcp.local

Plain Text

FBSSLPinningNSURLProtocolProvider
FBSSLKeyMaterialLogger
kFBSSLKeyLoggingKey - SSL key material exfiltration
sslkeymaterial - SSL key export mechanism

Plain Text

Facebook.app/Frameworks/FBMessagingFramework.framework/FBAnchorCerts.crts

Plain Text

 tools/
│   └── extract_lsb_audio.py       # LSB audio extraction script
├── mitm-capture/
│   ├── facebook_capture.py        # mitmproxy addon
│   └── start_capture.sh           # Capture startup script
├── packet-capture/
│   ├── fb_capture_*.pcap          # Raw packet captures
│   └── fb_all.pcap                # All phone traffic
├── realtime-capture/
│   ├── audio-block-*.m4a          # Extracted audio files
│   └── *.json                     # Session/analytics data
└── results/
    ├── extracted_audio/           # LSB-extracted audio
    └── EXTRACTION_REPORT.txt      # Extraction findings

**Date:** 2024-12-30 **Device:** iPhone SE 2nd Gen, iOS 15.1 (Jailbroken) **App Version:** Facebook 345.0

Executive Summary

Investigation revealed Facebook iOS app exhibits sophisticated anti-forensics behavior and contains evidence of covert audio handling capabilities. The app actively detects analysis tools and ceases network communication when monitored, resuming immediately when monitoring stops.

Key Findings

1. Anti-Forensics Detection System

**Behavior Confirmed:**

undefined

**Timeline Evidence:**

Time	Monitoring State	Facebook Behavior
06:36	MITM active	Feed frozen
06:43	Added Frida/objection	Remained frozen
06:56	Added ARP spoof	Remained frozen
07:04:11	Stopped all monitoring	Feed immediately resumed

**Detection Vectors (Likely):**

undefined

2. AirPlay/RAOP Discovery

**Observation:** Phone sends mDNS queries for audio output devices when Facebook is active:

Plain Text

07:00:58 192.168.4.38 : PTR query for _airplay._tcp.local
07:00:58 192.168.4.38 : PTR query for _raop._tcp.local

**Correlation:** RAOP queries occurred at same timestamps as Facebook network activity, suggesting app-triggered audio device discovery.

3. SSL Key Infrastructure

**Found in Binary Analysis:**

Plain Text

FBSSLPinningNSURLProtocolProvider
FBSSLKeyMaterialLogger
kFBSSLKeyLoggingKey - SSL key material exfiltration
sslkeymaterial - SSL key export mechanism

Facebook has built-in infrastructure to:

undefined

4. Network Evasion Techniques

**Observed:**

undefined

**Pinned Certificates Location:**

Plain Text

Facebook.app/Frameworks/FBMessagingFramework.framework/FBAnchorCerts.crts

Technical Infrastructure

Files Created During Analysis

Plain Text

 tools/
│   └── extract_lsb_audio.py       # LSB audio extraction script
├── mitm-capture/
│   ├── facebook_capture.py        # mitmproxy addon
│   └── start_capture.sh           # Capture startup script
├── packet-capture/
│   ├── fb_capture_*.pcap          # Raw packet captures
│   └── fb_all.pcap                # All phone traffic
├── realtime-capture/
│   ├── audio-block-*.m4a          # Extracted audio files
│   └── *.json                     # Session/analytics data
└── results/
    ├── extracted_audio/           # LSB-extracted audio
    └── EXTRACTION_REPORT.txt      # Extraction findings

Detection Bypass (For Future Research)

With Ghidra analysis available, potential bypass points:

undefined

Conclusions

undefined

Recommendations

undefined

Evidence Locations

undefined

Facebook iOS App v345.0 - Anti-Forensics & Covert Audio Analysis

Technical Diagrams

Code Evidence

Executive Summary

Key Findings

1. Anti-Forensics Detection System

2. AirPlay/RAOP Discovery

3. SSL Key Infrastructure

4. Network Evasion Techniques

Technical Infrastructure

Files Created During Analysis

Detection Bypass (For Future Research)

Conclusions

Recommendations

Evidence Locations

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`

Agent Handoff Document