Business Times

Information found during an iPhone Forensics Investigation


According to Gartner, the worldwide total installed base for smartphones is currently around 7 billion units. The end-user spending has continued to shift from low-cost “utility” phones toward higher priced “basic” and “premium” smartphones.

Cybercrime is defined as “unlawful acts wherein a computer is either a tool or a target or both and include tampering with computer source documents, hacking, accessing protected system, breach of confidentiality and privacy, data diddling, forgery, financial crimes, virus/worm attack, e-mail spoofing, e-mail bombing, salami attack, cybersquatting, cyber defamation, trojan attack, Internet time theft, web jacking, publishing of obscene information in electronic form, child pornography and cyber stalking”. There is virtually no difference between a smartphone and a computer today. Hence, the cybercrimes committed using the computers are now carried out using a smartphone. These cybercrimes have triggered the rapid growth of mobile forensics, a field of digital forensics.

A mobile phone generally belongs to a single person, so an analysis of it could reveal a lot of personal information. SMS, contacts, installed applications, GPS data, emails and deleted data can be easily extracted by syncing the mobile phone to a computer using software. However, the device class, device name, WiFi address, telephony capability, hardware model and iOS version information can be gathered by connecting it to a forensic workstation regardless of whether the phone is locked or unlocked.

In this article, we will focus on Apple iOS mobile forensics. The iPhone has a single disk with two partitions. The first one is the firmware partition. It is a read-only partition and is overwritten by iTunes with the new partition when an upgrade is performed. This partition contains system files, upgrade files and basic applications. The second partition contains user data and will be the focus of most forensics investigations. The iTunes applications reside in this partition along with the profile data of the user.

iTunes performs an automated backup during the sync process and/or when an upgrade to iOS is performed. The data about the latest backup, the IMEI number along with the phone number can be found in the backup folder. The native iOS applications such as Calendar, Text Messages, Notes, Photos and Address Book utilise a database structure to store and organise the data. The Property List is used to store various types of data on iOS operating systems including the configuration data, browsing history, favourites and other application related data. The forensics examiner will find valuable evidence in the second partition.

The most common evidence acquisition technique is pulling data from an iTunes backup. A logical API type method, jailbreaking and obtaining a physical image of the storage hardware are used to pull data for investigations. However, each iOS model will require different methods based on the case under consideration. The heightened security policies in organisations and general user awareness of theft have prompted users to lock the device using a passcode. The forensic examiner will first try to secure the passcode from the owner and immediately disable the passcode requirement if the phone is accessible. If not, the forensic examiner will resort to offensive techniques like password cracking and jailbreaking. Once the device is unlocked, the auto-lock feature will be set to “never” and the device placed in “airplane mode” for the duration of the investigation. The “airplane mode” setting removes the ability of an outside entity to perform a remote wipe of the device and thus tamper with the evidence after seizure.

There is a growing market of tool sets to acquire data from an iPhone. The tools allow the forensics examiner to gather evidence on SMS, call logs, calendar events, contacts, photos, web history, email accounts and many more.

Here is a sample list of native as well as third party application information that can be retrieved from the database using appropriate forensics tools:

  •  Device Information: Information about the account which was used to set up applications and the installed application list including the computers paired with iOS devices and lockdown
  •  AppStore, Apple applications’ settings and configurations including preinstalled iOS applications
  •  The Safari related information is important from the forensic perspective. Even if the user deletes cache or history from the browser, the file in which this information is stored would not be deleted.
  •  Last SIM card used, Call History including call details. This file remains even if the user deletes call history and hence, forensically this is very important information.
  •  SMS, MMS, voicemail and iMessages sent or received including the attachments and the drafts.
  •  Information on IP networking viz., router, network address and server used previously including the known Wi-Fi networks and timestamp of last joined.
  •  Audio recordings including related information and pictures created by the user such as photos captured by camera or screenshots, photo albums synced with clouds as well as a computer. Thumbnails and information about images can be used to recover deleted images.
  •  Address Book and the images associated with contacts.
  •  Emails sent, received or drafted for each account.
  •  The fade-out effect feature is forensically valuable: information can be gathered from it, and there is a possibility that screenshots of deleted SMS may be available.
  •  Facebook, Skype and WhatsApp profiles used to log in from this device and related information including chat history
  •  Local copies of opened files in the cloud storage applications Dropbox and Google Drive are saved in the cache folder and contain user information like name, surname, and email.

Forensics examination is always performed on the backup dataset. It is possible to obtain some data even after a factory reset of the device using an appropriate tool. Further, some models will not reveal call history, calendar, notes, contacts or messages due to the introduction of data protection techniques, although there are forensics tools which can still show the data in the clear. The tools provide access and a viewer into files that the forensic examiner may choose to preview in iOS. Since this is executed against the iTunes backup, the evidence is forensically sound as no changes are made to the data. The typical mode is to run the tool against a workstation backup from iTunes or from the phone if a previous backup is not available.
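The backup-folder details and property lists described earlier, and the point that examining a backup leaves the data unchanged, can be shown together. The following is an added example, not code from the article or from any forensic tool: it reads the Info.plist of an iTunes backup folder read-only and hashes it before and after. The file name and key names are assumptions based on how iTunes backups are commonly laid out, and the sample backup is constructed.

```python
import hashlib
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path

# Keys commonly found in the Info.plist of an iTunes backup folder
# (assumed from the general backup layout, not taken from the article).
FIELDS = ("Device Name", "Product Type", "Product Version",
          "Serial Number", "IMEI", "Phone Number", "Last Backup Date")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_backup(backup_dir: Path) -> dict:
    """Read device details from Info.plist without modifying the file."""
    info = backup_dir / "Info.plist"
    before = sha256_of(info)
    with info.open("rb") as fh:  # read-only; XML and binary plists both load
        data = plistlib.load(fh)
    if sha256_of(info) != before:
        raise RuntimeError("Info.plist changed during examination")
    report = {key: data.get(key) for key in FIELDS}  # None marks an absent key
    report["sha256"] = before  # recorded for the examiner's notes
    return report

def make_sample_backup(root: Path, with_imei: bool = True) -> Path:
    """Constructed sample data standing in for a real backup folder."""
    backup = root / "constructed-backup"
    backup.mkdir()
    sample = {"Device Name": "Example iPhone", "Product Type": "iPhone9,3",
              "Product Version": "11.4", "Serial Number": "EXAMPLE000001",
              "Phone Number": "+00 000 0000",
              "Last Backup Date": datetime(2018, 1, 1, 12, 0, 0)}
    if with_imei:
        sample["IMEI"] = "000000000000000"
    with (backup / "Info.plist").open("wb") as fh:
        plistlib.dump(sample, fh, fmt=plistlib.FMT_BINARY)
    return backup

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage_backup(make_sample_backup(Path(tmp))).items():
            print(f"{key}: {value}")
```

Run it against a working copy of the backup folder, and keep the recorded hash with the case notes so the file can be re-verified later.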

(Today’s column deals with some of the issues that the Treasury Bond Commission is dealing with in terms of mobile phone data, etc. The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA), a board member of the (ISC)2 Colombo Chapter and ISACA Sri Lanka Chapter. He can be emailed at
