iPhone Forensics – What You Need to Know

Article written by HTCIA member David Shelton of Advanced Technology Investigators, LLC and published in issue 16 (October 2013) of eForensics Magazine.

One of the more popular cell phones to attempt a forensic examination on is the Apple iPhone, a smartphone that can hold tremendous amounts of data. A successful acquisition makes all the tedious, hard work quite satisfying for the forensic examiner: the examiner has overcome the challenges posed by each iPhone model and iOS version examined, and has most likely used multiple tools to acquire all the available data the iPhone can produce.

What you can expect from an iPhone forensic examination

Before we begin the step-by-step process, we must identify the types of acquisition available for the iPhone model and the iOS version running on the particular iPhone. The experienced examiner will know, or will research, whether the phone can be examined logically (data that can be seen) or with a physical examination (data that cannot be seen, such as deleted data). There are different tools for each method. The choice will depend on the tools available to the examiner, the circumstances of the case, and the data the examiner is looking for. Several forensic tools can acquire a physical image of the iPhone 4 and earlier models, such as the iPhone 3, 3G, and 4. At the time of this paper, there are no forensic tools that will perform a physical acquisition of the iPhone 4s or the iPhone 5.

The examiner will, however, still be able to recover a limited number of deleted text messages located in the logical database file, as well as data that can be carved from application files. Knowing as much as possible about the case will help the examiner pick the most appropriate of the available tools.
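To show why deleted messages can survive in a logical database file, the following added example (not part of the original article) assumes the file is a SQLite database, the format iOS uses for its SMS store. It builds a constructed sample, deletes every row, then walks the SQLite freelist and carves printable text from the freed pages; the table name, function names and message text are all hypothetical.

```python
import re
import sqlite3
import struct

def build_sample(path):
    """Constructed sample: a message table whose rows are inserted, then deleted."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")  # leave freed pages un-zeroed
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    rows = [(f"constructed msg {i}: meet at pier 7",) for i in range(300)]
    conn.executemany("INSERT INTO message(text) VALUES (?)", rows)
    conn.commit()
    conn.execute("DELETE FROM message")  # rows vanish from the logical view
    conn.commit()
    live = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    conn.close()
    return live

def freelist_pages(db):
    """Walk the freelist trunk chain; return (page_size, [free page numbers])."""
    if db[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", db[16:18])[0]
    if page_size == 1:  # header encodes 65536 as 1
        page_size = 65536
    trunk = struct.unpack(">I", db[32:36])[0]  # first freelist trunk page
    pages, seen = [], set()
    while trunk and trunk not in seen and trunk * page_size <= len(db):
        seen.add(trunk)
        off = (trunk - 1) * page_size
        nxt, count = struct.unpack(">II", db[off:off + 8])
        count = min(count, (page_size - 8) // 4)  # guard against corrupt counts
        leaves = struct.unpack(f">{count}I", db[off + 8:off + 8 + 4 * count])
        pages.append(trunk)
        pages.extend(leaves)
        trunk = nxt
    return page_size, pages

def carve_strings(db, min_len=8):
    """Return (page_number, text) for printable ASCII runs found in free pages."""
    page_size, pages = freelist_pages(db)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for page in pages:
        data = db[(page - 1) * page_size:page * page_size]
        hits.extend((page, m.group().decode("ascii")) for m in pattern.finditer(data))
    return hits
```

Read a working copy of the acquired file as bytes and pass it to `carve_strings`; carved runs may carry a few leading record-header bytes, so search them by substring.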

The Challenges

There are quite a few challenges in acquiring the data from an iPhone. Several tools are needed to examine the different types of files the examiner successfully acquires. Some forensic software packages have several different tools built in and already automated for the examiner. With other packages, you must conduct separate tasks with the phone in order to access all the data the iPhone can hold. The Apple iPhone was introduced into the market in 2007. Its proprietary operating system is iOS. One of the best-known challenges of the iPhone is the constant upgrades and patches made with each release of the iOS firmware. As cell phones evolve, the forensic software tools must do the same to attempt to keep up with the newest technology. There are teams of developers and hackers that constantly work to crack the iOS encryption so the device can be forensically examined. If you start researching iPhone forensics, you can find a multitude of books written specifically on the iOS operating system, how it works, and how to develop apps for it.

Preserving the Data

The very first and most important step in any digital forensic examination is to protect the source data from changing. There are arguable points as to how to accomplish this task. Do you simply turn the phone off, or do you protect the device with a Faraday cage to keep it from communicating with the wireless network? Because a cell phone is a mobile device, there are many ways in which it may suddenly have become an item of interest to be examined. The first responder at the scene may not be trained in cell phone forensics, and may not have the necessary tools to perform a triage on the spot. Even though a first responder may not be trained in preserving digital evidence, most first responders know that documentation is very important at any incident they may encounter; thus the words document…document…document must get burned into the first responder's brain. Taking a picture of the cell phone, its screen, and any visible ports before deciding whether to power the phone off or to Faraday-protect it is a reasonable and smart decision to make.
If the first responder has access to a Faraday cage, it is important to note that some iPhone models have a metal exterior showing around the edges of the phone. If you place a Faraday article against the metal of the phone, instead of blocking the cellular signal, you could actually cause the phone shell to act as an antenna and boost the signal to the iPhone. It's always good to have some way of isolating the phone from the actual Faraday protectant, just in case this situation arises. If Faraday protection isn't an option, placing the iPhone in airplane mode will disconnect the phone from the network as well. It is important for the first responder to document, and let the examiner know, in what state the iPhone will be arriving, so the examiner can reduce the chances that the data can be wiped from the user's account at a later time by the user. These steps, conducted properly, will allow the examiner to report the proper preservation of the data. The first responder and the examiner will be responsible for establishing a chain of custody that follows the cell phone from the time it is taken into possession until the conclusion of the case.

Want to read more, including information on iPhone forensic tools, types of data that can be found on an iPhone, the examination process, etc.? Download the entire article here and enjoy the entire article on page 48.
