With tens of millions of iPhones in use, rife with personal data and always connected to the Internet, the device will be (is) an irresistible target for malware, spyware, identity thieves and more (you get the idea):
Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.
via First iPhone worm discovered – ikee changes wallpaper to Rick Astley photo | Graham Cluley’s blog.
As more and more consumers use smart phones and the thousands of apps in the various market places, I am very concerned about an increase in identity theft, spyware, malware, etc. I understand Apple’s code review process is rigorous but as with any highly competitive market, everything happens fast. Will Apple, Google and others do enough to protect their users or will speed to market win (and consumers lose)?
A maker of some of the most popular games for the iPhone has been surreptitiously collecting users’ cell numbers without their permission, according to a federal lawsuit filed Wednesday.
The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.
via Backdoor in top iPhone games stole user data, suit claims • The Register.
While it is possible to recover video files from the iPhone 3GS, it is not a simple task. After considerable research, here’s what I’ve found:
Point 3 is what is really making things difficult. The larger the file is, the more fragmentation occurs, a result of the wear leveling that Apple (and other vendors) implement to use the storage evenly and avoid disproportionately wearing out parts of the drive. One researcher I collaborate with stated:
“The spare data at the end of the blocks holds the key. We at least figured out that the available data sheets are wrong. We can piece together information based on available logical sector numbers, but they are sometimes missing or corrupted.”
A lot of research will have to go into the closely guarded wear-leveling algorithms different vendors use in order to recover the larger files.
As far as the specific 3GS video file format goes, we pieced together the file signature/magic numbers for the file format. They are:
Header: 0000 0014 6674 7970 7174 2020 0000 0000
Footer: 2f00 0004 0066 7265 6500
After the footer, there is a series of all 0’s but we have not determined if it is a fixed amount or dynamic based on file size. Stay tuned for more updates.
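An added example (not from the original post or the researchers' tooling): a minimal sequential carver that scans a raw image for the header and footer signatures listed above. Because it reads the dump in order, it recovers only unfragmented clips and flags the rest as incomplete, which is the limitation the wear-leveling discussion describes. The function names, the `max_size` cap and the sample image are assumptions constructed for illustration.

```python
"""Sequential carver for the 3GS video signatures quoted in the post (added example)."""

# Signatures exactly as listed in the post. Bytes 4-11 of the header are
# ASCII "ftyp" + "qt  "; bytes 5-8 of the footer are ASCII "free".
HEADER = bytes.fromhex("00000014667479707174202000000000")
FOOTER = bytes.fromhex("2f000004006672656500")


def carve(image, max_size=64 * 1024 * 1024):
    """Return (start, end, complete) for every header found in a raw image.

    complete is False when no footer appears before the next header or
    within max_size bytes (max_size is an assumed cap, not from the post).
    That is how a fragmented or partly overwritten clip looks to a carver
    that reads the dump in order.
    """
    results = []
    start = image.find(HEADER)
    while start != -1:
        next_header = image.find(HEADER, start + len(HEADER))
        limit = min(len(image), start + max_size)
        if next_header != -1:
            limit = min(limit, next_header)
        foot = image.find(FOOTER, start + len(HEADER), limit)
        if foot != -1:
            results.append((start, foot + len(FOOTER), True))
        else:
            results.append((start, limit, False))
        start = next_header
    return results


def build_sample():
    """Constructed image: slack, an intact clip, zero fill, a clip with no footer."""
    intact = HEADER + b"\x11" * 300 + FOOTER
    broken = HEADER + b"\x22" * 120  # footer missing, as after fragmentation
    return b"\xff" * 64 + intact + b"\x00" * 32 + broken + b"\xff" * 16


if __name__ == "__main__":
    for start, end, complete in carve(build_sample()):
        state = "complete" if complete else "no footer (fragmented?)"
        print(f"offset {start:#x}-{end:#x}: {state}")
```

Run it against a working copy of the image, never the original evidence, and treat every incomplete hit as a lead for manual reassembly rather than a recovered file.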
Details of the SMS exploit for the iPhone will be released today at the Black Hat conference. Apparently, Apple was notified 1 month ago, but there is no word yet. Android was also vulnerable but has been patched; apparently Windows Mobile is still vulnerable.
There will be a paradigm shift in the near future as people realize their mobile devices are full-blown computers with an enormous amount of personal information about you and your company available. They’re also perpetually networked… that’s the point. Phone, SMS, Internet, WiFi… it’s online and powerful. When you combine all the personal data with literally billions of devices on the market, it’s a target that will be diligently exploited at every corner. Details below:
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
via Your iPhone: Soon to be iPwned? | TechBlog | Chron.com – Houston Chronicle.
Recovering deleted text messages on the iPhone… it isn’t easy, but it is possible. Once an SMS or text message is deleted it remains stored, although hidden, on the iPhone for a period of time. The storage of the deleted text message is not permanent because it is eventually overwritten with other data. The more the phone is used between deletion and recovery, the lower the chances of recovering the text message.
There are a number of iPhone data extraction devices and techniques available, but most of those don’t recover deleted text messages. See iPhone Forensics – White Paper. The different and emerging versions of the iPhone make recovering deleted text messages or SMS messages all that much more difficult. Different code and software are needed when working on different versions.
There are two main ways the deleted text message may be recovered. One is by extracting the deleted message itself. A more time-consuming method is to review all screenshots saved by the phone and then recovered using an extraction technique. This is time-consuming because the information is in the form of an image, cannot be searched and must be manually examined.
Unless you know you are using the correct procedure based on iPhone model and version, you could mistakenly and permanently remove the information you are attempting to recover. Therefore it is important to have someone with experience in this area before attempting to extract the deleted text messages. viaFORENSICS has this kind of experience.
The Apple iPhone is unlike most smart phones on the market in that trained experts can successfully recover deleted text messages (and other deleted items), provided certain steps are taken. The below steps will help ensure you have a total recovery of the deleted items you want.
Stop using the iPhone immediately
First, time is everything. If possible, completely stop using the iPhone. Place the iPhone in airplane mode or turn it off. Or you can remove the SIM card if you prefer. The longer you use the iPhone, the less likely a full or even partial recovery is possible.
Do’s (or Steps to follow to maximize recovery of deleted text messages)
Don’ts (or Things to avoid when trying to recover deleted text messages)
Oftentimes, people approach us weeks or months after their text messages have been deleted. While we are sometimes able to make partial recoveries (message fragments), full recovery at that point is nearly impossible. However, if your text messages are deleted and you follow the steps above immediately, I guarantee full recovery or we’ll provide a 100% refund on the fee we charge.
If you are interested in this topic more, please check out our free iPhone Forensics white paper, contact us at 312-283-0551 or complete the form below. Good luck and should you need to recover a deleted text message (or other file from the iPhone), we hope to hear from you.
Good news for those of us in the business of computer/mobile forensics: the latest trend in web applications is to cache (even more) data on the device. This will make the recovery of potentially important data/evidence easier, provided you have the proper training, tools and technical knowledge. The latest upgrade to Gmail provides these types of changes and is likely just the beginning:
These features include a graphics tool called Canvas, “persistent storage,” and an “application cache,” explains Shyam Sheth, product manager on Google’s mobile team. Canvas is something of an alternative to the popular Adobe Flash software that’s commonly used to create graphics and animation on the Web. Persistent storage provides a way for data, originally on a remote server (such as Google’s e-mail servers), to be stored locally, on the device. The HTML 5 application cache keeps important information about an application on the device that allows it to open quickly, as if it were running directly on the hardware instead of remotely. The iPhone version of Gmail uses only HTML 5, whereas Android uses a combination of HTML 5 and Gears (a Google software add-on that enables its Web apps to run offline).
I just released a free, 101-page iPhone Forensics white paper. I hope that you find this paper useful and will consider continuing the discussion by participating in our forums to help advance this exciting and emerging discipline.
Apple filed comments with the U.S. Copyright Office recently (as part of the 2009 DMCA triennial rule making) arguing that jailbreaking the iPhone constitutes copyright infringement and a DMCA violation. Several groups and individuals have posted comments on how this interpretation of the DMCA is incorrect and serves only to limit or hurt the consumer. Certainly if Apple’s interpretation became law, it would pose an obstacle in some analysts’ minds to Jonathan Zdziarski’s effective technique for forensically analyzing the iPhone, even though this technique is technically not jailbreaking the iPhone.
For the past month, I have been working on an iPhone Forensics white paper and I will release it in the next few weeks. I maintain a separate website for the iPhone side of our business as this is a specialized skill set. Please take a look at the articles, HOWTOs and definitely register for the white paper which will be out soon. The report will provide an overview of the iPhone and a thorough analysis of the various forensic tools available today.