iPhone Forensics White Paper


Chapter 4: FTS iXAM

  1. Summary
  2. Installation
  3. Forensic Acquisition
  4. Results and Reporting
  5. Matrix of Results
  6. Conclusions

Summary (from Company Information)

Zero-Footprint Forensic Acquisition for Apple iPhone™ and iPod Touch™

iXAM® is able to provide comprehensive, non-invasive data recovery from the Apple iPhone™ and iPod Touch™.

iXAM® is proven to deliver a range of information potentially vital to law enforcement investigation, providing anything from a stored contact or text message to an email, photograph or specific map location. The forensic read is a byte level physical data copy which can be set to target specific data sets or the entire file system.

Our secure extraction technique creates a full forensic image of the device via USB download, which can be retained for additional investigations in the future. An evidential report can then be produced along with an XML audit trail covering the data extraction process.

iXAM® has recently been tested and verified by the National Institute of Standards and Technology (NIST).

Installation

The iXAM package arrived with a dongle, USB drive with software files and installation guide, and registration information. iXAM hosts an FTP site where users can connect and get updated software. In this case, I had to connect to the site and download recent updates. Following the instructions provided, this was a simple task. Prior to installation, the “provisioning” process must be completed on an Internet-connected machine. This step only needs to be performed once per USB media device. The manual provides a much more detailed description of this process. Following the provisioning process, which took about 5 minutes, I began the install via the setup.exe file provided. Prerequisites are first installed. This step required me to accept and continue through several prompts. Once the software is installed, a post-installation sequence is performed which purges all existing Apple Device drivers. The entire installation process, including provisioning and post-installation, took approximately 20 minutes.

Forensic Acquisition

After first installing iXAM, the user is prompted to configure the software; that is, you set a standard directory in which your case files will be created. The instructions in the manual step you through each of the settings and what they mean. Once this step was complete, I was ready to connect the device and begin the acquisition.

The acquisition of the 3G iPhone was a complex process, partially because I was working through a virtual machine. iXAM immediately found the connected device and proceeded to walk me through instructions to acquire data off of the device. I was able to successfully power off the device and then place it in DFU mode, with the help of a timer in the upper right-hand corner.

The next step involved installing drivers. Because I was using a virtual machine, I had to manually connect the device each time a driver needed to be installed, otherwise the driver install wizard would not be displayed. It is assumed that this would not be an issue when using a physical machine.

Figure 1.1. Driver Installation

Following this step, the Stage 1 bootloader had to be sent to the device. Next, I was asked to verify the hardware, then the Stage 2 and Stage 3 bootloaders were sent to the iPhone. Again, I ran into issues because the device kept getting disconnected from the virtual machine and had to be reconnected, but after getting past that, all stages completed successfully. The phone was then ready for imaging.

Figure 1.2. Verify Hardware

Figure 1.3. Ready for Imaging (after bootloaders sent to device)

I elected to choose the “Forensic Image” option as opposed to a logical download. I filled in the Case information, and clicked “Begin Download.”

Figure 1.4. Forensic Image – Acquisition Complete

The total acquisition time was estimated to take about 85 hours, so I let it run over the weekend. The image was started on a Friday evening and completed the following Tuesday morning at 4:53 am; however, the use of a virtual machine in testing could have been one reason for the excessive amount of time. The next release of iXAM is said to decrease the acquisition time by 75%.

Results and Reporting

The standard acquisition resulted in a 14.6 GB DMG file. To view this image, I first decided to mount it, read-only, on a Macintosh. I browsed through the folder structures to find a majority of the items. Most of the standard data could be viewed by looking at the database and plist files, including call logs, contacts, SMS, calendar events, pictures, etc.

I then decided to use iXAMiner, which is iXAM’s reporting tool. The log file or backup files can be used as a data source. I first chose the log file; however, I received the following error when selecting it:

Figure 1.5. HFS driver error

The manual states that this error is received because iXAMiner requires the installation of MacDrive software in order to parse the image file. After contacting iXAM, I was informed that future releases will include a native HFS reader to remove the reliance on third-party software.

Once I chose the backup file as a data source, I had the option to select from the following categories in order to create my report.

Figure 1.6. iXAMiner Main Screen

I chose to select all, then “Analyse Data.” This process took about 5 minutes, and the results were exported into an Excel file, with a different tab for each category. All logical data was extracted, with an example of the speed dials shown below. One nice feature of this tool is that it also shows the filename and path of the data source. For example, below, the speed dial information was gathered from the com.apple.mobilephone.speeddial.plist file. This is helpful for an examiner to explain where the data originated.

Figure 1.7. Speed Dials/Favorites

Since I was only able to view the allocated files with the reporting tool, I decided to do some file carving on the .dmg file in order to see if deleted items could be recovered. The data within these files could easily be viewed by opening each file with the appropriate application (in this case, I used SQLite Database Browser v1.3 for the .db files, and TextEdit for the .plist files).

I decided to run scalpel against the image, which was able to recover a lot more data than just viewing the mounted image. The following is a listing of the scalpel-output folder, which contains various types of data and 9,046 files:
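The header/footer carving that scalpel performs over the raw image is shown below as an added example; it is not code from this white paper, from iXAM or from the scalpel project. The disk image is constructed in memory, and the two signatures are an assumed subset of what a real scalpel.conf carries. The point it demonstrates is why carving finds what the mounted image does not: the scan walks every byte, allocated or not, so a deleted JPEG whose blocks have not been overwritten is still recovered.

```python
"""Header/footer file carving over a raw disk image, in the style of scalpel.

Added example (not code from the white paper, iXAM or scalpel). The image is
constructed in memory; the signature table is an assumed subset of a real
carver's configuration.
"""
from pathlib import Path

# (file type) -> (header bytes, footer bytes). Constructed subset of common
# carving signatures; real carvers list dozens and bound the maximum size.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10_000_000):
    """Return [(type, start_offset, data)] for every header with a footer.

    Unallocated space is scanned exactly like allocated space, which is why
    carving recovers deleted files that the mounted file system no longer
    lists. A header whose footer is not found within max_size is skipped here
    (carvers such as scalpel typically emit up to the maximum size instead).
    Known limitation shared with signature carving generally: a JPEG with an
    embedded EXIF thumbnail contains a second FFD9, so the carve may stop early.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    found.sort(key=lambda hit: hit[1])
    return found


def carve_to_dir(image: bytes, outdir: Path):
    """Write each carved object as <offset>.<type>, mirroring scalpel's naming."""
    outdir.mkdir(parents=True, exist_ok=True)
    names = []
    for ftype, offset, data in carve(image):
        name = f"{offset:08d}.{ftype}"
        (outdir / name).write_bytes(data)
        names.append(name)
    return names


def build_sample_image() -> bytes:
    """Constructed stand-in for a DMG: filler, a JPEG, a PNG and a truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body-1" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"no footer here"   # header only: not carved
    return b"\x00" * 64 + jpg + b"unallocated " * 4 + png + b"\x00" * 16 + truncated


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Run against a real image, `carve_to_dir(Path("image.dmg").read_bytes(), Path("carve-output"))` produces the same kind of offset-named files seen in the scalpel output folder; the offset in each name is what lets an examiner cite where in the image a recovered object came from.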

Figure 1.8. Scalpel Output

E-mails were one significant piece of information that was recovered. In the mounted image, I was only able to see mailbox information and contacts, not the message content itself. With scalpel, I was able to open each .email file using a text editor and view all of the content. I specifically searched for keywords that I knew were in either sent, received, or deleted e-mails on the device. Each of these keywords was located, along with the e-mail content surrounding it.

Figure 1.9. E-mails

The resulting scalpel files also included hundreds of .jpg, .gif, and .png images. Looking through these, I was able to find 1 of the 2 photos that were deleted from the iPhone. Also among these files were snapshots of the iPhone at random points in time. When a user switches between applications, the iPhone automatically takes a screenshot of the device prior to changing. Because of this, many images of this nature were recovered. A couple of examples are shown below, including one of the deleted photos that was recovered, a screenshot of the Gmail account, and the call logs at a point in time.

Figure 1.10. Deleted Picture

Figure 1.11. Screen shot of G-mail Messages

Figure 1.12. Screen shot of Call Logs

The next item I wanted to look at was potentially deleted SMS messages. To do this, I ran a strings search on the entire image looking for specific keywords. All SMS messages were located, including the 3 known deleted messages. An example of the command and output is as follows:
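The strings-plus-keyword pass described above, as an added example that is not part of the white paper or of iXAM: it reproduces what `strings image.dmg | grep -i keyword` does, but keeps the byte offset of every run of printable text so a hit in unallocated space can be cited by location in the report. The sample image and the message text are constructed; the SMS wording is invented for the example.

```python
"""Keyword search over printable strings in a raw image, with byte offsets.

Added example (not code from the white paper or iXAM). The image is
constructed in memory; the SMS text in it is invented.
"""
import re


def strings_with_offsets(image: bytes, min_len: int = 4):
    """Yield (offset, run) for each run of at least min_len printable ASCII bytes.

    Mirrors the default behaviour of the `strings` tool (ASCII, minimum 4).
    Text stored as UTF-16 would need a second pass with a wide-character pattern.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(image):
        yield match.start(), match.group()


def keyword_hits(image: bytes, keywords, min_len: int = 4):
    """Case-insensitive keyword search over the extracted strings.

    Returns dicts with the keyword, the byte offset of the containing string
    and the string itself, in image order. Strings in free or slack space are
    reported exactly like allocated ones, which is how deleted messages surface.
    """
    wanted = [(kw, kw.lower().encode("ascii")) for kw in keywords]
    hits = []
    for offset, run in strings_with_offsets(image, min_len):
        lowered = run.lower()
        for kw, needle in wanted:
            if needle in lowered:
                hits.append({"keyword": kw, "offset": offset,
                             "string": run.decode("ascii")})
    return hits


def context(image: bytes, offset: int, width: int = 16) -> bytes:
    """Raw bytes around a hit, for a hex dump in the examiner's notes."""
    return image[max(0, offset - width): offset + width]


def build_sample_image() -> bytes:
    """Constructed stand-in for an image holding SQLite pages; the last message
    sits in a region that the file system no longer references."""
    return (b"\x00" * 32
            + b"SQLite format 3\x00" + b"\x00" * 16
            + b"Meet at the pier at 7pm" + b"\x00" * 8
            + b"\xff\xfe" + b"ok see you" + b"\x00" * 8
            + b"unallocated page: Dinner reservation cancelled" + b"\x00" * 8
            + b"\x01\x02\x03ab\x00")   # "ab" is shorter than min_len, so not reported


if __name__ == "__main__":
    img = build_sample_image()
    for hit in keyword_hits(img, ["pier", "dinner"]):
        print(f"{hit['offset']:#010x}  {hit['keyword']:>8}  {hit['string']}")
```

For a 14.6 GB image, read the file in chunks (with a small overlap of min_len bytes between chunks so a string spanning a boundary is not split) rather than loading it whole as the sample does.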

Figure 1.13. Strings Output – Deleted SMS

Matrix of Results

The following are the results from the iXAM test:

Figure 1.14. iXAM Matrix of Results

Conclusions

Despite the length of time required for the acquisition of the device, iXAM separates itself from most of the other tools out there as it was able to acquire a full physical image of the iPhone. The resulting disk image file can be mounted on a Mac in order to view the files, or particular command-line tools can be run on the image to recover deleted information.

The following rankings establish iXAM’s overall weighted rating of 3.9 on the four criteria established at the beginning of this white paper.

Table 1.1. iXAM Rankings

Area           Weight   Rank
Installation     0.1    4.0
Acquisition      0.1    2.5
Reporting        0.1    3.5
Accuracy         0.7    4.2
TOTAL                   3.9
