iPhone Forensics White Paper


Chapter 7. Lantern

  1. Summary
  2. Installation
  3. Forensic Acquisition
  4. Results and Reporting
  5. Matrix of Results
  6. Conclusions

Summary (from Company Information)

Katana Forensics’ goal is to design affordable, intuitive tools for extracting data and artifacts from Smartphone devices without altering the evidence. Katana Forensics is a US-based company with an extensive background in law enforcement and computer forensics. Unlike similar products, our software does not require extensive training or costly service agreements and ever-changing hardware devices. With distribution in North America, Australia and Europe, Lantern is rapidly growing to be the tool of choice by law enforcement agencies, Fortune 500 Companies and e-Discovery firms around the world.

Lantern 2.0 will be available in early 2011, a major improvement on the already successful 1.x version. Future tools include SQLite Deleted data and Blackberry monitoring programs for law enforcement. In addition, Sean Morrissey, managing director of Katana Forensics, is the lead author of Mac OS X iPod and iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis which will be published in December of 2010.

Installation

To install Lantern, a disk image file was sent to me via e-mail. I mounted this image on a Macintosh system (a Mac is required for this software), and after dragging the application into the “Applications” folder, it installed right away. After opening the software, there was a “Register” button. Here, I entered the license information, which was also included in the e-mail. The installation process was one of the fastest and easiest of all the software tested.

Forensic Acquisition

To begin the acquisition, I opened up Lantern and started a New Case. I had the option to select only certain data to acquire such as Audio, Video, or Photos, but I opted to do the Full Acquisition.

Figure 1.1. Create a New Case



Clicking “Next” began the process; however, I first had to enter the passcode on the iPhone.

Figure 1.2. Acquisition Process



Acquiring data from the device took approximately 20-30 minutes, and the resulting case file was created and saved in the default directory.

Results and Reporting

Lantern displays the results in a simple format, with the data categorized on the left-hand side and the rest of the screen being a viewing pane. The following types of data are categorized: Device Info, Calls, Voicemail, Contacts, Messages, Notes, Calendar, Internet, Media, Photos, Dictionary, Maps, and VoiceMemo. Examples of some of these sections can be found below. For data that doesn’t fall within one of these categories, the investigator has the option to view the library directory, photo directory, applications directory, or just the overall artifact root directory. This option is located within the “Info” section.

Figure 1.3. Lantern – Info



Once you click on one of the directories (in this case, I selected the Artifact Root Directory), the folder structure automatically opens up. Here, you have the option to analyze all of the files acquired from the device, including SQLite database files, plists, pictures, web history, etc.

Figure 1.4. Artifacts Root Directory



The remaining sections contain the standard data. “Calls” lists all of the call history, including call time, number, duration, and status (outgoing/received/missed).

The “Voicemail” section goes one step further, and includes a link allowing the user to open and listen to the Voicemail:

Figure 1.5. Voicemail



The Messages section includes all SMS and MMS messages which were sent or received. Something unique about this section is that it separates the SMS and MMS messages. If an SMS is selected, the content appears below under the “Text:” heading. If an MMS is selected, the metadata and photo is displayed under the “MMS Data:” heading. In some of the other pieces of software, it is difficult to determine which messages are SMS vs. MMS.

Figure 1.6. Messages



The Internet section includes browsing history and bookmarks:

Figure 1.7. Internet



Within the Photos section, each image is displayed in a list:

Figure 1.8. List of Images



Once a picture is selected, the image, metadata, File Hash, and Exif Data all appear on the right-hand side:

Figure 1.9. Photo Metadata

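The two capabilities described above, browsing the raw SQLite databases and plists under the Artifact Root Directory and checking the File Hash that Lantern shows for each artifact, are things an examiner will often want to reproduce outside the tool, both to confirm that the acquired files were not altered during analysis and to cross-check what the tool reports against the source data. The following Python script is an added example written for this chapter; it is not Lantern's code and does not interact with Lantern. It builds a small constructed artifact tree (a `call_history.db` SQLite file and one plist under a `Library` directory), hashes every file into a manifest, re-verifies the tree, and decodes call records from the database opened read-only. The table layout and the meaning assigned to the `flags` column (4 = outgoing, 5 = incoming, duration 0 = missed) are assumptions chosen for the sample data, not a statement of any particular iOS version's schema, and should be confirmed against a known device before being relied on in a case.

```python
"""Hash an acquired artifact tree and decode call records from an
iOS-style call history database. Added example; the sample artifact
tree and the flag decoding below are constructed assumptions."""
import datetime
import hashlib
import os
import pathlib
import plistlib
import sqlite3
import tempfile

# Relative location of the call history database inside the sample tree.
CALL_DB_REL = os.path.join("Library", "CallHistory", "call_history.db")
PLIST_REL = os.path.join("Library", "Preferences", "com.example.sample.plist")

# Assumed decoding of the `flags` column for the constructed sample data;
# verify against a reference device before using it on real evidence.
FLAG_NAMES = {4: "outgoing", 5: "incoming"}


def build_sample_artifact_root():
    """Create a constructed artifact tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="artifact_root_")
    os.makedirs(os.path.dirname(os.path.join(root, CALL_DB_REL)))
    os.makedirs(os.path.dirname(os.path.join(root, PLIST_REL)))

    con = sqlite3.connect(os.path.join(root, CALL_DB_REL))
    con.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT,"
                " date INTEGER, duration INTEGER, flags INTEGER)")
    con.executemany(
        "INSERT INTO call (address, date, duration, flags) VALUES (?, ?, ?, ?)",
        [("+15555550100", 1287500000, 120, 4),   # outgoing, two minutes
         ("+15555550101", 1287503600, 45, 5),    # incoming, answered
         ("+15555550102", 1287507200, 0, 5)])    # incoming, never answered
    con.commit()
    con.close()

    with open(os.path.join(root, PLIST_REL), "wb") as fh:
        plistlib.dump({"DeviceName": "Sample iPhone", "LastBackupDate": "2010-10-19"}, fh)
    return root


def call_db_path(root):
    return os.path.join(root, CALL_DB_REL)


def hash_tree(root, algorithms=("md5", "sha1")):
    """Return {relative_path: {algorithm: hexdigest}} for every file under root.
    Files are opened read-only and streamed in 1 MiB chunks so large media
    files never have to be held in memory at once."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            hashers = {alg: hashlib.new(alg) for alg in algorithms}
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    for h in hashers.values():
                        h.update(chunk)
            manifest[os.path.relpath(full, root)] = {
                alg: h.hexdigest() for alg, h in hashers.items()}
    return manifest


def verify_tree(root, manifest):
    """Re-hash root and return the sorted relative paths whose digests changed,
    were added, or went missing since the manifest was taken."""
    current = hash_tree(root)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))


def read_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def read_calls(db_path):
    """Open the call history database read-only (mode=ro, so no journal or
    WAL file is written next to the evidence) and decode each row."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute(
        "SELECT address, date, duration, flags FROM call ORDER BY date").fetchall()
    con.close()
    calls = []
    for address, date, duration, flags in rows:
        status = FLAG_NAMES.get(flags, "unknown({})".format(flags))
        if status == "incoming" and duration == 0:
            status = "missed"
        when = datetime.datetime.fromtimestamp(date, datetime.timezone.utc)
        calls.append({"address": address, "time_utc": when.isoformat(),
                      "duration": duration, "status": status})
    return calls


if __name__ == "__main__":
    root = build_sample_artifact_root()
    manifest = hash_tree(root)
    for rel, digests in manifest.items():
        print(rel, digests["sha1"])
    for call in read_calls(call_db_path(root)):
        print(call)
    print("device name:", read_plist(os.path.join(root, PLIST_REL))["DeviceName"])
    print("changed since manifest:", verify_tree(root, manifest))
```

The manifest taken immediately after acquisition is the baseline; running `verify_tree` again after the analysis session gives a simple, documentable check that nothing in the artifact root was modified, and the digests can be compared directly with the File Hash values the tool displays for individual files.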


Other features include the ability to export a file as well as create a report. To do this, select the “Report” option at the top of the screen, then select from the options shown below which categories to include. In this example, I chose to include all sections.

Figure 1.10. Create Report



The resulting report is in the form of a .pdf file, and this one in particular was just under 5,000 pages long. The following displays the “Safari History” portion of the pdf file:

Figure 1.11. Sample PDF Report



Matrix of Results

The following are the results from Lantern:

Figure 1.12. Lantern Matrix of Results



Conclusions

The installation, acquisition, and analysis of the iPhone using Lantern was almost effortless. In addition to reporting most of the common data, Lantern also offers the examiner the option of viewing the source files acquired from the device. It is also important to note that, while the iPhone 4/iOS 4.0 was not tested in this paper, Lantern’s most recent version is one of very few tools that currently support acquisition of this model.

The following ranking establishes Lantern’s overall rating of 3.7 on the four criteria established at the beginning of this white paper (each rank is multiplied by its weight and the products summed).

Table 1.1. Lantern Rankings

Area          Weight   Rank
Installation  0.1      5.0
Acquisition   0.1      5.0
Reporting     0.1      4.5
Accuracy      0.7      3.2
TOTAL                  3.7

