Chapter 2. iPhone Forensics Overview and Techniques
The iPhone was introduced in January 2007 and by 2009 had taken 3rd place in smartphone sales. As of April 2010, over 50 million iPhones had been sold, and Apple is extending the iPhone operating system (iOS) to other devices including the iPad, iPod Touch and Apple TV.
The iPhone has an active hacking community which has yielded research and tools which support forensic investigations. Several commercial software packages now offer iPhone support and in September 2008, O’Reilly released “iPhone Forensics, 1st Edition” by Jonathan Zdziarski. Several other iPhone Forensics books are currently being written, including “iOS Forensic Analysis” by Sean Morrissey (to be published December 2010) and “Apple iOS Forensics” by Andrew Hoog and Katie Strzempka (Syngress Press, to be released May 2011).
This paper will review forensic tools available for the iPhone, perform forensic analysis with each tool and report on the installation, acquisition, reporting and accuracy of each tool. The 3G iPhone (firmware version 3.1.3) was used for the testing (compared to version 2.2 used in the first release), but this white paper may, over time, include other models and firmware versions.
The iPhone, like most complex electronic devices, is a collection of modules, chips and other electronic components from many manufacturers. Due to the complex and varied features of the iPhone, the list of hardware is extensive. The following information is based on the research published online.
Table 1.1. iPhone Hardware Components
| Function | Manufacturer | Model/Part Number |
|---|---|---|
| Application Processor (CPU) | Samsung | S5L8900B01 – 412 MHz ARM1176Z(F)-S RISC, 128 Mbytes of stacked, package-on-package DDR SDRAM |
| 3D graphic acceleration | Imagination Technologies | PowerVR MBX Lite |
| UMTS power amplifier (PA), duplexer and transmit filter module with output power detector | TriQuint | TQM676031 – Band 1 – HSUPA; TQM666032 – Band 2 – HSUPA; TQM616035 – Band 5/6 – WCDMA/HSUPA PA-duplexer |
| UMTS transceiver | Infineon | PMB 6272 GSM/EDGE and WCDMA PMB 5701 |
| Baseband processor | Infineon | X-Gold 608 (PMB 8878) |
| Baseband’s support memory | Numonyx | PF38F3050M0Y0CE – 16 Mbytes of NOR flash and 8 Mbytes of pseudo-SRAM |
| GSM/EDGE quad-band amp | Skyworks | SKY77340 (824- to 915-MHz) |
| GPS, Wi-Fi, and BT antenna | NXP | OM3805, a variant of PCF50635/33 |
| Communications power management | Infineon | SMARTi Power 3i (SMP3i) |
| System-level power management | NXP | PCF50633 |
| Battery charger/USB controller | Linear Technology | LTC4088-2 |
| GPS | Infineon | PMB2525 Hammerhead II |
| NAND flash | Toshiba | TH58G6D1DTG80 (8 GB NAND Flash) |
| Serial flash chip | SST | SST25VF080B (1 MB) |
| Accelerometer | ST Microelectronics | LIS331 DL |
| Wi-Fi | Marvell | 88W8686 |
| Bluetooth | CSR | BlueCore6-ROM |
| Audio codec | Wolfson | WM6180C |
| Touch screen controller | Broadcom | BCM5974 |
| Link display interface | National Semiconductor | LM2512AA Mobile Pixel Link |
| Touch screen Line Driver | Texas Instruments | CD3239 |
The Samsung CPU is a RISC (Reduced Instruction Set Computer) processor that runs the core iPhone processes and works in conjunction with the PowerVR co-processor for graphics acceleration. The CPU is underclocked to 412 MHz (from a possible 667 MHz), presumably to extend battery life.
The baseband processor is the component in the iPhone that manages all the functions which require an antenna, notably all cellular services. It has its own RAM and firmware in NOR flash, separate from the core resources, and functions as a resource to the main CPU. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM. [XXX]
The Apple iPhone’s operating system, iOS, is a variant of Apple’s core operating system, OS X. Based on the same Mach kernel and sharing some core elements with OS X 10.5 (Leopard), iOS is composed of four layers: the Core OS, the Core Services API, the Media layer and the Cocoa Touch layer. Entire books are dedicated to the operating system and the development of applications. Research into these areas will improve an analyst’s skills and could be central to solving investigations. Also, the iPhone software development kit (SDK) is free to download after registration and is recommended for anyone performing forensic analysis on the iPhone.
Like any forensic investigation, there are several approaches that can be used for the acquisition and analysis of information. A key aspect of any acquisition, arguably the most important, is that the procedure does not modify the source information in any manner. If it is impossible to eliminate all modifications, the analyst must document the changes and the reasons why they were necessary.
The following points highlight the various techniques utilized by the products tested.
- Logical: This approach acquires data directly from the iPhone and is preferred over recovering files from the computer the iPhone was synced with (details at http://viaforensics.com/iphone-forensics/forensic-analysis-iphone-backup-directory.html). However, the forensic analyst must understand how the acquisition occurs, whether the iPhone is modified in any way, and what the procedure is unable to acquire.
- Backup: Analyze a backup or logical copy of the iPhone file system using Apple’s protocol. This procedure reads files from the iPhone using Apple’s synchronization protocol but is only able to acquire files explicitly synchronized by the protocol. Many key pieces of information are stored in SQLite databases, and these are supported by the protocol. By querying the databases directly, you can generally recover more information, such as deleted SMS, call logs and contacts.
- Physical bit-by-bit copy: This process creates a physical bit-by-bit copy of the file system, similar to the approach taken in most computer forensic investigations. While this approach has the potential for the greatest amount of data recovered (including deleted files), the process is more complicated and requires sophisticated analysis tools and techniques.
Another key consideration for an iPhone forensic tool is how it handles an iPhone that has a passcode set. Several products offer different strategies for this situation, each with their own benefits and drawbacks.
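The point above about querying SQLite databases directly rests on how SQLite deletes rows: with secure_delete off (the usual default), a deleted row's cell is only marked free, so its bytes remain in the page until reused. The following Python is an added example, not part of this paper or of any tool reviewed in it; it builds a constructed message store with hypothetical table and column names (not Apple's schema), hashes the file before and after analysis as an acquisition should, lists the rows the engine still reports (the logical view), and then carves the table pages for text that no live row accounts for.

```python
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data, not from any real device. Table and column names
# are hypothetical placeholders, not Apple's sms.db schema.
MESSAGES = [
    (1, 1272000000, "Meeting moved to 3pm"),
    (2, 1272000600, "Bring the signed copy"),
    (3, 1272001200, "Lunch tomorrow?"),
    (4, 1272001800, "Sure, noon works"),
    (5, 1272002400, "Wire the funds to acct 7781"),
]
DELETED_IDS = (3, 5)  # rows the user deleted before the phone was acquired

def build_sample_db(path):
    """Create the constructed store, then delete two rows. secure_delete is
    forced OFF: SQLite only marks the freed cells, it does not zero them."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, date INTEGER, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?,?,?)", MESSAGES)
    conn.commit()
    conn.executemany("DELETE FROM message WHERE id=?", [(i,) for i in DELETED_IDS])
    conn.commit()
    conn.close()

def hash_file(path):
    """MD5 and SHA-1 of the acquired file, taken before and after analysis so
    the evidence copy can be shown to be unmodified."""
    data = Path(path).read_bytes()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def live_messages(path):
    """Logical view: only the rows the SQLite engine still reports as allocated."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    rows = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY id")]
    conn.close()
    return rows

def carve_remnants(path, live):
    """Raw scan of the table pages for printable runs that no live row accounts
    for. Page 1 (file header and sqlite_master) is skipped so schema text is
    not reported as a remnant. Adjacent cells are separated by small varints,
    so a deleted row's text does not run together with a live one."""
    raw = Path(path).read_bytes()
    ps = int.from_bytes(raw[16:18], "big")   # page size field; value 1 means 65536
    page_size = 65536 if ps == 1 else ps
    runs = [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{8,}", raw[page_size:])]
    return sorted({r for r in runs if not any(t in r for t in live)})

def run_demo():
    """Build the sample, acquire it and return the findings for inspection."""
    with tempfile.TemporaryDirectory() as d:
        db = str(Path(d) / "messages.db")
        build_sample_db(db)
        before = hash_file(db)
        live = live_messages(db)
        remnants = carve_remnants(db, live)
        return {"hashes": before, "unmodified": hash_file(db) == before,
                "live": live, "remnants": remnants}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The live list holds three messages while the carved remnants still contain the two deleted texts, which is exactly the gap between what the sync protocol returns and what direct analysis of the database can recover.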
A 3G iPhone running firmware 3.1.3 and not jailbroken was used for this forensic analysis. The phone was heavily used including:
- Email, contacts and calendar (Microsoft Exchange Active Sync with Exchange 2007)
- Web browsing (news, Gmail accounts, Google, etc.)
- Phone calls, voicemail, text messages (some deleted), multimedia messages
- App store (Facebook, Google Earth, Sudoku, Memory Lock, Paper Toss, Twitter, WiFi Plus, TripAdvisor, iCamcorder)
- Wi-Fi network
- Pictures (some deleted)
- YouTube movies
- Google Maps
- Notes
- GPS
For obvious privacy reasons, personal information will be redacted as needed throughout the report. A comparison of what each tool is able to extract will be a primary focus of this white paper.
Each forensic tool is rated on four general areas based on the following percentages:
Table 1.2. Forensic Tool Analysis Areas
| Area | Weight | Description |
|---|---|---|
| Installation | 10% | This covers installation, activation and updates of the forensic tool |
| Acquisition | 10% | This covers the acquisition process |
| Reporting | 10% | This covers the reporting process |
| Accuracy | 70% | This covers the accuracy and completeness of the information acquired |
To determine the accuracy of a forensic tool, I compared the results of the acquisition to the expected results and assigned a numeric score between 0 and 5 for each of the 27 scenarios outlined below. If a tool failed to recover any data in a particular area, it was rated a 0 for that category. A rating of 1, 2 or 3 indicated that some information was recovered but it did not meet the expected result. A rating of 4 indicated the tool met the expected result. A rating of 5 indicated the tool exceeded the expected result, including recovering deleted data and/or more information than other tools were able to recover. For readability, I also included the following text description of each rating:
- 0: Miss
- 1-3: Below
- 4: Meet
- 5: Above
If a forensic tool provided multiple methods to acquire information from the iPhone and the analysis took place separately, I provide rankings for each method and then the overall tool is assigned a total rank.
The rankings in this white paper are based on my individual experiences and should be considered my opinion only. I am not recommending or endorsing any forensic tool or technique reviewed. I strongly encourage investigators to test the forensic tools themselves (many offer a demo version) and form their own opinions of each product.
The following chart illustrates the 26 test scenarios and expected results.
Table 1.3. Test Scenarios
| Scenario | Description |
|---|---|
| Call Logs | Determine whether the tool can find call log information on the phone. – iPhone contained a fully populated Call Log; no entries were deleted. – Expect that tool can connect, acquire and report on full call log containing 100 records. – Expect remnants of purged logs can be recovered and reported. |
| SMS | Determine whether the tool can find Short Message Service (SMS) information on the phone. – iPhone contained 7 SMS conversations, each with multiple messages. Total messages were 49. Deleted 2 conversations (with 3 messages), resulting in 46 total messages. – Expect that tool can connect, acquire and report on 46 undeleted SMS messages. Expect remnants of deleted SMS messages can be recovered and reported. |
| MMS | Determine whether the tool can find Multimedia Message (MMS) information on the phone. – iPhone contained 2 MMS messages; none were deleted. – Expect that tool can connect, acquire and report on 2 undeleted MMS messages. |
| Contacts | Determine whether the tool can find Contact information on the phone. – iPhone contained 2486 contacts. Deleted 3 contacts, resulting in a total of 2483. – Expect that tool can connect, acquire and report on 2483 undeleted Contacts. Expect remnants of 3 deleted Contacts can be recovered and reported. |
| Email | Determine whether the tool can find email messages on the phone. – iPhone was synchronized with Exchange 2007 and contained thousands of emails. – Expect that tool can connect, acquire and report on several hundred email messages. Expect remnants of deleted or purged email messages can be recovered and reported. |
| Calendar | Determine whether the tool can find Calendar information on the phone. – Calendar contained 4 appointments and no entries were intentionally deleted; however, during normal usage some appointments were likely deleted. – Expect that tool can connect, acquire and report on 4 Calendar items. Expect remnants of deleted or purged Calendar items can be recovered and reported. |
| Notes | Determine whether the tool can find Notes information on the phone. – iPhone contained 1 note and 1 note was deleted. – Expect that tool can connect, acquire and report on 1 undeleted note. Expect remnants of the deleted note can be recovered and reported. |
| Pictures | Determine whether the tool can find image files on the phone. – iPhone contained 7 pictures taken with the on-board camera and 2 that were deleted. – Expect that tool can connect, acquire and report on 5 remaining undeleted pictures. Expect remnants of deleted pictures can be recovered and reported. Expect that pictures downloaded by various iPhone applications, including the Safari web browser, the Facebook application and more, can be recovered and reported. |
| Songs | Determine whether the tool can find music files on the phone. – iPhone contained 654 songs synchronized via iTunes from a host PC. No songs were deleted. – Expect that tool can connect, acquire and report on 654 undeleted music files. |
| Web History | Determine whether the tool can find web browser history information on the phone. – Expect that tool can connect, acquire and report on browser history entries. Expect remnants of deleted browser history can be recovered and reported. |
| Bookmarks | Determine whether the tool can find bookmarks from the Safari web browser on the phone. – iPhone contained 3 Safari bookmarks and 1 was deleted. – Expect that tool can connect, acquire and report on 2 undeleted user bookmarks. Expect remnants of the deleted bookmark can be recovered and reported. |
| Cookies | Determine whether the tool can find web browser cookie information on the phone. – iPhone contained numerous cookie files from web browsing via Safari and other applications. – Expect that tool can connect, acquire and report on Safari cookie files. Expect cookie files of other applications can be recovered and reported. |
| Applications | Determine whether the tool can find Application information on the phone. – iPhone contained 9 Applications and 2 that were deleted. – Expect that tool can connect, acquire and report on 7 undeleted applications and their associated information. Expect remnants of deleted applications can be recovered and reported. |
| Google Maps | Determine whether the tool can find Google Maps information on the phone. – iPhone contained the Google Maps application and it was used for location information and directions. No information was deleted from this application. – Expect that tool can connect, acquire and report on Google Maps information including history of location information and directions. Expect remnants of map tiles (images) can be recovered and reported. |
| Voicemail | Determine whether the tool can find Voicemail information on the phone. – iPhone contained 5 voicemail messages and 1 that was deleted. – Expect that tool can connect, acquire and report on 4 undeleted voicemail messages. Expect remnants of deleted voicemail can be recovered and reported. |
| Passwords | Determine whether the tool can find various application and network password information on the phone. – iPhone contained various passwords from Applications and network resources such as Wi-Fi, Apple iTunes ID and more. – Expect that tool can connect, acquire and report on application and network passwords. Expect remnants of deleted passwords can be recovered and reported. |
| Configuration files | Determine whether the tool can find phone and application configuration files in the XML and Plist formats on the phone. – iPhone contained many XML and Plist configuration files. In the course of normal usage, some configuration information would have been deleted. – Expect that tool can connect, acquire and report on many XML and Plist configuration files. Expect remnants of deleted configuration files can be recovered and reported. |
| Phone Information | Determine whether the tool can report on basic phone information. – iPhone is a GSM device and contains basic identification information such as IMSI, IMEI, ICCID, MSISDN (Phone Number), Serial Number, phone name, Wi-Fi MAC address and Bluetooth MAC address. – Expect that the tool can connect, acquire and report on the basic phone information listed above. |
| Video | Determine whether the tool can find video information on the phone. – iPhone contained 6 videos and 1 deleted video. 2 were created using the iCamcorder app, 4 were imported via iTunes. – Expect that tool can connect, acquire and report on 5 undeleted video files. Expect remnants of 1 deleted video file can be recovered and reported. |
| Speed Dials | Determine whether the tool can find Speed Dial information on the phone. – iPhone contained 2 Speed Dials (Favorites) and 1 was deleted. – Expect that tool can connect, acquire and report on 1 undeleted Speed Dial favorite. |
| GPS | Determine whether the tool can find GPS information on the phone. – iPhone contains a GPS device and software, and many applications use this information. – Expect that tool can connect, acquire and report on GPS information including coordinates and date/time from various application usage. |
| File Hashes | Determine whether the tool creates MD5 or SHA1 hashes for information on the phone. – Expect that tool will create MD5 hashes for files extracted from the iPhone. |
| YouTube | Determine whether the tool can find YouTube video information on the phone. – iPhone was used to watch YouTube videos via the YouTube Application. – Expect that tool can connect, acquire and report on YouTube videos viewed. |
| HTML | Determine whether the tool can find cached HTML files on the phone. – iPhone was used to browse many web sites and cached files from this activity are located on the phone. – Expect that tool can connect, acquire and report on HTML files on the phone from Safari and other applications. |
| Office Documents | Determine whether the tool can find Office documents (PDF, Word, Spreadsheets and PowerPoint) on the phone. – iPhone contained office documents that were downloaded through email or the Safari web browser. – Expect that tool can connect, acquire and report on office documents located on the phone. |
| Wi-Fi | Determine whether the tool can find Wi-Fi connection information on the phone. – iPhone was connected to 1 Wi-Fi connection; none were deleted. – Expect that tool can connect, acquire and report on 1 Wi-Fi connection. |
Table 1.4. Expected Results
| Scenario | Expected Result |
|---|---|
| Call Logs | 100 |
| SMS | 5 threads/46 total messages (deleted 2 threads/3 total messages) |
| MMS | 2 |
| Contacts | 2483 (deleted 3) |
| Email | Synced with Microsoft Exchange and Gmail accounts |
| Calendar | 4 events |
| Notes | 1 (deleted 1) |
| Pictures | 5 (deleted 2) |
| Songs | 654 |
| Web History | No history was deleted |
| Bookmarks | 2 (deleted 1) |
| Cookies | Unknown |
| Applications | 7 (deleted 2) |
| Google Maps | Yes |
| Voicemail | 4 (deleted 1) |
| Passwords | Wi-Fi password |
| Configuration files (Plists/XML) | Unknown |
| Phone Information | Yes |
| Video | 5: 4 iTunes/1 recorded from device (deleted 1) |
| Speed Dials | 1 (deleted 1) |
| GPS | Unknown |
| File Hashes | N/A |
| YouTube | Unknown |
| HTML | Unknown |
| Office Documents | Unknown |
| Wi-Fi | 1 Connection |
Forensic testing was performed on either a Windows XP Professional (SP3), Mac, or Linux workstation depending on the software requirements. The tests were performed in the following order:
- UFED – Cellebrite
- iXAM – FTS
- Oxygen Forensics for iPhone
- .XRY – Micro Systemation
- Lantern – Katana Forensics
- MacLockPick – SubRosaSoft
- Mobilyze – BlackBag Tech
- Physical DD – Jonathan Zdziarski
- Device Seizure – Paraben
- MobileSyncBrowser – Vaughn S. Cordero
- CellDEK – Logicube
- EnCase Neutrino – Guidance Software
- iPhone Analyzer
MOBILedit Forensic was originally on the list as well; however, at the time of testing the software only supported iPhone firmware version 3.0 or lower. It is possible that a release since then supports more recent versions.
For each software application, I will provide a brief overview of the software and forensic process. I will also provide feedback on the installation process, user interface, acquisition process and the results of the acquisition.
One important consideration in the evaluation of iPhone forensics tools is whether the tool performs a physical or logical analysis. By its very nature, a physical acquisition, which creates a bit-by-bit copy of the disk image, can recover deleted data. We debated whether to have separate ratings, or even separate white papers, for the different tool types, but ultimately felt that this white paper is a practical evaluation of iPhone forensics tools from the perspective of a forensic examiner. Such an examiner would want to understand all tools in an evaluation, regardless of their techniques. For those reasons, we kept our methodology consistent across tools but felt it was important to note the difference.
Furthermore, physical acquisition and analysis take a considerable amount of time and expertise. For that reason we always attempt a logical analysis first (many examiners have shared a similar approach). If that method is sufficient for the investigation, we can quickly move on to the next case. Thus, logical analysis software plays an important role in the investigation and analysis of an iPhone or any other mobile device.