iPhone Forensics – Paraben Device Seizure

Paraben Device Seizure (DS) is a forensic software tool that performs acquisitions on over 2,700 handheld devices (including phones, PDAs and GPS devices) and runs on Microsoft Windows. The package is designed to support the full acquisition and investigation process. Paraben stresses their ability to perform physical acquisition vs. logical ones as it provides the ability to recover deleted files and other important information. They have several packages which include the DS software and various cables for phone acquisitions.

Paraben also has a product (Paraben SIM Card Seizure) which allows an analyst to read or optionally clone a SIM however this does not ship with DS or the entry level packages. If analyzing or cloning the SIM card directly is important to you, make sure you either purchase this separately or a bundle that includes it.

The DS software allows an investigator to perform the acquisition, view data in various formats (ASCII, Hex, file and data viewers, etc.), bookmark important data, export data and run various reports. Paraben states DS can extract the following from cell phones (varies by model):

My initial installation of Device Seizure (DS) was version 2.2 and I was supplied with a dongle which required activation (a software license key option is also available). I did run into a few problems with the installation and activation and had to work through their Support group to resolve. This was a bit frustrating especially when the Support website would not email me my password (a problem I still have today). However, a phone call to Technical Support resolved the issues and I was up and running shortly thereafter.

I also should note that you need to install their DS Driver package which contains the drivers for various phones and syncing software such as ActiveSync and iTunes. This process was also cumbersome and required me to remove previous versions of installed software. In the end, I had to remove iTunes 8.0.2 and the driver package installed version 7.4.2.4. This required reboots and, frankly, large changes to my system. Since Paraben stated DS would not work in a VMWare environment, I was only left with the option to change the core Window XP install on my dual-boot workstation. Overall, the installation was a difficult and frustrating.

My initial acquisitions of the iPhone with DS 2.2 failed and while I was working with Technical Support, version 3.0 was released. There were anomalies again with the download and installation process. The DS 3.0 install simply ran the currently installed installation process and made no modifications to the system. After I completely uninstalled DS 2.2, I was able to install the 3.0 version. The dongle then needed to be updated and it pointed me to an invalid URL for downloading DS 3.0 (which I had already done so it was not a big deal). After I worked through these issues, though, things ran smoothly.

With the installation behind me, I was ready to start the acquisition. Paraben made this quite easy however there were multiple approaches to choose from and the Help section was not clear on the differences. After speaking with their Technical Support department, I had a better understanding of the two approaches available. An updated Help section on the iPhone would be a welcomed change and would ease iPhone acquisitions for new users.

After DS starts, you create a new case and enter basic information.

Figure 1.1. Paraben Device Information

Next, you specify information about the examiner.

Figure 1.2. Paraben Examiner Information

And then run the Acquisition wizard (note, you can also Import from an iPhone backup with the Import Wizard however this failed in 2.2 and I focused on the acquisition in 3.0).

Figure 1.3. Paraben Device Seizure Wizard

Next, you need to select how you want to acquire the iPhone. This is where the information from Paraben’s Technical Support was very helpful. Paraben provides two methods for acquiring data from an iPhone and named them “iPhone Advanced (logical)” and “iPhone Jailbroken Devices Only (logical)”. This was very confusing and when I read the Help, I decided to only perform the iPhone Advanced as the phone was not jailbroken. However, Support recommended running both acquisitions against an iPhone and this did yield good results.

Figure 1.4. Paraben Device Selection

DS detects the device and you are ready to start.

Figure 1.5. Paraben Summary of Selections

Both the iPhone Advanced and iPhone Jailbroken Devices Only (called iPhone Jailbreak in 2.2) methods were quite fast lasting only a few minutes each.

Figure 1.6. Paraben Acquisition Process

Paraben did a very good job extracting data from the iPhone using both the iPhone Advanced and iPhone Jailbroken Devices only plug-in (even though the iPhone was not Jailbroken). The Advanced plug-in extracted 2,856 items and the Jailbroken plug-in extracted 169. The Jailbroken recovered items such as the Music files which the Advanced plug-in was unable to extract.

When the acquisition is complete, DS presents the investigator with a user interface consisting of the case and acquired elements in a left pane and a window for the properties of the acquired data (MD5 and SHA1 hashes, Category and Description). There is a large pane for viewing the contents of a data elements and running the appropriate viewer. For instance, when viewing most SQLite database (although not all for some reason), the viewer windows display the data in a grid format. There are viewers for text, binary Plists, pictures, SQLite and more file types. Below the viewer, when appropriate, there are tabs to view the data in Text or hex.

Figure 1.7. Paraben History.plist

In the example above, you can see by extracting and exposing the History.plist for Google Maps that the analyst can view the start address, end address and more information presented to the user during their interaction with the application.

The bottom window will also show search results, bookmarks and attachments. Below is an example of the data grid displaying the Contacts SQLite data.

Figure 1.8. Paraben Address Book

If you want to export the SQLite database for further analysis, you can click on the Data node and select export. The file as well as a hash file are exported to a directory of your choosing and can be further analyzed as needed.

Another nice feature is the Sorter which will sort the acquired data by file type for quick review. The Sorter is a nice feature and worked fairly well but did miss some files that can be found by (tediously) going through the full list of acquired data in the case view.

Figure 1.9. Paraben Images

Searching is built in and fairly sophisticated including options to search text, hex, filename and Boolean variables. Searches were simple to execute and results were easy to examine.

Figure 1.10. Paraben Find

You have many reporting options, including various report types, custom selected files, bookmarks, etc.

Figure 1.11. Paraben Report Wizard

I chose the Investigative report and the following HTML report was generated.

Figure 1.12. Paraben Exported Case

Finally, you can (and likely should) export the acquired data (or items you selected individually or bookmarked) to the file system. This will allow for direct examination of SQLite files and other forensic techniques. To export, I chose a “Common Export” which exported the files directly to the file system instead of within a compressed (ZIP) archive.

Figure 1.13. Paraben Export Type

You can then select the items you want to export (Entire Case or Selected Items Only).

Figure 1.14. Paraben Export Mode

The export was quick and did not exhibit any problems. The results include an export of both the Binary and Data elements in the item, a properties file which details the MD5, SHA1, Category and Description of the data and an XML hash file which also contains the MD5 and SHA1 hashes.

The following are the results from the Paraben tests.

Device Seizure 3.0 is a significant improvement over version 2.2 for acquisition of the Apple iPhone. After installation is complete, the acquisition and reporting processes are fast and thorough. Aside from a physical (dd) acquisition, Paraben returned more data from the acquisition stage than any other product. The user interface for subsequent analysis is also quite mature and provides many features other tools lack.

The following ranking establishes Device Seizure’s overall rating of 2.9 on the four criteria established at the beginning of this white paper.

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this ground breaking white paper on iPhone Forensics that has gained recognition throughout the industry.

Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond servicing our clients immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.

One key strategy to minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day to day tasks. But the reality is that there are significant burdens including: