July 10th, 2009 by ahoog

iPhone Forensics White Paper – WOLF

iPhone Forensics – WOLF

Andrew Hoog and Kyle Gaffaney

viaFORENSICS

June 2009


Chapter 1. WOLF by Sixth Legion (1.8/5.0)

1. Summary (from Company Information)

WOLF (by Sixth Legion, LLC., a division of Innovative Digital Forensic Solutions, LLC.) is a forensic tool designed specifically for the iPhone and supports all iPhone models (2G and 3G) running any firmware version (1.0 – 2.2). The software only runs on Mac OS X (10.4.11 or greater), although a Windows version (called Beowulf) will be released soon. A dongle is required to run the software and you must install the Code Meter framework to activate the dongle. WOLF is able to bypass the security pass code (iPhone, SIM or both) without jailbreaking the iPhone, provided you have access to a physical computer that the phone has been used with. WOLF also claims to be the only iPhone forensic software that does not modify the iPhone (i.e. place an acquisition utility on the iPhone during acquisition) to perform acquisition. WOLF acquires data from the iPhone using a logical copy of the data and presumably cannot recover deleted data. The following data is recovered:

  • Handset Info
  • Contacts
  • Call Logs
  • Messages
  • Internet Info
  • History
  • Photos
  • Music/Videos

2. Installation

To acquire data from an iPhone, WOLF must be installed on Mac OS X 10.4.11 or higher, running on an Intel CPU. The software requires a dongle and an activation process. CodeMeter software is used to activate and verify the dongle, and the installation of this software is straightforward. After running the software and creating your activation key, you compress the resulting file (zip) and then email it to .

Figure 1.1. Code Meter Control Center

I sent the activation key around 10:30PM on a Sunday evening and received the reply around 2:40PM the following afternoon. After running the License Update wizard again and uploading the licensing file, the software was ready to use.

3. Forensic Acquisition

Performing a forensic acquisition of an iPhone using Wolf is quite intuitive. After the application is properly licensed, you simply run WOLF and click Acquire. You are prompted to input the examiner detail information.

Figure 1.2. Wolf Acquisition

Conveniently, WOLF remembers this information and allows you to select the Agency and Examiner from previous investigations. This is one example that, while minor, shows how an intuitive user interface assists in at least the speed of an acquisition, if not more.

Next, you supply information about the device you are going to acquire (iPhone, iPod Touch or Backup Folder) along with additional descriptive information. An important note about WOLF is that they state they can circumvent the pass code if set on an iPhone, provided you have access to the computer the iPhone was synced with.

Figure 1.3. Wolf Acquisition 2

After you confirm this information, you select the type of data you wish to acquire.

Figure 1.4. Wolf Acquisition 3

Once you hit Acquire, the acquisition begins.

Figure 1.5. Wolf Acquisition Progress

The acquisition only took about 2 minutes. A direct iPhone acquisition process has advantages over relying on the analysis of the backup files which may be out of date or unavailable. However, WOLF does support analyzing the backup files if they are available to you so I tested both the direct and backup acquisition methods.

4. Results and Reporting

After the acquisition is complete, you can view the results within the application or run a series of reports which save the information to HTML. For the purpose of this paper, I show the results directly from the application, as it is more effective than scrolling through long reports.

Like other products, WOLF acquired and accurately presented basic phone information.

Figure 1.6. Wolf Case Information

However, and quite significantly, WOLF was unable to recover the call logs or SMS messages. We are working with WOLF at this time to identify the issue and I’m hopeful a resolution is forthcoming.

All contacts were recovered and WOLF even provides MAC (Modified, Accessed, Changed) times which is a very helpful feature not found in other solutions.

Figure 1.7. Wolf – Contacts

Notes were successfully recovered as were Calendar events, again with MAC times.

Figure 1.8. Wolf – Calendar

WOLF was able to recover Bookmarks and browsing history, something several other tools struggled with.

Figure 1.9. Wolf – Internet

WOLF recovered all songs on the device (regardless of whether DRM was enabled, which prevents recovery with some products).

Figure 1.10. Wolf – Media

Finally, WOLF, unlike several other products, was able to recover not only the pictures taken with the iPhone but also 31 pictures that were uploaded through iTunes.

Figure 1.11. Wolf – Images

5. Matrix of Results

The following are the results from the WOLF tests.

Table 1.1. Wolf Matrix of Results

Scenario           | WOLF – direct | Ranking | WOLF – backup                    | Ranking | WOLF Total | Results
-------------------+---------------+---------+----------------------------------+---------+------------+--------
Call Logs          | 0             | 0       | 0                                | 0       | 0          | Miss
SMS                | 0             | 0       | 0                                | 0       | 0          | Miss
Contacts           | 1282          | 3       | 0                                | 0       | 3          | Meet
Email              | 0             | 0       | 0                                | 0       | 0          | Miss
Calendar           | 3070          | 3       | 3070                             | 3       | 3          | Meet
Notes              | 1             | 3       | 1                                | 3       | 3          | Meet
Pictures           | 42            | 2       | 43 (2 icons, not synced images)  | 2       | 2          | Below
Songs              | 44            | 3       | 0                                | 3       | 3          | Meet
Web History        | 2             | 3       | 2                                | 3       | 3          | Meet
Bookmarks          | 5             | 3       | 5                                | 3       | 3          | Meet
Cookies            | 0             | 0       | 0                                | 0       | 0          | Miss
App Info           | 0             | 0       | 0                                | 0       | 0          | Miss
Google Maps        | 0             | 0       | 0                                | 0       | 0          | Miss
Voicemail          | 0             | 0       | 0                                | 0       | 0          | Miss
Passwords          | 0             | 0       | 0                                | 0       | 0          | Miss
Plists/XML         | 0             | 0       | 0                                | 0       | 0          | Miss
Phone Information  | Yes           | 3       | Yes                              | 3       | 3          | Meet
Video              | 1             | 3       | 0                                | 0       | 3          | Meet
Podcasts           | 1             | 3       | 0                                | 0       | 3          | Meet
Speed Dials        | 0             | 0       | 0                                | 0       | 0          | Miss
VPN                | 0             | 0       | 0                                | 0       | 0          | Miss
Bluetooth          | 0             | 0       | 0                                | 0       | 0          | Miss
GPS                | 0             | 0       | 0                                | 0       | 0          | Miss
File Hashes        | 0             | 0       | 0                                | 0       | 0          | Miss
YouTube            | 0             | 0       | 0                                | 0       | 0          | Miss
HTML               | 0             | 0       | 0                                | 0       | 0          | Miss
Office Documents   | 0             | 0       | 0                                | 0       | 0          | Miss


6. Conclusions

WOLF is an intuitive and fast forensic solution for the iPhone. Once the Call Log and SMS issues are addressed, WOLF will be a solid forensic solution for the iPhone. However, other products which perform a logical file system acquisition allow direct access to the SQLite files (and thus the ability to recover some deleted data) as well as other critical files. This access gives the analyst an opportunity to recover more information.
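The point made here, and in the summary's note that a logical copy presumably cannot recover deleted data, rests on how SQLite stores rows: deleting a row only marks its cell as free space inside the page, so the bytes stay on disk until the engine overwrites them. The script below is an added illustration, not code from the white paper or from WOLF, and the `message` table is a constructed stand-in rather than the iPhone's real SMS database layout. It inserts three constructed rows, deletes one, and contrasts what SQL returns (the logical view a tool like WOLF exports) with a `strings`-style scan of the raw file, once with `PRAGMA secure_delete` set OFF and once with it set ON, since builds differ in their default for that setting.

```python
"""Added example: why raw SQLite file access can expose deleted rows.

Constructed demo (not WOLF's code, not real iPhone data): build a tiny
message table, delete one row, then compare the logical SQL view with a
byte-level scan of the database file.
"""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows; the schema is a hypothetical stand-in for an
# SMS store, not the real layout of the iPhone's sms.db.
SAMPLE_MESSAGES = [
    (1, "+15550100", "meeting moved to three"),
    (2, "+15550101", "CONSTRUCTED-DELETED-MESSAGE-9f3a"),
    (3, "+15550102", "see you tomorrow morning"),
]
DELETED_ID = 2
DELETED_BODY = SAMPLE_MESSAGES[1][2]


def build_database(path, secure_delete):
    """Create the table, insert the sample rows, then delete one row.

    With secure_delete OFF a freed cell keeps its bytes inside the page
    (only a few header bytes are rewritten), so the text survives on disk.
    With secure_delete ON SQLite overwrites the freed cell with zeros.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def logical_rows(path):
    """Logical view: only live rows, which is all a SQL query can return."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT id, address, body FROM message ORDER BY id"
    ).fetchall()
    conn.close()
    return rows


def carve_strings(path, min_len=8):
    """Physical view: printable ASCII runs in the raw file, like `strings`."""
    with open(path, "rb") as f:
        data = f.read()
    found, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte < 0x7F:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def run_demo(secure_delete):
    """Build a database in a temp dir and report both views of the deleted row."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "message.db")
        build_database(path, secure_delete)
        live = logical_rows(path)
        carved = carve_strings(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "live_ids": [row[0] for row in live],
        "deleted_in_logical_view": any(row[0] == DELETED_ID for row in live),
        "deleted_body_in_raw_file": any(DELETED_BODY in s for s in carved),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("secure_delete=%s -> %s" % ("ON" if flag else "OFF", run_demo(flag)))
```

The scan is deliberately crude (it finds any printable run, not SQLite cell boundaries), but that is enough to show the gap: the deleted body never appears in the logical view, yet with secure_delete OFF it is still sitting in the file, which is exactly what file-level tools can carve and a logical export cannot.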

The following ranking establishes WOLF’s overall rating of 1.8 on the four criteria established at the beginning of this white paper.

Table 1.2. Wolf Rankings

Area         | Weight | Rank
-------------+--------+-----
Installation | 0.1    | 3.0
Acquisition  | 0.2    | 2.5
Reporting    | 0.3    | 3.0
Accuracy     | 0.4    | 1.1
TOTAL        |        | 1.8


Chapter 2. About this white paper

1. About the Authors

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone Forensics that has gained recognition throughout the industry.

Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.

2. About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.

3. Why Outsource?

One key strategy for minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. But the reality is that there are significant burdens, including:

  • Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
  • Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
  • Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.