NEW WHITE PAPER AVAILABLE

For the latest information and reviews please click here to read the latest version of the iPhone Forensics White Paper.

Note: This is an old article. Please visit our latest white paper for most recent info.

iPhone Forensics – .XRY (June 2009)

Andrew Hoog and Kyle Gaffaney

viaFORENSICS

June 2009


Chapter 1. .XRY (2.6/5.0)

by MicroSystemation

Summary (from company information)

The .XRY/.XACT 4.1 is a mobile forensic system that performs logical data acquisition as well as physical dumps. The systerm is enclosed in a small brief case and contains: the USB 2.0 communication unit, a license key dongle, all current cables in cable holders, SIM card reader, rewritable SIM id-Cloner examination cards, a read only memory card reader and a CD with all software. All new cables that are released during the license period are included in the license fee as well as all SW updates.

Both systems use the .XRY report format. The .XRY reader is available for free. This reader insures the forensic report is secure..

Installation

The .XRY System came in its own hard case containing the software on a CD, hardware unit and cords, SIM readers, and 46 different cables to connect different mobile devices. Once the CD was inserted the software loaded using the standard Windows InstallShield Wizard. Before using the device a protection key must be installed on the computer from an enclosed dongle.

Our protection key expired before our test and requesting a new one was necessary. To do this Micro Systemation provides directions in the Help section of the software. Since Micro Systemation notified us of our expired protection key they took the initiative to send us this information in a .pdf. The directions described how to do update the protection key on both computers that do and do not have Code Meter installed. Code Meter was installed on the computer used and the process was straightforward. We emailed the request for a new protection key to Micro Systemation over the weekend and new one was sent to us on Monday.

We tested version 4.10. The user interface(UI) was familiar and easy to understand. The UI had both Ribbons of large shortcut buttons organized under tabs as well as traditional drop down menus.

Figure 1.1. .XRY Ribbons UI

.XRY Ribbons UI
.XRY Ribbons UI


Forensic Acquisition

The acquisition process was simple and fast. The program first asks you which type of device you are extracting information from.

Figure 1.2. Supported Devices

Supported Devices

At the end of the extraction process a summary of the results was displayed. The results of our test revealed that the extraction process finished with errors. The errors can be found in the system log. The error log reflected that the errors were a result of the device being locked.


After selecting the iPhone the following information screen for the iPhone appeared. It is important to note that the information screen states Email messages will not be retrieved unless the phone is unlocked. The iPhone tested was not unlocked.

Figure 1.3. .XRY iPhone Information

.XRY iPhone Information


The next couple of screens allows the user to select only certain items to be extracted and to choose where the results are saved. The extraction process then begins and the status is shown on the screen.

Figure 1.4. .XRY Extraction Options

.XRY Extraction Options


Figure 1.5. .XRY Extraction Progress

.XRY Extraction Progress


At the end of the extraction process a summary of the results was displayed. The results of our test revealed that the extraction process finished with errors. The errors can be found in the system log. The error log reflected that the errors were a result of the device being locked.

Figure 1.6. .XRY Extraction Finished

.XRY Extraction Finished


Results and Reporting

.XRY pulled some very valuable and useful data from the iPhone such as Contacts, SMS messages and images with GPS locations. However, because the iPhone was not ‘jailbroken’ the emails were not retrieved.

.XRY displayed the extracted information in a simple to use report. The pane on the left side of the screen lists the different categories of items retrieved from the mobile device and the main pane has the detailed information for the selected category.

The Case Data and Summary categories contained basic information about when the extraction was completed, what version of software was used. The Case Data section also contained an area for making notes. The General Information section contained information regarding the phone and carrier, i.e. phone and sim ID numbers.

The Contacts section was easy to read and contained the name, multiple number fields, address fields, email, and notes for each contact.

Figure 1.7. .XRY Contacts Display

.XRY Contacts Display


Figure 1.8. .XRY Call Logs

.XRY Call Logs


The Call Log section displayed information regarding whether the call was dialed, received or missed. The date and number were also displayed. However, only one record displayed the corresponding name from the Contacts. The device itself lists the corresponding name on most of the entries.

Figure 1.9. .XRY Calendar

.XRY Calendar


The extracted Calendar information was presented in an easy to read format.

Figure 1.10. .XRY Note

.XRY Note


The text of the note is displayed on the details pane. There was a note that was created and then deleted, the program did not retrieve the deleted note.

Figure 1.11. .XRY SMS

.XRY SMS


For this test two SMS messages were deleted. These two deleted messages were not recovered. However, the extracted SMS did contain the number, message and whether the message had been read or not. Again, like the Call Logs, the name from the corresponding Contacts file was not listed.

The area that .XRY excelled in was the extraction of photos from the iPhone. Unfortunately, it did not perform perfectly. A photo that was sync’d to the iPhone could not be found in the results.

Figure 1.12. .XRY Pictures

.XRY Pictures


.XRY extracted images from the iPhone that were displayed during web-browsing as well as icons from the iPhone. Probably the most interesting bit of information extracted using .XRY was the GPS coordinates for photos taken using the iPhone. GPS coordinates were included in the MetaData, see below.

Figure 1.13. .XRY Photos with GPS Coordinates

.XRY Photos with GPS Coordinates


.XRY also extracted audio and video files saved on the iPhone. I was able to immediately play the audio files but was unable to view the video. The audio played using Windows Media player but QuickTime was needed for the video file.

Documents and other files were also extracted. 107 documents and 43 files were extracted from the iPhone. The documents included Cookies and other .plist files. The Files section contained .db files including a search history. From these files were were able to find some of the bookmarks, cookies, a value saved in the memory of the caluclator, web browsing history, recent web searches, the speed dial file, and a location that was searched with a GPS location.

Figure 1.14. .XRY other Documents

.XRY other Documents


Figure 1.15. .XRY other Files

.XRY other Files


Matrix of Results

The following are the results from the .XRY extraction.

Table 1.1. .XRY Matrix of Results

Scenario .XRY Results Ranking Results
Call Logs 100 3 Meet
SMS 120 (all retrieved, deleted not recovered) 3 Meet
Contacts 1511 3 Meet
Email 0 1 Below
Calendar 3188 3 Meet
Notes 1 3 Meet
Pictures 312 (photos taken with iPhone included GPS coordinates) 4 Above
Songs none loaded podcasts retrieved 3 Meet
Web History Yes, 28 were listed. Also listed recent searches. 4 Above
Bookmarks 2 3 Meet
Cookies 89 3 Meet
App Info Some apps left evidence 2 Below
Google Maps 1 Address record and GPS location 3 Meet
Voicemail 0 0 Below
Password None found 0 Below
Plists/XML Many retrieved 3 Meet
Phone Info Yes 3 Meet
Video 1 3 Meet
Podcasts 4 3 Meet
Speed Dials Found programmed speed dial in plist 3 Meet
VPN 0 0 Below
Bluetooth 0 0 Below
GPS Coordinates found in both images and plist. Specific info from the GPS not pulled. 3 Meet
File Hashes An available option 3 Meet
You Tube 0 0 Below
HTML 0 0 Below


Conclusions

.XRY is a simple to use, effective iPhone extraction device. Installation and extraction is easily completed by following on-screen prompts. Extraction time for .XRY is comparable or better than many of the other products we have tested. The extracted data is presented in an easy to view, organized fashion that includes a search function. Of particular interest is the presence of GPS coordinatates in the metadata of extracted images taken with the iPhone.

The following ranking establishes .XRY’s overall rating of 2.6 on the four criteria established at the beginning of this white paper.

Table 1.2. .XRY Rankings

Area Weight Rank
Installation 0.1 3.0
Acquisition 0.2 3.0
Reporting 0.3 3.0
Accuracy 0.4 2.3
TOTAL 2.6


Chapter 2. About this white paper

About the Authors

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this ground breaking white paper on iPhone Forensics that has gained recognition throughout the industry.

Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond servicing our clients immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.

Why Outsource?

One key strategy to minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day to day tasks. But the reality is that there are significant burdens including:

  • Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
  • Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
  • Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.