iPhone Data Acquisition and Analysis
Israel Les Garcia
Submitted in partial fulfilment of
the requirements of Edinburgh Napier University
for the Degree of
MSc Advanced Security and Digital Forensics
In collaboration with the Scottish Police Department
School of Computing
April 2012
Israel Les Garcia, MSc Advanced Security and Digital Forensics, 2012. 2
Authorship Declaration
I, Israel Les Garcia, confirm that this dissertation and the work presented in it are my own
achievement.
Where I have consulted the published work of others this is always clearly attributed;
Where I have quoted from the work of others the source is always given. With the exception of
such quotations this dissertation is entirely my own work;
I have acknowledged all main sources of help;
If my research follows on from previous work or is part of a larger collaborative research project I
have made clear exactly what was done by others and what I have contributed myself;
I have read and understand the penalties associated with Academic Misconduct.
I also confirm that I have obtained informed consent from all people I have involved in the work
in this dissertation, following the School's ethical guidelines.
Signed:
Date:
Matriculation no: 10015988
Data Protection Declaration
Under the 1998 Data Protection Act, the University cannot disclose your grade to an
unauthorised person. However, other students benefit from studying dissertations that have their
grades attached.
Please sign your name below one of the following options to state your preference.
The University may make this dissertation, with indicative grade, available to others.
The University may make this dissertation available to others, but the grade may not be disclosed.
The University may not make this dissertation available to others.
Abstract
The number of cases involving economic fraud and cyber-crime is growing quickly. The number of
people who evade taxes in litigation cases, use computers to gather information illegally or steal
money from digital transactions is rising every day. Computer forensics gives investigators and law
enforcement the tools and methodologies to gather incriminating or exculpatory evidence for a case.
Mobile forensics goes one step further and focuses on gathering live or deleted information from
portable telephones. This discipline is becoming relevant because most people own a mobile phone.
Moreover, these devices store not only contact information or SMS messages, but also pictures,
emails, videos, browsing footprints and documents.
The main aim of this document is to describe how to acquire as much data as possible from an
iPhone using the different methods available. This data ranges from the usual information such as
call logs, SMS or voicemails, to footprints left by web browsers or metadata from pictures. Finally,
this information is categorised to determine which of it is sensitive for an investigation.
To achieve these goals, physical acquisition and logical acquisition were carried out in parallel, and
the information was then extracted from the backups created. This information has been analysed
to show what kind of artefacts can be found on an iPhone. The tools used in the development were
Froq for database analysis, Emailchemy for email extraction, SSH and dd for the physical image,
JuicePhone for extracting data from the backups and Elcomsoft Phone Password Breaker for
cracking the encrypted backups. Some of the most interesting findings are GPS location and
metadata in pictures and videos, footprints for every website visited (including a screenshot of the
page) and voicemails stored on the flash memory.
The conclusion of this thesis highlights that the decisions taken to obtain the best results when
implementing the forensic image were correct. However, several challenges were also found. The
main problem was the hardware encryption of the iPhone 4: the physical image could not be read
and the encryption could not be broken by any available method, which forced the physical image
to be taken from an iPhone 3GS while the iPhone 4 was used for the logical acquisition. Finally, the
conclusion shows that there is still a lot of work to be done in the mobile forensics area, especially
with the arrival of the iPhone 4S and iOS 5 and with the hardware encryption problem still
unresolved.
Contents
1 INTRODUCTION ... 12
1.1 Context ... 12
1.2 Aim and Objectives ... 13
1.3 Document Structure ... 13
2 LITERATURE REVIEW ... 14
2.1 Mobile Phone Market ... 14
2.2 Mobile Networks, cards and data storage ... 19
2.3 Knowing the iPhone Architecture and System ... 23
2.4 Mobile Forensics Methodology ... 28
2.5 iPhone Acquisition ... 33
2.6 Tools in The Market ... 34
2.7 Chapter Conclusions ... 37
3 TOOL ANALYSIS ... 41
3.1 iPhone Encryption and acquisition steps to follow ... 41
3.2 Databases Infrastructure ... 42
3.3 Property list tools ... 44
3.4 Mail Exporting ... 44
3.5 Forensic Tools ... 45
3.6 Other Tools ... 45
3.7 Chapter Conclusions ... 46
4 DEVELOPMENT ... 47
4.1 iOS disk analysis ... 47
4.2 iPhone logical acquisition ... 47
4.3 Physical acquisition ... 54
4.4 iOS System partition ... 57
4.5 iOS Data partition ... 59
4.6 Library Folder ... 62
4.7 Media Folder ... 69
4.8 Chapter Conclusions ... 71
5 CONCLUSIONS ... 72
6 REFERENCES ... 77
List of Tables
Table 1-1 iPhone 4 Components Specification (Apple Inc.) ... 25
Table 2-2 Mobile Phone System Comparison ... 37
List of Figures
Figure 2-1 Mobile Phone Market (Pinto, 2010) ... 15
Figure 2-2 Smart Phones Mobile Market Comparison (Gunther, 2011) ... 15
Figure 2-3 GSM Architecture (Imran) ... 19
Figure 2-4 UMTS Architecture (Mauritius) ... 20
Figure 2-5 Type of USIM Card (Mobile Whack, 2008) ... 20
Figure 2-6 SMS System (Deloitte, 2011) ... 21
Figure 2-7 SIM Serial ... 22
Figure 2-8 IMEI Number Format ... 23
Figure 2-10 Faraday Bag (Data Duplication Ltd) ... 31
Figure 2-12 Cellebrite Kit (Hoog & Strzempka, Cellebrite UFED, 2010) ... 35
Figure 2-13 XRY (Hoog & Strzempka, Micro Systemation XRY, 2010) ... 35
Figure 2-14 Oxygen Program (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010) ... 36
Figure 3-1 iOS Database structure ... 42
Figure 3-2 SQLite Database Browser interface ... 43
Figure 3-3 Froq interface ... 43
Figure 3-4 Difference reading XML format and .plist format ... 44
Figure 3-5 Open With option ... 44
Figure 4-1 iOS disk information ... 47
Figure 4-2 Setting up password for the backup ... 49
Figure 4-3 Information from the device ... 49
Figure 4-4 Backup RAW files ... 50
Figure 4-5 Problems extracting encrypted backup ... 50
Figure 4-6 Elcomsoft Phone Password Breaker ... 51
Figure 4-7 Cracking the password ... 52
Figure 4-8 Decrypting the backup ... 52
Figure 4-9 Juice Phone device information ... 53
Figure 4-10 Backup extracted files ... 54
Figure 4-11 Restoring option while jailbreaking ... 55
Figure 4-12 Redsn0w ... 55
Figure 4-13 Redsn0w installing options ... 55
Figure 4-14 iPhone general configuration ... 56
Figure 4-15 OpenSSH and Netcat installation ... 56
Figure 4-16 Ping to the device ... 57
Figure 4-17 DD Process using Netcat pipe and SSH connection ... 57
Figure 4-18 System partition ... 58
Figure 4-19 Passwd file from system partition ... 58
Figure 4-21 Information from the Address Book daemon ... 59
Figure 4-23 Last network connection settings ... 60
Figure 4-24 Accounts & passwords from keychain-2.db ... 60
Figure 4-26 General Log ... 61
Figure 4-27 Facebook app information ... 61
Figure 4-28 Facebook app package content ... 62
Figure 4-30 Cache of last searches and Safari Websites ... 63
Figure 4-31 Calendar Events ... 63
Figure 4-32 Call Log database ... 64
Figure 4-33 Cookies from the iTunes store ... 64
Figure 4-34 Emailchemy, email type ... 64
Figure 4-35 Emailchemy, email path ... 65
Figure 4-36 Emailchemy, saving path and format ... 65
Figure 4-37 Extracted email example ... 65
Figure 4-38 Searches in Google Maps ... 66
Figure 4-39 Notes.app information ... 66
Figure 4-40 AT&T Carrier configuration file ... 67
Figure 4-41 Safari history ... 68
Figure 4-42 Safari suspended state websites ... 68
Figure 4-43 Safari Bookmarks ... 68
Figure 4-44 SMS Database ... 69
Figure 4-45 100APPLE Folder and Files ... 69
Acknowledgements
I want to acknowledge the help given by Professor Bill Buchanan. In addition, my girlfriend
Maitane, who has read this work and helped me with her suggestions. Also, my brother, sister,
parents and friends, for their support in the worst moments that I have experienced. Finally, I
would like to thank Mike Dickson from the Scottish Police Department for his help and advice.
Without all these people, this document would not have been possible.
1 Introduction
This thesis investigates the acquisition of data from an iPhone, from the moment the device is seized
and sealed until all the information has been processed. The main problem in mobile forensics is that
there is not much information available on the Internet, in blogs or in books. Most of the small pieces
of evidence that can be found online come from investigators who have experimented with the devices
and acquired that experience through practice.
Another problem is that there are many mobile phone manufacturers. Each maker has its own
operating system, and in order to gather the information the investigator needs to know how that
operating system works and where the data is stored. This is a problem because it means that there
are no standards.
1.1 Context
We live in the information age. Important information such as financial data, health care data and
other personal assets is managed by computers or accessed from mobile devices. Therefore,
cyber-crime is one of the most profitable areas for criminals. Some of the major issues are financial
fraud, identity theft, computer crimes, paedophilia and viruses. These kinds of attacks are happening
more and more often: in the USA alone, complaints rose from 16,838 in 2000 to 303,809 in 2010.
(Internet Crime Complaint Centre - IC3, 2011)
Hence, to provide evidence to the prosecution in these kinds of crimes, law enforcement makes use
of the computer and mobile forensics disciplines. These allow law enforcement to acquire evidence
and artefacts from electronic devices such as computers, cell phones, GPS units or the Internet, and to
analyse them. This evidence can give important information for resolving a case or solving a
problem. (McGrath, 2005)
Furthermore, having a cell phone is common today. Because a mobile is not very expensive, the most
usual type of cell phone found is a smartphone. Smartphones allow installing applications and doing
much more than calling or sending SMS: browsing the Internet, watching movies, playing games,
chatting via Skype, using the phone as a calendar, checking e-mail, and so on. People carry the cell
phone with them everywhere and, because of these advantages, it has become a necessary everyday
tool. (Bodged, 2009)
It has recently come to light that some companies, such as Apple, store location data from the phone,
making it possible to track where the user is or has been at any moment. (BBC News, 2011)
1.2 Aim and Objectives
The aim of this project is to cover the physical and logical acquisition process of the iPhone and
finally analyse all the extracted data to look for sensitive information. To meet this aim, the objectives
are the following:
1. Acquire the widest possible range of data from an iPhone. This includes not only SMS, call logs
or voicemail, but also artefacts such as web-based chat, Skype chat or any footprint produced by
the applications running on the smartphone.
2. Evaluate that the extracted data is correct and has not been lost or modified by the software
used.
3. Investigate the obtained data, categorise the most important parts and provide an analysis of
the results obtained compared with those expected.
4. Determine how much information can be obtained from the iPhone and what use can be made
of the extracted data.
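The following shell script is an added example and is not part of the dissertation or of the tooling it used. It shows the acquisition-and-verification pattern behind objectives 1 and 2: a partition image taken with dd through a pipe (the same shape as the dd-over-netcat/SSH transport used for the physical image), then checked against the source by byte count and SHA-256, with the hash written to a log kept beside the image. It assumes a POSIX shell with dd, wc and either sha256sum or shasum; the device path /dev/rdisk0s2s1 mentioned in the comments is an assumption about the handset, and the sample "partition" is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the dissertation): image a partition with dd through
# a pipe and prove the copy is complete and unmodified (size + SHA-256).
# In the field the producer side of the pipe inside acquire_image would be
#   ssh root@<phone-ip> "dd if=/dev/rdisk0s2s1 bs=4096"
# (the raw data-partition path is an assumption about the handset); here both
# sides are local files so the script runs offline.

set -u

# SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
hash256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Byte count of a file, with the leading spaces some wc builds print removed.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# acquire_image SOURCE DEST
# Copies SOURCE into DEST with dd through a pipe, then writes DEST.log with
# the hash and size of the image so the record travels with the evidence.
acquire_image() {
    src=$1; dst=$2
    # Fixed block size; conv=noerror,sync is deliberately NOT used so that a
    # read failure shortens the image and is caught by the size check later.
    dd if="$src" bs=4096 2>/dev/null | dd of="$dst" bs=4096 2>/dev/null
    printf '%s %s %s\n' "$(hash256 "$dst")" "$(size_of "$dst")" "$dst" > "$dst.log"
}

# verify_image SOURCE DEST
# Returns 0 only when DEST has the same byte count and SHA-256 as SOURCE.
# SOURCE is re-read so a truncated or tampered image is detected.
verify_image() {
    src=$1; dst=$2
    [ "$(size_of "$src")" = "$(size_of "$dst")" ] || return 1
    [ "$(hash256 "$src")" = "$(hash256 "$dst")" ] || return 1
    return 0
}

# make_sample PATH
# Constructed stand-in for a data partition: 1 MiB of zeros with a marker
# string at offset 100 (sample data, not a real iPhone image).
make_sample() {
    dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null
    printf 'constructed-sample-data' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

# Demo: acquire and verify, then corrupt one byte of the image and verify again.
demo() {
    work=$(mktemp -d)
    make_sample "$work/disk.bin"
    acquire_image "$work/disk.bin" "$work/disk.dd"
    verify_image "$work/disk.bin" "$work/disk.dd" && echo "VERIFIED: $(cat "$work/disk.dd.log")"
    printf 'X' | dd of="$work/disk.dd" bs=1 seek=200 conv=notrunc 2>/dev/null
    verify_image "$work/disk.bin" "$work/disk.dd" || echo "MISMATCH: image was altered after acquisition"
    rm -rf "$work"
}

demo
```

The hash is taken from the image on the examiner's side, not from the handset, because the handset's own tools (a jailbroken phone running an untrusted OpenSSH/netcat install) cannot be relied on to report honestly; the log line is what would be copied into the acquisition form of Section 2.4.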
1.3 Document Structure
After this introduction, the document is divided into four main chapters:
• Chapter 2 - Literature Review: This part covers the study of the different tools in the market
and the methodologies for capturing the information from the phone. It starts with a brief
overview of the mobile systems on the market, continues with an introduction to the different
iPhone devices and iOS versions and their features, and finally explains the acquisition
methodology and the main tools to use.
• Chapter 3 - Tool Analysis: This chapter focuses on the planning of the whole development. First,
it gives an overview of every acquisition methodology. Next, it analyses the possible data
categories and how to access them. Finally, there is a study of the applications that will be used
in the development.
• Chapter 4 - Development: This is the practical chapter, covering the physical and logical
acquisition of the information from the device. After the acquisition, the data obtained is
analysed to gather any important pieces of it.
• Chapter 5 - Conclusions: The last part covers the current situation in computer forensics and the
problems encountered during the development and research. The end of the chapter covers the
future focus for iPhone forensics and the possibilities around it.
2 Literature Review
This chapter investigates and reviews the literature on the iPhone operating system, mobile forensics
methodologies and approaches, and the imaging tools in the market. First, it provides background on
how the current global cell phone market is structured and briefly explains the operating system of
each mobile phone maker covered (Section 2.1). It then focuses on the GSM and UMTS networks,
explaining how the SMS system works and what kind of data can be found on SIM cards or in
mobile phones (Section 2.2). Next, to understand the basics of the iPhone handsets, the features of
the iOS operating systems that are useful for obtaining information, and how the system works and
stores data, a study of these topics is carried out (Section 2.3).
The main part of the review explains the forensic process to follow and the documentation that
should be filled out while acquiring a forensic image from a handset (Section 2.4). The next section
outlines the different approaches and methodologies that an examiner could use to obtain a forensic
image depending on the handset or the circumstances (Section 2.5). Finally, tools used by law
enforcement or major companies in mobile forensics investigations are introduced, explaining how
they work and the differences between them (Section 2.6).
2.1 Mobile Phone Market
This section introduces the current situation of the mobile phone companies in the market. It then
explains some of the most important mobile phone systems and their features: Android, Windows
Phone, Symbian, BlackBerry and iOS.
A good understanding not only of the different systems but also of how the market is distributed is
very important. It helps to understand why one system does things the way it does compared to its
competitors. Furthermore, good knowledge of the current features of every brand helps to anticipate
the future enhancements the devices will bring.
2.1.1 Distribution of the most used mobile phone brands in the market
The five most common operating systems for smartphones are: (Gartner Group, 2010)
• Windows Phone (previously Windows Mobile) by Microsoft
• Symbian, maintained by Accenture (outsourced by Nokia)
• Android from Google
• BlackBerry OS by Research In Motion (RIM)
• iOS by Apple
Figure 2-1 Mobile Phone Market (Pinto, 2010)
Figure 2-1 shows that most people use a smartphone, more exactly 94% of the mobile phone market
population. However, even though the other 6% do not use a smartphone, interesting information can
still be obtained from those phones in a forensic investigation. (Pinto, 2010)
Figure 2-2 Smart Phones Mobile Market Comparison (Gunther, 2011)
Figure 2-2 summarises a series of surveys by the company ChangeWave asking for the preferred
mobile phone system among Android, iOS and BlackBerry from 2008 to 2011. iOS has been the
favourite most of the time, ahead of BlackBerry, which was very popular during 2008 but is no
longer. (Gunther, 2011)
2.1.2 Android
Android is an operating system for mobile phones and tablets based on Linux and created by Google.
Applications are developed in Java or, for native code, in C/C++. The operating system is released
under a free and open-source licence. Android has been implemented on many handsets and is not
tied to a single mobile phone brand: Samsung, HTC, Sony Ericsson, Motorola, LG, Huawei and ZTE
are some of the companies using Android on their telephones. Android is used not only in telephones
but also in tablets and even netbooks. Its main hardware platform is ARM, a 32-bit architecture.
(Android Developers)
The first version of Android was released in September 2008. Later upgrades carry dessert names,
such as Cupcake for 1.5, Gingerbread for 2.3, Honeycomb for 3.x and Ice Cream Sandwich for 4.0.
(Morrill, 2008)
Android ships with an application market, Google Play (previously Android Market). This market is
an online software store that contains applications and games for the Android platform. Every user
has access to it and can use it to download and install the desired applications. Many applications on
the market are free. However, the revenue from a paid application does not go entirely to the
developer: 30% of the money obtained is given to Google. (Google)
2.1.3 Windows Phone / Windows Mobile
Microsoft develops this operating system. Like the other advanced mobile operating systems, it is
oriented to smartphones. The original system, Windows Mobile, was launched in April 2000 and was
discontinued in 2010 at version 6.5. Its successor, Windows Phone, was released in late 2010. Not
many companies have decided to install this operating system on their handsets; HTC has been the
main host of Windows Phone, with handsets such as the HTC Titan, Radar, HD7 and Mozart.
(Pocket PC Central, 2008)
From a technical point of view, Windows Phone is based on the Windows Embedded CE 6.0 kernel
and is developed in C++. The operating system is distributed under a Microsoft EULA (End User
License Agreement). Applications for Windows Phone are developed with Microsoft Silverlight or
the XNA framework. XNA is a .NET-based framework that allows developers to create programs or
games for Windows Phone, Xbox and Windows 7; Silverlight allows creating rich visual
applications using a version of .NET. (Microsoft)
The system uses a tile-based interface with live tiles that update in place. It uses a concept called
"hubs", which group actions and applications that correspond to a specific activity. Some of the hubs
are People (contacts), Pictures, Music, Office (without an Outlook mailbox), Games and
Marketplace. (Ziegler, 2010)
The Marketplace hub gives access to the Windows Phone Marketplace, where users can buy films,
music, podcasts, programs and games. Some programs have a trial version, so users can test them
before buying. The market is accessible not only from the mobile phone but also from a computer,
and purchases can be paid by credit card or, in some cases, through the telephone bill. (Microsoft)
2.1.4 Symbian
Symbian is another proprietary mobile phone operating system. It originated in the late 1990s with
Symbian Ltd., founded in 1998 by Psion, Nokia, Ericsson and Motorola, and was later taken over by
Nokia. Since June 2011 it has been developed by Accenture under an outsourcing agreement with
Nokia. The current Symbian platform is the successor of Symbian OS, with an improved user
interface among other enhancements; its latest version is called Nokia Belle.
Symbian can be found not only in Nokia handsets but also in Samsung, Siemens, Panasonic, LG,
Sony Ericsson and Lenovo mobile phones. Nokia Belle supports 48 languages including dialects.
The web browser has been improved for speed, and the user interface is friendlier. Among other
features, it offers multitasking, memory protection and clean-up of the memory of idle processes.
Furthermore, to optimise CPU usage, when applications are not using the CPU the processor enters a
low-power state to save energy. (Molen, 2011)
The operating system supports the ARM and x86 architectures and was developed in C++.
Applications are also developed in C++ using the Qt framework, although other languages such as
Python, .NET or Ruby can be used. Applications are distributed as installable packages that can be
obtained from Nokia's store or deployed directly via a PC connection, over Bluetooth or from a
memory card. (Williams)
In 2011 Nokia reached an agreement with Microsoft and decided to use Microsoft's Windows Phone
7 on all its new handsets. As a result, the number of devices released with Symbian dropped.
However, Symbian will continue to receive maintenance and updates at least until 2016. (Epstein,
2011)
2.1.5 BlackBerry
BlackBerries use a proprietary operating system programmed by Research In Motion (RIM). The first
smartphone handset was released in 2003. It gave the opportunity to check the email via push
notifications, text messaging, Internet navigation, calls and more. The last version of Blackberry is 7.1
and it was release in May 2011.
Most of the blackberries have in the middle a track wheel, track ball or track pad that allows the user
to move and select items around the system. Furthermore, every model except for “Storm” had a
keyboard.
Its main advantage is wireless synchronisation with mail servers such as Microsoft Exchange Server
or IBM's Lotus Domino. This feature allows the user to have his emails, tasks, notes, contacts and
calendar appointments available at all times.
Programs can be developed using its API in Java or C++ and must be digitally signed with a RIM
developer account before being uploaded. These applications can be downloaded from the BlackBerry
application store, called "BlackBerry App World", over a wireless connection or through the desktop
manager on a computer. (Perez, 2008)
From a technical point of view, BlackBerries are among the most secure handsets. All the data in
the BlackBerry is encrypted, and every time the handset is started up a PIN and a password must be
entered. If the password is entered incorrectly ten times, the phone is wiped and no data can be
recovered. (Research In Motion)
These phones are business oriented and are usually configured against a BlackBerry Enterprise Server
(BES). The BES manages an organization's mail system, allowing the users to access their emails at
any time. (Research In Motion)
2.1.6 iOS
iOS is Apple's operating system, originally used on their smartphones, the iPhones. Over time, the
system has also been implemented for the iPod Touch, iPad and Apple TV. The system was first
launched in June 2007 for the iPhone. Currently the latest version is 5.1, which was released in
March 2012. (Honan, 2007)
iOS is written in C, C++ and Objective-C and targets ARM platforms that support touch interfaces.
It runs on a Darwin BSD core (a small version of Unix) with a graphical interface API called Cocoa
Touch. Applications have to be developed for the ARM architecture using the Objective-C language.
Once the applications are finished, they can be uploaded to the App Store, which is Apple's
application market.
The main characteristics of the system are (Apple):
• It has an intuitive GUI. The interface is very friendly and easy to use, with good feedback as
soon as the user performs an action.
• Software can be organised in folders.
• Notifications are easily reachable by sliding the top status bar down.
• Safari is the main web browser. Safari has been developed and maintained over many years;
therefore, it is a very stable and reliable program.
• The music player synchronises completely with the iTunes library on the computer.
• Multitasking of games and applications allows the user to have several applications open at
the same time.
• Game Center is a gaming community that allows the user to find other players or play
favourite games with friends.
• iMessage allows the user to send free text messages over the data plan instead of paying for SMS.
• Another good feature is the App Store. It contains many applications and games, and users
can find almost anything they need.
iOS is a closed operating system and can only be installed on Apple's devices, not on third-party
handsets. In addition, one of its downsides is that Java and Adobe Flash are not supported by iOS,
and they never will be.
2.2 Mobile Networks, cards and data storage
This chapter covers the networks currently in use, such as GSM and UMTS. After that, the cards that
use these networks are explained. Finally, a general explanation is given of the types of data that
can be found on most mobile phone devices and network cards.
It is important to highlight the relevance of this chapter, because data held in a mobile phone can
be stored not only in the handset but also in the network SIM card. Therefore, it is indispensable
to know how these elements work before their forensic analysis.
2.2.1 GSM and UMTS Networks
GSM stands for Global System for Mobile communications and is a second-generation cellular
telecommunication system, first planned in the early 1980s. Unlike the first-generation systems in
use at that time, GSM was digital, which brought major enhancements in security, quality and
capacity, together with the ability to support integrated services. The specifications that define
GSM are produced by ETSI (European Telecommunications Standards Institute). Figure 2-3 shows the
architecture used in GSM communication. (Mouly & Pautet, 1992)
Figure 2-3 GSM Architecture (Imran)
UMTS is the Universal Mobile Telecommunications System. It is a 3G (3rd Generation) wireless
communication system that provides an improved range of multimedia services, such as sending
pictures, video calls etc. The main objective of UMTS is to deliver low cost, high capacity mobile
communications, offering data rates as high as 2Mbps under stationary conditions with global roaming
and other advanced capabilities. The entity that specifies UMTS is 3GPP (3rd Generation Partnership
Project). (Kaaranen, Ahtiainen, Laitinen, Naghian, & Niemi, 2005)
Figure 2-4 highlights the architecture used in UMTS communication:
Figure 2-4 UMTS Architecture (Mauritius)
2.2.2 SIM & USIM Cards
Two of the most used cards in mobile phones are the SIM and USIM cards.
• SIM Card (Subscriber Identity Module): holds the user's subscription to the mobile network.
This card contains important information that grants access to the subscribed operator's network
from compatible devices such as mobile phones.
• USIM Card (UMTS Subscriber Identity Module): holds the user's subscription to the UMTS mobile
network explained above. It works similarly to a GSM SIM card but is newer (3rd Generation). The
main difference between the two cards is that the USIM operating system and file structure are
more complex.
Figure 2-5 Type of USIM Card (Mobile Whack, 2008)
2.2.3 Types of data that can be found on SIM or USIM cards
The following data types are some of the most common on SIM and USIM cards (Savoldi &
Gubian, 2007):
• Abbreviated Dialling Number: All SIM cards are able to store names and telephone numbers;
depending on the type of card, more entries can be stored. There are many different ways to insert
this data, but the most usual one is via the handset GUI. The main difference between USIM and
SIM cards is that newer cards such as the USIM allow more advanced information to be stored, such
as business details, emails etc.
• Last Numbers Dialled: A list of the last called numbers, but neither date nor time is
recorded. The standard number of entries is 10. However, the list stored on the card does not
need to have any relation with the last dialled numbers list stored in the mobile device.
• Fixed Dialled Numbers: Restricts the SIM card to calling only these numbers. The usual number
of fixed dialled numbers is 10. When this service is activated, no numbers outside this list can
be called.
• Service Dialled Numbers: Network specific numbers such as traffic reports, weather reports
etc.
• SMS Text and Deleted SMS: The Short Message Service is a textual means of communication
provided by the network operator. This service allows the user to send and receive text messages
on their devices. The storage capacity depends on the type of card. A message can hold 160 Latin
alphabet characters or 70 non-Latin alphabet characters, such as Chinese. Deleted messages can
remain stored on the SIM card, although the user does not have access to them. The date and time
stamp of messages held on a SIM card is derived from the Short Message Service Centre, which is
not the case for SMS stored in the mobile telephone.
Figure 2-6 outlines how the SMS system works:
Figure 2-6 SMS System (Deloitte, 2011)
SMS are not sent directly to the other handset. The message first goes through other nodes before
reaching the other side. The SMSC is the SMS Service Centre number, which allows a user to send and
receive messages. This number can be stored either on the SIM card or in the handset and is
accessible to the user. (Deloitte, 2011)
• Mobile Station Integrated Services Digital Network: It is the identity number for the SIM
card. The user can edit the number and it is not always stored on the card. The number is made up
of 11 digits plus the international prefix.
• Integrated Circuit Card Identity: It is a unique number for the SIM card formed of 19 digits,
even if some SIM cards only show 11 on the physical card. The first 4 digits correspond to the
communication type and country code. The next 4 are the network provider identity. The last 11
represent the subscriber number.
Figure 2-7 SIM Serial
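The 160/70 character limits described under "SMS Text and Deleted SMS" above, as an added example that is not part of the dissertation: a small Python routine that classifies a message body as GSM 7-bit or UCS-2 following the GSM 03.38 alphabet, counts its encoding units and works out how many segments it would occupy. The 153/67 per-part capacities for concatenated messages (each part carries a user data header) are an added detail not stated in the original text; the sample messages are constructed.

```python
# Added example (not from the dissertation): decide whether an SMS body fits the
# GSM 7-bit alphabet (160 characters per message) or must be sent as UCS-2
# (70 characters per message), and how many segments it would need.
# Alphabet tables follow GSM 03.38; the 153/67 figures are the per-part capacity
# once a concatenation user-data header is present.

# Basic GSM 03.38 character set (128 entries): one septet (7 bits) each.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: each of these costs two septets (escape + character).
GSM7_EXTENSION = "\f^{}\\[~]|€"

SINGLE_LIMIT = {"GSM-7": 160, "UCS-2": 70}   # capacity of a one-part message
CONCAT_LIMIT = {"GSM-7": 153, "UCS-2": 67}   # capacity of each concatenated part


def gsm7_septets(text):
    """Return the septet count of text, or None if any character is outside GSM 03.38."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXTENSION:
            total += 2
        else:
            return None
    return total


def sms_profile(text):
    """Classify an SMS body: encoding, size in encoding units and segment count."""
    septets = gsm7_septets(text)
    if septets is not None:
        encoding, units = "GSM-7", septets
    else:
        # UCS-2 stores one UTF-16 code unit per two bytes; characters outside the
        # BMP (emoji) need a surrogate pair, so count code units, not characters.
        encoding = "UCS-2"
        units = len(text.encode("utf-16-be")) // 2
    if units <= SINGLE_LIMIT[encoding]:
        segments = 1
    else:
        segments = -(-units // CONCAT_LIMIT[encoding])   # ceiling division
    return {"encoding": encoding, "units": units, "segments": segments}


if __name__ == "__main__":
    # Constructed sample messages.
    for body in ("Hello", "Price: 5€", "a" * 161, "你好", "你" * 71):
        print(repr(body[:12]), sms_profile(body))
```

A message that an examiner finds split across several SIM records is therefore not evidence of tampering: a single non-GSM character (a curly quote, an emoji) forces the whole body into UCS-2 and halves the per-segment capacity.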
2.2.4 Mobile Phone Data Types
As expected, the handset also contains stored information. Some of the relevant elements found are
(Iosif):
• Contact or Phonebook list: Most mobile phones have a memory in which to store the address
book of contacts. The number of contacts depends on the memory size of the handset. Moreover, the
phonebook not only contains names and telephone numbers but can also hold emails, additional
numbers, pictures, birthdays, specific ringtones etc.
• SMS Text Messages: The handset can contain created, sent and received messages. The times
and dates of the messages archived on the handset will differ depending on whether they were sent
or created and on the time settings of the mobile phone.
• MMS Messages: These are multimedia short messages and they work in a similar way to SMS.
The main difference is that these messages contain pictures, sounds or videos.
• Pictures or Images: Current phones can store images in their memory from different sources,
such as the camera, MMS or WAP (Wireless Application Protocol, i.e. the Internet). Some telephones
even ship with some default pictures for use as wallpapers. The times or GPS position recorded for
the pictures will differ depending on the configuration of the handset.
• Videos: Some phones can record digital videos with the camera or play videos with and
without sound. Depending on its size and quality, a video will occupy more or less space. Other
phones may not have a digital camera for recording videos but can still download or play them.
• WAP Bookmarks: Phones with Internet access can store saved URLs (Uniform Resource
Locator) as favourite websites for easier access.
• Voice or Sound Recordings: Another type of media found on the phone is voice notes, which
can be recorded using the handset microphone.
• IMEI Number: The International Mobile Equipment Identity is the number that identifies the
mobile phone. This number is unique and comprises a Type Approval Code, a Final Assembly Code
and a Serial Number. However, this number can be modified with special software. It can be found
on the internal battery compartment or on the manufacturer's label.
Figure 2-8 IMEI Number Format
• WAP/GPRS Data Counter: Records the data sent and received over the Internet or GPRS
(General Packet Radio Service). It is recorded in bytes.
• Call Logs: Every phone saves a record of missed, received and outgoing calls in the handset.
The size of the list may vary depending on the mobile phone. Therefore, it is better and more
precise to use the billing record from the network provider.
• Organiser information: Information related to calendar notes, tasks to do or memos
assigned to a date and time.
• Emails: Some phones store the emails received and sent on the handset. This service depends
on the email configuration, subscription type and network.
• Date and Time configuration: This configuration can be changed by the user. In some mobile
phones, when the phone is switched off or the battery is removed, the configuration can be reset.
It is an important field, because some programs may not work if the date and time are not set.
• Memory Card: Used to extend the storage space of the handset. Most of the information found
on these cards is music, videos, pictures, documents etc. Many types of memory card can be found
on the market, but the most used ones are SD (Secure Digital), Sony Memory Stick and MMC (Multi
Media Card).
• Documents: Some phones, such as smartphones, allow the creation of office documents such as
Word or Excel files.
• Games: Most phones have some games installed. Most of them come preinstalled; however, in
other models the user can download and install additional games.
• Music: Some handsets can store music files such as WMA or MP3, or even create or store
ringtones.
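The IMEI described in the list above and the ICCID described in section 2.2.3 are the two identifiers an examiner copies onto the chain of custody form, so a check that catches a mistyped digit is useful at the scene. The following is an added example, not code from the dissertation: it splits an IMEI into the Type Approval Code, Final Assembly Code and Serial Number fields the text names (the legacy 6+2 digit layout; newer allocations treat those eight digits as a single TAC) and verifies the Luhn check digit that both identifiers end with (IMEI per 3GPP TS 23.003, ICCID per ITU-T E.118). The Luhn detail and the "89" telecommunications prefix of the ICCID are facts added here; the sample numbers are constructed, not taken from any real handset.

```python
# Added example (not from the dissertation): validate and split the two identifiers
# recorded on the chain of custody form, the handset IMEI and the SIM ICCID. Both
# end in a Luhn (mod 10) check digit, which catches a single mistyped digit.

import re


def luhn_valid(digits):
    """Luhn check over a string of decimal digits, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei):
    """Split a 15-digit IMEI into the fields the text names.

    Legacy layout: 6-digit TAC + 2-digit FAC + 6-digit SNR + 1 check digit.
    Since the mid-2000s TAC and FAC are allocated together as an 8-digit TAC,
    so tac + fac is always the 8-digit Type Allocation Code of a modern IMEI.
    """
    imei = re.sub(r"[\s-]", "", imei)     # tolerate the spacing printed on labels
    if not re.fullmatch(r"\d{15}", imei):
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": imei[0:6],         # Type Approval Code
        "fac": imei[6:8],         # Final Assembly Code
        "snr": imei[8:14],        # Serial Number
        "check_digit": imei[14],
        "valid": luhn_valid(imei),
    }


def parse_iccid(iccid):
    """Check an ICCID (19 or 20 digits) as printed on a SIM card."""
    iccid = re.sub(r"\s", "", iccid)
    if not re.fullmatch(r"\d{19,20}", iccid):
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    return {
        "major_industry_id": iccid[0:2],   # '89' = telecommunications (ISO/IEC 7812);
                                           # the country code follows it
        "body": iccid[2:-1],
        "check_digit": iccid[-1],
        "valid": luhn_valid(iccid),
    }


if __name__ == "__main__":
    # Constructed sample values, not real device identifiers.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imei("490154203237519"))       # last digit mistyped -> valid: False
    print(parse_iccid("8944110012345678901"))
```

If `valid` is False, the number on the form does not match what the label or the imaging tool reported and should be re-read before the form is signed; a modified IMEI (which the text notes is possible with special software) can still pass the check, so this is a transcription check, not proof of authenticity.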
2.3 Knowing the iPhone Architecture and System
The next chapter specifies information regarding the latest versions of the iPhone and iOS that
contain substantial changes, such as physical data encryption or system multitasking functions.
Finally, it explains the closed system environment presented to the user, the term jailbreak, and
how the iOS file system works.
This chapter helps in understanding the features, advantages and differences between iPhone
versions, which are not always very clear. People usually know what is on the surface, but there
are more important issues to bear in mind, such as knowing which version of the iPhone has which
kind of encryption. It is also important to highlight how iOS stores information in the flash
memory.
2.3.1 iOS Devices Specifications
iPhone 3GS
In June 2009, Apple released the new iPhone 3GS, incorporating the new iOS 3.0 system. The new
iPhone was improved with new functionality such as a compass and a new three megapixel camera,
which finally allowed recording videos as well as taking pictures. Another advantage was that the
iPhone 3GS gave access to third-party hardware over Bluetooth or USB connections, such as car
battery chargers or hands-free kits.
Regarding video recording, an interesting clue for investigators is that when the user records a
video and then modifies it, the original is still stored in memory until it is deleted. Along with
the video recording improvement, the iPhone 3GS also came with voice recording, which allows
investigators to gather more evidence for their cases. (Morrissey, The 3G[S] iPhone, 2010)
iPhone 4
The iPhone 4 was released on June 21, 2010. It is completely different from the previous iPhones,
having been completely redesigned. It has a more resistant screen made of Gorilla Glass and its
borders are made of stainless steel. Compared with the 3GS, the shape of the handset looks more
fashionable. It has two cameras: a rear one with good quality at 5Mpx and a front-facing one with
lower quality.
A new communication system called "FaceTime" was implemented for the iPhone 4. This protocol
allows the user to talk with other people and see them. It is very similar to iChat on the Mac, but
it is only available over wireless. Despite this inconvenience, some developers have released tools
such as "My3G" for connecting over 3G connections. (Redmond Pie, 2010) Other new specifications are
its high definition screen, called "Retina", greater speed with the A4 processor, more RAM and a
longer lasting battery. Each iOS device has a model number to differentiate it from the others; in
this case the iPhone 4 model number is A1332.
Finally, the iPhone 4 is protected with data level encryption that makes it really difficult for
investigators or thieves to obtain any information, even with a physical acquisition. (Morrissey,
The iPhone 4, 2010)
Table 2-1 iPhone 4 Components Specification (Apple Inc.)
Capability                  | Manufacturer | Equipment
Size                        | -            | 115.2 x 58.6 x 9.3 mm
Weight                      | -            | 137 gr
Baseband                    | Skyworks     | SKY77541 GSM/GPRS front-end module
Power amp                   | TriQuint     | TQM666092 & TQM666901 power amp
Radio/amplifier             | Skyworks     | SKY77452 W-CDMA FEM
Radio/transmit and receiver | Apple        | 338S0626 GSM/CDMA transceiver
Gyroscope                   | Apple        | AGD1 STMicro three-axis gyroscope
Processor                   | Apple        | ARM Cortex A4 Processor
Connectivity/802.11         | Broadcom     | BCM4329KUGB 802.11n
Connectivity/GPS            | Broadcom     | Bluetooth 2.1 + EDR antennae
Memory                      | Samsung      | K9DG08USM-LCB0 DRAM
Memory                      | Samsung      | K4XKG6432GB
Display                     | Wintek       | Capacitive glass
Camera                      | -            | 5MPx autofocus
2.3.2 iOS System Evolution
iOS is the operating system for iPhones, iPods and iPads and it was released in June 2008 for the
first generation iPhones. This operating system pushed Apple's competitors, such as HTC, Google,
Motorola and RIM, to innovate their products and build intelligent smartphones.
iOS 3
The new version of iOS was released in June 2009. This new version included enhancements such as
(Morrissey, iOS 3, 2010):
• Cut, copy & paste.
• Spotlight search.
• Call history.
• The ability to capture videos.
• Images including thumbnails of the original photos.
• Autofocus option on the camera.
• LDAP Support.
• Tethering.
• Encrypted backups.
• Hardware encryption.
• Voice control.
• Push notifications.
iOS 4
The following version was released on April 7, 2010. The major improvement was the inclusion of
multitasking for running applications. Before this, the only application allowed to run in the
background was the iPod application. Some of the functionality that can run in the background is
(8BITJAY, 2010):
• Background music.
• Voice over IP.
• Push notifications.
• Local notifications.
• Task completion.
• Fast app switching.
Apart from these, more improvements have been included in the iOS 4 versions, such as:
• Folders.
• Wallpapers.
• iBooks.
• iAd.
• Enterprise features.
• Spell checking.
• Faces in photos.
Finally, iOS has improved considerably, to the point that it is the little brother of the Mac OS X
desktop version. iOS works with a modified version of the Mac OS X kernel and is developed with
Xcode and Cocoa (Morrissey, iOS 4, 2010).
2.3.3 Analysing the iOS System
Moreover, the iOS operating system is not 100% available to the end user. By default, the entire
iPhone device is in a jailed environment. This jailed state is an environment subordinate to the
administrative environment of the system, where the administrator has complete control. While the
iPhone is in this virtual jail, there are many restrictions on what resources are accessible. This
means that only certain files on the device can be accessed. Usually the files that can be accessed
freely are stored in the /private/var/mobile/Media folder, which contains all the user information.
Another big issue is that, because the iPhone is not completely accessible by default, many
functionalities such as network tethering, Bluetooth, executing third party programs and Massive
Storage System (MSS) cannot be used or are limited.
The terms jailbreaking and jailbroken originated from the first iPhone hacks to break out of this
restricted environment, allowing third party programs to be executed and files to be read and
written anywhere on the device.
Because of this, some hacker groups such as the "iPhone Dev Team" started exploiting the system,
showing Apple the flaws in it. Some of the most famous programs for jailbreaking are: Pwnage,
RedSn0w, iLiberty, Blackra1n and Greenpoi0n. (Zdziarski, 2008)
2.3.4 iOS File System
All Apple mobile devices such as the iPad, iPhone or iPod use an HFSX system partition. HFSX is
quite similar to HFS+. The main difference between these two partition systems is that HFSX is
case sensitive. For a better understanding, it is preferable to understand the HFS+ partition
system first:
HFS+ Partition
Apple's file system HFS was developed in 1996 because physical disk space was increasing fast, and
they decided to create a new partition system to support these new disks. An HFS partition is
divided into blocks of 512 bytes, similar to the sector size used in Windows. In HFS, two different
types of block can be distinguished: allocation blocks and logical blocks. The logical blocks are
numbered from first to last on a volume. Moreover, they are static and the same size as a physical
block, 512 bytes. The allocation blocks work differently: they are groups of logical blocks used
for tracking data efficiently. The allocation blocks can also be grouped into clumps, which reduces
fragmentation in the system. (Varsalone, et al., 2009)
The time format used by iOS is UNIX time or absolute time. These formats do not distinguish
between time zones. Therefore, the investigator has to be careful when recovering evidence and bear
in mind the location where the device is. In terms of data, HFS uses a balanced tree (B*tree) for
organizing files. In addition, this tree uses a catalog file and an extents overflow file in its
organization scheme. B*trees are comprised of nodes. These nodes are grouped in a linear way to
allow faster data access. When data is removed or added, the extents are rebalanced, keeping the
efficiency high. Every file that is created is given a unique ID called the Catalog ID number.
Every time a file is created or added, the Catalog ID number is increased by one. These numbers can
be reused, but the HFS Volume Header is responsible for tracking them. (LeGault, 2009)
Figure 2-9 outlines the HFS+ file system structure, which is divided as follows (Morrissey, The iOS
File System, 2010):
• The first 1024 bytes are reserved for the boot blocks.
• Volume Header: It is 1024 bytes in size and holds information about the HFS volume structure.
At the end of the structure there is a backup of the Volume Header, which is used most of the time
for disk repair. The volume header signatures are H+ for HFS+ and HX for HFSX.
• Allocation File: Tracks the allocation blocks being used by the file system.
• Extents Overflow File: Tracks the allocation blocks that are part of a data fork.
• Catalog File: Maintains all the information about files and folders.
• Attributes File: For future use of data forks.
• Startup File: Assists in booting the system without built-in ROM support.
• After the start-up file is where all the data is stored.
• The last 512 bytes are manufacturer reserved.
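The Volume Header layout listed above and the time zone caveat of the preceding paragraph, as one added example that is not code from the dissertation: a Python parser that reads the HFS+/HFSX Volume Header found 1024 bytes into a volume (signature H+ or HX, block size, next Catalog ID, dates) and converts between the three epochs an iOS examiner meets: HFS+ time (seconds since 1 January 1904), UNIX time (since 1 January 1970) and Mac "absolute" time (since 1 January 2001, the value found in many iOS SQLite databases). The field layout and the rule that the Volume Header's createDate is stored in local time while its other dates are in GMT come from Apple Technical Note TN1150, an added source; the sample volume is constructed in the code, not taken from a device.

```python
# Added example (not from the dissertation): parse the HFS+/HFSX Volume Header that
# sits 1024 bytes into a volume, right after the boot blocks, and convert the three
# timestamp epochs met in iOS forensics. Layout follows Apple TN1150 (big-endian).

import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH_OFFSET = 2082844800     # seconds between 1904-01-01 and 1970-01-01 (UTC)
MAC_ABSOLUTE_OFFSET = 978307200   # seconds between 1970-01-01 and 2001-01-01 (UTC)
VOLUME_HEADER_OFFSET = 1024       # the boot blocks occupy the first 1024 bytes

# First 68 bytes of HFSPlusVolumeHeader: two UInt16 followed by sixteen UInt32.
_VH_FORMAT = ">HH16I"
_VH_FIELDS = (
    "attributes", "last_mounted_version", "journal_info_block",
    "create_date", "modify_date", "backup_date", "checked_date",
    "file_count", "folder_count", "block_size", "total_blocks", "free_blocks",
    "next_allocation", "rsrc_clump_size", "data_clump_size", "next_catalog_id",
)


def hfs_time_to_utc(secs):
    return datetime.fromtimestamp(secs - HFS_EPOCH_OFFSET, tz=timezone.utc)


def unix_time_to_utc(secs):
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def mac_absolute_to_utc(secs):
    return datetime.fromtimestamp(secs + MAC_ABSOLUTE_OFFSET, tz=timezone.utc)


def to_device_local(dt_utc, utc_offset_hours):
    """Re-express a UTC timestamp in the zone the handset was set to. A fixed
    offset is used here; the examiner takes the real setting from the device."""
    return dt_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def parse_volume_header(volume):
    """Decode the Volume Header of a raw HFS+/HFSX volume image given as bytes."""
    start = VOLUME_HEADER_OFFSET
    raw = volume[start:start + struct.calcsize(_VH_FORMAT)]
    signature, version, *rest = struct.unpack(_VH_FORMAT, raw)
    sig = struct.pack(">H", signature)
    if sig == b"H+":
        fs = "HFS+"
    elif sig == b"HX":
        fs = "HFSX"          # case-sensitive variant used by iOS devices
    else:
        raise ValueError("not an HFS+/HFSX volume header: %r" % sig)
    info = dict(zip(_VH_FIELDS, rest))
    info.update(filesystem=fs, version=version)
    # TN1150: createDate is stored in local time; the remaining dates are GMT,
    # so only those are converted here without knowing the device's zone.
    info["modify_date_utc"] = hfs_time_to_utc(info["modify_date"]).isoformat()
    info["checked_date_utc"] = hfs_time_to_utc(info["checked_date"]).isoformat()
    return info


def build_sample_volume():
    """Constructed sample: a minimal HFSX volume image (not from a real device)."""
    stamp = 1333238400 + HFS_EPOCH_OFFSET     # 2012-04-01T00:00:00Z in HFS+ time
    values = {
        "attributes": 0, "last_mounted_version": 0, "journal_info_block": 0,
        "create_date": stamp, "modify_date": stamp, "backup_date": 0,
        "checked_date": stamp, "file_count": 10, "folder_count": 3,
        "block_size": 4096, "total_blocks": 2048, "free_blocks": 1000,
        "next_allocation": 1048, "rsrc_clump_size": 65536,
        "data_clump_size": 65536, "next_catalog_id": 1234,
    }
    header = struct.pack(_VH_FORMAT, 0x4858, 5, *[values[f] for f in _VH_FIELDS])
    return bytes(VOLUME_HEADER_OFFSET) + header + bytes(512)


if __name__ == "__main__":
    hdr = parse_volume_header(build_sample_volume())
    print(hdr["filesystem"], hdr["block_size"], hdr["next_catalog_id"], hdr["modify_date_utc"])
    print(to_device_local(mac_absolute_to_utc(0), 1))   # 2001-01-01 01:00 at UTC+1
```

Running it on a real image means passing the raw partition bytes (or a file object read at offset 1024); the `next_catalog_id` field is the counter the text describes, so comparing it across two images of the same device shows how many files were created in between.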
2.4 Mobile Forensics Methodology
Because the evidence to be imaged contains sensitive information that is under the investigator's
custody, and because the handset does not belong to him, it is really important to be very careful
with every step taken while processing the device and to document the whole procedure. That is why
this chapter explains the criteria to follow from the moment the investigator goes to image the
mobile phone until the handset is inside a sealed bag in the evidence box.
This documentation not only helps to keep track of the evidence at every moment, but also, in case
something unfortunate happens, it will protect the investigator as much as possible if he is sued
for negligence in court.
Figure 2-9 HFS+ File System Structure (Morrissey, The iOS File System, 2010)
2.4.1 On Site Process
Before arriving on site, the investigator should already know which case he is going to work on,
where the site is, and the person to contact once he arrives there. It is not always possible, but
it also helps to describe what type of collection is going to be done (scoping, imaging or server
data extraction), whether photos are required when touching custodian assets, and from which
custodian the data is going to be gathered. Usually this information will be given by the
investigator's superior, and it is good to record it in a form, together with a brief summary of
the purpose and which evidence will be collected on site, to avoid forgetting tasks once there. For
each media item collected it is important to note the related custodian, where the image has been
stored, the image size, the evidence number applied and whether someone has quality checked the
task.
The place, the forensic team members participating, and the times and dates are very important
because they place the investigators in a specific day, hour and place, supporting their
documentation. Therefore, whenever possible, the boarding time and date if a plane or train was
taken, the arrival time and date at the destination, and the time and date of entry into the
building should all be recorded.
Finally, when the investigator is leaving the site, it is important to note whether he has taken
the recovery kit, returned the passes, left everything working as it was, and the departure time.
Moreover, it is important to give the mobile phone back to the client or owner after reassembling
it and testing that it boots properly. The mobile phone should be returned in the same condition in
which it was received. All this information is not mandatory, but it is very advisable to record it
where applicable. (Deloitte, 2011)
2.4.2 Mobile Forensics Triage
Triage is the process of acquiring important evidence on-scene in a limited period of time, but also
in an accurate way. However, triage is not a replacement for an in-depth examination later in the
lab.
Every triage starts with a search warrant. This search warrant is issued under one of the many
lawful exceptions, which can range from an incident to an arrest. Some of the main objectives when
performing a triage are:
1. Locate all the devices that are related to the crime.
2. Identify the devices that are not relevant to the crime. Each crime lab has a months-long
backlog for completing forensic analysis. Therefore, it is practical to ignore these devices,
avoiding unneeded work.
3. Interview the suspects at the crime scene. These interviews are more effective when the
evidence found at the crime scene can be shown to the interviewed person.
4. Determine leads for future investigations.
5. Examine and extract sensitive information from the different devices seized.
Moreover, phone triage should complement gathering information directly from carriers. The main
reason is that obtaining information from carriers can take several weeks or even months, and the
amount of data stored by them is limited. Most of them keep call logs for a year. However, other
information, such as text message content, is only kept for a week. The assigned IP address is
stored for a couple of days.
Time matters in a triage. Hence, the main goal is to extract as much information as quickly as
possible. An average time should be around 20 minutes regardless of the phone brand or model. The
results should be limited to information that is common to phones but stored differently by each
device (Walls, Learned-Miller, & Levine, 2011).
2.4.3 Seizure and Chain of Custody Process
Once on site, the investigator should make a note of every device that is going to be imaged. The
best approach is to take it from the custodian and ask him whether there is any password, PIN, PUK
or lock pattern and what they are. This is not always possible, but if it is, a note should be made
of them to avoid having to crack the passwords.
The chain of custody is probably the most important information regarding responsibility for the
handset. Therefore, the forensic team should give an evidence name to each device and note the
description of the device (whether it is a SIM card, mobile phone or satellite phone), phone brand,
phone model, IMEI of the telephone and the SIM card number. Furthermore, other useful information
could be the mobile phone number and whether it was powered on or off. It is good to write down as
much information as possible.
Furthermore, the investigator has to note the date and time at which he receives the evidence, the
location where the exchange has been done, from whom he has received it and who has received it,
usually the investigator himself. The signature of each person next to their name will show the
agreement of both sides. Sometimes, when a forensic team member is putting the evidence into the
evidence box, or when it is taken from a place and not from a person, the investigator should
record the place name instead of a person.
Finally, it is good practice to specify the reasons why the evidence is moving from one custodian
to another, whether it is going to be sealed inside a new seal bag and that bag's seal number, and
whether the evidence was already inside a seal bag and, if it was, what its seal number is.
Once the chain of custody form is done, the investigator can proceed to put the telephone or SIM
card inside the seal bag or Faraday bag. Faraday bags, shown in Figure 2-10, isolate the device
from network or external signal communications, preventing the data from being modified or
corrupted. (Deloitte, 2011)
Figure 2-10 Faraday Bag (Data Duplication Ltd)
The main problem with Faraday bags is that sometimes the examiners have to manipulate the phone and
have to take it out of the bag, exposing the telephone to external threats and risks. Because of
this problem, there are special rooms called Faraday Rooms or Faraday Cages. These rooms are often
used as appointment rooms or cinemas and work as huge Faraday bags, preventing any external signal
from reaching any device inside. The main issue with Faraday Cages is their cost: constructing a
Faraday room is more expensive than buying a Faraday bag. However, this optimal solution allows
investigators to manipulate the phone without any risk, with the advantage that it is more
comfortable than a Faraday bag. (Faraday Bag)
2.4.4 Imaging Process
When acquiring a mobile phone image, there are many software packages and tools to choose from.
Some of the most used tools and methodologies, such as XRY, Cellebrite, Oxygen and the Zdziarski
method, will be explained later. However, even if the process is quite similar in most of them,
they have one key point in common: the documentation of the process.
The imaging process can be done at the forensic office, which is less time restricted, or on the
client site. When investigators are working at the client's office or at the crime scene, they do
not have the same amount of time to work because of deadlines or the client's timetable. Therefore,
it is important to make every minute count.
When imaging a mobile phone, SIM card or memory card, the forensic team member should create two
exact copies of the evidence, using tools such as a caddy or Robocopy to preserve the metadata. One
will be sealed inside a seal bag and stored in the evidence box without further manipulation. The
other one will be the working copy; this image is the one that will be used for further
investigation in case data needs to be recovered or tracked.
Regarding the software used, every kit usually comes with many connectors for the different mobile
devices. This way any mobile can be connected to the destination, through an imager if one is used.
The destination depends on the storage capacity of the mobile phone to be imaged. If it has a large
flash memory, like the iPhone, the investigator should use a dongle. The imaging tools allow copying
not only the information from the mobile devices but also the information from the SIM card and
even the external memory cards, depending on the software used. Imaging kits such as XRY, Cellebrite
or Oxygen are quite straightforward: once the mobile phone is connected, it is only necessary to
follow the instructions on the screen and in a few steps the imaging process is done.
In the documentation, the forensic team member should note what action was taken to prevent signals
reaching the phone, such as using a Faraday bag or switching off the mobile phone. Further
information that can be acquired from the phone is the brand, model, IMEI number and the password
used to unlock it. Specifying the mobile phone's date and time, the actual date and time, and the
reliable source against which it has been compared is very important for knowing the time zone
difference. While making the image copy, the investigator should note which software or tool he is
using, the version of the software, what kind of connection is being used, where the destination of
the images is, the starting time of the process and, when it is done, the results.
The SIM card usually holds less data than the handset. Again, it is important to record the card number printed on the SIM after comparing it with the number reported by the imaging tool, the forensic software used, the card's issuer, the destination of the image and the start time of the process.
Finally, the destination drive must be encrypted. Free and powerful tools such as TrueCrypt can be used for this. The information is then protected and, in the worst case that the destination drive is lost or stolen, the sensitive case data is much harder to access. (Deloitte, 2011)
2.4.5 Additional Media
Additional media are memory cards or other external items of evidence that belong to the custodian and are part of the mobile phone, and which may contain relevant information.
The imaging process for additional media is similar to imaging a hard drive. Once the memory card is inserted into a read-only (write-blocked) card reader, the investigator creates an image with the chosen forensic tool on the destination volume. The destination volume should be encrypted and the image compressed whenever possible; compression does not alter the image contents, it only saves space on the destination. When the image is finished, it is important to verify it against the source by comparing hashes such as MD5 (recording a second digest such as SHA-256 as well is good practice).
Furthermore, the documentation should contain the brand, model, serial number and size of the additional media, and its type (SD, xD, microSD or other). The investigator should note the type of write blocker used to avoid modifying information, the software used to create the image, the sectors imaged, the start date and the hash obtained for later verification. (Deloitte, 2011)
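The two-copy workflow and the record described above, as an added example (not code from the dissertation): the source is read block by block as dd would read it, written to a master copy and a working copy, the source and both copies are hashed, and the acquisition record the examiner keeps is produced. The sector size, block size, file names and tool name are assumptions for illustration, and the "memory card" is a constructed temporary file.

```python
"""Two-copy imaging with hash verification and an acquisition record.

Added example, not from the dissertation. Sector size, block size, file
names and the tool name are assumptions used for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512   # assumed sector size of the imaged medium


def copy_and_hash(src, dst, block_size):
    """Copy src to dst block by block; return (bytes copied, md5, sha256).

    With dst=None nothing is written and only the hashes are computed
    (used to hash the source medium itself).
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    out = open(dst, "wb") if dst else None
    try:
        with open(src, "rb") as fin:
            while True:
                chunk = fin.read(block_size)
                if not chunk:
                    break
                if out:
                    out.write(chunk)
                md5.update(chunk)
                sha.update(chunk)
                total += len(chunk)
    finally:
        if out:
            out.close()
    return total, md5.hexdigest(), sha.hexdigest()


def verify_copy(path, expected_sha256, block_size=1 << 16):
    """Re-hash an existing copy and compare it with the recorded digest."""
    return copy_and_hash(path, None, block_size)[2] == expected_sha256


def image_with_two_copies(source, dest_dir, block_size=4096,
                          tool="python block copy (dd-like)", version="0.1"):
    """Produce master and working copies of `source` plus the documentation
    record the examiner keeps (tool, version, sectors, hashes, times)."""
    started = datetime.now(timezone.utc)
    master = os.path.join(dest_dir, "master.dd")
    working = os.path.join(dest_dir, "working.dd")

    size, src_md5, src_sha = copy_and_hash(source, None, block_size)
    m_size, m_md5, m_sha = copy_and_hash(source, master, block_size)
    w_size, w_md5, w_sha = copy_and_hash(source, working, block_size)

    # Accept the image only if both copies hash identically to the source.
    verified = (src_sha == m_sha == w_sha and src_md5 == m_md5 == w_md5
                and size == m_size == w_size)
    finished = datetime.now(timezone.utc)
    return {
        "tool": tool, "version": version,
        "source": source, "master": master, "working": working,
        "block_size": block_size, "bytes": size,
        "sectors": -(-size // SECTOR_SIZE),      # ceiling division
        "md5": src_md5, "sha256": src_sha,
        "started": started.isoformat(), "finished": finished.isoformat(),
        "verified": verified,
    }


def demo():
    """Image a constructed 3 KiB 'memory card' in a temporary directory."""
    tmp = tempfile.mkdtemp()
    card = os.path.join(tmp, "card.bin")
    with open(card, "wb") as f:
        f.write(bytes(range(256)) * 12)   # constructed content, 3072 bytes
    return image_with_two_copies(card, tmp)


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], "sectors:", rec["sectors"],
          "sha256:", rec["sha256"])
```

The record is what goes into the contemporaneous notes; `verify_copy` is the check to run on the working copy before any analysis session, since a single altered byte changes the digest.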
2.5 iPhone Acquisition
This chapter explains the different approaches to acquiring an iPhone image, together with their differences, advantages and disadvantages. There are three main ways to image an iPhone: logical acquisition, physical acquisition and dumping the memory, which means extracting the information directly from the memory chip itself.
Understanding all three is important because each is more difficult than the previous one and requires more knowledge.
2.5.1 Different Methodologies
There are many ways of obtaining data from an iPhone, but the most common are (Hoog & Strzempka, iPhone Forensics Overview and Techniques, 2010):
1. Logical acquisition: captures all the live information on the device, but erased information cannot be recovered. It is the easiest method to follow because it requires the least technical knowledge.
2. Physical acquisition: a bit-for-bit copy of the device storage, capturing everything it contains. The physical image acquires not only live data but also deleted data that is still present in unallocated space.
3. Disassembling the phone: this technique is based on opening the handset and accessing the memory chip directly. The investigator has to dump the memory, which requires a thorough understanding of what he is doing.
The next sections go into each method in more depth.
2.5.2 Logical Acquisition
Apple provides a backup mechanism through iTunes, which stores information such as call logs, contacts, SMS, music, videos, configuration and other binary data imported by iTunes. This data is stored in backups that can optionally be encrypted. When the user enables backup encryption, the passwords held in the keychain are also stored inside the backup; if the backup is not encrypted, those passwords are not saved. The backup encryption is only as strong as the backup password: tools such as Elcomsoft Phone Password Breaker run dictionary and brute-force attacks against it, and a weak password gives free access to the image. Therefore, logical acquisition can be performed either on existing backups or directly on the iPhone if the investigator has the proper tools.
Tools on the market that support this technique include XRY, Cellebrite and Oxygen, among others. However, these tools are expensive and only large forensic teams can afford them.
As explained before, the main issue with logical acquisition is that it only obtains live data, so all the information erased by the custodian is lost. The main advantage is that a logical acquisition is quite easy compared with the other methods; some of the tools mentioned show the steps to follow on screen quite precisely. (Hoog & Strzempka, Logical Acquisition, 2010)
2.5.3 Physical Acquisition
This technique copies the flash memory bit for bit, which means every file in the memory, deleted or live, is imaged. This method takes a long time and requires more technical knowledge than logical acquisition.
The process can be done with commercial tools such as Cellebrite or Elcomsoft. However, the same reason as before applies: this software is very expensive and not every company can justify it without enough mobile forensic cases. Zdziarski, on the other hand, offers a methodology that can be applied with open and free tools, even if it demands more computing knowledge.
Finally, the iPhone 4 (with iOS 4) brought big news from the security perspective by introducing encryption of the stored data. A bit-for-bit image of the device completes normally, but the contents of the image file are unreadable and cannot be mounted. The solution to this problem is defeating the encryption, which many researchers are currently working on, but it will take time. (Hoog & Strzempka, Physical Acquisition, 2010)
2.5.4 Dissembling Acquisition
This method, known as chip-off (and often grouped with JTAG acquisition, which instead reads the memory through the board's debug port), is very risky: if the examiner is not an expert with the device hardware he can break it, losing all the data and destroying the handset. The basic technique is to desolder the flash memory chip (the NAND, which holds the data, rather than the ROM) from the phone's board and read the information from the chip directly, performing a NAND dump. The right knowledge is essential, as are the proper tools for removing and reading the chip.
Many companies and agencies avoid this method because, if something goes wrong and the phone is damaged, they will not be able to recover the data and will have to compensate the suspect for the damage done. (Keonwoo, Dowon, Kyoil, & Jae-Cheol, 2007)
2.6 Tools in The Market
This last section introduces some of the forensic tools on the market that are used by many forensic teams in law enforcement and consultancy companies.
It is relevant for knowing the capabilities of these forensic programs and what an investigator can expect from other similar software.
2.6.1 Cellebrite
This is a standalone kit composed of the UFED device and more than 100 cables for processing more than 2,500 mobile phone models. The kit can be seen in Figure 2-11. It performs quick acquisitions and is user friendly, telling the investigator what to do at each step, either on the handset or on the UFED machine. Apart from reading the handset, it can gather information from SIM cards or from a system dump. Data can be extracted to a USB stick or to a PC with the UFED software installed. The output is an .html report of all the information gathered, but it also creates a proprietary output file that can only be opened with Cellebrite's own tool. It is a good forensic tool in that it offers several acquisition methods and retrieves a wide range of information. It works well with a large range of phone types but, at the time of writing, does not support iOS 5. (Hoog & Strzempka, Cellebrite UFED, 2010)
Figure 2-11 Cellebrite Kit (Hoog & Strzempka, Cellebrite UFED, 2010)
2.6.2 XRY
This forensic tool, shown in Figure 2-12, contains both software and hardware that allow physical and logical acquisition in the same way as Cellebrite. Moreover, it is friendlier than Cellebrite and guides the investigator through every step in considerable detail, as highlighted in Figure 2-12. The report is a file with the .xry extension that can be opened with the same application once the process is complete. The main advantage of this tool is that it can open almost any kind of file. Another major advantage is that it is one of the only tools that shows information from deleted notes. (Hoog & Strzempka, Micro Systemation XRY, 2010)
Figure 2-12 XRY (Hoog & Strzempka, Micro Systemation XRY, 2010)
2.6.3 Oxygen
Oxygen, shown in Figure 2-13, is more oriented towards logical acquisition; however, it uses a powerful acquisition protocol that gives it good performance. It is probably the best software for logical acquisition and is quite simple and straightforward. It reports information such as the handset retailer, brand, IMEI and boot loader, and whether the device is jailbroken. It also extracts the phonebook, SMS, messages, notes and calendar, each with an MD5 hash. (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010)
Figure 2-13 Oxygen Program (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010)
2.6.4 Zdziarski
This method comes from Jonathan Zdziarski, a well-known researcher in iOS forensics. His method is only available to law enforcement. It is, however, considered the best way of acquiring a physical image of the iPhone; the knowledge required is greater than for the other methods because of the risk of breaking the phone. It is essentially the method that will be followed in the development chapter, where it is explained. (Hoog & Strzempka, Zdziarski Technique, 2010)
2.7 Chapter Conclusions
The systems introduced are some of the most important and widely used on the world market. Even though only a brief introduction to each has been given, a comparison between them is necessary.
Table 2-2 Mobile Phone System Comparison (columns identified from the cell contents: Android, Windows Phone, iOS, BlackBerry)

| Feature | Android | Windows Phone | iOS | BlackBerry |
|---|---|---|---|---|
| Apps | Many free applications and an approval process not as restricted as on other platforms. However, because no standards are required, the quality of some applications suffers. | The application market continues to be small compared to the rest of the competitors. | Many applications on the market and good quality due to the specific standards. However, the market requirements are sometimes too strict, rejecting very desirable applications. | Small number of applications on the market and not very good quality. |
| Email | Complete integration with a Gmail account. However, does not support more than one email account. | Good integration with email services such as Microsoft Exchange, Gmail, Windows Live Messenger and more. | Multiple accounts can be configured for email exchange. | The best interface and access control system for email. However, does not support more than one email account. |
| Internet Browsing | Excellent browser and very fast processing speed. Also supports Adobe Flash. | The browser supports HTML 5 but not Flash. Internet Explorer is not very well supported by developers, which leads to errors. | Very fluent web browser with the possibility of showing text only, reducing data cost. Does not support Adobe Flash; it uses HTML 5 instead. | Browser supports Flash and has very good accessibility thanks to the shortcuts. However, the displayed screen is too small. |
| Texting | Precise voice input service. More difficult to type due to the absence of a physical keyboard. | Good implementation of features that read the text message aloud. It is also possible to dictate messages by voice. | Free messages with iMessage, including videos, pictures, sounds and group chat. More difficult to type due to the absence of a physical keyboard. | Easier to text with the physical keyboard. Also has its own instant messaging system, very useful between business colleagues. |
| Music | Supports many music formats and the market offers many applications for listening to music. Also allows syncing music with the computer thanks to "Google Music". | The Zune music player has improved compared to the previous one. Can sync wirelessly. | Very good for music. Perfect and comfortable synchronization with iTunes. However, it forces the user to use iTunes for loading music. | Not very good for listening to music, but it has improved considerably compared with previous versions. |
| Videos & Photos | Good quality pictures and videos. Camera performance is good, without lag. Panoramic shots and the possibility of uploading pictures to Google+. 5-inch screens. | Not very good camera. The quality of the pictures and videos taken is not good. | Very good quality pictures and videos. Possibility of using FaceTime for video calling. Colour brightness is not 100% realistic. | 4.3-inch screens. Easy to share pictures on social media. Can recognise text in pictures. |
| Games | Due to the variety of handsets it is not possible to create high quality games for every device. However, the system has the power for it. | Thanks to Xbox Live integration in Windows Phone, the experience has improved. | Many games with high quality graphics. Fun and good feedback. | Small library of games. Poor quality graphics. |
| Handset | Many phone models for every kind of person: cheap, expensive, with or without keyboard, among others. | Many phone models for every kind of person: cheap, expensive, with or without keyboard, among others. | There is only one device to choose from. However, the smart design and high technology are worth it. | Good and durable phones with a business-style look. However, the quality is not as good as the rest of the competitors. |
| Battery & External Memory | Battery life does not last long. Expandable memory. | Average battery life. Expandable memory. | Does not have a removable battery and it does not last long either. The memory has a similar problem: it is not removable and therefore not expandable. | Battery life is very good. Expandable memory. |
The main reason why the forensic methodologies in this document are applied to iOS and not to the other systems is that, as outlined in Figure 2-1, iOS is currently one of the most successful mobile phone systems. However, because of its licensing and protection it is difficult to extract information from the iPhone, as the platform does not expose all of its functionality. This is one of the main challenges to face: seeing how much information can be obtained by digging inside the handset.
Section 2.2 showed what information can be expected on a mobile phone, highlighting at least two main sources of data: the handset itself and the SIM card.
Even though most of the data can be obtained from the main device, if the user erases information the investigator may still find pieces of it stored on the SIM card, such as SMS or numbers called, which can be useful to the case.
Most of the information, as explained before, is stored in the handset. However, data can be stored not only in the phone's flash memory but also on external media such as Mini SD cards or other types of external memory. Most of the information found on a first pass will be pictures, videos, music and documents; digging deeper, the investigator will find the rest, such as calls, SMS, network settings, applications, games and emails, stored in databases or configuration files as the iPhone does.
Even though iPhones look quite similar to one another, another issue to bear in mind while an iPhone handset is being processed is its version. The biggest difference, as explained before, is the storage encryption on the iPhone 4. Acquiring a physical image from a model prior to the iPhone 4 is therefore easier, because the encryption does not have to be defeated. However, iOS 3 brought encrypted logical backups, so when analysing a backup from iOS 3 onwards it is important to know that it may need to be decrypted first.
Furthermore, after the introduction to the iOS file system, it is possible to understand that when the device is turned on it goes through the memory in sequential order until it finds the boot blocks. This is where the jailbreak payload resides, and what allows third-party software to execute.
Making a good image is vital to the case, because if it is not done properly it can be the cause of an unsuccessful investigation. That is why it is important to keep every step well documented and to be extra cautious during the process. This is not just for the sake of the examiner at trial, but also for the whole team if they later want to learn how to do things properly. Moreover, it is good practice for when the investigator is at trial and others have to redo the same steps and reach the same result.
The most important ideas to keep from this chapter are: whenever possible create one master copy and one working copy of each item of evidence, verify the copies to know that they are correct, and document every single step taken.
Regarding the tools on the market and the different acquisition methodologies, most of them are very easy to use and have a friendly user interface that guides the investigator through every step, leaving little room for mistakes. This is helpful when the later investigation is going to depend on the quality and output of the image. However, they cost a lot of money, and not many companies or services can afford them if they do not have many mobile forensic cases. This can lead the investigator to choose open and free tools such as dd for creating the image, OpenSSH for transferring it to the laboratory and JuicePhone for extracting the information from the image. These tools can be used together with Zdziarski's methodology, obtaining a good quality bit-for-bit image.
Finally, it is completely inadvisable to perform a disassembling (chip-off) acquisition on an iPhone. The risks that have to be assumed with this technique are too high and the consequences unpredictable.
3 Tool Analysis
This chapter introduces the tools that will be used in the development chapter through an analysis of the iPhone that is going to be acquired. Another important fact to bear in mind is that the development will be done with one iPhone 3GS and one iPhone 4.
Therefore, the first challenge is how to proceed with the encrypted iPhone and what steps the investigator should follow for a physical or logical acquisition (Section 3.1). The next section highlights how some of the tables inside the iPhone databases are related, what kinds of databases the examiner can find and how to query them (Section 3.2). After that, property list files are introduced along with a friendlier way of reading them (Section 3.3).
Most of the forensic tools used during the acquisition for imaging, cracking the backup encryption and extracting the information from the backups or mailboxes are explained afterwards (Sections 3.4 and 3.5). Finally, other tools such as iTunes for synchronization and QuickTime for reading picture and video metadata, among others, are presented together with what they will be used for (Section 3.6).
3.1 iPhone Encryption and acquisition steps to follow
As the iPhone 4 is encrypted, the physical acquisition will be done on the iPhone 3GS, installing all the needed tools on it and showing the process until the data is stored on the lab computer in readable form. The steps will be:
1. Install the support tools on the iPhone and on the computer.
a. Exploit (jailbreak)
b. SSH connection
c. Forensic tools
d. Cydia
2. Image the whole device.
For the logical acquisition, the iPhone 4 will be used. First, a password-protected backup of the phone will be made with iTunes; this allows data such as the keychain passwords to be recovered. After that, the backup will be decrypted so that it can be processed with the extraction tool File Juicer, which extracts the information organized in the same way as on the host's phone.
Once the data from the phone has been extracted with either of the two options above, it can be analysed. However, the data is divided into two different partitions, the System partition and the User partition, so each needs to be investigated separately.
The analysis will try to gather everything possible using free tools or demo versions that are sufficient for the purposes of this dissertation. The main commercial tools are very expensive or only accessible to law enforcement, so they will not be used. It is not only a matter of money: it is good to understand how to use different tools separately instead of a single tool where the investigator clicks two buttons and does not know what is happening in the background.
3.2 Databases Infrastructure
3.2.1 Databases structure
iOS stores information in small SQLite databases with the file extension .db or .sqlite. First, it is interesting to look at an example of how some of the databases are related. As seen in Figure 3-1, one example is the call log database at the top right. On the phone, when users look at the log they see the caller's name and, by tapping it, they gain access to the rest of that contact's information in the address book. This is shown in the figure by a relational link between addressbook.db and call.db. The SMS service is another example of how information is correlated between the calls, the address book and SMS.
Figure 3-1 iOS Database structure
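The relationship the figure describes, as an added example (not code from the dissertation) using Python's built-in sqlite3 module. The schemas and rows are a constructed, simplified stand-in for the call, SMS and address book databases (the real iOS schemas differ), built in memory so it runs offline. It shows that calls and messages store only the phone number, that the name is recovered by joining against the address book, and that deleting a contact removes the link but not the call record itself.

```python
"""Joining an iPhone-style call log against the address book with sqlite3.

Added example, not from the dissertation. Schemas, numbers, names and
timestamps are constructed and simplified; real iOS databases differ.
"""
import sqlite3


def build_sample_db():
    """Constructed address book, call log and SMS tables in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE person  (id INTEGER PRIMARY KEY, first TEXT, last TEXT);
        CREATE TABLE phone   (person_id INTEGER, number TEXT);
        CREATE TABLE call    (id INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, duration INTEGER, direction TEXT);
        CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, text TEXT);
    """)
    con.executemany("INSERT INTO person VALUES (?, ?, ?)",
                    [(1, "Alice", "Smith"), (2, "Bob", "Jones")])
    con.executemany("INSERT INTO phone VALUES (?, ?)",
                    [(1, "+441310000001"), (2, "+441310000002")])
    # Unix timestamps and durations in seconds; direction is simplified.
    con.executemany("INSERT INTO call VALUES (?, ?, ?, ?, ?)", [
        (1, "+441310000001", 1333000000, 120, "incoming"),
        (2, "+441310000002", 1333003600, 45, "outgoing"),
        (3, "+441310000099", 1333007200, 0, "missed"),   # not in address book
    ])
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (1, "+441310000002", 1333001000, "meet at 7?"),
        (2, "+441310000001", 1333002000, "running late"),
    ])
    con.commit()
    return con


def calls_with_names(con):
    """Resolve each call's number to a contact name (None if unknown).

    LEFT JOIN keeps calls whose number has no address book entry.
    """
    rows = con.execute("""
        SELECT c.id, c.address, c.direction, c.duration,
               p.first || ' ' || p.last AS name
        FROM call AS c
        LEFT JOIN phone  AS ph ON ph.number = c.address
        LEFT JOIN person AS p  ON p.id = ph.person_id
        ORDER BY c.date
    """).fetchall()
    return [{"id": r[0], "number": r[1], "direction": r[2],
             "duration": r[3], "name": r[4]} for r in rows]


def activity_for_number(con, number):
    """Everything tied to one number across calls and SMS, ordered by time."""
    rows = con.execute("""
        SELECT date, 'call' AS kind, direction AS detail FROM call WHERE address = ?
        UNION ALL
        SELECT date, 'sms', text FROM message WHERE address = ?
        ORDER BY date
    """, (number, number)).fetchall()
    return [{"date": r[0], "kind": r[1], "detail": r[2]} for r in rows]


def delete_contact(con, person_id):
    """Simulate the user deleting a contact: only the address book changes,
    the call and SMS rows that reference the number remain."""
    con.execute("DELETE FROM phone WHERE person_id = ?", (person_id,))
    con.execute("DELETE FROM person WHERE id = ?", (person_id,))
    con.commit()


if __name__ == "__main__":
    db = build_sample_db()
    for c in calls_with_names(db):
        print(c)
    delete_contact(db, 2)
    print("after deleting Bob:", calls_with_names(db)[1])
```

On a real image the same queries are run against the copied database files with `sqlite3.connect(path)`; the point for the examiner is that the call and message tables keep the number even when the contact that gave it a name is gone.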
3.2.2 Databases tools
There are applications for querying these databases and extracting information from them. One of the most widely used, and freeware, is "SQLite Database Browser", shown in Figure 3-2. It is user friendly and allows the investigator to see the database structure or look at a table's contents with just a few clicks. It also makes it possible to execute queries, and the databases are easy to move from one place to another because of their portability. However, its engine is not very powerful and it is not a good idea to execute long, time-consuming queries in it.
Figure 3-2 SQLite Database Browser interface
Another application, for those who do not mind paying, is Froq, shown in Figure 3-3. This tool is developed by Alwin Troost. It is more powerful than SQLite Database Browser and allows the user to export results to another format such as PDF or Excel for reports. However, it is not as easy to use as SQLite Database Browser and a connection to the database has to be configured beforehand.
Figure 3-3 Froq interface
3.3 Property list tools
Property lists are the configuration files of iOS, stored on the device in the ".plist" format, either as XML or in Apple's binary plist encoding. To read these documents, the MacBook has a tool installed called "Property List Editor". It is optional but can be found on the developer tools CD or downloaded from Apple's website. Property List Editor presents the XML (or binary) content in a readable way; Figure 3-4 shows how a file is displayed with this tool.
Figure 3-4 Difference reading XML format and .plist format
Another program besides Apple's native Property List Editor is "OmniOutliner". Some of its advantages are that it allows the user to export the data and to expand all the keys.
Once Property List Editor or OmniOutliner is installed, the easiest approach is to right-click one of the ".plist" files and select "Get Info". There, under "Open with", select the preferred application for property list files and click "Change All..." as shown in Figure 3-5.
Figure 3-5 Open With option
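Reading the same files without Property List Editor, as an added example (not code from the dissertation) using Python's standard plistlib. The property list content and its key names are constructed for illustration and do not come from a real iOS file. It shows the XML encoding the text mentions next to the binary "bplist00" encoding used by most files on the device, and produces the fully expanded key/value view that the editor shows.

```python
"""Reading .plist files in XML or binary form with plistlib.

Added example, not from the dissertation. SAMPLE and its key names are
constructed; they are not a real iOS preference file.
"""
import plistlib

SAMPLE = {                       # constructed content
    "DeviceName": "iPhone 3GS",
    "AutoLockSeconds": 300,
    "PasscodeSet": True,
    "WiFi": {
        "KnownNetworks": [
            {"SSID_STR": "lab-wifi", "Hidden": False},
            {"SSID_STR": "cafe", "Hidden": True},
        ]
    },
}


def to_xml(obj):
    """Serialise as the XML plist the text describes."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML)


def to_binary(obj):
    """Serialise as a binary plist, which is not readable in a text editor."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


def plist_format(data):
    """Identify the encoding from the first bytes of the file."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def load_any(data):
    """plistlib.loads detects XML versus binary on its own."""
    return plistlib.loads(data)


def flatten(obj, prefix=""):
    """Expand every key into (dotted path, value) pairs, like the fully
    expanded tree in Property List Editor."""
    rows = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            rows.extend(flatten(v, f"{prefix}.{k}" if prefix else str(k)))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            rows.extend(flatten(v, f"{prefix}[{i}]"))
    else:
        rows.append((prefix, obj))
    return rows


def dump(data):
    """Readable lines for the raw bytes of a plist file, whatever its encoding."""
    return [f"{path} = {value!r}" for path, value in flatten(load_any(data))]


if __name__ == "__main__":
    raw = to_binary(SAMPLE)
    print("format:", plist_format(raw))
    for line in dump(raw):
        print(line)
```

On a copied image, `dump(open(path, "rb").read())` gives the same listing for every .plist under the Library folders, which is handy when hundreds of files need to be skimmed rather than opened one by one.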
3.4 Mail Exporting
The key packages used for email exporting are Emailchemy and File Juicer.
Emailchemy converts the mailboxes from the mobile phone's proprietary format into a more standard format. It works on Windows, Linux and Mac. It is not a free product, but the demo allows the information to be extracted with the subject and sender information blurred (Weird Kid Software).
File Juicer can be used to open the IMAP mail. It takes the IMAP folders and parses the mail and the attachments embedded in it. Therefore, its most useful feature is the extraction of attachments that could incriminate the suspect or be sensitive for the investigation. (File Juicer)
3.5 Forensic Tools
The key packages used for acquisition and extraction are RedSn0w, Cydia, dd, Netcat, OpenSSH, Elcomsoft Phone Password Breaker and JuicePhone.
RedSn0w is a jailbreak tool that exploits a vulnerability in the iOS device's boot chain. The exploit installs a payload in the boot process which, once the device is restarted, gives the user unrestricted access to the device's resources. Other tools similar to RedSn0w are greenpois0n and limera1n.
Cydia is an application for the iPhone, iPad and iPod that allows the user to install applications that have not passed Apple's App Store review. It also allows the user to modify the look of the device, such as icons, docks, status bars and so on. To find these applications, Cydia links to them by adding repository sources.
dd makes it possible to copy raw data, allowing the investigator to create a duplicate of the forensic evidence. It has no GUI and is used from a terminal window, specifying the input file, the output file and the block size used for the copy.
Netcat reads and writes data across the network over TCP/IP. It works by listening on a port on one side and specifying where the output goes; on the other side, the investigator specifies what is sent through the pipe together with the address and port of the listening server. This sets up a plain connection between both points and transfers the data. Note that Netcat provides neither encryption nor authentication, so the image received must be hash-verified against the source at the laboratory end. The client has to be installed on the phone and is downloaded from a Cydia repository.
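The exchange described above, as an added example (not code from the dissertation) written with Python sockets rather than Netcat so it runs offline: the laboratory side listens on a port and writes whatever arrives to a file, the phone side streams the raw image (what the output of dd would be) to that address and port, and because the channel is unencrypted and unauthenticated both ends hash the bytes independently and the image is accepted only when the digests and byte counts agree. Host, port, chunk sizes and the sample image are assumptions; the "image" is a constructed random file.

```python
"""Streaming a raw image over TCP with end-to-end hash verification.

Added example, not from the dissertation. Localhost, port 0 (let the OS
pick), the chunk sizes and the constructed source file are assumptions.
"""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 1 << 16   # receive buffer size


def start_receiver(dest_path, host="127.0.0.1"):
    """Laboratory side: listen, write the stream to dest_path, hash it.

    Returns (port, thread, result); result is filled in when the sender
    closes its side of the connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, _ = srv.accept()
        sha = hashlib.sha256()
        size = 0
        with conn, open(dest_path, "wb") as out:
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:          # sender shut down its write side
                    break
                out.write(chunk)
                sha.update(chunk)
                size += len(chunk)
        srv.close()
        result["sha256"] = sha.hexdigest()
        result["bytes"] = size

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t, result


def send_image(src_path, host, port, block_size=4096):
    """Phone side: stream src_path in dd-sized blocks and hash what was sent."""
    sha = hashlib.sha256()
    sent = 0
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            s.sendall(chunk)
            sha.update(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)     # signal end of stream, like nc closing
    return {"sha256": sha.hexdigest(), "bytes": sent}


def transfer_and_verify(src_path, dest_path):
    """Run both sides locally and compare the two independent digests."""
    port, thread, received = start_receiver(dest_path)
    sent = send_image(src_path, "127.0.0.1", port)
    thread.join(timeout=30)
    ok = (received.get("sha256") == sent["sha256"]
          and received.get("bytes") == sent["bytes"])
    return {"verified": ok, "sent": sent, "received": received}


def demo():
    """Transfer a constructed 200,000-byte stand-in for a dd image."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "rdisk0s2.dd")      # constructed, not a real image
    with open(src, "wb") as f:
        f.write(os.urandom(200_000))
    return transfer_and_verify(src, os.path.join(tmp, "received.dd"))


if __name__ == "__main__":
    print(demo())
```

With real Netcat the sender's digest comes from hashing the device on the phone (for example `md5` over the same block device) and the receiver's from hashing the file that arrived; the comparison step is the same and is what makes an unauthenticated transfer acceptable as evidence handling.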
OpenSSH is a free implementation of the SSH protocol. SSH encrypts all the traffic, making it difficult to read the content of the transmission, so it is a secure transport. The package runs a server (sshd) that listens on port 22 and can be accessed with PuTTY or any other SSH client. (OpenSSH)
Elcomsoft Phone Password Breaker allows the investigator to access encrypted backups from mobile devices such as iPhones, iPads, iPods and BlackBerrys. Even if the backup is protected with a password, the software attacks it with dictionary and brute-force attacks and displays the password at the end of the process; whether this succeeds in reasonable time depends on the strength of the password. This tool is not free, but the demo version allows the backup password to be cracked and the backup decrypted. (Elcomsoft)
JuicePhone extracts the information from the logical backups made by iTunes. Among the information that can be extracted are notes, emails, applications, games, pictures and videos. It also shows device information such as the version or username. It does not work well with encrypted backups, so these need to be decrypted before using JuicePhone. This tool is free. (AddPod, 2011)
3.6 Other Tools
The other tools used are: Keith’s iPod Photo Reader, iTunes, Preview and QuickTime.
Keith's iPod Photo Reader allows viewing photos stored on the iPhone that were transferred with iTunes and relate to music, such as album covers. These images are stored in files with the .ithmb extension. The tool reads this format and presents a library of thumbnails, each of which can be expanded to full size. (Wiley, 2011)
iTunes is Apple's media player. It can be used to play, download and organize music and video files. More importantly, it manages the contents of Apple devices such as iPhones, iPods and iPads. It is used for transferring most of the information stored on the device, such as purchases, programs, pictures and videos. It also creates backups of the whole device, producing a logical image of the live information on the iPhone. The software is multiplatform and can be used on Windows and Mac. (Apple)
Preview is the default Mac OS X application for displaying pictures, PDF documents and other files. In this investigation it is mostly used for opening pictures and showing the information embedded in them, such as GPS annotations. (Wikipedia, 2011)
QuickTime is Apple's proprietary software for playing different video formats. In the development stage it is used to display information about the videos and their metadata, such as the location where a video was recorded. It has versions for Windows and Mac OS X. (Apple)
3.7 Chapter Conclusions
The information contained in the iPhone is divided into property lists and databases, apart from the multimedia content. The databases yield a significant amount of information even when it has been erased from the device: the link may be gone, but the information itself could still be there.
All the tools that will be used are freeware or demo versions that behave like the full product for this purpose. For this research these tools are sufficient, but in a real case it would be better to use a certified or standardized tool. Some of the tools are perhaps not the best option, such as iTunes for acquiring the device: if it is not used carefully it can synchronize with the investigator's computer and erase all the information from the phone. However, it creates logical backups, and those backups can be decrypted and analysed.
Even though in this example one of the payloads is installed using an exploit, jailbreaking is legal in the USA, and even certified tools such as Oxygen and Cellebrite install a payload on the system partition that lets them execute their own code on the iPhone at start-up. Hence there is no problem in jailbreaking the phone or using a payload. In addition, using redsn0w shows the complete process of what happens in the background when an iPhone is jailbroken.
4 Development
iPhone devices contain a great deal of data and sensitive information: not only address books, call history and text messages but also information from third-party applications. Moreover, users can create files on the phone with applications such as iWork, iMovie and many others.
Therefore, this chapter starts by analysing the disk structure of the handset's flash memory (Section 4.1). It then explains how the logical acquisition was done (Section 4.2) and the physical acquisition of the iPhone 3GS, a bit-for-bit copy of the data partition (Section 4.3). Next, the iOS System partition is analysed to check what information it holds (Section 4.4), and likewise the iOS Data partition, which contains everything stored by the user such as pictures, music and videos (Section 4.5).
Finally, the Library and Media folders of the second partition are analysed separately due to the large amount of information they contain (Sections 4.6 and 4.7 respectively).
4.1 iOS disk analysis
Figure 4-1 shows that the device volume is divided into two partitions in HFSX format. The first line refers to the Master Boot Record (MBR). It is one sector long and is responsible for starting up the operating system on the iPhone. After it there is a free space of about 62 sectors, and the main partition follows this free space. This partition holds the operating system files. Finally, the second main partition stores user data such as applications, passwords and so on.
Figure 4-1 iOS disk information
4.2 iPhone logical acquisition
iTunes can be used to make a logical copy of the iPhone data. The main problem is that deleted data or folders cannot be retrieved with this method. Another big issue is that if the examiner synchronises the iPhone with a computer other than the host's, all the information, movies and music will be erased because of Digital Rights Management (DRM). Therefore all the purchases from the Apple Store, music, data and videos would be lost, and the only remaining option would be to inspect the host computer.
iTunes creates a backup of the phone when the computer is synchronised with the device, when a software update is installed or when the phone is restored to its original settings.
As said previously, this type of backup only stores information that has not been deleted. This is the same information that can be found on the second partition of the device.
The information found in the backups includes the stored contacts, application settings, preferences, auto-fill data for web pages, calendar accounts, calendar events, call logs, photos, screenshots, saved images, saved videos, recent searches, bookmarks of favourite websites, network settings, saved Wi-Fi spots, VPN settings, notes, databases used by the applications, configuration of paired Bluetooth devices, SMS and MMS including embedded videos or pictures, voice recordings, wallpapers, web clips, pages recently opened in Safari, YouTube bookmarks or history, and passwords used.
In the summary preferences iTunes offers the option of encrypting the backup. When the encryption option is selected, a password has to be set. This password must be entered when restoring the device from the encrypted backup. If the password is forgotten the device cannot be restored from that backup, but new backups can still be made and the device can still be restored from other backups. On Mac OS X there is an option to remember the password in the system keychain; therefore, if the host keychain is cracked, it is possible to recover the passwords. It is important to know that the passwords stored on the device are only backed up when the "encrypted backup" option is selected. If this option is not selected, the passwords will have to be entered again. Figure 4-2 shows how to encrypt a logical backup in iTunes.
Figure 4-2 Setting up password for the backup
It is important to know where iTunes stores all the information. On a Mac OS X system, iTunes uses a different path from Windows for storing music, ringtones and applications: /Users/*username*/Music/iTunes/. On Windows the path depends on the version: on XP this information is stored in \Documents and Settings\*username*\My Documents\My Music\iTunes\, while on Vista or 7 it can be found in \Users\*username*\My music\iTunes\.
4.2.1 Backup creation
To create the backup manually, the iPhone needs to be connected to the host computer. It is important to avoid steps such as updating the firmware, synchronising libraries and so on, because these could modify the information inside the phone or even lose it. After connecting the iPhone, the user can see information such as the name of the phone, its capacity, the software version it is running, the serial number and the phone number in use, as shown in Figure 4-3. After that, the investigator selects the "Back Up" option by right-clicking the device name on the left panel.
Figure 4-3 Information from the device
This option performs an incremental backup, adding the data that changed since the previous backup made at the last sync. These backups are stored in the iTunes Sync folder, whose location depends on the system. Mac OS X uses the path ~/Library/Application Support/MobileSync/Backup/, while on Windows XP it can be found at \Documents and Settings\*username*\Application Data\Apple Computer\MobileSync\Backup\. Windows Vista or 7 stores it in \Users\*username*\AppData\Roaming\Apple Computer\MobileSync\Backup\. Figure 4-5 shows the Mac OS X folder containing the created backups.
Figure 4-4 Backup RAW files
4.2.2 Backup processing
Most of the data found in the backup folder are RAW files. Because of the nature of these files it is difficult to read sensitive information from them without prior processing. Therefore, the investigator can use different tools to extract the information from the backup, such as Lantern, Susteen Secure View 2, Oxygen Forensic Suite 2010, FTK Imager, iPhone Backup Extractor or JuicePhone.
Because the investigation is run in a Mac laboratory using free tools, the chosen program is JuicePhone. At this point the biggest difference between backups is whether they were encrypted during creation or not. As said before, the major advantage of an encrypted backup is that the passwords are stored, whereas in a non-encrypted one they are not. If the investigator tries to extract information from an encrypted backup, he will find that it is not possible or that more sophisticated tools are needed. Figure 4-6 shows the encryption error message displayed while trying to extract the data. Hence, one possible way of processing encrypted backups is to crack the password of the logical image and store it as non-encrypted. The tool used for this purpose is called "Elcomsoft Phone Password Breaker".
Figure 4-5 Problems extracting encrypted backup
The new version of this program can even break the physical encryption of the new iPhone 4, which is a huge advantage. The free version allows the investigator to crack the password set up during the backup creation process.
4.2.3 Breaking the password
When the program is launched, the investigator provides the path of the logical image. The program identifies the device name, the type of product (iPhone 4, iPad, iPod and so on), the phone number and whether the image is encrypted or not (shown with a lock icon to the left of the selected image), Figure 4-7. After selecting the target image, the program offers to crack the password with an advanced dictionary attack, or a brute-force attack in case the first one fails. In this example, because the password did not follow strong standards, it took less than one second; a difficult password (long, with special characters, upper-case characters and so on) usually takes a long time, even days. Figure 4-8 shows the successful cracking of the password and how many seconds it took. After the password is cracked, the program decrypts the files and puts them in the output directory. Figure 4-9 shows the extraction progress and status. This process can be followed for any encrypted logical backup, allowing the investigator to get past the encryption.
Figure 4-6 Elcomsoft Phone Password Breaker
Figure 4-7 Cracking the password
Figure 4-8 Decrypting the backup
4.2.4 Non-encrypted backup extraction
Once the investigator has a non-encrypted logical image, he can continue extracting all the information stored in the RAW files with the selected tool, JuicePhone in this case. In this tool the investigator can choose between the logical images previously loaded. It shows some details of the device image such as the device name, size, type of device, date of the backup, firmware version, iTunes version used for the backup, serial number of the device, identifier and number of applications installed on the device. Figure 4-10 shows the general information of the device in JuicePhone.
Figure 4-9 Juice Phone device information
The software gives the option of using the device date instead of the computer date when showing the files in "Finder". It has two main types of extraction:
• Custom: the user can select which information to include from the applications, information from the keychain such as passwords, and information from the home folder such as user information, general files and so on.
• Complete: this extracts all the information from the applications, keychain and home directory.
After the extraction process is finished, JuicePhone stores the output in the selected destination path, under a folder with the device name.
Figure 4-11 shows the folder structure saved. There are four main folders:
• Application Data: information from all the applications stored on the device, such as cookies, preferences, logs and databases.
• Home: information from the device such as contacts, emails, SMS, photos, music…
• Keychains: contains the passwords that are stored in databases.
• System Preferences: preferences saved from the phone.
Finally, the investigator has all the sensitive information stored in a readable format. The next phase focuses on gathering information from these databases and the other files that have been extracted.
Figure 4-10 Backup extracted files
4.3 Physical acquisition
This is based on a jailbreaking technique that allows the examiner to install some UNIX tools for extracting a bit-for-bit image of the iPhone. The technique involves altering the firmware of the phone; hence, in court, some attorneys or lawyers may use this point to challenge the examiner's evidence.
4.3.1 Setting up the iPhone
Because iOS is a closed operating system, it does not allow the user to do whatever he wants. It is restricted software based on UNIX that could offer many more possibilities but is currently a "virtual jail". That is why a "jailbreak", which lets the user break those fictional walls, allows the investigator to install unsigned third-party software such as Cydia, an SSH listener and so on.
4.3.2 Jailbreaking the iPhone
First, it is important to know the basic difference between Original Firmware (OFW) and Custom Firmware (CFW). The main difference is that the OFW is a kernel released by the software provider, and the CFW is a modified version of a specific OFW. Therefore, depending on the device the investigator has in hand and the OFW version it is running, a corresponding CFW is used.
For this example, an iPhone 4 with iOS 4.3.4 will be used. Some tools need to be downloaded before starting:
• 4.3.3 OFW: http://appldnld.apple.com/iPhone4/041-1011.20110503.q7fGc/iPhone3,1_4.3.3_8J2_Restore.ipsw
• Redsn0w version 0.9.6rc17:
o Mac: https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc17.zip?attredirects=0
o Windows: https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc17.zip?attredirects=0
• iTunes: www.apple.com/es/itunes/download/
After extracting Redsn0w, the iPhone needs to be updated to the latest version, 4.3.3, if it is not already. Therefore, select the device in the iTunes left panel and, holding the Shift key, click the Restore button as in Figure 4-12. A window opens for selecting the downloaded .ipsw. When the restore process has finished, Redsn0w can be run as shown in Figure 4-13. Then select the downloaded .ipsw and, on the next screen, select "Install Cydia" as in Figure 4-14.
Figure 4-11 Restoring option while jailbreaking
Figure 4-12 Redsn0w
Figure 4-13 Redsn0w installing options
After that, the user has to switch off the device and put it into Device Firmware Upgrade (DFU) mode, which is similar to a recovery mode. To enter DFU mode, hold the "Power" button for 3 seconds, then hold the "Power" and "Home" buttons together for 10 seconds, and finally release the "Power" button while continuing to hold the "Home" button for 15 seconds.
At the end, the program restarts the device and reports that the process is done. When the phone restarts, it shows a new application called Cydia. The first thing to do after the restart is to go to "General Settings", set the "Auto Lock" option to "Never" and disable the "Passcode Lock", Figure 4-15. This is done because, while the physical image is being created, the transfer could be cancelled if the device enters "Sleep mode".
Figure 4-14 iPhone general configuration
4.3.3 Installing OpenSSH and Netcat
The investigator needs to connect to the device from his computer in order to create an image and send it back. Therefore, a remote daemon called OpenSSH is installed on the iPhone, which allows the connection through port 22 and has the additional advantage of being encrypted. Because the image cannot be sent by default, Netcat is also installed to create a pipe that listens on a different port on the investigator's computer, Figure 4-16.
Figure 4-15 OpenSSH and Netcat installation
4.3.4 Setting up an internal network
The best way to connect the investigator's computer to the device is via a Wi-Fi access point. Once both are on the same network, the investigator can ping the iPhone to test the connection (the iPhone's IP address can be found in the connected network's values). A reply means that the computer can reach the device, Figure 4-17. After that, the investigator can proceed to image the device.
As mentioned before, the iPhone disk is divided into two partitions. In this case disk0s1 is the whole disk, the first partition is disk0s1s1 and the second partition is disk0s1s2. Therefore, this example images the whole disk, disk0s1, and sends it through the pipe created on the computer with Netcat.
Figure 4-16 Ping to the device
When attempting to connect via SSH, the system asks for a password. Apple uses two passwords: "Alpine", which is the most common one, and "dottie". The file is created in the directory where Netcat was run on the user's computer. Once it has been proved that the connection can be established, the data partition needs to be unmounted and mounted again as read-only to avoid changes. This can be done with the mount and umount commands provided by the system. Next, a hash of the partition needs to be calculated for future verification of the data; in this case MD5 has been used. Finally, the raw image is created with a .dd extension and can be mounted for further analysis, as shown in Figure 4-18.
Figure 4-17 DD Process using Netcat pipe and SSH connection
Before mounting the image, it was verified that the copy's integrity matches the original by calculating the MD5 again and comparing it with the original. The comparison was successful, showing that the copy and the original were identical.
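The verification step just described, as an added Python example (it is not part of the dissertation's own procedure): the hash printed on the device is parsed from either the BSD "MD5 (file) = hex" layout or the coreutils "hex  file" layout, the received .dd file is hashed in chunks so a multi-gigabyte image is never loaded into memory, and both values are returned so they can be recorded whatever the outcome. The sample image bytes and the device hash line in demo() are constructed for the demonstration; the device path /dev/rdisk0s1 in the sample line is only a placeholder.

```python
"""Integrity check for a dd image received over the Netcat pipe.

Added example, not the dissertation's own tooling. Assumes the examiner noted
the MD5 line printed on the device and wants to confirm the image written on
the workstation matches it. Sample data below is constructed.
"""
import hashlib
import os
import re
import tempfile

# Read in 1 MiB chunks so a multi-gigabyte .dd file is never loaded at once.
CHUNK = 1024 * 1024


def md5_of_file(path, chunk_size=CHUNK):
    """Return the hex MD5 digest of a file, streamed in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


# Both common layouts of hash-tool output:
#   BSD md5:       MD5 (/dev/rdisk0s1) = <32 hex>
#   coreutils:     <32 hex>  /dev/rdisk0s1
_BSD = re.compile(r"^MD5 \((?P<file>.+)\) = (?P<hash>[0-9a-fA-F]{32})$")
_GNU = re.compile(r"^(?P<hash>[0-9a-fA-F]{32})\s+\*?(?P<file>.+)$")


def parse_md5_line(line):
    """Extract (filename, lower-case hex digest) from a line printed on the device."""
    line = line.strip()
    for pattern in (_BSD, _GNU):
        m = pattern.match(line)
        if m:
            return m.group("file"), m.group("hash").lower()
    raise ValueError("unrecognised hash line: %r" % line)


def verify_image(image_path, device_hash_line):
    """Compare the image hash with the one computed on the device.

    Returns (matches, device_hash, image_hash) so both values can be written
    into the examiner's notes even when they differ.
    """
    _, expected = parse_md5_line(device_hash_line)
    actual = md5_of_file(image_path)
    return actual == expected, expected, actual


def demo():
    """Run on a constructed image; returns (clean_ok, tampered_ok, hashes_equal)."""
    # Constructed sample standing in for the partition stream (not real iOS data).
    sample = b"HFSX" + bytes(range(256)) * 16
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    try:
        # Stand-in for the line the device printed; computed here for the demo.
        device_line = "MD5 (/dev/rdisk0s1) = " + hashlib.md5(sample).hexdigest()
        ok, expected, actual = verify_image(path, device_line)
        # Appending a single byte must turn the result into a mismatch.
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        tampered_ok, _, _ = verify_image(path, device_line)
        return ok, tampered_ok, expected == actual
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Hashing the device side before the transfer and the workstation copy afterwards, as the text does, is what makes the comparison meaningful; hashing only the received file proves nothing about what left the phone.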
4.4 iOS System partition
The first partition has a size of between 0.5 and 1 GB depending on the phone model. However, if the phone is jailbroken, this size can be manipulated. Usually Apple labels the first partition with a name and a number that refers to the firmware version. The partition uses the HFSX file system and is where the operating system is stored. The folder structure is shown in Figure 4-19.
Figure 4-18 System partition
Going through the folder structure in detail, the first thing that stands out is that entries such as "Applications", "etc", "tmp", "User" or "var" are links to the real folders, which are stored on the first and second partitions. These are where those links point:
• Applications: /var/stash/ on the second partition.
• etc: /private/etc. This folder contains the password file named "passwd", which holds the two most important users for connecting to the device: root and mobile. In the same folder there is another file called "master.passwd" that is an exact copy of "passwd". Mobile has a user id and group id of 501. It also has the same DES-encrypted password as root, "smx7MYTQIi2M", which is "Alpine", Figure 4-20. Mobile is a restricted user that has access, for example, to contacts, SMS and call logs. It is also responsible for synchronising the iPhone with iTunes.
Figure 4-19 Passwd file from system partition
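A small triage of the passwd file described above, written as an added Python example (not the dissertation's own tooling): it parses the seven-field BSD passwd layout and flags uid 0 accounts, accounts still carrying the hash the text reports for root and mobile, and any hash shared by more than one account. SAMPLE_PASSWD is constructed for the demonstration and only mirrors the root and mobile entries discussed in the text; the other two lines are filler.

```python
"""Triage of /private/etc/passwd from the iOS system partition.

Added example; not code from the dissertation. SAMPLE_PASSWD is a constructed
stand-in, not a copy of a real device file.
"""
from collections import defaultdict, namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name hash uid gid gecos home shell")

# Hash the text reports for both root and mobile on the examined device.
DEFAULT_HASH = "smx7MYTQIi2M"

# Constructed sample in the BSD passwd layout (name:hash:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
# comment lines and blank lines are ignored
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
"""

# Hash fields that mean "no password login possible" rather than a real hash.
LOCKED = ("*", "!", "")


def parse_passwd(text):
    """Return a list of PasswdEntry, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def shared_hashes(entries):
    """Map each hash used by more than one login-capable account to those accounts."""
    by_hash = defaultdict(list)
    for e in entries:
        if e.hash not in LOCKED:
            by_hash[e.hash].append(e.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def findings(text):
    """Return (account, finding) pairs an examiner would note in the report."""
    entries = parse_passwd(text)
    out = []
    for e in entries:
        if e.uid == 0:
            out.append((e.name, "uid 0 account"))
        if e.hash == DEFAULT_HASH:
            out.append((e.name, "default password hash"))
    for h, names in shared_hashes(entries).items():
        out.append((",".join(sorted(names)), "shared hash " + h))
    return out


if __name__ == "__main__":
    for account, note in findings(SAMPLE_PASSWD):
        print("%-12s %s" % (account, note))
```

The same check run against master.passwd should give identical output, which is a quick way to confirm the text's observation that the two files are copies.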
The main folders contain the following:
• bin: contains the binaries for the console commands. This folder is created and populated when jailbreaking. These binaries (dd, nc, mount…) are what allow the investigator to make the images.
• boot, cores and Developer: empty folders.
• lib: the library folder; it is empty.
• Library: the local library folder for the system. Most of the files in this folder are system settings, so there is nothing sensitive for an investigation.
• sbin: more command-line binaries that are also used in OS X. The jailbreaking process installs some of the commands residing here.
• System: inside this folder some of the most important files are:
o /Library/CoreServices/SystemVersion.plist: gives the build version of the device, Figure 4-21.
o /Library/DataClassMigrator: has the executable for Calendar and Address Book migration. It also references libraries related to the syncing process of the Address Book and Calendar.
o /Library/LaunchDaemons: this folder stores items that start automatically, such as AddressBook.plist, Figure 4-22.
Figure 4-21 Information from the Address Book daemon
As can be seen, the user "Mobile" is associated with the "AddressBook" daemon, which starts automatically while synchronising with iTunes. This confirms the information given previously about the "Mobile" user and its restricted privileges.
There is not much sensitive information on the first partition for a forensic investigation. There are many .plist files, but the most important information is the one already described.
4.5 iOS Data partition
The second partition is where all the important information resides and where investigators will spend most of their time, because it contains all the live data.
Figure 4-23 shows the folder structure of the second partition:
Figure 4-20 Information about the device build version
A more detailed explanation follows:
• db: under this folder there are 2 important folders with important information:
o dhcpclient: a file that contains the last network settings the device was connected with, such as the IP address given, the lease length, when it was given and by whom, Figure 4-24.
Figure 4-23 Last network connection settings
o timezone: here the investigator can find the time zone settings. However, the local time file is just a pointer to /usr/share/zoneinfo/, where the rest of the zones can be found.
• Keychain: contains databases with the passwords. Most of these files are encrypted, and it is difficult to gather information from them:
o Keychain-2db: when this file is opened with a database browser such as SQLite Browser on Mac, it shows encrypted information about accounts, services and the passwords associated with those accounts, as shown in Figure 4-24.
Figure 4-24 Accounts & passwords from keychain-2db
• logs:
o Apple Support: this folder contains a file called "general.log" that specifies the iOS version and build number, the model of the device, the serial number and when the log was created. It also shows a long list of services and when they were run, Figure 4-25.
Figure 4-22 Second partition folder structure
Figure 4-25 General Log
o CrashReporter: this folder contains logs about crashes of services such as MobileSafari, for example when it runs out of memory. However, this information is not very useful for an investigation.
• Mobile: this folder contains most of the important information about the device:
o Applications: here can be found all the applications loaded onto the device via iTunes, or downloaded (paid or free) from the App Store. Each application is identified by a GUID, such as "0A001300-DF26-4CF4-A935-6797DD40E491" for Adobe Reader. Moreover, each application can have the following folder structure inside:
§ library: preferences for the application and its cache, in .plist format.
§ documents: files important for an investigation such as databases, music files and videos, among others. In general, sensitive data for the application.
§ tmp: usually empty.
§ iTunesMetadata.plist: contains information about the application name, purchase information, username and e-mail addresses, as shown in Figure 4-27.
Figure 4-26 Facebook app information
§ iTunesArtwork: dock icon of the application.
§ application.app: the software package. To see the content of the application, just right-click it and select the option "Show Package Contents". This shows the items used by the application such as pictures, music files and commands, Figure 4-28.
Figure 4-27 Facebook app package content
o Library: this folder contains a huge amount of significant information for an investigator and is therefore explained in depth later.
• Folders such as "cache", "Empty", "folders", "lib", "local", "lock", "log", "Managed Preferences" and "log" are empty or hold no evidence to gather.
4.6 Library Folder
This folder contains important information:
Figure 4-28 Address book contacts
Addressbook: inside this folder can be found two SQLite databases, AddressBookImages and AddressBook. AddressBook contains the contacts that are synchronised with the suspect's computer. Here the investigator can see information such as contact names, phone numbers, birthdays, businesses, notes, and when each contact was created or modified. Figure 4-29 outlines one example.
Caches: this folder contains recently accessed information for each application. For example, for "Safari", the iPhone web browser, a .plist with the most recent searches can be found here, along with pictures of the last visited websites under the thumbnail folder, Figure 4-30. Apart from that, there is also data from the last searches done in Google Maps, icons cached during the searches…
Figure 4-29 Cache of last searches and Safari Websites
Calendar: there is a database inside that shows information about all the registered events, including alarms, when they took place, notes… Figure 4-31.
Figure 4-30 Calendar Events
Call History: there is a database inside this folder called "call_history.db", which contains information about the phone numbers called and the duration of the calls. The data does not distinguish between incoming and outgoing calls, nor between received and missed ones, Figure 4-32. However, the date can be converted into a readable one with software such as "CFAbsoluteTimeConverter" or other online tools.
Figure 4-31 Call Log database
Cookies: there is a property list file named "com.apple.itunesstored.plist" which gives information about the domain name and expiration date of cookies, Figure 4-33.
Figure 4-32 Cookies from the iTunes store
Mail: this folder contains information about the e-mail account configuration. The first file that can be found is the account configuration, contained in a file named Account.plist.
Apart from that, all the mailboxes are stored inside this folder, so they can be extracted with the proper software, which is Emailchemy. Once the program is opened, the user has to choose which type of email is going to be imported. In this case, the mailbox type is "Apple Mail", Figure 4-34.
Figure 4-33 Emailchemy, email type
The next step is to select where the mailboxes to be extracted are located. For this purpose the program asks for a path, Figure 4-35.
Figure 4-34 Emailchemy, email path
Finally, it asks for a saving path and, most importantly, the format in which the investigator wants to save the extracted emails. This decides which program will be able to open them, Figure 4-36.
Figure 4-35 Emailchemy, saving path and format
After all the mailboxes are extracted, the emails can be opened with the desired program, as shown in Figure 4-37.
Figure 4-36 Extracted email example
Maps: some important property lists reside here. History.plist contains information from the searches done in Google Maps or planned routes. Some of the information displayed is what the user was searching for, the location where the search was done and the zoom level. Another important property list is Bookmarks, which holds the user's favourite places, Figure 4-38.
Figure 4-37 Searches in Google Maps
Notes: all the information recorded in the Notes.app on the phone is stored in a database called notes.sqlite. Some of the values found there are the note titles, creation dates and contents… However, the note contents may not be very readable, so a good option is to export them to a CSV file, Figure 4-39.
Figure 4-38 Notes.app information
Preferences: under this folder remain the configuration property lists for recent searches, time zone information, bookmarked YouTube videos, favourite phone numbers…
Some of the most important property lists are:
• com.apple.accountsettings.plist: information about the accounts, showing the username, email, hosts and type of account.
• com.apple.locationd.plist: shows whether the GPS location services are enabled.
• com.apple.Maps.plist: when the Wi-Fi alert was shown, the last used latitude, longitude and zoom, and the starting and ending point of the last route plan.
• com.apple.mobilecal.plist: information about the time zone the phone was configured with, showing the country name, city name, latitude, longitude and date.
• com.apple.mobilephone.plist: the device phone number.
• com.apple.mobilesafari.plist: deleted bookmarks and the date the search engines were last used.
• com.apple.Preferences.plist: keyboard language settings.
• com.apple.springboard.plist: Springboard settings such as application identifiers and sounds, and status settings for device lock or wipe…
• com.apple.stocks.plist: list of the stocks tracked by the user.
• com.apple.youtube.dp.plist: last search done in YouTube, codes of the videos the user searched for in the past, and bookmarks.
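Because the Preferences folder holds dozens of property lists with nested dictionaries and arrays, a flattening walker makes it possible to grep them by key path. The following is an added Python example and not the dissertation's own tooling; it relies on the standard plistlib module, which reads both the XML and the binary plist forms. SAMPLE_PLIST is a constructed XML plist whose keys only illustrate the kinds of values the list above mentions (a boolean switch, coordinates, a date, recent searches, binary data); it is not a real Apple preference file and its key names are invented.

```python
"""Flatten property lists from Library/Preferences into dotted key paths.

Added example, not code from the dissertation. SAMPLE_PLIST is constructed and
its keys are hypothetical; the walker itself is generic.
"""
import datetime
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>LocationServicesEnabled</key><true/>
  <key>LastKnownLocation</key>
  <dict>
    <key>Latitude</key><real>55.9533</real>
    <key>Longitude</key><real>-3.1883</real>
    <key>Timestamp</key><date>2011-09-14T10:22:31Z</date>
  </dict>
  <key>RecentSearches</key>
  <array>
    <string>napier university</string>
    <string>edinburgh castle</string>
  </array>
  <key>Token</key><data>AQIDBA==</data>
</dict>
</plist>
"""


def _join(prefix, part):
    return part if not prefix else prefix + "." + part


def _render(value):
    """Turn plist scalars into examiner-friendly values (dates as UTC ISO strings)."""
    if isinstance(value, datetime.datetime):
        # plistlib returns naive datetimes; plist dates are always UTC.
        return value.replace(tzinfo=datetime.timezone.utc).isoformat()
    if isinstance(value, bytes):
        return "<data %d bytes: %s>" % (len(value), value.hex())
    return value


def flatten(node, prefix=""):
    """Yield (dotted.key.path, scalar) for every leaf of a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, _join(prefix, str(key)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, _join(prefix, "[%d]" % index))
    else:
        yield prefix, _render(node)


def load_flat(raw_bytes):
    """Parse a plist (XML or binary, auto-detected) into a flat {path: value} dict."""
    return dict(flatten(plistlib.loads(raw_bytes)))


def search_keys(flat, needle):
    """Case-insensitive key-path search, handy across a whole Preferences folder."""
    needle = needle.lower()
    return {k: v for k, v in flat.items() if needle in k.lower()}


if __name__ == "__main__":
    for path, value in load_flat(SAMPLE_PLIST).items():
        print("%-32s %r" % (path, value))
```

Pointing load_flat at each file under Preferences and then calling search_keys with terms such as "location" or "search" gives a quick cross-file inventory before opening individual plists in a viewer.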
One of the property lists, "com.apple.carrier.plist", is just a link to the main file residing on the first partition. The path to the original file is /System/Library/Carrier Bundles/iPhone/*. Inside this folder there is a list of all the carriers with their configurations, customer service numbers, user account website, tethering info… Figure 4-40.
Figure 4-39 AT&T Carrier configuration file
This carrier property list points to the bundle in the same folder, which in this case is "ATT_US.bundle", a package. Like every package, it can be opened by right-clicking and selecting the option "Show Package Contents".
Safari: Safari is Apple's default browser and its configuration files are stored in this folder. Here, five files can be found:
• History.plist: shows the websites that have been accessed, when, how many times and their titles, Figure 4-41.
Figure 4-40 Safari history
• SearchEngines.plist: a list of the search engines that have been used.
• SuspendState.plist: shows information about the websites that are open in the background, Figure 4-42.
Figure 4-41 Safari suspended state websites
• Bookmarks.db: database that shows the bookmarked websites with their respective URL and parent item, as shown in Figure 4-43.
Figure 4-42 Safari Bookmarks
SMS: everything is recorded in a database named "sms.db". All the messages, incoming and outgoing, are together in the table "message", but they can be distinguished by the column "Flag", which shows "2" for an incoming SMS and "3" for an outgoing SMS. The table shows information such as the SMS sender, the date it was sent, from which country, whether it was read, and its content. See Figure 4-44.
Figure 4-43 SMS Database
Inside the SMS folder several "Draft" folders can be found. These folders save the content and destination of SMS messages that have not been sent; the information is still there because the user left the message half written and closed the SMS application.
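The Call History and SMS passages above both come down to the same two tasks: reading a SQLite table and turning its date column into something readable, which the text delegates to "CFAbsoluteTimeConverter". The following added Python example (not the dissertation's own tooling) does both with the standard sqlite3 module against a constructed in-memory database. The reduced "call" and "message" schemas are an assumption and must be checked against the real call_history.db and sms.db; the flag meanings 2 = incoming and 3 = outgoing are the ones stated in the text, and the row with flags 33 is a constructed value showing how an unlisted flag is reported rather than silently mislabelled. Dates in the sample are CFAbsoluteTime (seconds since 2001-01-01 UTC); to_datetime() also accepts Unix epoch seconds, using a labelled heuristic.

```python
"""Triage of call_history.db and sms.db rows with readable timestamps.

Added example, not code from the dissertation. The schema below is a reduced,
constructed stand-in for the real tables and must be checked against the files.
"""
import datetime
import sqlite3

CF_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)
UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
# Seconds between the two epochs (978307200); used by the heuristic below.
CF_OFFSET = int((CF_EPOCH - UNIX_EPOCH).total_seconds())

# Meaning of the "flags" column in the message table, as stated in the text.
SMS_DIRECTION = {2: "incoming", 3: "outgoing"}


def cf_to_datetime(seconds):
    """CFAbsoluteTime (seconds since 2001-01-01 UTC) -> aware UTC datetime."""
    return CF_EPOCH + datetime.timedelta(seconds=float(seconds))


def to_datetime(value):
    """Heuristic: a Unix timestamp from an iPhone can never be earlier than
    2001, so smaller values are taken as CFAbsoluteTime and larger ones as
    Unix epoch seconds. Assumption, not a documented rule; verify per file."""
    value = float(value)
    if value < CF_OFFSET:
        return cf_to_datetime(value)
    return UNIX_EPOCH + datetime.timedelta(seconds=value)


def build_sample_db():
    """Constructed in-memory database mimicking the two tables (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                           duration INTEGER, flags INTEGER);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                              text TEXT, flags INTEGER, read INTEGER, country TEXT);
    """)
    conn.executemany("INSERT INTO call VALUES (?,?,?,?,?)", [
        (1, "+441310000001", 336992400, 95, 4),   # 2011-09-06 09:00:00 UTC
        (2, "+441310000002", 336996000, 0, 5),
    ])
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?,?,?)", [
        (1, "+441310000001", 336992460, "meeting at 10?", 2, 1, "gb"),
        (2, "+441310000001", 336992520, "yes, see you there", 3, 1, "gb"),
        (3, "+441310000003", 336999600, "call me", 2, 0, "gb"),
        (4, "+441310000004", 337003200, "(unlisted flag)", 33, 0, "gb"),
    ])
    conn.commit()
    return conn


def list_messages(conn):
    """Rows of the message table with direction decoded and dates converted."""
    rows = conn.execute(
        "SELECT ROWID, address, date, flags, read, text FROM message ORDER BY date"
    ).fetchall()
    return [
        {"rowid": r[0], "address": r[1], "when": to_datetime(r[2]).isoformat(),
         "direction": SMS_DIRECTION.get(r[3], "unknown(%d)" % r[3]),
         "read": bool(r[4]), "text": r[5]}
        for r in rows
    ]


def list_calls(conn):
    """Rows of the call table; direction is deliberately not decoded (see text)."""
    rows = conn.execute(
        "SELECT ROWID, address, date, duration FROM call ORDER BY date").fetchall()
    return [{"rowid": r[0], "address": r[1], "when": to_datetime(r[2]).isoformat(),
             "duration_s": r[3]} for r in rows]


def message_counts(conn):
    """Number of messages per decoded direction, for a quick overview."""
    counts = {}
    for m in list_messages(conn):
        counts[m["direction"]] = counts.get(m["direction"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_calls(db) + list_messages(db):
        print(row)
    print(message_counts(db))
```

To run it on an acquired file, replace build_sample_db() with sqlite3.connect("file:sms.db?mode=ro", uri=True) on a working copy of the database, keeping the original untouched and hashed.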
Voicemail: the iPhone stores voicemails locally in the flash memory, so it is possible to recover the messages left. The file type used to store them is .amr, a speech encoding format that can be opened with programs such as Real Player, QuickTime or VLC.
Moreover, there is another file, "voicemail.db", whose table "voicemail" lists all the messages recorded by the voicemail service, including the date and time each was recorded, the phone number that left it, and also the time and date it was erased, if it was.
4.7 Media Folder
This folder is located just under the folder "mobile", at the same level as "Library". All the multimedia information, such as pictures, videos, books and recordings… is stored under this folder. Let's start by reviewing each folder inside "Media":
DCIM: here the investigator can find the folder "100APPLE". This folder contains all the pictures and videos taken with the camera, screenshots saved by pressing the "HOME" and "POWER" buttons at the same time, and images or videos downloaded into the flash memory, Figure 4-45.
Figure 4-44 100APPLE Folder and Files
These files can be opened with programs like Picasa, iPhoto, preview… After opening one example
photo in Preview, the investigator can have a look at the properties of the picture or video opening the
Israel Les Garcia, MSc Advanced Security and Digital Forensics, 2012. 70
inspector window. This window shows information such as picture height, width and orientation…
But more important than that is the GPS, Exif and TIFF tab:
• GPS: the latitude and longitude where the image was taken, the altitude and its reference (in the example the picture was taken 422 metres above sea level) and a timestamp that tells the investigator when the picture was taken (Figure 4-46). Note that the GPS timestamp is recorded in UTC, whereas the Exif and TIFF dates are the handset's local time, and that these tags are only written when the Camera application was allowed to use Location Services.
• Exif: less important than the GPS data, but it records the frame number, the exposure and whether the flash fired; the date and time also appear here in a readable format (Figure 4-47).
• TIFF: again shows the date and time in a clean, readable format; it also identifies the maker, model and software version of the device and the orientation in which the picture was taken (Figure 4-48).
The videos in this folder can be played with VLC or QuickTime. Opening one in QuickTime, for example, shows metadata such as the original location in the same way as for the pictures.
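The same metadata can be read without Preview. The following Python script, added here as an example and not part of the original dissertation, builds a small constructed Exif block in both TIFF byte orders (the coordinates, altitude and timestamps are invented), wraps it in a minimal JPEG, and parses the GPS, date and device tags back out of it. It also handles a photo with no GPS IFD at all, which is what the Camera application writes when Location Services are off. The tag numbers are the standard Exif ones.

```python
"""Added example: pull GPS, date and device metadata out of a JPEG's Exif block."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def _pack_ifd(entries, base, end):
    """Serialise one IFD placed at file offset `base`; entries are
    (tag, type, count, raw_bytes). Values over 4 bytes go after the IFD."""
    data_off = base + 2 + 12 * len(entries) + 4
    head, data = struct.pack(end + "H", len(entries)), b""
    for tag, typ, count, raw in entries:
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")
        else:
            field = struct.pack(end + "I", data_off + len(data))
            data += raw
        head += struct.pack(end + "HHI", tag, typ, count) + field
    return head + struct.pack(end + "I", 0) + data  # 0 = no further IFD

def build_sample_tiff(end="<", with_gps=True):
    """Constructed Exif/TIFF block (not from a real photo): Make, DateTime and
    Orientation in IFD0 plus a GPS IFD for 55 57'03.24"N 3 11'18.6"W, 422 m
    above sea level. `end` selects "II" (little) or "MM" (big) byte order."""
    asc = lambda s: s.encode("ascii") + b"\0"
    rat = lambda *p: b"".join(struct.pack(end + "II", n, d) for n, d in p)
    gps = b""
    if with_gps:
        gps = _pack_ifd([
            (0x0001, 2, 2, asc("N")),
            (0x0002, 5, 3, rat((55, 1), (57, 1), (324, 100))),
            (0x0003, 2, 2, asc("W")),
            (0x0004, 5, 3, rat((3, 1), (11, 1), (186, 10))),
            (0x0005, 1, 1, b"\x00"),                          # 0 = above sea level
            (0x0006, 5, 1, rat((42200, 100))),
            (0x0007, 5, 3, rat((14, 1), (25, 1), (10, 1))),  # GPS time is UTC
            (0x001D, 2, 11, asc("2011:10:30")),               # GPS date is UTC
        ], 8, end)
    ifd0_off = 8 + len(gps)
    ifd0 = [(0x010F, 2, 6, asc("Apple")),
            (0x0112, 3, 1, struct.pack(end + "H", 1)),
            (0x0132, 2, 20, asc("2011:10:30 15:25:10"))]  # local time, one hour ahead of UTC
    if with_gps:
        ifd0.append((0x8825, 4, 1, struct.pack(end + "I", 8)))  # pointer to GPS IFD
    header = (b"II" if end == "<" else b"MM") + struct.pack(end + "HI", 42, ifd0_off)
    return header + gps + _pack_ifd(ifd0, ifd0_off, end)

def build_sample_jpeg():
    """Wrap the TIFF block in a minimal JPEG: SOI, APP1 'Exif' segment, EOI."""
    tiff = build_sample_tiff()
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"

def exif_from_jpeg(data):
    """Walk the JPEG segments and return the TIFF block inside APP1, or None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0":
            return data[pos + 10:pos + 2 + length]
        if marker == 0xDA:  # start of scan: no metadata segments follow
            break
        pos += 2 + length
    return None

def _read_ifd(buf, off, end):
    """Parse one IFD into {tag: (type, count, raw_bytes)}."""
    out = {}
    for i in range(struct.unpack_from(end + "H", buf, off)[0]):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(end + "HHI", buf, entry)
        size = TYPE_SIZE[typ] * count
        start = entry + 8 if size <= 4 else struct.unpack_from(end + "I", buf, entry + 8)[0]
        out[tag] = (typ, count, buf[start:start + size])
    return out

def _ascii(v):
    return v[2].rstrip(b"\0").decode("ascii")

def _rationals(v, end):
    nums = struct.unpack(end + "II" * v[1], v[2])
    return [n / d for n, d in zip(nums[0::2], nums[1::2])]

def _dms(v, ref, end):
    """Degrees/minutes/seconds rationals plus N/S/E/W reference to signed decimal."""
    d, m, s = _rationals(v, end)
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec

def parse_exif_gps(tiff):
    """Return make, local DateTime, orientation and (if present) decimal GPS
    position, signed altitude in metres and the GPS UTC timestamp."""
    end = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]
    if struct.unpack_from(end + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/Exif header")
    ifd0 = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
    info = {"make": _ascii(ifd0[0x010F]) if 0x010F in ifd0 else None,
            "datetime_local": _ascii(ifd0[0x0132]) if 0x0132 in ifd0 else None,
            "orientation": struct.unpack(end + "H", ifd0[0x0112][2])[0] if 0x0112 in ifd0 else None,
            "gps": None}
    if 0x8825 not in ifd0:  # no GPS IFD: location was not recorded for this shot
        return info
    g = _read_ifd(tiff, struct.unpack(end + "I", ifd0[0x8825][2])[0], end)
    below = g[0x0005][2][0] == 1 if 0x0005 in g else False
    alt = _rationals(g[0x0006], end)[0] if 0x0006 in g else None
    hms = [int(x) for x in _rationals(g[0x0007], end)]
    info["gps"] = {"lat": _dms(g[0x0002], _ascii(g[0x0001]), end),
                   "lon": _dms(g[0x0004], _ascii(g[0x0003]), end),
                   "altitude_m": None if alt is None else (-alt if below else alt),
                   "utc": "%s %02d:%02d:%02d" % (_ascii(g[0x001D]), hms[0], hms[1], hms[2])}
    return info
```

Feeding a real file is `parse_exif_gps(exif_from_jpeg(open(path, "rb").read()))`. The one-hour gap between the local DateTime and the GPS UTC stamp in the sample is deliberate: an examiner who quotes the Exif time as if it were UTC will place the suspect an hour off.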
iTunes_Control: this folder stores information about synchronisation between the iPhone and the host computer.
• The "Ringtones" folder contains the .m4r music files that have been used as ringtones on the device.
• The "Music" folder contains all the music sent from iTunes to the iPhone. The files are stored in folders named "FXX", where XX is a number; the assignment of files to folders appears to be random.
Figure 4-45 Picture GPS information
Figure 4-46 Picture Exif information
Figure 4-47 Picture TIFF information
• "iTunes": preferences for the iTunes application, such as ringtone information, playlists and whether the library is protected.
• "Artwork": contains a file called ArtworkDB, which can be opened with "Keith's iPod Photo Reader" to display the stored artwork.
4.8 Chapter Conclusions
As said before, a smartphone holds a huge amount of information and every handset differs from every other. Each phone analysed is therefore a new case, even when the model matches one processed before: other variables, such as the firmware version running on the telephone and whether the data partition is encrypted, change the case completely. The most basic fact to bear in mind is that the data found on each handset will differ, simply because each one has different applications, configuration files and games installed.
The phone used in this example contained a great deal of erased information: SMS messages, pictures, call logs, application logs and application preferences. Such evidence could be enough to incriminate a suspect, but as this chapter has shown, live data is as important as erased data.
The databases extracted by logical acquisition held appointments, chats, half-written SMS messages, screenshots and logs from the web browser. More important still is the possibility of placing the suspect at an exact moment in an exact place, provided GPS was enabled. This is one of the most powerful pieces of evidence extracted, because it places the handset at that place and time, which the suspect must then explain.
The aims and objectives of the project have been covered. Every piece of information was obtained from the handset by two different methods, one logical and one physical. The information extracted was categorised into families such as music, web-browser history, images, logs, preferences and SMS. Finally, the data was analysed and evaluated, showing what can be done with each piece of evidence and what information it contains.
5 Conclusions
The aim of this project was to cover the physical and logical acquisition process of the iPhone and then to analyse all the data extracted in search of sensitive information. A physical image was taken from an iPhone 3GS using dd, Netcat, md5 and OpenSSH, and a logical image from an iPhone 4 using iTunes, Elcomsoft Phone Password Breaker and JuicePhone. The earlier chapters chose the methodologies to follow and the tools to use in the implementation chapter so as to obtain the best results and acquire as much information as possible.
This chapter first shows how the objectives of the thesis were met (Section 5.1), then reflects on the project and the difficulties encountered (Section 5.2), and finally proposes ideas for future work to improve the field of iPhone forensics (Section 5.3).
5.1 Meeting the Objectives
Four objectives were defined at the beginning of the thesis:
1. Acquire the full range of data possible from an iPhone: not only SMS, call logs and voicemail, but artefacts such as web-based chat, Skype chat and any other footprint produced by the applications running on the smartphone.
2. Verify that the extracted data is correct and has not been lost or modified by the software used.
3. Investigate the data obtained, categorise the most important items and provide an analysis of the results compared with those expected.
4. Determine how much information can be obtained from the iPhone and what use can be made of the extracted data.
5.1.1 Objective 1 - Acquire a range of possible data from an iPhone
The first objective was met in the development chapter. Not only basic information such as SMS logs and calls received or made was recovered, but also voicemail recordings, databases covering the whole phone configuration, web-browser searches and metadata from the pictures and videos taken. Most of the information was stored in small databases that had to be interrogated with queries using specific programs.
Each program or game saves its configuration in property-list files, along with the searches made and logs of its use. Finally, GPS positions place the suspect at a specific location at a specific date and time through the various applications: navigators, the web browser, Google Maps or saved Wi-Fi hotspots.
The literature review helped identify the key kinds of data an examiner can find on a mobile phone or SIM card, which allowed the extracted data to be categorised into distinct areas.
5.1.2 Objective 2 - Check the extracted data is correct and is not missed or modified
While acquiring the physical image of the iPhone 3GS, an MD5 command was run to calculate the hash of the partition about to be imaged. Before imaging, the user data partition /dev/rdisk0s2 was unmounted and remounted read-only to prevent any modification; its hash was then calculated for later verification.
Because the partition was mounted read-only, the data being copied to the destination drive could not be modified, which preserved the integrity of the forensic image. When imaging finished, the MD5 of the image was compared with the hash calculated before imaging. The two matched, demonstrating that the data copied from the handset was not only unmodified but also complete, with nothing missing.
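The following Python script, added here as an example and not part of the original dissertation, reproduces that verification workflow against a constructed stand-in for /dev/rdisk0s2: it hashes the source in fixed-size reads (as md5 did on the handset), copies it block by block (the role of dd piped through Netcat), hashes the result and compares. It then alters one byte of the image to show the check failing, and computes SHA-256 alongside MD5, since MD5 collisions are practical today and a second digest costs nothing on the same pass.

```python
"""Added example: image a partition block by block and verify the copy by hash."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # one read per block, as dd bs=4096 would do
SAMPLE_BLOCK = b"constructed iOS user partition content\n"  # stand-in data, not a real image
SAMPLE_REPEAT = 1000


def hash_stream(path, algos=("md5", "sha256"), block_size=BLOCK_SIZE):
    """Hash a file or raw device in fixed-size reads, the way `md5` on the
    handset and `md5sum`/`shasum` on the workstation do. MD5 is kept because
    the thesis used it; SHA-256 is computed on the same pass as a stronger
    companion digest."""
    digests = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in digests.items()}


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Block-for-block copy of src to dst (what `dd if=/dev/rdisk0s2 | nc` does
    across the network). Returns the number of bytes written. dd's
    conv=noerror,sync would zero-fill unreadable blocks and so change the hash;
    this copy stops on the first read error instead."""
    copied = 0
    with open(src, "rb") as i, open(dst, "wb") as o:
        for chunk in iter(lambda: i.read(block_size), b""):
            o.write(chunk)
            copied += len(chunk)
    return copied


def acquire_and_verify(src, dst):
    """Hash the (read-only) source, image it, hash the image, compare both
    digests and the byte count."""
    before = hash_stream(src)
    size = image_device(src, dst)
    after = hash_stream(dst)
    return {"bytes": size, "before": before, "after": after,
            "verified": before == after and size == os.path.getsize(src)}


def demo():
    """Run the workflow on a constructed stand-in for /dev/rdisk0s2, then corrupt
    one byte of the image to show that re-hashing catches it."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "rdisk0s2.constructed")
    dst = os.path.join(workdir, "iphone3gs_rdisk0s2.dd")
    with open(src, "wb") as f:
        f.write(SAMPLE_BLOCK * SAMPLE_REPEAT)
    report = acquire_and_verify(src, dst)
    with open(dst, "r+b") as f:  # simulate an altered or corrupted image
        f.seek(100)
        f.write(b"X")
    report["after_tamper"] = hash_stream(dst)
    report["tamper_detected"] = report["after_tamper"] != report["before"]
    report["src"] = src
    return report


if __name__ == "__main__":
    r = demo()
    for algo in ("md5", "sha256"):
        print(algo, r["before"][algo], "verified" if r["verified"] else "MISMATCH")
```

On a real handset the source would be the raw device node rather than a file, and the pre-imaging hash must be taken only after the partition is remounted read-only, otherwise background writes between the hash and the copy produce a mismatch that says nothing about the acquisition itself.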
5.1.3 Objective 3 - Categorizing the most important data and provide an analysis
Objective 3 was accomplished in the development chapter. All the information gathered was categorised into three main areas:
1. Media data.
2. System data.
3. Library data.
Media data comprises pictures, videos, the programs and games that have been used, music files and the covers of the songs. System data contains everything related to the operating system, such as the passwords held in the keychain, network configuration and GPS locations. Library data holds address books, call histories and mailboxes with the emails. Each area contains many subfolders where the information is stored; chapter 4 explains all of them in detail.
In addition, the development chapter presents an analysis of the imaged information, explaining what type of data it is, how it was obtained, how it can be read and how it is useful to the investigator, whether by positioning the suspect in space and time or by showing what actions the custodian has taken with a specific application or function.
5.1.4 Objective 4 – Determine how much information can be obtained and which use can be done with it
Section 2.2 of the literature review outlined what sources of information can be obtained from a mobile device. The iPhone is no different, and the data that could be expected was found on the handset. For technical and resource reasons it was impossible to access the information on the SIM card. However, this is an easy task once the examiner has the proper equipment (and the SIM PIN, where one is set), because the data on SIM and USIM cards is not encrypted.
Throughout the thesis, examples and definitions have been given of what the data found is and what use an investigator can make of it. The development chapter focuses on what the examiner can do with this information and how to use it in the investigation.
5.2 Reflection
The main difficulty encountered during the forensic investigation of the iPhone 4 was that its partitions were encrypted at the hardware level, and there was no way to decrypt them to extract the information. Breaking this hardware encryption requires far more technical skill than cracking the encryption of a logical (backup) image, and only law enforcement or large companies have access to the tools that allow an examiner to pick up a phone, acquire the whole disk and decrypt the data with a few clicks.
This was a turning point: the handset intended for physical imaging had to be swapped for an older iPhone 3GS, whose great advantage is that it has no hardware encryption beyond the encryption of the logical backup. The iPhone 3GS was therefore used for the physical acquisition and the iPhone 4 for the logical acquisition. This decision allowed a clean image of the whole device, both the first and the second partition, to be created without having to decrypt anything or find a tool to defeat the security system of the newer iPhone 4.
Another problem encountered while physically imaging the iPhone was that the system partition was always in use, so it could not be imaged without first unmounting it and remounting it with special rights. That was not possible, because the "umount" command was not available on the iPhone. The solution was to take a physical image of the second (user data) partition only and to access the first (system) partition over SSH with the CyberDuck client.
Once the development work was finished, the output obtained was compared with what had been expected. The amount of information was a surprise. A smartphone holds so much data that an expert investigator with access to it can build an almost perfect picture of the owner. Given how heavily the phone is used, the amount of information recoverable is alarming: where the user has been, and at exactly what time, thanks to the pictures; the last GPS location; searches made in Google Maps or the Google search engine; chat logs; SMS sent and received; Skype logs; and the purchased applications stored in flash memory.
One of the most surprising discoveries was that voicemails are stored on the phone itself, not only on a server or as a log entry. This could be an important fact to track in an investigation where a suspect has left a voicemail on another party's phone.
In addition, the ability to download all the email held in the mailboxes on the device and export it to an easier-to-read format was of particular interest. Every account configured on the iPhone, and all the email sent or received through it, could be exported and ingested into another system for further processing.
Regarding mobile live forensics, the branch of computer forensics that focuses on volatile data, some useful evidence was found. When the owner of the phone writes a message and does not send it, the SMS is still stored in the database. The same happens when visiting websites: screenshots of the last pages accessed are kept in flash memory. These are important clues to bear in mind, because suspects who know an investigation is under way tend to erase their incriminating records; yet most do not know how much information is stored beyond what they can see, and they can still leave footprints that allow an investigator to track them and find the incriminating or exculpatory evidence needed.
5.3 Future Work
When this document was written, iOS 5 and the iPhone 4S were about to be released. Both will be very interesting to work on, because the systems keep evolving and it is important to stay up to date with them. It is too soon to know what information can be acquired from the iPhone 4S or how iOS 5 processes it. One new feature that will be particularly interesting to work on is Siri, an advanced voice-control system that will hopefully keep a record of every command given to it.
Another area on which investigators can focus is the new notification system. The notification system already present on Android has been implemented on iPhones running the latest firmware, iOS 5. If there is a log, record or database of all notifications, or at least the most recent ones, it could help the investigator work out the last events received on the system and build a picture of the suspect. It would be similar to a graphical log of recent events: the last message posted on Facebook with its content, SMS received and sent, calls received and from whom, and so on.
Last but not least, the hardware encryption of the iPhone 4, and probably of the iPhone 4S, caused many headaches. Some investigators and experts have been working on how to decrypt it, and during the summer Elcomsoft released a tool that can handle this encryption. However, although live data can be recovered quite well, when deleted information is carved from unallocated space most of what is recovered is garbage or unreadable. This is to be expected: under iOS data protection each file is encrypted with its own key, and that key is discarded when the file is deleted, so carved ciphertext cannot be decrypted. Other tools such as Oxygen are updating their software to keep pace. This area therefore needs a push from the mobile forensics community to improve on and fix those problems.
6 References
AddPod. (2011, 10 25). addPod - JuicePhone. From JuicePhone: http://www.addpod.de/juicephone
Apple. (n.d.). Apple - iTunes - Todo lo que necesitas para divertirte [Everything you need to have fun]. Retrieved 09 10, 2011 from Apple: http://www.apple.com/es/itunes/
Apple. (n.d.). Apple - QuickTime - Download. Retrieved 11 15, 2011 from Apple: http://www.apple.com/quicktime/download/
Apple Inc. (n.d.). Apple - iPhone 4S - Technical Specifications. Retrieved 07 25, 2011 from Apple Inc: http://www.apple.com/iphone/specs.html
Data Duplication Ltd. (n.d.). Mobile Phone Faraday Bags. Retrieved 08 13, 2011 from Dataduplication: http://www.dataduplication.co.uk/details/mobile_phone_faraday_bag_faraday_bags.html
Elcomsoft. (n.d.). Recover passwords protecting iPhone/iPod and BlackBerry backups. Retrieved 10 15, 2011 from Elcomsoft Proactive Software: http://www.elcomsoft.com/eppb.html
File Juicer. (n.d.). File Juicer - Extract images from PDF, PowerPoint, Word, Excel and other Files on Mac OS X. Retrieved 10 26, 2011 from http://echoone.com/filejuicer/
Freeman, J. (2011, 08 23). Cydia application icon - Mac OS X 10.6.6 to Meet Cydia 'Within Weeks' - Softpedia. Retrieved 08 29, 2011 from news.softpedia.com: http://news.softpedia.com/newsImage/Mac-OS-X-10-6-6-to-Meet-Cydia-Within-Weeks-2.jpg/
Gunther, C. (2011, 07 18). Apple iOS vs Google Android in Latest ChangeWave Research Report | Android Community. Retrieved 08 20, 2011 from Android Community: http://androidcommunity.com/apple-ios-vs-google-android-in-latest-changewave-research-report-20110718/
Hoog, A., & Strzempka, K. (2010, 11). iPhone Forensics White Paper | viaForensics. Retrieved 07 16, 2011 from viaForensics: http://viaforensics.com/education/white-papers/iphone-forensics/
iphone-release. (2011, 11 11). Untethered Jailbreak iOS 5 on iPhone 4S with Redsn0w, Limera1n, sn0wbreeze, GreenPoison, GullRa1n Tutorial | iPhone 5 Release Date, News, Rumor. Retrieved 11 13, 2011 from www.iphone-release.com: http://www.iphone-release.com/untethered-jailbreak-iphone-4s-with-redsn0w-limera1n-sn0wbreeze-greenpoison-gullra1n-tutorial/
Iwayar. (2011, 10 28). Breve historia de OpenSSH [A brief history of OpenSSH] | RetroNet. From RetroNet: http://www.retronet.com.ar/wp-content/uploads/2011/06/openssh_logo.jpg.png
Morrissey, S. (2010). iOS Forensic Analysis for iPhone, iPad and iPod touch. New York, USA: Apress.
OpenSSH. (n.d.). OpenSSH. Retrieved 10 28, 2011 from OpenSSH: http://www.openssh.com/
Pinto, M. (2010, 11 29). 7 Ways That Windows Mobile 7 Could Win | Fanboy.com. Retrieved 08 15, 2011 from Fanboy: http://www.fanboy.com/2010/11/7-ways-that-the-windows-7-mobile-can-win.html
Redmond Pie. (2010, 08 02). Enable iPhone 4 FaceTime Video Calls Over 3G Network with My3G | Redmond Pie. Retrieved 07 25, 2011 from Redmond Pie: http://www.redmondpie.com/enable-iphone-4-facetime-video-call-over-3g-network-with-my3g/
Savoy Place. (n.d.). Faraday Room - IET London: Savoy Place - IET Venues. From Savoy Place: http://savoyplace.theiet.org/rooms/faraday/index.cfm
Varsalone, J., Morrissey, S., Kubasiak, R. R., Barr, W., Chasman, M., Cornell, J., et al. (2009). Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit. Burlington: Syngress Publishing.
Weird Kid Software. (n.d.). Emailchemy - Convert, Export, Import, Migrate, Manage and Archive all your Email. Retrieved 10 23, 2011 from http://www.weirdkid.com/products/emailchemy/
Wikipedia. (2011, 11 14). Preview (Mac OS) - Wikipedia, the free encyclopedia. Retrieved 11 20, 2011 from Wikipedia: http://en.wikipedia.org/wiki/Preview_(Mac_OS)
Wiley, K. (n.d.). Keith's iPod Photo Reader. Retrieved 11 02, 2011 from http://keithwiley.com/software/keithsIPodPhotoReader.shtml
Zdziarski, J. (2008). iPhone Forensics. Sebastopol: O'Reilly Media.