Page 1: iPhone Data Acquisition and Analysis · Figure 2-7 SIM Serial ... Figure 2-14 Oxygen Program (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010) ... Complaint Centre - IC3, 2011)

iPhone Data Acquisition and Analysis

Israel Les Garcia

Submitted in partial fulfilment of

the requirements of Edinburgh Napier University

for the Degree of

MSc Advanced Security and Digital Forensics

In collaboration with the Scottish Police Department

School of Computing

April 2012

Israel Les Garcia, MSc Advanced Security and Digital Forensics, 2012. 2

Authorship Declaration

I, Israel Les Garcia, confirm that this dissertation and the work presented in it are my own achievement.

Where I have consulted the published work of others this is always clearly attributed;

Where I have quoted from the work of others the source is always given. With the exception of such quotations this dissertation is entirely my own work;

I have acknowledged all main sources of help;

If my research follows on from previous work or is part of a larger collaborative research project I have made clear exactly what was done by others and what I have contributed myself;

I have read and understand the penalties associated with Academic Misconduct.

I also confirm that I have obtained informed consent from all people I have involved in the work in this dissertation following the School's ethical guidelines.

Signed:

Date:

Matriculation no: 10015988


Data Protection Declaration

Under the 1998 Data Protection Act, the University cannot disclose your grade to an unauthorised person. However, other students benefit from studying dissertations that have their grades attached.

Please sign your name below one of the following options to state your preference.

The University may make this dissertation, with indicative grade, available to others.

The University may make this dissertation available to others, but the grade may not be disclosed.

The University may not make this dissertation available to others.


Abstract

The number of cases involving economic fraud and cyber-crime is increasing quickly every day. The number of people who evade taxes in litigation cases, use computers to gather information illegally or steal money from digital transactions is rising every day. Computer forensics gives investigators and law enforcement the tools and methodologies to gather incriminating or exculpatory evidence for a case.

Mobile forensics goes one step further and focuses on gathering live or deleted information from portable telephones. This discipline is becoming relevant because most people have a mobile phone. Moreover, these devices can store not only contact information or SMS messages but also pictures, emails, videos, footprints or documents.

The main aim of this document is to describe how to acquire as much data as possible from an iPhone by the different possible means. This data ranges from usual information such as call logs, SMS or voicemails to footprints left by web browsers or metadata from pictures. Finally, this information is categorised to determine which of it is sensitive for an investigation.

To achieve these goals, a process of parallel physical acquisition and logical acquisition was followed, and the information was later extracted from the backups created. This information was analysed to show what kind of artefacts can be found in an iPhone. The tools used in the development were Froq for database analysis, Emailchemy for email extraction, SSH and DD, JuicePhone for extracting data from the backups, and Elcomsoft Phone Password Breaker for cracking the encrypted backups. Finally, some of the most interesting findings are GPS location and metadata in pictures and videos, footprints of every website visited, including a screenshot of the page itself, and voicemails stored on the flash memory.
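The physical acquisition route summarised above (dd on the jailbroken handset, streamed over an SSH session, with the image hashed so that its integrity can be checked later) as an added shell example. This is not a script from the thesis; the host name, the root login over OpenSSH, the availability of sha1sum on the handset and the raw partition node /dev/rdisk0s2s1 are assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thesis: physical acquisition of an iPhone
# partition with dd streamed over SSH. The image is hashed on the handset and
# again on the examiner's workstation so both values can be recorded and compared.
# Assumptions (placeholders, not values from the thesis): the handset is jailbroken
# with OpenSSH installed, reachable as root at $HOST, has a sha1sum binary, and
# exposes the raw partition as /dev/rdisk0s2s1.

PART="/dev/rdisk0s2s1"   # assumed raw partition node on the handset

# sha1_of_file FILE: prints the SHA-1 hex digest of FILE, using whichever
# hashing tool the workstation provides (sha1sum on Linux, shasum on macOS).
sha1_of_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# acquire_image HOST OUTFILE: runs dd on the handset and streams the raw bytes
# over the SSH session into OUTFILE. conv=noerror,sync keeps going past bad
# blocks (padding them with zeros) so a single read error does not abort the image.
acquire_image() {
    host=$1; out=$2
    ssh "root@$host" "dd if=$PART bs=4096 conv=noerror,sync" > "$out" || return 1
    # Record the examiner-side digest next to the image for later verification.
    sha1_of_file "$out" > "$out.sha1"
}

# remote_sha1 HOST: hashes the same partition on the handset itself, giving an
# independent value to compare against the examiner-side digest.
remote_sha1() {
    ssh "root@$1" "sha1sum $PART" | cut -d' ' -f1
}

# verify_image IMAGE: recomputes the digest of IMAGE and compares it with the
# value recorded in IMAGE.sha1. Returns 0 on match, 1 on mismatch and 2 when the
# recorded digest is missing. Re-run it before each analysis session so that any
# later change to the image (an accidental mount, a tool writing to it) shows up.
verify_image() {
    img=$1
    [ -f "$img.sha1" ] || return 2
    recorded=$(cut -d' ' -f1 < "$img.sha1")
    current=$(sha1_of_file "$img")
    [ "$recorded" = "$current" ]
}

# Example session; only runs when HOST is set, since it needs a real handset.
if [ -n "${HOST:-}" ]; then
    acquire_image "$HOST" data.img
    echo "handset:  $(remote_sha1 "$HOST")"
    echo "examiner: $(cat data.img.sha1)"
    verify_image data.img && echo "image verified"
fi
```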

The conclusion of this thesis highlights that the decisions taken to obtain the best results when producing the forensic image were correct. However, several challenges were also found. The main problem was the physical encryption of the iPhone 4: the image could not be read, nor could the encryption be cracked by any method, which forced the physical image to be taken from an iPhone 3GS and the iPhone 4 to be used for the logical acquisition. Finally, the conclusion shows that there is still a lot of work to be done in the mobile forensics area, especially with the new iPhone 4S and iOS 5 about to be released and the physical encryption problem still to be resolved.


Contents

1 INTRODUCTION (page 12)

1.1 Context (page 12)

1.2 Aim and Objectives (page 13)

1.3 Document Structure (page 13)

2 LITERATURE REVIEW (page 14)

2.1 Mobile Phone Market (page 14)

2.2 Mobile Networks, cards and data storage (page 19)

2.3 Knowing the iPhone Architecture and System (page 23)

2.4 Mobile Forensics Methodology (page 28)

2.5 iPhone Acquisition (page 33)

2.6 Tools in The Market (page 34)

2.7 Chapter Conclusions (page 37)

3 TOOL ANALYSIS (page 41)

3.1 iPhone Encryption and acquisition steps to follow (page 41)

3.2 Databases Infrastructure (page 42)

3.3 Property list tools (page 44)

3.4 Mail Exporting (page 44)

3.5 Forensic Tools (page 45)

3.6 Other Tools (page 45)

3.7 Chapter Conclusions (page 46)

4 DEVELOPMENT (page 47)

4.1 iOS disk analysis (page 47)


4.2 iPhone logical acquisition (page 47)

4.3 Physical acquisition (page 54)

4.4 iOS System partition (page 57)

4.5 iOS Data partition (page 59)

4.6 Library Folder (page 62)

4.7 Media Folder (page 69)

4.8 Chapter Conclusions (page 71)

5 CONCLUSIONS (page 72)

6 REFERENCES (page 77)


List of Tables

Table 1-1 iPhone 4 Components Specification (Apple Inc.) (page 25)

Table 2-2 Mobile Phone System Comparison (page 37)


List of Figures

Figure 2-1 Mobile Phone Market (Pinto, 2010) (page 15)

Figure 2-2 Smart Phones Mobile Market Comparison (Gunther, 2011) (page 15)

Figure 2-3 GSM Architecture (Imran) (page 19)

Figure 2-4 UMTS Architecture (Mauritius) (page 20)

Figure 2-5 Type of USIM Card (Mobile Whack, 2008) (page 20)

Figure 2-6 SMS System (Deloitte, 2011) (page 21)

Figure 2-7 SIM Serial (page 22)

Figure 2-8 IMEI Number Format (page 23)

Figure 2-10 Faraday Bag (Data Duplication Ltd) (page 31)

Figure 2-12 Cellebrite Kit (Hoog & Strzempka, Cellebrite UFED, 2010) (page 35)

Figure 2-13 XRY (Hoog & Strzempka, Micro Systemation XRY, 2010) (page 35)

Figure 2-14 Oxygen Program (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010) (page 36)

Figure 3-1 iOS Database structure (page 42)

Figure 3-2 SQLite Database Browser interface (page 43)

Figure 3-3 Froq interface (page 43)

Figure 3-4 Difference reading XML format and .plist format (page 44)

Figure 3-5 Open With option (page 44)

Figure 4-1 iOS disk information (page 47)

Figure 4-2 Setting up password for the backup (page 49)

Figure 4-3 Information from the device (page 49)

Figure 4-4 Backup RAW files (page 50)

Figure 4-5 Problems extracting encrypted backup (page 50)

Figure 4-6 Elcomsoft Phone Password Breaker (page 51)

Figure 4-7 Cracking the password (page 52)

Figure 4-8 Decrypting the backup (page 52)

Figure 4-9 Juice Phone device information (page 53)


Figure 4-10 Backup extracted files (page 54)

Figure 4-11 Restoring option while jailbreaking (page 55)

Figure 4-12 Redsn0w (page 55)

Figure 4-13 Redsn0w installing options (page 55)

Figure 4-14 iPhone general configuration (page 56)

Figure 4-15 OpenSSH and Netcat installation (page 56)

Figure 4-16 Ping to the device (page 57)

Figure 4-17 DD Process using Netcat pipe and SSH connection (page 57)

Figure 4-18 System partition (page 58)

Figure 4-19 Passwd file from system partition (page 58)

Figure 4-21 Information from the Address Book daemon (page 59)

Figure 4-23 Last network connection settings (page 60)

Figure 4-24 Accounts & passwords from keychain-2db (page 60)

Figure 4-26 General Log (page 61)

Figure 4-27 Facebook app information (page 61)

Figure 4-28 Facebook app package content (page 62)

Figure 4-30 Cache of last searches and Safari Websites (page 63)

Figure 4-31 Calendar Events (page 63)

Figure 4-32 Call Log database (page 64)

Figure 4-33 Cookies from the iTunes store (page 64)

Figure 4-34 Emailchemy, email type (page 64)

Figure 4-35 Emailchemy, email path (page 65)

Figure 4-36 Emailchemy, saving path and format (page 65)

Figure 4-37 Extracted email example (page 65)

Figure 4-38 Searches in Google Maps (page 66)

Figure 4-39 Notes.app information (page 66)

Figure 4-40 AT&T Carrier configuration file (page 67)

Figure 4-41 Safari history (page 68)


Figure 4-42 Safari suspended state websites (page 68)

Figure 4-43 Safari Bookmarks (page 68)

Figure 4-44 SMS Database (page 69)

Figure 4-45 100APPLE Folder and Files (page 69)


Acknowledgements

I want to acknowledge the help given by Professor Bill Buchanan. In addition, my girlfriend Maitane, who has read this work and helped me with her suggestions. Also, my brother, sister, parents and friends, for their support in the worst moments that I have experienced. Finally, I would like to thank Mike Dickson from the Scottish Police Department for his help and advice. Without all these people, this document would not have been possible.


1 Introduction

This thesis investigates the acquisition of data from an iPhone, from the moment it is seized and sealed until all the information has been processed. The main problem in mobile forensics is that there is not much information available on the Internet, in blogs or in books. Therefore, the small pieces of evidence that can be found on the Internet come from investigators who have experimented with the devices and gained that experience through practice.

Another problem is that there are many mobile phone manufacturers. Each manufacturer has its own operating system, and the main problem is that, to gather the information, the investigator needs to know how that operating system works and where the data is stored. This is a problem because it means that there are no standards.

1.1 Context

People live today in the information age. Important information such as financial data, health care data and other personal assets is managed by computers or accessed by mobile devices. Therefore, cyber-crime is one of the most profitable areas for criminals. Some of the major issues that can be found are financial fraud, identity theft, computer crimes, paedophilia and viruses. These kinds of attacks are happening more and more often: in the USA alone, complaints increased from 16,838 in 2000 to 303,809 in 2010. (Internet Crime Complaint Centre - IC3, 2011)

Hence, to provide evidence for the prosecution of these kinds of crimes, law enforcement makes use of the computer and mobile forensics disciplines. Computer and mobile forensics allow law enforcement to acquire evidence and artefacts from electronic devices such as computers, cell phones, GPS units or the Internet and to analyse them. This evidence can give important information for resolving a case or solving a problem. (McGrath, 2005)

Furthermore, keep in mind that today having a cell phone is common. Because having a mobile is not very expensive, the most usual type of cell phone that can be found is a smartphone. Smartphones allow installing applications and doing many things apart from calling or sending SMS, such as browsing the Internet, watching movies, playing games, chatting via Skype, using it as a calendar, checking e-mail, and so on. People carry their cell phone with them everywhere and, because of these advantages, it has become a necessary everyday tool. (Bodged, 2009)

Recently, it has emerged that some companies like Apple store the GPS coordinates from the phone, making it possible to track where the user is or has been at every moment. (BBC News, 2011)


1.2 Aim and Objectives

The aim of this project is to cover the physical and logical acquisition processes for the iPhone and finally to analyse all the extracted data, looking for sensitive information. To meet this aim, the objectives are the following:

1. Acquire the widest possible range of data from an iPhone. This data is not only SMS, call logs or voicemail, but also artefacts such as web-based chat, Skype chat or any other footprint produced by the applications running on the smartphone.

2. Evaluate that the extracted data is correct and has not been lost or modified in some way by the software used.

3. Investigate the obtained data in order to categorise the most important items, and provide an analysis comparing the obtained results with the expected ones.

4. Determine how much information can be obtained from the iPhone and what use can be made of the extracted data.

1.3 Document Structure

This document is divided into four main chapters:

• Chapter 1 - Literature Review: This first part covers the study of the different tools on the market and the methodologies for capturing the information from the phone. It starts with a brief overview of the mobile systems on the market. Next, it continues with an introduction to the different iPhone devices, the different iOS versions and their features. Finally, it explains the acquisition methodology and the main tools to use.

• Chapter 2 - Design: This chapter focuses on the planning of the whole development. First, it gives an overview of every acquisition methodology. Next, it analyses the possible data categories and how to access them. Finally, there is a study of the applications that will be used in the development.

• Chapter 3 - Development: This is the practical chapter, which covers the physical and logical acquisition of the information from the device. After the acquisition, the data obtained is analysed in order to gather every important piece of it.

• Chapter 4 - Conclusions: The last part covers the current situation in computer forensics and the problems encountered during the development or the information research. The end of the chapter covers the future focus of iPhone forensics and the possibilities around it.


2 Literature Review

This chapter investigates and reviews the literature in the areas of the iPhone operating system, mobile forensics methodologies, mobile forensics approaches and the imaging tools on the market. First, it provides a background on how the current global cell phone market is structured, explaining briefly the operating system of each mobile phone maker considered (Section 2.1). It then focuses on the GSM and UMTS networks in order to explain how the SMS system works and what kind of data can be found on SIM cards or in mobile phones (Section 2.2). Next, to understand the basic concepts of the iPhone handsets and which features of the iOS operating system can be used to obtain information, as well as how the system works and stores data, a study of these topics is carried out (Section 2.3).

Furthermore, the main part of the review explains the forensic processes to follow and the documentation that should be filled out while acquiring a forensic image from a handset (Section 2.4). In addition, the next section outlines the different approaches and methodologies that an examiner could use to obtain a forensic image depending on the handset or the circumstances (Section 2.5). Finally, the tools used by law enforcement and major companies when doing mobile forensics investigations are introduced, explaining how they work and the differences between them.

2.1 Mobile Phone Market

This section introduces the current situation of the mobile phone companies in the market. Next, it explains some of the most important mobile phone systems and their features. These systems are Android, Windows Phone, Symbian, BlackBerry and iOS.

Having a good understanding not only of the different systems but also of how the market is distributed is very important. This helps to understand why one system does things the way it does compared to its competitors. Furthermore, good knowledge of the current features of every brand helps to anticipate the future enhancements that the devices will bring.

2.1.1 Distribution of the most used mobile phone brands in the market

The five most common operating systems for smartphones are: (Gartner Group, 2010)

• Windows Phone (previously Windows Mobile) by Microsoft

• Symbian, maintained by Accenture (outsourced by Nokia)

• Android from Google


• BlackBerry OS by Research In Motion (RIM)

• iOS by Apple

Figure 2-1 Mobile Phone Market (Pinto, 2010)

Figure 2-1 shows that most people use a smartphone, more exactly 94% of the mobile phone market population. However, even though the other 6% do not use a smartphone, interesting information can still be obtained from their phones in a forensic investigation. (Pinto, 2010)

Figure 2-2 Smart Phones Mobile Market Comparison (Gunther, 2011)

Figure 2-2 highlights the results of many surveys by the company ChangeWave, which asked for the favourite mobile phone system among Android, iOS and BlackBerry from 2008 to 2011. Hence, the iOS operating system has most of the time been the favourite compared to BlackBerry, which during 2008 was very well regarded but is not anymore. (Gunther, 2011)

2.1.2 Android

Android is an operating system for mobile phones and tablets, based on Linux and created by Google. Applications can be developed either in C or in Java. Moreover, the operating system has a free and open-source licence. Android has been implemented in many handsets and is not tied to a single mobile phone brand. Samsung, HTC, Sony Ericsson, Motorola, LG, Huawei, ZTE and Nokia are some of the companies that use Android on their telephones. Android is used not only in telephones but also in tablets or even netbooks. The operating system uses ARM, a 32-bit architecture, as its main hardware platform. (Android Developers)


The first version of Android was released in September 2008. Subsequent upgrades have fancy names such as Cupcake for 1.5, Gingerbread for 2.3, Honeycomb for 3.x and Ice Cream Sandwich for 4.0. (Morrill, 2008)

It has an application market known as Google Play (previously Android Market) that comes by default with the operating system. This market is an online software store that contains applications and games for the Android platform. Every user has access to it and can use it to download and install the desired applications. Many applications found on the market are free. However, the profit from a paid application does not go 100% to the developer: 30% of the money obtained is given to Google. (Google)

2.1.3 Windows Phone / Windows Mobile

Microsoft develops this operating system. Like the rest of the advanced operating systems, it is oriented to smartphones. The original system, Windows Mobile, was launched in April 2000 but was discontinued in 2010 at version 6.5.5. Afterwards, the new version, called Windows Phone, was released onto the market in the second quarter of 2010. Not many companies have decided to install this operating system on their handsets. However, HTC has shown itself to be Windows Phone's main host, with handsets like the HTC Titan, Radar, HD7, Mozart and more. (Pocket PC Central, 2008)

From a technical point of view, Windows Phone is based on a "Windows Embedded CE 6.0" core and is developed in C++. The operating system is under a Microsoft EULA (End User License Agreement). Applications for Windows Phone can be developed with Microsoft Silverlight or the XNA framework. XNA is a native implementation of .NET that allows developers to create programs or games for Windows Phone, Xbox and Windows 7. Silverlight allows creating highly visual applications using a version of .NET. (Microsoft)

The system uses a mosaic interface with dynamic tiles. It uses a concept called "hubs", which is used to classify actions and applications that correspond to a specific activity. Some of the hubs that can be found are contacts, images, music, office (without an Outlook mailbox), games and marketplace. (Ziegler, 2010)

The marketplace is called "Hub Marketplace". Here users can buy films, music, podcasts, programs and games. Some programs have a demo version, so users can test them before buying them. The market is accessible not only from the mobile phone but also from the computer. Hub Marketplace allows paying with a credit card or, in some cases, through a telephone bill. (Microsoft)

2.1.4 Symbian

Symbian is another proprietary mobile phone operating system, released by Nokia in 1997. Since June 2011 it has been developed by Accenture as an outsourcing service for Nokia. Symbian is the new version of the Symbian OS system, with a better user interface among other enhancements. The current version of the system is called Nokia Belle.


Symbian can be found not only in Nokia handsets but also in Samsung, Siemens, Panasonic, LG, Sony Ericsson and Lenovo mobile phones. Nokia Belle supports 48 languages, including dialects. The web browser has been improved with higher speed, as has the user interface, which is friendlier. Among other features, it offers multitasking, memory protection and clean-up of the memory of idle processes. Furthermore, to maximise CPU efficiency, when applications are not using the CPU the processing unit enters a low-power state to save energy. (Molen, 2011)

The operating system supports ARM and x86 architectures and was developed in C++. Applications are also developed in C++ using the Qt framework. However, other languages such as Python, .NET or Ruby can also be used. Because Symbian does not have a proper application market, applications are deployed via PC connection, via Bluetooth or installed from a memory card. (Williams)

In 2011 Nokia reached an agreement with Microsoft and decided to use Microsoft's operating system, Windows Phone 7, in all its new handsets. As a consequence of this decision, the number of devices released with Symbian dropped. However, Symbian will continue under maintenance and updates at least until 2016. (Epstein, 2011)

2.1.5 BlackBerry

BlackBerries use a proprietary operating system programmed by Research In Motion (RIM). The first smartphone handset was released in 2003. It offered the possibility of checking email via push notifications, text messaging, Internet browsing, calls and more. The latest version of BlackBerry is 7.1, released in May 2011.

Most BlackBerries have in the middle a track wheel, track ball or track pad that allows the user to move around the system and select items. Furthermore, every model except the "Storm" has had a keyboard.

Its main advantage is wireless synchronisation with mail servers such as Microsoft Exchange Server or Lotus Domino from IBM. This feature allows the user to have their emails, tasks, notes, contacts and calendar appointments available at every moment.

Programs can be developed using its API in the Java or C++ languages and must be digitally signed with a RIM developer account before being uploaded. These applications can be downloaded from the BlackBerry application store, called "BlackBerry App World", over a wireless connection or with the desktop manager through the computer. (Perez, 2008)

From a technical point of view, BlackBerries are among the most secure handsets. All the data in the BlackBerry is encrypted, and every time the handset is started up the user needs to enter a PIN and a password. If the password is entered incorrectly ten times, the phone is wiped and no data can be recovered. (Research In Motion)


These phones are business oriented and are usually configured against a BlackBerry Enterprise Server (BES). The BES manages an organisation's mail system, allowing users to access their emails at any time. (Research In Motion)

2.1.6 iOS

iOS is Apple's operating system, originally used on their smartphones, the iPhones. Over time, the system has also been implemented for the iPod Touch, iPad and Apple TV. The system was first launched in June 2007 for the iPhone. Currently the latest version is 5.1, released in March 2012. (Honan, 2007)

iOS has been written in C/C++/Objective-C and targets the ARM platform with touch interfaces. It works on a Darwin BSD core (a small version of Unix) with a graphical interface API called Cocoa Touch. Applications have to be developed for the ARM architecture using the Objective-C language. Once the applications are finished, they can be uploaded to the App Store, which is Apple's application market.

The main characteristics of the system are (Apple):

• It has an intuitive GUI. The interface is very friendly and easy to use, with good feedback as soon as the user performs an action.

• Software can be organised in folders.

• Notifications are easily reachable by sliding the top status bar down.

• Safari is the main web browser. Safari has been developed and maintained for many years; therefore, it is a very stable and reliable program.

• The music player synchronises completely with the iTunes library on the computer.

• Multitasking of games and applications allows the user to have several applications open at the same time.

• Game Center is a gaming community that allows finding other players or playing your favourite games with your friends.

• iMessage allows the user to send free SMS at no cost, using the data plan.

• Another good feature is the App Store. It contains many applications and games, and users can find almost anything they need.

iOS is a closed operating system and can only be installed on Apple's devices, not on third-party handsets. In addition, one of the downsides is that Java and Adobe Flash are not supported by iOS, and they never will be.


2.2 Mobile Networks, cards and data storage

The following chapter contains information about the networks currently used, such as GSM and UMTS. Next, the cards that use these networks will be explained. Finally, a general explanation of the types of data that can be found on most mobile phone devices and network cards will be presented.

It is important to highlight the relevance of this chapter, because the data contained in a mobile phone can be stored not only in the handset but also in the network SIM card. Therefore, it is indispensable to know how these elements work for their subsequent forensic analysis.

2.2.1 GSM and UMTS Networks

GSM stands for Global System for Mobile communications and is a second-generation cellular telecommunication system, first planned in the early 1980s. Unlike the first-generation systems in use at that time, GSM was digital, which brought greater enhancements in security, quality and capacity, and the ability to support integrated services. The specifications that define GSM are produced by ETSI (European Telecommunications Standards Institute). Figure 2-3 shows the architecture used in GSM communication. (Mouly & Pautet, 1992)

Figure 2-3 GSM Architecture (Imran)

UMTS is the Universal Mobile Telecommunications System. It is a 3G (3rd Generation) wireless communication system that provides an improved range of multimedia services, such as sending pictures, video calls, etc. The main objective of UMTS is to deliver low-cost, high-capacity mobile communications, offering data rates as high as 2 Mbps under stationary conditions, with global roaming and other advanced capabilities. The entity that specifies UMTS is 3GPP (3rd Generation Partnership Project). (Kaaranen, Ahtiainen, Laitinen, Naghian, & Niemi, 2005)


Figure 2-4 highlights the architecture used in UMTS communication:

Figure 2-4 UMTS Architecture (Mauritius)

2.2.2 SIM & USIM Cards

Two of the cards most used with mobile phones are the SIM and USIM cards.

• SIM Card (Subscriber Identity Module): represents the user's subscription to the mobile network. This card contains important information that gives access to the subscribed operator's network using compatible devices such as mobile phones.

• USIM Card (UMTS Subscriber Identity Module): represents the user's subscription to the UMTS mobile network previously explained. It works similarly to a GSM SIM card but is newer (3rd Generation). The main difference between these two cards is that the USIM operating system and file structure are more complex.

Figure 2-5 Type of USIM Card (Mobile Whack, 2008)

2.2.3 Types of data that can be found on SIM or USIM cards

The following data types are some of the most common on SIM and USIM cards (Savoldi & Gubian, 2007):

• Abbreviated Dialling Numbers: All SIM cards are able to store names and telephone numbers. Depending on the type of card, more entries can be stored. There are many different ways to insert this data, but the most usual one is via the handset GUI. The main difference between USIM and SIM cards is that newer cards, such as the USIM, allow more advanced information to be stored, such as business details, emails, etc.

• Last Numbers Dialled: A list of the last called numbers, but neither date nor time is registered. The standard number of entries is 10. However, the list stored on the card need not have any relation to the last dialled numbers list stored in the mobile device.

• Fixed Dialled Numbers: Restricts the SIM card to only being able to call these numbers. The usual number of fixed dialled numbers is 10. When this service is activated, no numbers outside this list can be called.

• Service Dialled Numbers: Network-specific numbers such as traffic reports, weather reports, etc.

• SMS Text and Deleted SMS: Short Message Service is a textual means of communication provided by the network operator. This service allows users to send and receive text messages on their devices. The storage capacity depends on the type of card. A message can hold 160 Latin-alphabet characters or 70 non-Latin-alphabet characters, such as Chinese. Deleted messages can remain stored on the SIM card; however, the user does not have access to them. The date and time stamp of the messages held on a SIM card is derived from the Short Message Service Centre, but this is not the case for the SMS stored in the mobile telephone.

Figure 2-6 outlines how the SMS system works:

Figure 2-6 SMS System (Deloitte, 2011)

SMS are not sent directly to the other handset. The message first goes through other nodes before reaching the other side. The SMSC is the SMS Service Centre number, which allows a user to send and receive messages. This number can be stored either in the SIM card or in the handset, and it is accessible by the user. (Deloitte, 2011)

• Mobile Station Integrated Services Digital Network (MSISDN): It is the identity number of the SIM card. The user can edit the number, and it is not always stored on the card. 11 digits plus the international prefix make up the number.

• Integrated Circuit Card Identity (ICCID): It is a unique number for the SIM card, formed of 19 digits, even if some SIM cards only show 11 on the physical card. The first 4 digits correspond to the communication type and country code. The next 4 are the network provider identity. The last 11 represent the subscriber number.

Figure 2-7 SIM Serial
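As an added example (not part of the dissertation), the following Python code splits an ICCID using the 4/4/11 layout described above and estimates how many SMS parts a message body needs, distinguishing the 160-character Latin case from the 70-character non-Latin case. The sample ICCID is constructed; the GSM 7-bit alphabet table and the 153/67-character limits for concatenated messages are taken from the GSM specifications rather than from the page.

```python
import math

# GSM 03.38 default 7-bit alphabet (basic table) and its extension table.
# Assumption: reproduced from the GSM specification, not from the dissertation.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXTENSION = "^{}\\[~]|€"   # each costs two septets (escape + character)

# Single-message capacities are the figures quoted in the text; the
# concatenated-part capacities leave room for the user data header
# (assumption taken from the SMS specification).
SINGLE_PART = {"GSM 7-bit": 160, "UCS-2": 70}
MULTI_PART = {"GSM 7-bit": 153, "UCS-2": 67}


def sms_capacity(text: str) -> dict:
    """Pick the encoding a handset would use for `text` and count the parts."""
    if all(c in GSM7_BASIC or c in GSM7_EXTENSION for c in text):
        encoding = "GSM 7-bit"
        units = sum(2 if c in GSM7_EXTENSION else 1 for c in text)
    else:
        encoding = "UCS-2"
        # Characters outside the BMP need a surrogate pair (two 16-bit units).
        units = sum(2 if ord(c) > 0xFFFF else 1 for c in text)
    if units <= SINGLE_PART[encoding]:
        parts = 1
    else:
        parts = math.ceil(units / MULTI_PART[encoding])
    return {"encoding": encoding, "units": units, "parts": parts}


def split_iccid(iccid: str) -> dict:
    """Split a 19-digit ICCID into the three fields described in the text."""
    digits = "".join(ch for ch in iccid if ch.isdigit())
    if len(digits) != 19:
        raise ValueError("expected a 19-digit ICCID (the card may print fewer)")
    return {
        "system_and_country": digits[0:4],   # communication type + country code
        "network_provider": digits[4:8],     # network provider identity
        "subscriber": digits[8:19],          # subscriber number
    }


# Constructed sample ICCID, written the way it is often printed on the card.
SAMPLE_ICCID = "8944 1000 0123 4567 890"

if __name__ == "__main__":
    print(split_iccid(SAMPLE_ICCID))
    for body in ("Meet at 10 @ the station", "€" * 81, "你好"):
        print(repr(body[:12]), sms_capacity(body))
```

The part count matters when reconstructing a conversation from SIM storage: a long message appears as several records, each with its own SMSC timestamp, so an examiner should group them before comparing against the handset copy.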

2.2.4 Mobile Phone Data Types

As expected, the handset also contains stored information. Some of the relevant elements found are (Iosif):

• Contact or Phonebook list: Most mobile phones have a memory in which to store the address book of contacts. The number of contacts depends on the memory size of the handset. Moreover, the phonebook not only contains names and telephone numbers but can also hold emails, additional numbers, pictures, birthdays, specific ringtones, etc.

• SMS Text Messages: The handset can contain drafted, sent and received messages. The archived messages on the handset will have different times and dates, depending on whether they were sent or created and on the time settings of the mobile phone.

• MMS Messages: These are multimedia short messages and work in a similar way to SMS. The main difference is that these messages contain pictures, sounds or videos.

• Pictures or Images: Current phones can store images in their memory from different sources, such as the camera, MMS or WAP (Wireless Application Protocol, i.e. the Internet). Some telephones even have some pictures by default for use as wallpapers. The times or GPS position of the pictures will differ depending on the configuration of the handset.

• Videos: Some phones can record digital videos with the camera or play videos with and without sound. Depending on its size and quality, a video can occupy more or less space. Other phones may not have a digital camera for recording videos but can still download or play videos.

• WAP Bookmarks: Phones with Internet access can store saved URLs (Uniform Resource Locators) as favourite websites for easier access.

• Voice or Sound Recordings: Another medium found on the phone is voice notes, which can be recorded thanks to the handset microphone.

• IMEI Number: International Mobile Equipment Identity is the number that identifies the mobile phone. This number is unique and comprises a Type Approval Code, a Final Assembly Code and a Serial Number. However, this number can be modified by special software. It can be found under the internal battery or on the manufacturer label.

Figure 2-8 IMEI Number Format

• WAP/GPRS Data Counter: Registers the data sent and received over the Internet or GPRS (General Packet Radio Service). It is recorded in bytes.

• Call Logs: Every phone saves a record of missed, received and outgoing calls in the handset. The size of the list may vary depending on the mobile phone. Therefore, it is better and more precise to use the billing records from the network provider.

• Organiser information: Information related to calendar notes, tasks to do or memos assigned to a date and time.

• Emails: Some phones store the emails received and sent on the handset. This service depends on the email configuration, subscription type and network.

• Date and Time configuration: This configuration can be changed by the user. In some mobile phones, when the phone is switched off or the battery is removed, the configuration can be reset. It is an important field, because there are programs that may not work if the date and time are not set.

• Memory Card: Used for extending the storage space of the handset. Most of the information found on these cards is music, videos, pictures, documents, etc. Many types of memory cards can be found on the market, but the most used ones are SD (Secure Digital), Sony Memory Stick and MMC (Multi Media Card).

• Documents: Some phones, such as smartphones, allow creating office documents such as Word or Excel files.

• Games: Most phones have some games installed. Most of them come preinstalled; however, on other models the user can download and install additional games.

• Music: Some handsets can store music files such as WMA or MP3, or even create or store ringtones.
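An added example, not from the dissertation: Python that decodes a 15-digit IMEI into the Type Approval Code, Final Assembly Code and Serial Number fields named in the IMEI bullet above and verifies the trailing check digit. The 6+2+6+1 field widths and the Luhn check-digit rule come from the GSM specification (an assumption beyond the page); the sample IMEI is a constructed test value, not one read from a device.

```python
# Field widths (TAC 6, FAC 2, serial 6, check digit 1) and the Luhn rule are
# assumptions taken from the GSM specification rather than from the page.


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string, as used by IMEI (and payment cards)."""
    total = 0
    for position, ch in enumerate(reversed(body)):
        digit = int(ch)
        if position % 2 == 0:            # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def decode_imei(imei: str) -> dict:
    """Split a 14- or 15-digit IMEI; with 15 digits the last one is verified."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) not in (14, 15):
        raise ValueError("IMEI is 14 digits plus an optional check digit")
    body, check = digits[:14], digits[14:]
    result = {
        "tac": body[0:6],        # Type Approval Code
        "fac": body[6:8],        # Final Assembly Code
        "serial": body[8:14],    # Serial Number
        "check_digit": int(check) if check else None,
        "check_digit_valid": None,
    }
    if check:
        result["check_digit_valid"] = int(check) == luhn_check_digit(body)
    return result


# Constructed test value (a well-known textbook IMEI), not taken from a device.
SAMPLE_IMEI = "49-015420-323751-8"

if __name__ == "__main__":
    print(decode_imei(SAMPLE_IMEI))
    # As the text notes, the number can be rewritten with special software, so
    # a valid check digit only shows the number is well formed, not that it is
    # the one the manufacturer assigned; compare it with the label under the
    # battery and with the network provider's records.
    print(decode_imei("490154203237510")["check_digit_valid"])  # False
```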

2.3 Knowing the iPhone Architecture and System

The next chapter specifies information regarding the latest versions of the iPhone and iOS, which contain substantial changes such as physical data encryption or system multitasking functions. Finally, it gives an explanation of the closed system environment presented to the user, of the term jailbreak, and of how the iOS file system works.

This chapter helps in understanding the features, advantages and differences between the various iPhone versions, which are not always very clear. People usually know what is on the surface, but there are more important issues to bear in mind, such as knowing which version of the iPhone has what kind of encryption. It is also important to highlight how iOS stores information in the flash memory.

2.3.1 iOS Device Specifications

iPhone 3GS

In June 2009, Apple released the new iPhone 3GS, also incorporating the new iOS 3.0 system. The new iPhone was improved with new functionality such as a compass and a new three-megapixel camera, which finally allowed recording videos in addition to taking pictures. Another advantage was that the iPhone 3GS gave access to third-party hardware via Bluetooth or USB connection, such as car battery chargers or a hands-free kit.

Regarding video recording, an interesting clue for investigators is that when the user records a video and then modifies it, the original is still stored in memory until it is deleted. Along with the video recording improvement, the iPhone 3GS also came with voice recording, which allows investigators to gather more evidence for their cases. (Morrissey, The 3G[S] iPhone, 2010)

iPhone 4

The iPhone 4 was released on June 21, 2010 and is completely different from the previous iPhones, having been completely redesigned. It has a more resistant screen made of Gorilla Glass, and its borders are made of stainless steel. Compared with the 3GS, the shape of the handset looks more fashionable. It has two cameras: a rear one with a good quality of 5 Mpx and a front-facing one with lower quality.

A new communication system called "FaceTime" was implemented for the iPhone 4. This protocol allows the user to talk with other people and see them. It is very similar to iChat on the Mac, but is only available over wireless. Despite this inconvenience, some developers have released tools such as "My3G" for connecting over 3G connections. (Redmond Pie, 2010) Other new specifications are its high-definition screen called "Retina", greater speed with the A4 processor, a larger RAM memory and a longer-lasting battery. Each iOS device has a model number that differentiates it from the others; in this case the iPhone 4 model number is A1332.

Finally, the iPhone 4 is protected with data-level encryption that makes it really difficult for investigators or thieves to obtain any information, even with a physical acquisition. (Morrissey, The iPhone 4, 2010)


Table 2-1 iPhone 4 Components Specification (Apple Inc.)

Capability                    Manufacturer   Equipment
Size                          -              115.2 x 58.6 x 9.3 mm
Weight                        -              137 g
Baseband                      Skyworks       SKY77541 GSM/GPRS front-end module
Power amp                     TriQuint       TQM666092 & TQM666901 power amp
Radio/amplifier               Skyworks       SKY77452 W-CDMA FEM
Radio/transmit and receiver   Apple          338S0626 GSM/CDMA transceiver
Gyroscope                     Apple          AGD1 STMicro three-axis gyroscope
Processor                     Apple          ARM Cortex A4 Processor
Connectivity/802.11           Broadcom       BCM4329KUGB 802.11n
Connectivity/GPS              Broadcom       Bluetooth 2.1 + EDR antennae
Memory                        Samsung        K9DG08USM-LCB0 DRAM
Memory                        Samsung        K4XKG6432GB
Display                       Wintek         Capacitive glass
Camera                        -              5 Mpx autofocus

2.3.2 iOS System Evolution

iOS is the operating system for iPhones, iPods and iPads, and it was released in June 2008 for the first-generation iPhones. This operating system pushed Apple's competitors, such as HTC, Google, Motorola and RIM, to innovate their products and produce intelligent smartphones.

iOS 3

The new version of iOS was released in June 2009. This version included enhancements such as (Morrissey, iOS 3, 2010):

• Cut, copy & paste.

• Spotlight search.

• Call history.

• The ability to capture videos.

• Images including thumbnails of the original photos.

• Autofocus option on the camera.

• LDAP support.

• Tethering.

• Encrypted backups.

• Hardware encryption.

• Voice control.

• Push notifications.

iOS 4

iOS 4 was released on April 7, 2010. The major improvement was the inclusion of multitasking for running applications. Before this, the only application allowed to run in the background was the iPod application. Some of the functionality that can run in the background is (8BITJAY, 2010):

• Background music.

• Voice over IP.

• Push notifications.

• Local notifications.

• Task completion.

• Fast app switching.

Apart from these, more improvements have been included in the iOS 4 versions, such as:

• Folders.

• Wallpapers.

• iBooks.

• iAd.

• Enterprise features.

• Spell checking.

• Faces in photos.

Finally, iOS has improved considerably, to the point that it is the little brother of the Mac OS X desktop version. iOS works with a modified version of the Mac OS X kernel and is developed with Xcode and Cocoa (Morrissey, iOS 4, 2010).

2.3.3 Analysing the iOS System

The iOS operating system is not 100% available to the end user. By default, the entire iPhone device is in a jailed environment. This jailed state is an environment subordinate to the administrative environment of the system, where the administrator has complete control. While the iPhone is in this virtual jail there are many restrictions on what resources are accessible. This means that only certain files on the device may be accessed. Usually the files that can be accessed freely are stored in the /private/var/mobile/Media folder, which contains all the user information.

Another big issue is that, because the iPhone is not completely accessible by default, there are many functionalities, such as network tethering, Bluetooth, executing third-party programs, Massive Storage System (MSS)... that cannot be used or are limited.

The term jailbreaking, or jailbroken, originated from the first iPhone hacks to break out of this restricted environment, allowing the execution of third-party programs and reading and writing files anywhere on the device...

Because of this, some hacker groups such as the "iPhone Dev Team" started exploiting the system, showing Apple the flaws that the system has. Some of the most famous programs for jailbreaking are Pwnage, RedSn0w, iLiberty, Blackra1n and Greenpois0n. (Zdziarski, 2008)

2.3.4 iOS File System

All Apple mobile devices, such as the iPad, iPhone or iPod, use an HFSX system partition. HFSX is quite similar to HFS+. The main difference between these two partition systems is that HFSX is case sensitive. For a better understanding, it is preferable to first understand the HFS+ system partition:

HFS+ Partition

Apple's file system HFS was developed in 1996 because physical disk space was increasing fast and Apple decided to create a new partition system to support these new disks. An HFS partition is divided into blocks of 512 bytes, similar to the sector size used in Windows. In HFS, two different types of blocks can be distinguished: allocation blocks and logical blocks. The logical blocks are numbered from the first to the last on a volume. Moreover, they are static and the same size as a physical block, 512 bytes. The allocation blocks work differently: they are a group of logical blocks and are used for tracking data efficiently. The allocation blocks can also be grouped into clumps, which reduces fragmentation in the system. (Varsalone, et al., 2009)

The time format used by iOS is UNIX time or absolute time. These formats do not distinguish between time zones. Therefore, the investigator has to be careful when recovering evidence and bear in mind the location where the device is. In terms of data, HFS uses a balanced tree (B*-tree) for organising files. In addition, this tree uses a catalog file and an extents overflow file in its organisation scheme. B*-trees are comprised of nodes. These nodes are grouped in a linear way to allow faster data access. When data is removed or added, the extents are rebalanced, keeping efficiency high. Every file that is created is given a unique ID called the Catalog ID number. Every time a file is created or added, the Catalog ID number is increased by one. These numbers can be reused, and the HFS Volume Header is responsible for tracking them. (LeGault, 2009)
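An added example (not the dissertation's code) covering the two points above: converting between the 1904-based HFS+ date, UNIX time and Apple's 2001-based absolute time, all rendered in UTC so that the examiner applies the device's time zone as a deliberate step, and reading the signature (H+ or HX), the dates and the next Catalog ID number from the volume header that the structure list which follows describes. The field offsets are taken from Apple's published HFS Plus volume format note (TN1150), the sample volume is constructed inside the code, and neither comes from the page.

```python
import struct
from datetime import datetime, timezone

# Added example, not from the dissertation. Epoch offsets in seconds:
# HFS/HFS+ dates count from 1904-01-01 00:00 UTC, UNIX time from 1970-01-01
# and Apple "absolute time" (CFAbsoluteTime, used by many iOS SQLite stores)
# from 2001-01-01.
HFS_EPOCH_TO_UNIX = 2082844800       # 1904-01-01 -> 1970-01-01
APPLE_ABSOLUTE_TO_UNIX = 978307200   # 1970-01-01 -> 2001-01-01


def hfs_to_unix(hfs_seconds: int) -> int:
    return hfs_seconds - HFS_EPOCH_TO_UNIX


def apple_absolute_to_unix(abs_seconds: float) -> float:
    return abs_seconds + APPLE_ABSOLUTE_TO_UNIX


def unix_to_iso(unix_seconds: float) -> str:
    # Render in UTC; the examiner applies the device's zone as a separate step.
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


# Leading fields of the HFS+/HFSX volume header (big-endian), which starts at
# byte 1024 of the volume, right after the boot blocks. Offsets follow Apple's
# HFS Plus volume format note (TN1150): an assumption beyond the page.
VOLUME_HEADER_OFFSET = 1024
VOLUME_HEADER_FMT = ">HH17IQ"        # signature .. encodingsBitmap, 80 bytes
VOLUME_HEADER_FIELDS = (
    "signature", "version", "attributes", "last_mounted_version",
    "journal_info_block", "create_date", "modify_date", "backup_date",
    "checked_date", "file_count", "folder_count", "block_size", "total_blocks",
    "free_blocks", "next_allocation", "rsrc_clump_size", "data_clump_size",
    "next_catalog_id", "write_count", "encodings_bitmap",
)
DATE_FIELDS = ("create_date", "modify_date", "backup_date", "checked_date")


def parse_volume_header(image: bytes) -> dict:
    size = struct.calcsize(VOLUME_HEADER_FMT)
    raw = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + size]
    if len(raw) < size:
        raise ValueError("image too short to hold a volume header")
    values = dict(zip(VOLUME_HEADER_FIELDS, struct.unpack(VOLUME_HEADER_FMT, raw)))
    signature = struct.pack(">H", values["signature"]).decode("ascii", "replace")
    if signature not in ("H+", "HX"):
        raise ValueError(f"not an HFS+/HFSX volume header: {signature!r}")
    values["signature"] = signature
    values["case_sensitive"] = signature == "HX"   # HX = HFSX, as the text says
    for name in DATE_FIELDS:
        # A zero date means "never set" (e.g. no backup has been taken).
        # Note: HFS+ stores create_date in local time; the other dates are UTC.
        values[name + "_iso"] = unix_to_iso(hfs_to_unix(values[name])) if values[name] else None
    return values


def build_sample_image() -> bytes:
    """Constructed 4 KiB HFSX volume fragment for the demo, not a real device image."""
    created = int(datetime(2010, 6, 21, 12, 0, tzinfo=timezone.utc).timestamp())
    created += HFS_EPOCH_TO_UNIX
    header = struct.pack(
        VOLUME_HEADER_FMT,
        0x4858,                     # b"HX": case-sensitive HFSX
        5, 0, 0, 0,                 # version, attributes, lastMounted, journal
        created, created + 3600,    # createDate, modifyDate
        0, 0,                       # backupDate, checkedDate never set
        12, 3,                      # fileCount, folderCount
        4096, 1024, 900, 40,        # blockSize, totalBlocks, freeBlocks, nextAllocation
        65536, 65536,               # resource/data clump sizes
        17,                         # nextCatalogID: next Catalog ID number to hand out
        1, 0,                       # writeCount, encodingsBitmap
    )
    return b"\x00" * VOLUME_HEADER_OFFSET + header.ljust(512, b"\x00") + b"\x00" * 2560


if __name__ == "__main__":
    hdr = parse_volume_header(build_sample_image())
    for key in ("signature", "case_sensitive", "block_size", "next_catalog_id", "create_date_iso"):
        print(f"{key:16} {hdr[key]}")
    print("Apple absolute 0 ->", unix_to_iso(apple_absolute_to_unix(0)))
```

Keeping every conversion in UTC and recording the device's configured zone alongside it is what lets two examiners reproduce the same timeline from the same image.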


Figure 2-9 outlines the HFS+ file system structure, which is divided as follows (Morrissey, The iOS File System, 2010):

• The first 1024 bytes are reserved for the boot blocks.

• Volume Header: It is 1024 bytes in size and holds information about the HFS volume structure. At the end of the volume there is a backup of the Volume Header, which is used most of the time for disk repair. There are also volume header signatures, known as H+ for HFS+ and HX for HFSX.

• Allocation File: Tracks the allocation blocks being used by the file system.

• Extents Overflow File: Tracks the allocation blocks that are part of a data fork.

• Catalog File: Maintains all the information about files and folders.

• Attributes File: For future use of data forks.

• Startup File: Assists in booting the system without built-in ROM support.

• After the Startup File is where all the data is stored.

• The last 512 bytes are reserved for the manufacturer.

Figure 2-9 HFS+ File System Structure (Morrissey, The iOS File System, 2010)

2.4 Mobile Forensics Methodology

Because the evidence to be imaged contains sensitive information that is under the investigator's custody, and also because the handset does not belong to him, it is really important to be very careful with every step taken while processing the device and to document the whole procedure. That is why this chapter explains the criteria to follow from the moment the investigator goes to image the mobile phone until the handset is inside a sealed bag in the evidence box.

This documentation not only helps to keep track of the evidence at every moment but also, in case something unfortunate happens, covers the investigator as much as possible should he be sued for negligence in court.

2.4.1 On Site Process

Before arriving on site, the investigator should already know which case he is going to work on, where the place is and who the person to contact is once he arrives there. Also, it is not always possible, but it helps to describe what type of collection (scoping, imaging or server data extraction) is going to be done, whether photos are required when touching custodian assets, and from which custodian the data is going to be gathered. Usually this information is given by the investigator's superior, and it is good to fill it in on a form, together with a brief summary of the purpose and which evidence will be collected on site, to avoid forgetting tasks once there. For each media item collected it is important to note the related custodian, where the image has been stored, the image size, the evidence number applied and whether someone has done a quality check on the task.

The place, the forensic team members participating, and the times and dates are very important because they situate the investigators on a specific day, at a specific hour and place, supporting their documentation. Therefore, whenever possible, the boarding date and time if a plane or train is taken, the arrival date and time at the destination, and the date and time of entry into the building are really important.

Finally, when the investigator is leaving the site it is important to note whether he has taken the recovery kit, returned the passes, that everything is working as it was, and the departure time. Moreover, it is important to give the cell phone back to the client or owner after reassembling it and testing that it boots properly. The mobile phone should be returned in the same condition in which it was received. All this information is not mandatory, but it is very advisable to record it when applicable. (Deloitte, 2011)
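The per-item record described in this subsection (custodian, where the image is stored, image size, evidence number, quality check) can be written and later re-verified against the image with a hash. The Python below is an added example, not a form or tool from the dissertation or the Scottish Police Department; the evidence number, names, path and the image bytes are constructed placeholders, and SHA-256 is my choice of hash, not one the page prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(evidence_no: str, custodian: str, stored_at: str,
                   image: bytes, examiner: str, captured_at: datetime,
                   checked_by: str = None) -> dict:
    """Build the per-item record the text asks for: custodian, storage path,
    image size, evidence number and who quality-checked the task, plus a
    hash so the stored copy can be verified later."""
    return {
        "evidence_no": evidence_no,
        "custodian": custodian,
        "stored_at": stored_at,
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
        "examiner": examiner,
        # Always stored in UTC; local time is reconstructed when needed.
        "captured_at": captured_at.astimezone(timezone.utc).isoformat(),
        "quality_checked_by": checked_by,   # None until someone reviews it
    }


def verify_record(record: dict, image: bytes) -> bool:
    """True only if size and hash still match: any alteration of the image
    after the record was written fails this check."""
    return len(image) == record["size_bytes"] and sha256_hex(image) == record["sha256"]


# Constructed stand-in for an acquired image; a real one would be the file
# produced by the acquisition tool. All names and numbers are placeholders.
SAMPLE_IMAGE = b"HX" + b"\x00" * 510 + b"sample-user-data" * 8
SAMPLE_CAPTURED_AT = datetime(2012, 4, 2, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    rec = custody_record("EV-0001", "J. Doe (custodian)", "/evidence/EV-0001.img",
                         SAMPLE_IMAGE, "examiner A", SAMPLE_CAPTURED_AT, "examiner B")
    print(json.dumps(rec, indent=2))
    print("verified:", verify_record(rec, SAMPLE_IMAGE))
```

Writing the record immediately after acquisition, before the image leaves the examiner's hands, is what gives the later quality check something independent to compare against.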

2.4.2 Mobile Forensics Triage

Triage is the process of acquiring important evidence on-scene in a limited period, but also in an accurate way. However, triage is not a replacement for an in-depth examination later in the lab.

Every triage starts with a search warrant. This search warrant happens due to one of the many lawful exceptions, which can range from an incident to an arrest. Some of the main objectives when performing a triage are:

1. Locate all the devices that are related to the crime.

2. Identify the devices that are not relevant to the crime. Each crime lab needs months to complete a forensic analysis. Therefore, it is practical to ignore these devices, avoiding unneeded work.

3. Interview the suspects at the crime scene. These interviews are more effective when the evidence found at the crime scene can be shown to the interviewed person.

4. Determine leads for future investigations.

5. Examine and extract sensitive information from the different devices seized.

Moreover, phone triage should be complementary to gathering information directly from the carriers. The main reason is that obtaining information from carriers can take several weeks or even months, and the amount of data stored by them is limited. Most of them keep call logs for a year; however, other information, like text message content, is only kept for a week, and the assigned IP address is stored for a couple of days.

Time matters in a triage. Hence, the main goal is to extract as much information as quickly as possible. An average time should be around 20 minutes regardless of the phone brand or model. The results should be limited to information that is common to phones but stored differently by each device (Walls, Learned-Miller, & Levine, 2011).

2.4.3 Seizure and Chain of Custody Process

Once on site, the investigator should make a note of every device that is going to be imaged. The best way is to collect it from the custodian and ask whether there is any password, PIN, PUK or lock pattern, and which ones they are. This is not always possible, but if it is, the investigator should note them down to avoid having to hack the passwords.

The chain of custody is probably the most important piece of information regarding responsibility for the handset. Therefore, the forensic team should give an evidence name to each device and note the description of the device (whether it is a SIM card, mobile phone or satellite phone), the phone brand, the phone model, the IMEI of the telephone and the SIM card number. Furthermore, other useful information could be the mobile phone number and whether it was powered on or off. It is good to write down as much information as possible.

Furthermore, the investigator has to note the date and time at which he receives the evidence, the location where the exchange took place, from whom he received it and who received it, usually the investigator himself. The signature of each person next to their name shows the agreement of both sides. Sometimes, when a forensic team member is putting the evidence into the evidence box, or when it is taken from a place and not from a person, the investigator should put the place name instead of a person.

Finally, it is good practice to specify the reasons why the evidence is moving from one custodian to another, whether it is going to be sealed inside a new seal bag and that bag's seal number, and whether the evidence was already inside a seal bag and, if it was, what its seal number is.

Once the chain of custody form is done, the investigator can proceed to put the telephone or SIM card inside the seal bag or Faraday bag. The Faraday bag, shown in Figure 2-10, isolates the device from the network and from external signals, preventing the data from being modified or corrupted. (Deloitte, 2011)


Figure 2-10 Faraday Bag (Data Duplication Ltd)

The main problem with Faraday bags is that sometimes the examiners have to manipulate the phone and have to take it out of the bag, exposing the telephone to external threats and risks. To address this problem, there are special rooms called Faraday rooms or Faraday cages. These rooms are often used as appointment rooms or cinemas and work as huge Faraday bags, preventing any external signal from reaching any device inside. The main issue with Faraday cages is their cost: constructing a Faraday room is more expensive than buying a Faraday bag. However, this optimal solution allows the investigators to manipulate the phone without any risk, with the advantage that it is more comfortable than a Faraday bag. (Faraday Bag)

2.4.4 Imaging Process

Many software tools exist for acquiring a mobile phone image. Some of the most used tools and methodologies, such as XRY, Cellebrite, Oxygen and Zdziarski, will be explained later. However, even though the process is quite similar in most of them, they all have one key point in common: the documentation of the process.

The imaging process can be done at the forensic office, which is less time-restricted, or on the client site. When investigators are working at the client's office or at the crime scene, they do not have the same amount of time to work because of deadlines or because of the client's timetable. Therefore, it is important to make every minute count.

When imaging a mobile phone, SIM card or memory card, the forensic team member should create two exact copies of the evidence, using tools like a caddy or Robocopy to preserve the metadata. One copy will be sealed inside a seal bag and stored in the evidence box without manipulation. The other one will be the working copy; this image is the one that will be used for further investigation in case data needs to be recovered or tracked.

Regarding the software used, usually every kit comes with many connectors for the different mobile devices. This way, any mobile can be connected to the destination, through an imager if one is used. The destination depends on the storage capacity of the mobile phone to be imaged; if it has a large flash memory, like the iPhone, the investigator should use a dongle. The imaging tools allow copying not only the information from the mobile device but also the information from the SIM card and even from external memory cards, depending on the software used. Imaging kits like XRY, Cellebrite or Oxygen are quite straightforward: once the mobile phone is connected, it is just necessary to follow the instructions on the screen, and in a few steps the imaging process is done.

In the documentation, the forensic team member should note what action was taken to prevent signals reaching the phone, such as using a Faraday bag or switching the mobile phone off. Further information that can be acquired from the phone is the brand, model, IMEI number and the password used to unlock it. Specifying the mobile phone's date and time, the actual date and time, and the reliable source against which it was compared is very important for knowing the time zone difference. While doing the imaging copy, the investigator should note which software or tool he is using, the version of the software, what kind of connection is being used, where the destination of the images is, the starting time of the process and, when it is done, the results.

The SIM card data is usually smaller than the data that can be found on the handset. Again, it is important to note the card number after comparing it with the number given by the imaging tool, the forensic software used, the brand of the card, the destination of the image, and the process starting time.

Finally, the most important thing about the destination drive is that it has to be encrypted. The investigator can use tools such as TrueCrypt, which are free and very powerful. This way the information will be safe, and in the worst-case scenario, in which the destination is lost or stolen, it will be more difficult to access the sensitive data from the case. (Deloitte, 2011)

2.4.5 Additional Media

Additional media are memory cards or external evidence that belong to the custodian, are part of the mobile phone and contain relevant information.

The imaging process for the additional media is similar to a hard drive imaging process. Once the memory card is inserted into a read-only reader device, the investigator can create an image with the desired forensic tool on the destination volume. The destination volume should be encrypted and the image compressed whenever possible to avoid the slack space inside the media. When the image is finished, it is important to check that it has been done properly by verifying it with its MD5 hash.

Furthermore, the documentation should contain the brand, model, serial number and size of the additional media, as well as the kind of memory card it is: SD, XD, MicroSD or other. The investigator should note which type of write blocker he is using to avoid modifying information, as well as the software used for creating the image, the sectors imaged, the starting date and the hash obtained for later verification. (Deloitte, 2011)
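The imaging and documentation steps of sections 2.4.4 and 2.4.5 (master copy plus working copy, hash verification, a record of tool, version, connection, destination and times) carried out in code, as an added example that is not part of the dissertation or of the Deloitte procedure it cites. It runs on a constructed sample source; the file names, log fields and tool name are assumptions.

```python
"""Image a piece of evidence, verify it and write the acquisition record.

Added example (not from the dissertation): demonstrates the master copy /
working copy, hash verification and documentation steps of sections 2.4.4
and 2.4.5 on a constructed sample source. File names, log fields and the
tool name are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read the source in 1 MiB blocks


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole file, read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected_md5):
    """Later-stage check (for example in the lab): does the image still match?"""
    return hash_file(path, ("md5",))["md5"] == expected_md5.lower()


def acquire_image(source, dest_dir, evidence_no, tool="python-imager",
                  tool_version="0.1", connection="USB card reader (assumed)"):
    """Copy the source byte for byte into a master and a working copy, hash
    the source and both copies, and append the record to the acquisition
    log. Returns the record as a dict."""
    started = datetime.now(timezone.utc)
    master = os.path.join(dest_dir, f"{evidence_no}_master.dd")
    working = os.path.join(dest_dir, f"{evidence_no}_working.dd")

    source_hash = hash_file(source)  # hash the source before anything else
    for copy in (master, working):
        with open(source, "rb") as src, open(copy, "wb") as dst:
            shutil.copyfileobj(src, dst, CHUNK_SIZE)
    master_hash = hash_file(master)
    working_hash = hash_file(working)

    record = {
        "evidence_no": evidence_no,
        "source": source,
        "size_bytes": os.path.getsize(source),
        "tool": tool,
        "tool_version": tool_version,
        "connection": connection,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "master_copy": master,
        "working_copy": working,
        "hashes": {"source": source_hash, "master": master_hash,
                   "working": working_hash},
        # all three digests agree -> both copies are exact images
        "verified": source_hash == master_hash == working_hash,
    }
    with open(os.path.join(dest_dir, "acquisition_log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo_run():
    """Run the workflow on constructed data; returns (record, tamper_detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "sample_sdcard.bin")  # constructed evidence
        with open(source, "wb") as fh:
            fh.write(b"constructed sample evidence\n" * 4096)  # 114688 bytes
        record = acquire_image(source, tmp, "EV-001")
        # Simulate a working copy that was altered after acquisition: one
        # changed byte is enough for the later MD5 verification to fail.
        with open(record["working_copy"], "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        tamper_detected = not verify_image(record["working_copy"],
                                           record["hashes"]["master"]["md5"])
        return record, tamper_detected


if __name__ == "__main__":
    rec, tampered = demo_run()
    print(json.dumps(rec, indent=2))
    print("tamper detected on altered working copy:", tampered)
```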


2.5 iPhone Acquisition

This chapter will explain the different approaches to acquiring an iPhone image, as well as their differences, advantages and disadvantages. There are three main ways to make an image of an iPhone: logical acquisition, physical acquisition and dumping the memory, which means extracting the information directly from the memory chip itself.

Understanding all of them is important because each one is more difficult than the previous one and requires more knowledge.

2.5.1 Different Methodologies

There are many ways of obtaining data from an iPhone, but the most common ones are (Hoog & Strzempka, iPhone Forensics Overview and Techniques, 2010):

1. Logical acquisition: captures all the live information on the device, although erased information cannot be recovered. It is the easiest method to follow because it requires less technical knowledge.

2. Physical acquisition: a bit-for-bit copy of the device, capturing all the information contained in it. The physical image acquires not only live information but also deleted data inside the imaged device.

3. Disassembling the phone: this technique is based on opening the handset and accessing the memory directly. The investigator has to dump the memory, which requires a thorough understanding of what he is doing.

The next sections will go more deeply into each method.

2.5.2 Logical Acquisition

Apple provides a backup system via iTunes, which stores information such as call logs, contacts, SMS, music, videos, configuration and other binary data imported by iTunes. This data is stored in backups that can be encrypted. When encryption is set up by the user, the passwords are also stored inside the backup; if the backup is not encrypted, the passwords are not saved. However, this encryption can be cracked easily with tools like Elcomsoft Password Cracker, giving free access to the image. Therefore, the logical acquisition can be done from the backups themselves or from the iPhone device, if the investigator has the proper tools.

Some of the tools on the market that allow this technique are XRY, Cellebrite and Oxygen, among others. However, these tools are quite expensive and only big forensic teams can afford them.


As explained before, one of the main issues is that the logical acquisition obtains the information from live data. Therefore, all the information erased by the custodian will be lost. The main advantage is that doing a logical acquisition is quite easy compared with the other methods. Some of the tools mentioned show the steps to follow on the display quite precisely. (Hoog & Strzempka, Logical Acquisition, 2010)

2.5.3 Physical Acquisition

This technique copies the information from the flash memory bit for bit. This means that every file in the memory, deleted or live, will be imaged. This imaging method takes a really long time and requires more technical knowledge than the logical acquisition.

The process can be done with commercial tools like Cellebrite or Elcomsoft. However, the same reason as before applies to these tools: this type of software is really expensive, and not every company can pay for it if they do not have enough mobile forensic cases. Despite this, Zdziarski offers a methodology that can be applied using open and free tools, even if it requires more computer knowledge.

Finally, the iPhone 4 came with big news from the security perspective, introducing physical encryption. When a bit-for-bit image is taken from the device it will finish properly; however, the content of the image file will be unreadable and it will not be possible to mount it. The solution to this problem is hacking the encryption. This is a process that many hackers are currently working on, but it will take time. (Hoog & Strzempka, Physical Acquisition, 2010)

2.5.4 Disassembling Acquisition

This method, also known as J-tagging, is very dangerous, and if the examiner is not an expert in the hardware of the device, he can break it. Hence, not only will all the data and information be lost, but the handset will also be destroyed. The basic technique is to remove the solder from the Read-Only Memory (ROM) of the phone and extract the information from the chip, performing a NAND dump. It is important to have the right knowledge, but also to have the proper tools for disassembling the chipset.

Many companies and agencies avoid this method because if something goes wrong and the phone is damaged, they will not be able to recover the data and they will have to pay the suspect for the damage done. (Keonwoo, Dowon, Kyoil, & Jae-Cheol, 2007)

2.6 Tools in The Market

This last chapter will introduce some of the different forensic tools that can be found on the market and that are used by many forensic teams from law enforcement and consultancy companies.

This chapter is relevant for knowing what the capabilities of these forensic programs are and what an investigator can expect from other similar software.


2.6.1 Cellebrite

This is a standalone kit composed of the UFED device and more than 100 cables for processing more than 2,500 mobile phones. The kit can be seen in Figure 2-6. It can do quick acquisitions and is user friendly, telling the investigator what to do in each step, either on the device or on the UFED machine. Apart from reading the handset, it can gather information from the SIM card or from the system dump. Data can be extracted to a USB stick or to a PC with the UFED software installed. The output is an .html report of all the information gathered, but it also creates a specific output file that can only be opened with its own tool. It is a good forensic tool in that it can gather data in different ways: not only does it have several acquisition methods, but it can also get a wide range of information. It works well with a large range of phone types but does not currently support iOS 5. (Hoog & Strzempka, Cellebrite UFED, 2010)

Figure 2-11 Cellebrite Kit (Hoog & Strzempka, Cellebrite UFED, 2010)

2.6.2 XRY

This forensic tool, shown in Figure 2-7, contains both software and hardware allowing a physical and a logical acquisition in the same way as Cellebrite. Moreover, it is friendlier than Cellebrite and guides the investigator through every step in great detail, as highlighted in Figure 2-13. The output format of the report is a file with the .xry extension that can be opened with the same application after the process is completed. The main advantage of this tool is that it can open almost any kind of file. Another major advantage is that it is one of the only tools that shows information from deleted notes. (Hoog & Strzempka, Micro Systemation XRY, 2010)

Figure 2-12 XRY (Hoog & Strzempka, Micro Systemation XRY, 2010)


2.6.3 Oxygen

Oxygen, shown in Figure 2-8, is more oriented towards logical acquisition; however, it uses a powerful acquisition protocol, which gives it good performance. It is probably the best software for logical acquisition and is quite simple and straightforward. It gives information such as the handset retailer, brand, IMEI, boot loader, and whether it is jailbroken. It also has information about the phonebook, SMS, messages, notes and calendar, all of them with an MD5 hash. (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010)

Figure 2-13 Oxygen Program (Hoog & Strzempka, Oxygen Forensic Suite 2010 PRO, 2010)

2.6.4 Zdziarski

This method comes from the investigator Jonathan Zdziarski, who is a very important and famous researcher in iOS forensics. His method is only available to law enforcement. However, it is considered the best way of acquiring a physical image from the iPhone, and the knowledge required to use it is greater than for the other methods because it carries the risk of breaking the phone. It is basically the method that will be followed in the development chapter and will be explained there. (Hoog & Strzempka, Zdziarski Technique, 2010)


2.7 Chapter Conclusions

The systems introduced are some of the most important and widely used on the world market. However, even if a brief introduction to each one has been given, a comparison between all of them is necessary.

Table 2-2 Mobile Phone System Comparison

| Feature | Android | Windows Phone | iOS | BlackBerry |
|---|---|---|---|---|
| Apps | Many free applications and an approval process that is not as restricted as on other platforms. However, because no standards are required, the quality of some applications is affected. | The application market continues to be small compared to the rest of the competitors. | Many applications on the market, and of good quality due to the specific standards. However, the requirements of the market are sometimes too strict, rejecting very desirable applications. | Small number of applications on the market and not very good quality. |
| Email | Complete integration with the Gmail account. However, it does not support more than one email account. | Good integration with email such as Microsoft Exchange, Gmail, Windows Live Messenger and more. | Multiple accounts can be configured for email exchange. | The best interface and access control system for email. However, it does not support more than one email account. |
| Internet browsing | Excellent browser and very fast processing speed. Also supports Adobe Flash. | The browser supports HTML 5 but not Flash. Internet Explorer is not very well supported by developers, resulting in errors. | Very fluent web browser with the possibility of showing just text, reducing the data cost. Although it does not support Adobe Flash, it uses HTML 5 for this purpose. | The browser supports Flash and has very good accessibility thanks to the shortcuts. However, the displayed screen is too small. |
| Texting | Precise voice input service. More difficult to type, due to the absence of a physical keyboard. | Good implementation of features that allow you to read the text message itself. Also, it is possible to text messages via voice. | Free messages with iMessage, including videos, pictures, sounds and group chat. More difficult to type, due to the absence of a physical keyboard. | Easier to text with the physical keyboard. Also has its own instant messaging system, very useful between business colleagues. |
| Music | Supports many music formats, and in the market the user can find many applications for listening to music. It also allows syncing the music with the computer thanks to "Google Music". | The Zune music player has improved compared to the previous one. Can sync via wireless. | Very good for music. Perfect and comfortable synchronization with iTunes. However, it forces the user to use iTunes for loading music. | Not very good for listening to music, but it has improved considerably compared with the previous versions. |
| Videos & photos | Good quality pictures and videos. The performance of the camera is good, without lag. Panoramic shots and the possibility to upload pictures to Google+. 5-inch screens. | Not a very good camera. The quality of the pictures and videos taken is not good. | Very good quality pictures and videos. Possibility to use FaceTime for video calling. The colour brightness is not 100% realistic. | 4.3-inch screens. Easy to share pictures on social media. Can recognize text in the pictures. |
| Games | Due to the variety of handsets it is not possible to create high quality games for every device. However, the system has the power for it. | Thanks to Xbox Live integration in Windows Phone, the experience has improved. | Many games with high quality graphics. Fun and good feedback. | Small library of games. Bad quality graphics. |
| Handset | Many mobile phone models for every kind of person: cheap, expensive, with or without keyboard, among others. | Many mobile phone models for every kind of person: cheap, expensive, with or without keyboard, among others. | There is only one device to choose from. However, the smart design and high technology are worth it. | Good and durable cell phones with a business-style look. However, the quality is not as good as the rest of the competitors. |
| Battery & external memory | The battery life does not last long. Scalable memory. | Average battery life. Scalable memory. | Does not have a removable battery, and it does not last long either. The memory has a similar problem: it is not removable and therefore not scalable. | The battery life is very good. Scalable memory. |

The main reason why the forensic methodologies in this document will be applied to the iOS system and not to the other ones is that, as outlined in Figure 2-1, iOS is currently one of the most successful mobile phone systems. However, because of its license and protection, it is difficult to extract information from the iPhone, as it does not expose 100% of its usability. This is one of the main challenges to experience: to see how much information can be obtained by digging inside the handset.

Chapter 2.2 showed what information can be expected to be found on cell phones, highlighting at least two main sources of data: the first one is the handset itself and the other one is the SIM card.

Even if most of the data can be obtained from the main device, if the user erases the information, the investigator can still find pieces of information stored on the SIM card. Data such as SMS or numbers called can be useful to the case.

Most of the information, as explained before, is stored in the handset. However, the data can be stored not only in the flash memory of the telephone but also on external media like Mini SD cards or other types of external memory. Most of the information found on the first pass will be pictures, videos, music and documents. However, if the investigator digs deeper, he will find the rest of the information, such as calls, SMS, network settings, applications, games and emails, among others, stored in databases or configuration files, as the iPhone does.

Even if iPhones look quite similar to each other, another issue to bear in mind and to understand while an iPhone handset is being processed is its version. The biggest difference, as explained before, is the physical encryption on the iPhone 4. Therefore, acquiring an image physically from models prior to the iPhone 4 is easier because it is not necessary to hack it. However, iOS 3 brought logical backup encryption. When trying to analyse a backup from iOS 3 onwards, it is important to know that there may be a possibility to decrypt it if necessary.

Furthermore, having introduced the iOS file system, it is possible to understand that when iOS is turned on for the first time, it goes through the memory in sequential order until it finds the "boot blocks". This is where the jailbreak payload resides and allows third party software to be executed.

Doing a good image is vital to the case, because if it is not done properly, it can be the cause of an unsuccessful investigation. That is why it is important to keep every step well documented and to be extra cautious during the process. It is not just for the sake of the forensic team member while at trial, but also for the whole team if in the future they want to learn how to do things properly. Moreover, it is good practice for when the investigator is at trial and others have to redo the same steps and reach the same result.

The most important ideas to keep in mind from this chapter are to create, whenever possible, one master copy and one working copy of each piece of evidence, to verify it to know that it works properly, and to document every single step done.

Regarding the tools on the market and the different acquisition methodologies, most of them are very easy to use and have a friendly user interface guiding the investigator through every step, leaving little chance of making mistakes. This is helpful when the future investigation is going to depend on the quality and output of the image. However, they cost a lot of money, and not many companies or services can afford to buy these tools if they do not have many mobile forensic related cases. This could make the investigator choose open and free tools such as dd for creating the image, OpenSSH for transferring it to the laboratory and JuicePhone for extracting the information from the image. These tools can be used in combination with the Zdziarski methodology, obtaining a good quality bit-for-bit image.

Finally, it is completely inadvisable to perform a disassembling acquisition on an iPhone. The risks that need to be assumed for using this technique are too high and the consequences unpredictable.


3 Tool Analysis

This chapter will introduce the tools that will be used in the following development chapter, through an analysis of the iPhone that is going to be acquired. Another important fact to bear in mind is that the development will be done with one iPhone 3GS and one iPhone 4.

Therefore, the first challenge will be how to proceed with the physically encrypted iPhone and what steps the investigator should follow to do a physical or logical acquisition (Section 3.1). The next section will highlight how some of the tables inside the iPhone databases are related, what kind of databases the examiner can find and how to query them (Section 3.2). After that, the property list files will be introduced, along with a friendlier way to read them (Section 3.3).

Most of the forensic tools used during the acquisition for imaging, cracking the encryption, and extracting the information from the backups or mailboxes will be explained afterwards (Sections 3.4 and 3.5). Finally, other tools, such as iTunes for synchronization and QuickTime for reading picture and video metadata, among others, will be presented and their use explained (Section 3.6).

3.1 iPhone Encryption and acquisition steps to follow

As the iPhone 4 is encrypted, the physical acquisition will be done using an iPhone 3, installing all the needed tools there and showing the process followed until the data is stored on the lab computer and is readable. The steps will be:

1. Install support tools on the iPhone and on the computer.

a. Exploit

b. SSH connection

c. Forensic tools

d. Cydia

2. Make an image of the whole device.

For the logical acquisition, an iPhone 4 will be used. First, a password-protected backup of the phone will be made with iTunes. This will allow the recovery of data such as the keychain's passwords. After that, the backup will be decrypted to be able to process it with the extraction tool File Juicer. This tool will extract the information organized in the same way as on the host phone.


Once the data from the phone is extracted with either of the two previous options, it can be analysed. However, the data is divided into two different partitions, the system partition and the user partition, so they need to be investigated separately.

The analysis of the data will try to gather everything that is possible using free tools or demos that are enough for the purposes of this dissertation. The main commercial tools are very expensive or are only accessible to law enforcement, so they will not be used. It is not only a matter of money: it is good to understand how to use different tools separately instead of using a single tool where the investigator clicks two buttons and does not know what is happening in the background.

3.2 Databases Infrastructure

3.2.1 Databases structure

iOS stores information in small databases with the file extension .db or .sqlite. First, it is interesting to look at an example just to know how some of the databases are related. As seen in Figure 3-1, one example is the call log database at the top right. On the phone, when users look at the log, they can see the name of the caller, and when tapping the name they can access the rest of the information in the address book. This is shown in the picture by a relational link between addressbook.db and call.db. The SMS service is another example of how the information is correlated between the calls, the address book and the SMS services.

Figure 3-1 iOS Database structure
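The relational link just described, as an added example that is not part of this dissertation: a Python script builds two small SQLite databases with constructed, simplified schemas (a person table plus a multivalue table of phone numbers standing in for the address book, and a call table standing in for the call log; the real iOS schemas and the meaning of the flags column are assumptions here), attaches one to the other and resolves every logged number to a contact name with a single LEFT JOIN, leaving unknown numbers visible instead of dropping them.

```python
"""Correlate the call log with the address book with one SQL join.

Added example, not part of the dissertation. The two databases, their
schemas and their rows are constructed here (simplified stand-ins for
the call history and address book stores; real iOS schemas differ), so
the script runs offline and stands alone.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed convention for the flags column: 4 = incoming, 5 = outgoing.
DIRECTION = {4: "incoming", 5: "outgoing"}


def build_sample_dbs(addressbook_path, calls_path):
    """Create an address book and a call log with constructed sample rows."""
    ab = sqlite3.connect(addressbook_path)
    ab.executescript("""
        CREATE TABLE person(id INTEGER PRIMARY KEY, first TEXT, last TEXT);
        CREATE TABLE multivalue(record_id INTEGER, label TEXT, value TEXT);
        INSERT INTO person VALUES (1, 'Alice', 'Example'), (2, 'Bob', 'Sample');
        INSERT INTO multivalue VALUES (1, 'mobile', '+441310000001'),
                                      (2, 'home',   '+441310000002');
    """)
    ab.commit()
    ab.close()

    calls = sqlite3.connect(calls_path)
    calls.executescript("""
        CREATE TABLE call(id INTEGER PRIMARY KEY, address TEXT,
                          date INTEGER, duration INTEGER, flags INTEGER);
        INSERT INTO call VALUES
          (1, '+441310000001', 1333017600, 95, 5),
          (2, '+441310000099', 1333021200,  0, 4),
          (3, '+441310000002', 1333024800, 30, 4);
    """)
    calls.commit()
    calls.close()


def resolve_calls(addressbook_path, calls_path):
    """Attach the address book to the call log and join on the phone number.

    LEFT JOIN keeps calls whose number has no address-book entry, which is
    what the phone itself shows as a bare number in the Recents list.
    """
    con = sqlite3.connect(calls_path)
    con.execute("ATTACH DATABASE ? AS ab", (addressbook_path,))
    rows = con.execute("""
        SELECT c.id, c.address, c.date, c.duration, c.flags,
               p.first || ' ' || p.last AS name
        FROM call AS c
        LEFT JOIN ab.multivalue AS mv ON mv.value = c.address
        LEFT JOIN ab.person     AS p  ON p.id = mv.record_id
        ORDER BY c.date
    """).fetchall()
    con.close()

    resolved = []
    for call_id, number, ts, duration, flags, name in rows:
        # The sample stores Unix epoch seconds; report them in UTC.
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        resolved.append({
            "id": call_id,
            "number": number,
            "when": when,
            "duration_s": duration,
            "direction": DIRECTION.get(flags, "unknown"),
            "name": name if name else "<not in address book>",
        })
    return resolved


def demo():
    """Build the sample databases in a temp directory and resolve the calls."""
    with tempfile.TemporaryDirectory() as tmp:
        ab_path = os.path.join(tmp, "AddressBook.sqlitedb")
        call_path = os.path.join(tmp, "call_history.db")
        build_sample_dbs(ab_path, call_path)
        return resolve_calls(ab_path, call_path)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same ATTACH and JOIN pattern works on the extracted database files directly, and because SQLite does not overwrite deleted records immediately, rows that the phone no longer displays may still be recoverable from the file even when the join no longer finds a matching contact.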


3.2.2 Databases tools

There are applications for interrogating the databases and extracting information from them. One of the most widely used, and free, is “SQLite Database Browser”, shown in Figure 3-2. It is user friendly and lets the investigator see the database structure or look at a table's contents with a few clicks. It also allows running queries, and the databases can easily be moved from one place to another because each one is a single portable file. However, its engine is not very powerful, so it is not a good idea to run long, time-consuming queries in it.

Figure 3-2 SQLite Database Browser interface

Another application, for those who do not mind paying for it, is Froq, shown in Figure 3-3. This tool is developed by Alwin Troost. It is more powerful than SQLite Database Browser and lets the user export results to other formats such as PDF or Excel for reporting. However, it is not as easy to use as SQLite Database Browser, and a connection to the database has to be configured beforehand.

Figure 3-3 Froq interface


3.3 Property list tools

Property lists are the files iOS uses to store configuration, saved on the device with the “.plist” extension in XML form (or an equivalent binary encoding that the same tools open). To view these documents, the MacBook has a tool installed called “Property List Editor”. This tool is optional; it can be found on the developer tools CD or downloaded from Apple's website. Property List Editor presents the XML content in a readable way; Figure 3-4 shows how a file looks in this tool.

Figure 3-4 Difference reading XML format and .plist format

Another program, apart from Apple's native Property List Editor, is “OmniOutliner”. Some of its advantages are that it allows the user to export the data and to expand all the keys. Once Property List Editor or OmniOutliner is installed, the easiest approach is to right-click one of the “.plist” files and select “Get Info”. In the “Open with” section, select the preferred application for property list files and click “Change All…” as shown in Figure 3-5.

Figure 3-5 Open With option
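As an added example (not the dissertation's own material), the following Python script does with plistlib what Property List Editor and OmniOutliner do in the figures: it parses a property list, expands every key into a path/value line, and converts the same tree to the binary plist format and back to show that both encodings carry identical content. The file contents are constructed to resemble a device configuration file; the key names are assumptions and are not taken from any real iOS file.

```python
"""Dump an iOS property list (XML or binary) as readable key paths.

Added example, not part of the dissertation. The plist content below is
constructed to look like a device configuration file; its keys are
assumptions, not the keys of any real iOS file.
"""
import plistlib
from datetime import datetime

SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ProductBuildVersion</key><string>8J2</string>
  <key>ProductVersion</key><string>4.3.3</string>
  <key>KnownNetworks</key>
  <array>
    <dict>
      <key>SSID_STR</key><string>lab-wifi</string>
      <key>lastJoined</key><date>2012-03-29T10:40:00Z</date>
    </dict>
  </array>
  <key>Hidden</key><true/>
  <key>Blob</key><data>QUJD</data>
</dict>
</plist>
"""


def load_plist(raw: bytes):
    """plistlib.loads detects XML and binary ("bplist00") plists itself."""
    return plistlib.loads(raw)


def flatten(obj, prefix=""):
    """Expand every key into 'path = value' lines (OmniOutliner's expand-all)."""
    lines = []
    if isinstance(obj, dict):
        for key in sorted(obj):
            lines.extend(flatten(obj[key], f"{prefix}/{key}"))
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            lines.extend(flatten(item, f"{prefix}[{index}]"))
    else:
        if isinstance(obj, bytes):          # <data> elements are base64 in XML
            shown = obj.hex()
        elif isinstance(obj, datetime):     # <date> elements become datetimes
            shown = obj.isoformat()
        else:
            shown = repr(obj)
        lines.append(f"{prefix or '/'} = {shown}")
    return lines


def to_binary(tree) -> bytes:
    """Serialise the tree in the binary plist format used by many iOS files."""
    return plistlib.dumps(tree, fmt=plistlib.FMT_BINARY)


def roundtrip_lines(raw: bytes):
    """Parse, convert to binary, parse again: the flattened view is identical."""
    tree = load_plist(raw)
    binary = to_binary(tree)
    assert binary.startswith(b"bplist00")
    return flatten(load_plist(binary))


if __name__ == "__main__":
    for line in roundtrip_lines(SAMPLE_XML):
        print(line)
```

Binary plists are what the `plutil -convert xml1` command turns into XML on a Mac; `plistlib.loads` accepts either form, so the flattened listing is the same whichever encoding a given file on the device uses.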

3.4 Mail Exporting

The key packages that will be used for email exporting are Emailchemy and File Juicer.

Emailchemy converts the mailboxes from the phone's proprietary format into a more standard format. It works on Windows, Linux and Mac. It is not a free product, but the demo extracts the information while blurring the subject and sender fields (Weird Kid Software).

File Juicer can be used to open the IMAP mail. It takes the IMAP folders and parses the mail and the attachments embedded in it. Its most useful feature is therefore the extraction of attachments that may incriminate the suspect or be sensitive for the investigation (File Juicer).


3.5 Forensic Tools

The key packages that will be used for the acquisition are RedSn0w, Cydia, dd, Netcat, OpenSSH, Elcomsoft Phone Password Breaker and JuicePhone.

RedSn0w is a jailbreaking tool that exploits a vulnerability in the iOS device's boot process. It installs a payload in the boot chain which, once the device restarts, gives the user unrestricted access to the device's resources. Other software like RedSn0w includes greenpois0n and limera1n.

Cydia is an application for the iPhone, iPad or iPod that lets the user install applications that have not gone through Apple's App Store review. It also allows modifying the look of the device (icons, docks, status bars and so on). Cydia finds these applications through repository sources that the user adds.

dd copies raw data, allowing the investigator to create a bit-for-bit duplicate of the forensic evidence. It has no GUI and is run from a terminal, specifying the input file, the output file and the block size of the copy.

Netcat reads and writes data across the network using TCP/IP. On one side it listens on a port and writes whatever it receives to the specified output; on the other side the investigator specifies what is sent through the pipe, together with the address and port of the listening end. This sets up a channel between both points and transfers the data. In this setup the sending side runs on the phone, so Netcat has to be installed there from a Cydia repository.

OpenSSH is a free implementation of the SSH protocol for connecting to the device. SSH encrypts all the traffic, so the content of the transmission cannot be read on the wire; the channel is only as secure as its authentication, however, so the well-known default device password discussed in Section 4.3.4 should be changed once the daemon is installed. The program sets up a daemon listening on port 22 that can be accessed with PuTTY or any other SSH client (OpenSSH).

Elcomsoft Phone Password Breaker allows the investigator to access encrypted backups of mobile devices such as iPhones, iPads, iPods or BlackBerrys. Even when the backup is password protected, the software can recover the password with a dictionary attack followed by a brute-force attack, and shows it at the end of the process. The tool is not free, but the demo version allows cracking the backup password and decrypting the backup (Elcomsoft).

JuicePhone extracts the information from the logical backups made by iTunes. Among the information that can be extracted are notes, emails, applications, games, pictures and videos. It also shows information about the device, such as the firmware version or user name. It does not work well with encrypted backups, so these need to be decrypted before using JuicePhone. The tool is free (AddPod, 2011).

3.6 Other Tools

The other tools used are: Keith’s iPod Photo Reader, iTunes, Preview and QuickTime.


Keith's iPod Photo Reader allows viewing photos stored on the iPhone that were transferred with iTunes and are related to music, such as album covers. These images are stored in files with the .ithmb extension. The tool reads this format and presents a library of thumbnails, each of which can be expanded to full size (Wiley, 2011).

iTunes is Apple's media player. It can be used for playing, downloading and organising music and video files. More importantly, it manages the contents of Apple devices such as iPhones, iPods and iPads. It is used for transferring most of the information stored on the device, such as purchases, programs, pictures and videos. It also creates backups of the whole device, a logical image of the live information on the iPhone. The software is multiplatform and runs on Windows and Mac (Apple).

Preview is the default Mac application for displaying pictures, PDF documents and other files. In this investigation it is mostly used to open pictures and show the information attached to them, such as the GPS annotations (Wikipedia, 2011).

QuickTime is Apple's proprietary software for playing different video formats. In the development stage it will be used for viewing information about the videos and their metadata, such as the location where they were recorded. It has versions for Windows and Mac OS X (Apple).

3.7 Chapter Conclusions

Apparently, the information contained in the iPhone, apart from the multimedia content, is divided into property lists and databases. The databases can yield a significant amount of information even if it has been erased from the device: the link may be erased, but the data could still be there, because SQLite marks deleted records as free space rather than overwriting them immediately.

All the tools that are going to be used are freeware or demo versions that work like a free tool. For this research these kinds of tools are sufficient, but in a real case it would be better to use a certified or standardised tool. Some of the tools are perhaps not the best option, for example iTunes for acquiring the device: if used carelessly it can synchronise with the investigator's computer and erase information from the phone. However, it creates logical backups, and these backups can be cracked to analyse the information they contain.

Even though in this example one of the payloads is installed using an exploit, jailbreaking is legal in the USA, and even certified tools such as Oxygen and Cellebrite also install a payload on the system partition that lets them execute their own code on the iPhone when it starts up. Hence there is no problem with jailbreaking the phone or using a payload. In addition, using redsn0w shows the complete process of what happens in the background when an iPhone is jailbroken.


4 Development

iPhone mobile devices contain a lot of data and sensitive information: not only address books, call history or text messages but also information from third-party applications. Moreover, users can create files on the phone with applications like iWork, iMovie and many others. Therefore, this chapter first analyses the disk structure of the handset's flash memory (Section 4.1). It then explains how the logical acquisition was done (Section 4.2) and the physical acquisition for the iPhone 3GS, a bit-for-bit copy of the data partition (Section 4.3). Next, the iOS system partition is analysed to check what kind of information is found there (Section 4.4), and likewise the iOS data partition, which contains all the data stored by the user such as pictures, music or videos (Section 4.5).

Finally, the Library folder and the Media folder of the second partition are analysed separately because of the large amount of information they contain (Sections 4.6 and 4.7 respectively).

4.1 iOS disk analysis

Figure 4-1 shows that the device's disk is divided into two partitions in HFSX format. The first line refers to the Master Boot Record (MBR). This is one sector long and holds the partition table from which the operating system on the iPhone is located. After it there is a free space of about 62 sectors, and the first partition begins after this free space; this partition holds the operating system files. Finally, the second partition stores the user data: applications, passwords and so on.

Figure 4-1 iOS disk information
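To make the layout in Figure 4-1 concrete, here is an added Python example, not taken from the dissertation, that parses the partition table of an MBR sector: the four 16-byte entries at offset 446 and the 0x55AA signature at the end of the sector. The sector is constructed to match the description in the text (an MBR, a gap of 62 sectors, then two partitions); the partition type, sizes and start sectors are assumptions, not values read from a real iPhone.

```python
"""Parse the MBR partition table at the start of a disk image.

Added example, not the dissertation's code. The 512-byte sector is
constructed below to match the layout described in the text (MBR,
62 free sectors, two partitions); real device values differ.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446           # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
HFS_TYPE = 0xAF              # assumed partition type byte for HFS/HFSX


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) >= SECTOR and sector[510:512] == SIGNATURE


def parse_mbr(sector: bytes):
    """Return the non-empty partition entries with start/end/size in sectors."""
    if not is_valid_mbr(sector):
        raise ValueError("not an MBR sector: 0x55AA signature missing")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA(4) count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and count == 0:
            continue                     # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "end_lba": lba_start + count - 1,
            "size_mib": count * SECTOR / 2 ** 20,
        })
    return entries


def layout(sector: bytes):
    """List MBR, gaps and partitions in disk order, like the text's figure."""
    rows = [("MBR", 0, 0)]
    cursor = 1
    for entry in sorted(parse_mbr(sector), key=lambda e: e["lba_start"]):
        if entry["lba_start"] > cursor:
            rows.append(("free", cursor, entry["lba_start"] - 1))
        label = f"partition {entry['index'] + 1} (type 0x{entry['type']:02x})"
        rows.append((label, entry["lba_start"], entry["end_lba"]))
        cursor = entry["end_lba"] + 1
    return rows


def build_sample_mbr() -> bytes:
    """Constructed sector: system partition at LBA 63, data partition after it."""
    sector = bytearray(SECTOR)

    def entry(i, status, ptype, start, count):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * i,
                         status, ptype, start, count)

    system_sectors = 1_048_576                     # 512 MiB, an assumption
    entry(0, 0x00, HFS_TYPE, 63, system_sectors)
    entry(1, 0x00, HFS_TYPE, 63 + system_sectors, 29_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, start, end in layout(build_sample_mbr()):
        print(f"{label:28s} sectors {start}-{end}")
```

Run against a real image, `parse_mbr(open("image.dd", "rb").read(512))` gives the byte offsets (`lba_start * 512`) needed to mount each partition from the raw file, and the signature check is the first thing to verify when a copy is suspected to be incomplete.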

4.2 iPhone logical acquisition

iTunes can be used to make a logical copy of the iPhone data. The main problem is that deleted data or folders cannot be retrieved with this method. Another big issue is that if the examiner synchronises the iPhone with a computer other than the owner's, the movies and music will be erased because of Digital Rights Management (DRM). All the purchases from the App Store, music, data and videos would be lost, and the only remaining option would be to inspect the owner's computer.

iTunes creates a backup of the phone when it is synchronised with the computer, when a software update is installed, or when the phone is restored to its original settings.

As said before, this type of backup only stores information that has not been deleted. This data is the same information found on the second partition of the device.

The information found in the backups includes the stored contacts, application settings, preferences, autofill data for web pages, calendar accounts, calendar events, the call log, photos, screenshots, saved images, saved videos, recent searches, bookmarks of favourite websites, network settings, saved Wi-Fi networks, VPN settings, notes, databases used by the applications, configuration of paired Bluetooth devices, SMS and MMS including the embedded videos or pictures, voice recordings, wallpapers, web clips, recently opened Safari pages, YouTube bookmarks or history, and the passwords used.

In the summary preferences, iTunes offers the option of encrypting the backup. When this option is selected, a password has to be set, and that password must be entered when restoring the device from the encrypted backup. If the password is forgotten, the device cannot be restored from that backup, but it can still make new backups and be restored from other ones. Mac OS X offers to remember the password in the system keychain, so if the host keychain is cracked the password can be recovered. It is important to know that the passwords stored on the device are only backed up when the “encrypted backup” option is selected; otherwise they have to be entered again after a restore. Figure 4-2 shows how to encrypt a logical backup in iTunes.


Figure 4-2 Setting up password for the backup

It is important to know where iTunes stores its information. On Mac OS X, iTunes stores the music, ringtones and applications under /Users/*username*/Music/iTunes/. On Windows the path depends on the version: on XP it is \Documents and Settings\*username*\My Documents\My Music\iTunes\, and on Vista or 7 it is \Users\*username*\My Music\iTunes\.

4.2.1 Backup creation

To create the backup manually, the iPhone is connected to the computer. It is important to avoid steps such as updating the firmware or synchronising libraries, which could modify the information on the phone or even lose it. After connecting the iPhone, the user can see information such as the phone's name, its capacity, the software version it is running, its serial number and the phone number, as shown in Figure 4-3. The investigator then right-clicks the device name in the left panel and selects “Back Up”.

Figure 4-3 Information from the device

This option performs an incremental backup, adding the data changed since the previous backup made at the last sync. These backups are stored in the iTunes MobileSync folder, whose location depends on the system: Mac OS X uses ~/Library/Application Support/MobileSync/Backup/, Windows XP uses \Documents and Settings\*username*\Application Data\Apple Computer\MobileSync\Backup\, and Windows Vista or 7 uses \Users\*username*\AppData\Roaming\Apple Computer\MobileSync\Backup\. Figure 4-4 shows the Mac OS X folder containing the created backups.


Figure 4-4 Backup RAW files

4.2.2 Backup processing

Most of the data in the backup folder are raw files. Because of the nature of these files, it is difficult to make sense of the information without prior processing. The investigator can therefore use different tools to extract the information from the backup, such as Lantern, Susteen Secure View 2, Oxygen Forensic Suite 2010, FTK Imager, iPhone Backup Extractor or JuicePhone.

Because the investigation is run in a Mac laboratory using free tools, the chosen program is JuicePhone. At this point, the main difference between backups is whether they were encrypted at creation or not. As said before, the major advantage of an encrypted backup is that the passwords are stored in it, which is not the case for an unencrypted one. If the investigator tries to extract information from an encrypted backup, he will find that it is not possible, or that more sophisticated tools are needed; Figure 4-5 shows the encryption error message while trying to extract the data. Hence, one way of processing encrypted backups is to crack the password of the logical image and store it unencrypted. The tool used for this purpose is “Elcomsoft Phone Password Breaker”.

Figure 4-5 Problems extracting encrypted backup

The new version of this program can even break the device encryption of the newer iPhone 4, which is a huge advantage. The free version allows the investigator to crack the password set during the backup creation process.


4.2.3 Breaking the password

When the program is launched, the investigator points it at the path of the logical image. The program identifies the device name, the product type (iPhone 4, iPad, iPod and so on), the phone number and whether the backup is encrypted, shown with a lock icon to the left of the selected image (Figure 4-6). After selecting the target image, the program offers to crack the password with an advanced dictionary attack, or with a brute-force attack if the first one fails. In this example, because the password did not follow strong standards, it took less than a second; usually a long password with special characters, upper-case letters and so on will take a long time, even days. Figure 4-7 shows the successful cracking of the password and how many seconds it took. After the password is cracked, the program decrypts the files and puts them in the output directory; Figure 4-8 shows the extraction progress and status. This process can be followed for any encrypted logical backup, allowing the investigator to get past the encryption.

Figure 4-6 Elcomsoft Phone Password Breaker


Figure 4-7 Cracking the password

Figure 4-8 Decrypting the backup

4.2.4 Non-encrypted backup extraction

Once the investigator has an unencrypted logical image, he can continue extracting all the information stored in the raw files with the selected tool, JuicePhone in this case. In this tool the investigator can choose among the logical images previously loaded. This shows details of the device image such as the device name, size, type of device, date of the backup, firmware version, iTunes version used for the backup, serial number, identifier and number of applications installed on the device. Figure 4-9 shows the general information of the device in JuicePhone.


Figure 4-9 Juice Phone device information

The software allows showing the files in Finder with the device's date instead of the computer's date. It has two main types of extraction:

• Custom: the user selects which information to include from the applications, from the keychain (such as passwords) and from the home folder (user information, general files and so on).

• Complete: extracts all the information from the applications, the keychain and the home directory.

After the extraction process is finished, JuicePhone will store the output on the selected destination

path, under a folder with the device name.

Figure 4-10 shows the folder structure that is saved. There are four main folders:

• Application Data: information from all the applications on the device, such as cookies, preferences, logs and databases.

• Home: information from the device such as contacts, emails, SMS, photos and music.

• Keychains: the passwords, stored in databases.

• System Preferences: the preferences saved on the phone.

Finally, the investigator has all the sensitive information stored in a readable format. The next phase focuses on gathering information from these databases and the other files that have been extracted.


Figure 4-10 Backup extracted files

4.3 Physical acquisition

This is based on a jailbreaking technique that allows the examiner to install some UNIX tools for extracting a bit-for-bit image from the iPhone. The technique involves altering the firmware of the phone, so in court some attorneys may use this point to attack the examiner's evidence.

4.3.1 Setting up the iPhone

Because iOS is a closed operating system, it does not allow the user to do whatever he wants. It is restricted software based on UNIX that could offer many more possibilities but is currently a “virtual jail”. That is why the term “jailbreak” is used: it breaks those walls and allows the investigator to install unsigned third-party software such as Cydia, an SSH listener, and so on.

4.3.2 Jailbreaking the iPhone

First, it is important to know the basic difference between Original Firmware (OFW) and Custom Firmware (CFW). The OFW is the firmware image released by the vendor, and a CFW is a modified version of a specific OFW. Therefore, depending on the device the investigator has in hand and the OFW version it is running, a corresponding CFW will be used. For this example, an iPhone 4 with iOS 4.3.4 is used. Some tools need to be downloaded before starting:

• 4.3.3 OFW: http://appldnld.apple.com/iPhone4/041-1011.20110503.q7fGc/iPhone3,1_4.3.3_8J2_Restore.ipsw

• Redsn0w version 0.9.6rc17:

o Mac: https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc17.zip?attredirects=0

o Windows: https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc17.zip?attredirects=0

• iTunes: www.apple.com/es/itunes/download/

After extracting Redsn0w, the iPhone must be restored to version 4.3.3 if it is not already running it. To do so, select the device in the iTunes left panel and, holding the Shift key, click the Restore button as in Figure 4-11. A window opens to select the downloaded .ipsw. When the restore process has finished, Redsn0w can be run as shown in Figure 4-12. Then select the downloaded .ipsw and, in the next screen, select “Install Cydia” as in Figure 4-13.

Figure 4-11 Restoring option while jailbreaking

Figure 4-12 Redsn0w

Figure 4-13 Redsn0w installing options


Next, the user switches off the device and puts it into Device Firmware Upgrade (DFU) mode, which is similar to recovery mode. To enter DFU, hold the “Power” button for 3 seconds, then hold “Power” and “Home” together for 10 seconds, and finally release “Power” while continuing to hold “Home” for 15 seconds.

At the end, the program restarts the device and reports that the process has completed. When the phone restarts it shows a new application called Cydia. The first thing to do after the restart is to go to the “General” settings, set “Auto-Lock” to “Never” and disable “Passcode Lock” (Figure 4-14). The reason is that if the device goes to sleep while the physical image is being created, the transfer could be cancelled.

Figure 4-14 iPhone general configuration

4.3.3 Installing OpenSSH and Netcat

The investigator needs to connect from his computer to the device in order to create an image and send it back. Therefore a remote daemon, OpenSSH, is installed on the iPhone; it allows the connection through port 22 and has the advantage of being encrypted. Because the image is not sent over it by default, Netcat is also installed to create a pipe that listens on a different port on the investigator's computer (Figure 4-15).

Figure 4-15 OpenSSH and Netcat installation


4.3.4 Setting up an internal Network

The best way to connect the investigator's computer to the device is through a Wi-Fi access point. Once both are on the same network, the investigator can ping the iPhone to test the connection (the iPhone's IP address is shown in its Wi-Fi network settings). A reply means the computer can reach the device (Figure 4-16). The investigator can then proceed to image the device. As noted before, the iPhone disk is divided into two partitions; in this case disk0s1 is the whole disk, the first partition is disk0s1s1 and the second partition is disk0s1s2. This example therefore images the whole of disk0s1 and sends it through a pipe created on the computer with Netcat.

Figure 4-16 Ping to the device

When connecting via SSH the system asks for a password. Apple's devices ship with two well-known default passwords: “alpine”, the most common, and “dottie”. The image file is created in the directory where Netcat was run on the investigator's computer. Once it has been shown that the connection can be established, the data partition needs to be unmounted and remounted read-only to avoid changes, using the mount and umount commands provided by the system. Next, a hash of the partition is calculated for later verification of the data; in this case MD5 was used. Finally, the raw image is created with the .dd extension and can be mounted for further analysis, as shown in Figure 4-17.

Figure 4-17 DD Process using Netcat pipe and SSH connection

Before mounting the image, its integrity was verified by calculating the MD5 again on the copy and comparing it with the original. The comparison was successful, showing that the copy and the original were identical.
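The dd, Netcat and MD5 steps above, re-created as an added Python example (not the dissertation's commands) so that the verification can be run without a phone: one function plays the lab computer listening on a port and hashing the image as it is written to disk, the other plays the phone reading a “device” in fixed blocks and pushing it through the socket while hashing the source. The device is a constructed byte string standing in for /dev/rdisk0s1, the block size is an assumed dd bs= value, and the transfer stays on localhost.

```python
"""Stream a raw image over a TCP pipe and verify it by hash, the job that
dd | nc (phone side) and nc -l > image.dd (computer side) do in the text.

Added example, not the dissertation's commands. The "device" is a
constructed byte string standing in for /dev/rdisk0s1, the transfer
stays on localhost, and BLOCK is an assumed dd bs= value.
"""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 4096                       # assumed dd block size
# Constructed "device": 100 copies of 0x00..0xff plus a zero tail, chosen so
# the length is not a multiple of BLOCK and the short final read is exercised.
SAMPLE_DEVICE = bytes(range(256)) * 100 + b"\x00" * 1536


def reference_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def receiver(listen_sock, out_path):
    """Computer side (nc -l <port> > image.dd): store and hash as bytes arrive."""
    conn, _ = listen_sock.accept()
    md5 = hashlib.md5()
    with conn, open(out_path, "wb") as image:
        while True:
            chunk = conn.recv(65536)
            if not chunk:              # sender closed its write side: EOF
                break
            image.write(chunk)
            md5.update(chunk)
    return md5.hexdigest()


def sender(device: bytes, host: str, port: int) -> str:
    """Phone side (dd if=/dev/rdisk0s1 bs=4096 | nc <host> <port>).

    Hashes the source while reading it: the pre-transfer hash the text
    computes on the phone for the later comparison.
    """
    md5 = hashlib.md5()
    with socket.create_connection((host, port)) as sock:
        for offset in range(0, len(device), BLOCK):
            block = device[offset:offset + BLOCK]
            md5.update(block)
            sock.sendall(block)
        sock.shutdown(socket.SHUT_WR)  # signal EOF so the listener exits
    return md5.hexdigest()


def image_and_verify(device: bytes, tamper: bool = False):
    """Run both ends on localhost.

    Returns (source_md5, received_md5, on_disk_md5, verified). With
    tamper=True one byte of the stored image is flipped before the final
    hash, to show the check catching a bad copy.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    fd, image_path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)

    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.setdefault("rx", receiver(listener, image_path)))
    worker.start()
    source_md5 = sender(device, "127.0.0.1", port)
    worker.join()
    listener.close()

    if tamper:
        with open(image_path, "r+b") as image:
            image.seek(10)
            image.write(b"\xff")

    with open(image_path, "rb") as image:
        on_disk_md5 = hashlib.md5(image.read()).hexdigest()
    os.unlink(image_path)
    verified = source_md5 == outcome["rx"] == on_disk_md5
    return source_md5, outcome["rx"], on_disk_md5, verified


if __name__ == "__main__":
    print(image_and_verify(SAMPLE_DEVICE))
```

The verification compares three digests: the source hash computed on the phone before the copy, the hash of the stream as received, and the hash of the file on disk. Two practical caveats: the same image can be pulled over the already encrypted SSH session (`ssh root@<ip> "dd if=/dev/rdisk0s1 bs=4096" > image.dd`) instead of a cleartext Netcat pipe, and MD5 is no longer collision resistant, so a SHA-256 digest should be recorded alongside it.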

4.4 iOS System partition

The first partition has a size between 0.5 and 1 GB depending on the phone model; on a jailbroken phone this size can be changed. Apple usually labels the first partition with a name and a number that references the firmware version. The partition uses the HFSX file system and is where the operating system is stored. The folder structure is shown in Figure 4-18.


Figure 4-18 System partition

Looking at the folder structure in detail, the first thing that stands out is that entries such as “Applications”, “etc”, “tmp”, “User” or “var” are links to the real folders stored on the data and system partitions. They point to the following places:

• Applications: /var/stash/ on the second partition.

• etc: /private/etc. This folder contains the password file “passwd”, which holds the two most important users used to connect to the device: root and mobile. The same folder also contains “master.passwd”, an exact copy of “passwd”. mobile has a user id and a group id of 501 and has the same DES-encrypted password as root, “smx7MYTQIi2M”, which is “alpine” (Figure 4-19). mobile is a restricted user that has access to, for example, contacts, SMS and call logs, and it is also responsible for synchronising the iPhone with iTunes.

Figure 4-19 Passwd file from system partition

The main folders contain the following:

• bin: the command-line binaries. This folder is created and populated by the jailbreak; these binaries (dd, nc, mount, …) are what allow the investigator to take the images.

• boot, cores and Developer: empty folders.

• lib: the library folder; it is empty.

• Library: the system's local library folder. Most of the files in it are system settings, so there is nothing sensitive for an investigation.

• sbin: more command-line binaries, also used in OS X; the jailbreak installs some of its commands here.

• System: inside this folder some of the most important files are:


o /Library/CoreServices/SystemVersion.plist: Gives the build version of the device, Figure 4-21.

o /Library/DataClassMigrator: Has the executable for the Calendar and Address Book migration. It also references libraries related to the syncing process of the Address Book and Calendar.

o /Library/LaunchDaemons: This folder stores items that start automatically, such as AddressBook.plist, Figure 4-22.

Figure 4-21 Information from the Address Book daemon

As can be seen, the user "Mobile" is associated with the "AddressBook" daemon, an automatically started process that runs while the device is synchronising with iTunes. This confirms the information given earlier about the "Mobile" user and its restricted privileges.

There is not much sensitive information on the first partition for a forensic investigation. There are many .plist files, but the most important information is the one already described.

4.5 iOS Data partition

The second partition is where all the important information resides and where investigators are going to spend most of their time, because it contains all the live data.

Figure 4-23 shows the folder structure of the second partition:

Figure 4-20 Information about the device build version


The folders are explained in more detail below:

• db: Under this folder there are two important subfolders with useful information:

o dhcpclient: Contains a file with the last network settings the device was connected with, such as the IP address given, the lease length, when it was given and by whom, Figure 4-24.

Figure 4-23 Last network connection settings

o timezone: Here the investigator can find the time zone settings. However, the local time file is just a pointer to /usr/share/zoneinfo/, where the rest of the zones can be found.

• Keychain: Contains databases with the passwords. Most of these files are encrypted and it is difficult to gather information from them:

o Keychain-2db: When this file is opened with a database browser such as SQLite Browser on the Mac, it shows encrypted information about accounts, services and the associated passwords for those accounts, as shown in Figure 4-24.

Figure 4-24 Accounts & passwords from keychain-2db

• logs:

o Apple Support: This folder contains a file called "general.log" that specifies the iOS version and build number, the model of the device, the serial number and when the log was created. It also shows a long list of services and when they were run, Figure 4-25.

Figure 4-22 Second partition folder structure


Figure 4-25 General Log

o CrashReporter: The folder contains logs about crashes of services such as MobileSafari, for example when it runs out of memory. However, this information is not very useful for an investigation.

• Mobile: This folder contains most of the important information about the device:

o Applications: In this folder can be found all the applications loaded on the device via iTunes or downloaded, paid or free, from the App Store. Each application is associated with a GUID such as "0A001300-DF26-4CF4-A935-6797DD40E491" for Adobe Reader, for example. Moreover, each application can have the following folder structure inside:

§ library: Preferences for the application and its cache, in .plist format.

§ documents: Files important for an investigation such as databases, music files and videos, among others. In general, sensitive data for the application.

§ tmp: Usually empty.

§ iTunesMetadata.plist: Contains information about the application name, purchase information, username and e-mail addresses, as shown in Figure 4-27.

Figure 4-26 Facebook app information

§ iTunesArtwork: Dock icon of the application.


§ application.app: The software package. To be able to see the content of the application, just right-click it and select the option "Show Package Contents". This will show the items used by the application, such as pictures, music files and commands, Figure 4-28.

Figure 4-27 Facebook app package content

o Library: This folder contains a large amount of significant information for an investigator. Therefore, it will be explained in depth later.

• Folders such as "cache", "Empty", "folders", "lib", "local", "lock", "log", "Managed Preferences" and "log" are empty or contain no evidence to gather.

4.6 Library Folder

This folder contains important information:

Figure 4-28 Address book contacts


Addressbook: Inside this folder can be found two SQLite databases, AddressBookimages and AddressBook. AddressBook: This file contains the contacts that are synchronised with the suspect's computer. Here the investigator can see information such as contact names, phone numbers, birthday, business, notes, and when each contact was created or modified. Figure 4-29 outlines one example.

Caches: This folder contains recent information that has been accessed by each application. For example, for "Safari", the iPhone web browser, a .plist with the most recent searches can be found here, as well as pictures of the last visited websites under the thumbnail folder, Figure 4-30. Apart from that, there is also data from the last searches done in Google Maps, icons cached during the searches…

Figure 4-29 Cache of last searches and Safari Websites

Calendar: There is a database inside that shows information about all the registered events, including alarms, when they took place, notes… Figure 4-31.

Figure 4-30 Calendar Events

Call History: There is a database inside this folder called "call_history.db" which contains information about the phone numbers called and the duration of the calls. The data contained does not distinguish between incoming and outgoing calls, nor between received and missed ones, Figure 4-32. The dates are not directly readable; however, they can be converted into a readable form with software such as "CFAbsoluteTimeConverter" or other online tools.


Figure 4-31 Call Log database

Cookies: There is a property list file named "com.apple.itunesstored.plist" which gives information about the domain name and the expiration date of cookies, Figure 4-33.

Figure 4-32 Cookies from the iTunes store

Mail: This folder contains information about the e-mail account configuration. The first file that can be found is the account configuration, contained in a file named Account.plist. Apart from that, all the mailboxes are stored inside this folder. Therefore, they can be extracted with the proper software, which is Emailchemy. Once the program is opened, the user has to choose which type of e-mail is going to be imported. In this case, the mailbox type is "Apple Mail", Figure 4-34.

Figure 4-33 Emailchemy, email type

The next step is to select where the mailboxes that are going to be extracted are located. For this purpose, the program will ask for a path, Figure 4-35.


Figure 4-34 Emailchemy, email path

Finally, it will ask for a saving path and, most importantly, the format in which the investigator wants to save the extracted e-mails. This determines which program will be able to open them, Figure 4-36.

Figure 4-35 Emailchemy, saving path and format

After all the mailboxes are extracted, the e-mails can be opened with the desired program, as shown in Figure 4-37.

Figure 4-36 Extracted email example


Maps: Some important property lists reside here. History.plist contains information from the searches done in Google Maps or route plans. Some of the information displayed here is what the user was searching for, the location where the search was done and the level. Another important property list is Bookmarks, which has the user's favourite places, Figure 4-38.

Figure 4-37 Searches in Google Maps

Notes: All the information recorded in the Notes app on the phone is stored in a database called notes.sqlite. Some of the values found there are the note titles, the creation date and the contents… However, the note contents may not be very readable, and a good option is to export them to a CSV file, Figure 4-39.

Figure 4-38 Notes.app information

Preferences: This folder holds the configuration property lists for recent searches, time zone information, bookmarked YouTube videos, favourite phone numbers…

Some of the most important property lists are:

• com.apple.accountsettings.plist: Information about the accounts, showing the username, e-mail, hosts and type of account.

• com.apple.locationd.plist: Shows if the GPS location services are enabled.

• com.apple.Maps.plist: When the Wi-Fi alert was shown, the last used latitude, longitude and zoom, and the starting and ending point of the last route plan.

• com.apple.mobilecal.plist: Information about the time zone the phone was configured for, showing the country name, city name, latitude, longitude and date.

• com.apple.mobilephone.plist: Device phone number.


• com.apple.mobilesafari.plist: Deleted bookmarks and the date of the last used search engines.

• com.apple.Preferences.plist: Keyboard language settings.

• com.apple.springboard.plist: Settings for the SpringBoard, such as application identifiers and sounds, and status settings for device lock or wipe…

• com.apple.stocks.plist: List of the stocks that are tracked by the user.

• com.apple.youtube.dp.plist: Last search done in YouTube, codes of the videos the user searched for in the past, and bookmarks.

One of the property lists, "com.apple.carrier.plist", is just a link to the main file residing on the first partition. The path to the original file is /System/Library/Carrier Bundles/iPhone/*. Inside this folder there is a list of all the carriers with their configurations, custom service numbers, user account website, tethering info… Figure 4-40.

Figure 4-39 AT&T Carrier configuration file

However, this carrier property list points to the bundle in the same folder, which in this case is "ATT_US.bundle", a package. Like every package, it can be opened by right-clicking and selecting the option "Show Package Contents".

Safari: Safari is Apple's default browser and its configuration files are stored in this folder. Here, five files can be found:

• History.plist: This shows the websites that have been accessed, when, how many times and their titles, Figure 4-41.


Figure 4-40 Safari history

• SearchEngines.plist: A list of the search engines that have been used.

• SuspendState.plist: Shows information about the websites that are open in the background, Figure 4-42.

Figure 4-41 Safari suspended state websites

• Bookmarks.db: Database that shows the bookmarked websites with their respective URL and parent item, as shown in Figure 4-43.

Figure 4-42 Safari Bookmarks
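Added example, not code from the dissertation, for the Safari History.plist described above: it parses a constructed History.plist with the standard library and converts each lastVisitedDate from CFAbsoluteTime into a readable UTC time. The key layout (WebHistoryDates, an empty-string key for the URL, title, lastVisitedDate, visitCount) is assumed to match Safari's format, and the sample entries are constructed.

```python
"""Parse a Safari History.plist (Library/Safari on the data partition) into
a readable visit list. Added example; key names are assumptions about the
Safari format, and the sample plist is constructed."""
import plistlib
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_datetime(value):
    """CFAbsoluteTime is seconds since 2001-01-01 00:00:00 UTC, stored in
    History.plist as a decimal string."""
    return CF_EPOCH + timedelta(seconds=float(value))


# Constructed sample in XML form. A real device usually holds a binary
# plist; plistlib.loads detects the format from the header, so the same
# parse_history() call works for both.
SAMPLE_HISTORY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://www.napier.ac.uk/</string>
      <key>lastVisitedDate</key><string>335000000</string>
      <key>title</key><string>Edinburgh Napier University</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
    <dict>
      <key></key><string>http://maps.google.com/?q=edinburgh</string>
      <key>lastVisitedDate</key><string>334913600</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key><integer>1</integer>
</dict>
</plist>
"""


def parse_history(plist_bytes):
    """Return one dict per history entry, newest visit first."""
    root = plistlib.loads(plist_bytes)
    visits = []
    for entry in root.get("WebHistoryDates", []):
        when = cf_absolute_to_datetime(entry["lastVisitedDate"])
        visits.append({
            "url": entry.get("", ""),            # the URL sits under the empty key
            "title": entry.get("title", ""),     # title is absent for some entries
            "visit_count": int(entry.get("visitCount", 0)),
            "last_visited_utc": when.isoformat(),
        })
    # All timestamps share the same ISO layout, so string order is time order.
    visits.sort(key=lambda v: v["last_visited_utc"], reverse=True)
    return visits


def load_history_file(path):
    """Read an extracted History.plist (binary or XML) from disk."""
    with open(path, "rb") as fh:
        return parse_history(fh.read())


if __name__ == "__main__":
    for visit in parse_history(SAMPLE_HISTORY_PLIST):
        print(visit["last_visited_utc"], visit["visit_count"],
              visit["url"], visit["title"])
```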

SMS: Everything is recorded in a database named "sms.db". All the messages, outgoing and incoming, are together in the table "message", but they can be distinguished by the column "Flag", which shows "2" if it is an incoming SMS and "3" if it is an outgoing SMS. The table shows information such as the SMS sender, the date on which it was sent, from which country, whether it was read and its content. See Figure 4-44.


Figure 4-43 SMS Database

Inside the SMS folder several "Draft" folders can be found. These folders save the content and destination of SMS messages that have not been sent; the information is still there because the user left the message half done and closed the SMS application.
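The call_history.db and sms.db descriptions above, as an added example that is not from the dissertation: it builds a constructed SQLite sample in the same shape, decodes the "Flag" values into a direction and converts the raw dates. The table and column names (with the direction column spelled flags), and the rule used to tell Unix-epoch dates from CFAbsoluteTime ones, are this example's assumptions.

```python
"""Read call_history.db / sms.db style records and make the raw dates and
SMS flags readable. Added example with constructed data; table and column
names are assumptions modelled on the dissertation's description."""
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: a raw value below 1e9 is CFAbsoluteTime (1e9 CF seconds is
# the year 2032), anything larger is Unix epoch (1e9 was September 2001).
CF_CUTOFF = 1_000_000_000
# Flag values as the dissertation describes them: 2 incoming, 3 outgoing.
SMS_DIRECTION = {2: "incoming", 3: "outgoing"}


def ios_timestamp(raw):
    """Convert a raw iOS timestamp to an aware UTC datetime."""
    seconds = float(raw)
    base = CF_EPOCH if seconds < CF_CUTOFF else UNIX_EPOCH
    return base + timedelta(seconds=seconds)


def build_sample_db():
    """Constructed sample data, not taken from a real handset."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT,
                           date INTEGER, duration INTEGER);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, text TEXT, flags INTEGER,
                              read INTEGER);
        INSERT INTO call VALUES (1, '+441310000001', 1300000000, 75);
        INSERT INTO call VALUES (2, '+441310000002', 335000000, 0);
        INSERT INTO message VALUES
            (1, '+441310000001', 1300000100, 'on my way', 3, 1),
            (2, '+441310000003', 1300000200, 'call me', 2, 0),
            (3, '+441310000003', 1300000300, 'half written', 9, 0);
    """)
    return con


def list_calls(con):
    """call_history.db: number, readable time and duration of each call."""
    rows = con.execute("SELECT address, date, duration FROM call")
    calls = [{"address": address,
              "when_utc": ios_timestamp(date).isoformat(),
              "duration_s": duration}
             for address, date, duration in rows]
    # Sort after conversion: ORDER BY on the raw column would interleave
    # CFAbsoluteTime and Unix values wrongly.
    calls.sort(key=lambda c: c["when_utc"])
    return calls


def list_messages(con):
    """sms.db: one dict per message with the flag decoded to a direction."""
    rows = con.execute(
        "SELECT address, date, text, flags, read FROM message")
    msgs = [{"address": address,
             "when_utc": ios_timestamp(date).isoformat(),
             "direction": SMS_DIRECTION.get(flags, f"unknown(flags={flags})"),
             "read": bool(read),
             "text": text}
            for address, date, text, flags, read in rows]
    msgs.sort(key=lambda m: m["when_utc"])
    return msgs


def open_readonly(path):
    """Open an extracted database so that no write can touch the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = build_sample_db()
    for call in list_calls(db):
        print("CALL", call)
    for msg in list_messages(db):
        print("SMS ", msg)
```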

Voicemail: The iPhone stores voicemails locally in the flash memory. Therefore, it is possible to recover the messages left. The file type used to store them is .amr, a speech encoding format that can be opened with programs such as RealPlayer, QuickTime or VLC.

Moreover, there is another file, "voicemail.db", whose table "voicemail" contains all the messages recorded by the voicemail system, including the date and time each was recorded, the phone number that left it, and also the date and time it was erased, if it was.

4.7 Media Folder

This folder is located just under the folder "mobile", at the same level as "Library". All the multimedia information such as pictures, videos, books and recordings… is stored under this folder. Let's start by reviewing each folder inside "Media":

DCIM: Here the investigator can find the folder "100APPLE". This folder contains all the pictures and videos that have been taken with the camera, screenshots that have been saved by pressing the "HOME" and "POWER" buttons at the same time, and images or videos downloaded to the flash memory, Figure 4-45.

Figure 4-44 100APPLE Folder and Files

These files can be opened with programs such as Picasa, iPhoto, Preview… After opening one example photo in Preview, the investigator can have a look at the properties of the picture or video by opening the inspector window. This window shows information such as picture height, width and orientation… But more important than that are the GPS, Exif and TIFF tabs:

• GPS: Shows coordinates such as the latitude and longitude where the image was taken, plus the altitude and its reference (in the example it can be seen that the picture was taken 422 metres above sea level). Another important piece of information is the time stamp, which allows the investigator to know when the picture was taken, Figure 4-46.

• Exif: This information is not as important as the GPS one. However, here can be found the frame number, the exposure, and whether the flash was fired or not. It is also possible to see the date and time in a readable format, Figure 4-47.

• TIFF: Again, here it is possible to see the date and time in a clean, readable format. Apart from that, another important fact is the possibility of knowing the maker, format and version of the device and the orientation in which the picture was taken, Figure 4-48.
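Added example, not from the dissertation, for the GPS tab discussed above: it converts the raw EXIF GPS tags of a photo (degree, minute and second rationals, hemisphere and altitude references, GPS date and time) into the decimal coordinates, signed altitude and UTC timestamp an investigator would report. The input layout, numeric GPS tag ids with (numerator, denominator) rationals as common EXIF readers return them, and the sample values are this example's assumptions.

```python
"""Decode EXIF GPS tags from a DCIM photo into reportable values.
Added example; the input shape (tag id -> value, rationals as
(numerator, denominator)) and the sample values are assumptions."""
from datetime import datetime, timezone
from fractions import Fraction

# EXIF GPS IFD tag ids (standard values, named here for readability).
GPS_LATITUDE_REF, GPS_LATITUDE = 1, 2
GPS_LONGITUDE_REF, GPS_LONGITUDE = 3, 4
GPS_ALTITUDE_REF, GPS_ALTITUDE = 5, 6
GPS_TIMESTAMP, GPS_DATESTAMP = 7, 29


def _rational(value):
    """Accept a (num, den) pair or a plain number; reject a zero denominator."""
    if isinstance(value, (int, float)):
        return Fraction(value)
    num, den = value
    if den == 0:
        raise ValueError("EXIF rational with zero denominator")
    return Fraction(num, den)


def _altitude_ref(value):
    """GPSAltitudeRef is an EXIF BYTE: 0 above, 1 below sea level. Some
    readers hand it back as bytes (b'\\x00'), others as an int."""
    if isinstance(value, (bytes, bytearray)):
        return value[0] if value else 0
    return int(value)


def dms_to_decimal(dms, ref):
    """(deg, min, sec) rationals plus hemisphere letter -> signed degrees."""
    deg, minutes, seconds = (_rational(v) for v in dms)
    decimal = deg + minutes / 60 + seconds / 3600
    if ref in ("S", "W"):
        decimal = -decimal
    elif ref not in ("N", "E"):
        raise ValueError(f"unexpected GPS reference {ref!r}")
    return float(decimal)


def decode_gps(gps):
    """Return latitude/longitude in degrees, altitude in metres (negative
    when below sea level) and the GPS timestamp as UTC, when each is present."""
    result = {}
    if GPS_LATITUDE in gps and GPS_LONGITUDE in gps:
        result["latitude"] = dms_to_decimal(
            gps[GPS_LATITUDE], gps.get(GPS_LATITUDE_REF, "N"))
        result["longitude"] = dms_to_decimal(
            gps[GPS_LONGITUDE], gps.get(GPS_LONGITUDE_REF, "E"))
    if GPS_ALTITUDE in gps:
        altitude = float(_rational(gps[GPS_ALTITUDE]))
        below = _altitude_ref(gps.get(GPS_ALTITUDE_REF, 0)) == 1
        result["altitude_m"] = -altitude if below else altitude
    if GPS_DATESTAMP in gps and GPS_TIMESTAMP in gps:
        # GPSDateStamp is "YYYY:MM:DD"; GPSTimeStamp is three rationals, UTC.
        year, month, day = (int(p) for p in gps[GPS_DATESTAMP].split(":"))
        hour, minute, second = (int(_rational(v)) for v in gps[GPS_TIMESTAMP])
        result["timestamp_utc"] = datetime(
            year, month, day, hour, minute, second, tzinfo=timezone.utc).isoformat()
    return result


# Constructed sample: roughly central Edinburgh, 422 m above sea level.
SAMPLE_GPS = {
    GPS_LATITUDE_REF: "N", GPS_LATITUDE: ((55, 1), (57, 1), (8, 1)),
    GPS_LONGITUDE_REF: "W", GPS_LONGITUDE: ((3, 1), (11, 1), (20, 1)),
    GPS_ALTITUDE_REF: 0, GPS_ALTITUDE: (422, 1),
    GPS_TIMESTAMP: ((7, 1), (33, 1), (20, 1)), GPS_DATESTAMP: "2011:08:14",
}

if __name__ == "__main__":
    print(decode_gps(SAMPLE_GPS))
```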

Regarding the videos stored in this folder, they can be viewed with a video player such as VLC or QuickTime. If opened with QuickTime, for example, it can be seen that metadata such as the original location can be shown in the same way as with the pictures.

iTunes_Control: This folder stores information about the synchronisation between the iPhone device and the host computer.

• The "Ringtones" folder contains music files in .m4r format that have been used as ringtones for the device.

• The Music folder contains all the music that has been sent from iTunes to the iPhone. These music files are stored in folders named "FXX", where XX is a number. The order established for where to store each music file seems completely random.

Figure 4-45 Picture GPS information

Figure 4-46 Picture Exif information

Figure 4-47 Picture TIFF information


• iTunes: Preferences for the iTunes application, such as the ringtone information, playlists or whether it is protected or not.

• Artwork: Contains a file called ArtworkDB. This file can be opened with a program called "Keith's iPod Photo Reader", which will show the artwork stored in the file.

4.8 Chapter Conclusions

As said before, the information contained in a smartphone is huge and each mobile telephone is different from every other. This means that every time a phone is analysed, the case will be completely different from any one done before, even if the phone model is the same as one processed earlier. Many other variables can come into play and change the case completely, such as the firmware running on the telephone, which may make the data partition encrypted. The most common fact to bear in mind is that the data found on the handset is always going to be different for each mobile phone, for the simple reason that each handset will have different applications, configuration files or games installed.

The phone used in this example contained a lot of erased information such as SMS, pictures, call logs, application logs or application preferences. These pieces of evidence could be enough to incriminate a suspect, but as shown in this chapter the live data has the same importance as the erased data.

In the databases extracted from the logical acquisition there were appointments, chats, half-written SMS, screenshots or logs from the web browser. More important than this is the possibility of locating the suspect at an exact moment in an exact place if the GPS was activated. This is one of the most powerful pieces of evidence extracted, because the suspect cannot deny having been there at that time.

The aims and objectives of the project have been covered. Every piece of information has been obtained from the cell phone with two different methods, one logical and the other physical. The information extracted has been categorised into different families such as music, web browser, history, images, logs, preferences and SMS. Finally, an analysis of the data was carried out, evaluating it and showing what can be done with it and what information each piece of evidence contains.


5 Conclusions

The aim of this project is to cover the physical and logical acquisition process of the iPhone and finally analyse all the data extracted to look for sensitive information. A physical image was made of an iPhone 3GS with tools such as dd, Netcat, md5 and OpenSSH, as well as a logical image of an iPhone 4 with tools such as iTunes, Elcomsoft Phone Password Breaker and JuicePhone. In previous chapters, the methodologies to follow and the tools to use during the implementation chapter were chosen in order to obtain the best results possible and acquire as much information as possible.

This chapter will first show how the objectives of the thesis were accomplished (Section 5.1). Next, it will present reflections on the project and the difficulties encountered (Section 5.2). Finally, some ideas for future work will be proposed to improve the iPhone forensics area (Section 5.3).

5.1 Meeting the Objectives

Four objectives were defined at the beginning of the thesis:

1. Acquire a range of possible data from an iPhone. This data is not only SMS, call logs or voicemail, but artefacts such as web-based chat, Skype chat or any possible footprint produced by any of the applications running on the smartphone.

2. Evaluate that the extracted data is correct and has not been lost or modified somehow by the software used.

3. Investigate the obtained data to categorise the most important items and provide an analysis of the obtained results compared with the expected ones.

4. Determine how much information can be obtained from the iPhone and what use can be made of the extracted data.

5.1.1 Objective 1 - Acquire a range of possible data from an iPhone

The first objective was met in the development chapter. Not only simple information such as SMS logs and calls received or sent was acquired, but also voicemail recordings, databases with data about the whole cell phone configuration, searches done with the web browser, and metadata from the pictures and videos taken. Most of the information was stored in small databases that needed to be interrogated with queries using specific programs.


Each program or game saves its configuration in property list files, as well as the searches done or logs from the different uses of the software. Finally, the GPS position allows placing the suspect in a specific place at a specific time and date through the different mobile phone applications such as navigators, the web browser, Google Maps or saved Wi-Fi spots.

The literature review helped to identify the key kinds of data that an examiner could find on a cell phone or SIM card, making it possible to categorise the extracted data into different areas.

5.1.2 Objective 2 - Check the extracted data is correct and is not missed or modified

While acquiring the physical image of the iPhone 3GS, an MD5 command could be executed to calculate the hash of the partition that was going to be imaged. Before imaging, the user data partition /dev/rdisk0s2 needed to be unmounted and mounted as read-only to avoid any modification. Afterwards, the hash could be calculated for later verification.

Because the partitions were set up as read-only, it was impossible to modify the data that was going to be copied to the destination drive. This helped to maintain the integrity of the forensic image. After the imaging job was finished, the hash verification process began, to check that the MD5 was exactly the same as the one calculated before imaging. The results were successful, demonstrating that the data and information copied from the cell phone were not only unmodified but also complete, without any missing piece of information, and equal to the original.
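The hash-before, image, hash-after procedure above as an added example, not the dissertation's own commands: it runs over a constructed partition file standing in for /dev/rdisk0s2, copies it in chunks as dd would, and reports whether the hashes agree, plus a deliberate tamper case that must fail re-verification. The chunk size, the file names and the addition of SHA-256 alongside the MD5 the author used are this example's choices.

```python
"""Acquire a block image and verify it by hashing before and after.
Added example over a constructed 'partition' file; chunk size, file names
and the extra SHA-256 digest are choices of this example."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read, comparable to a dd block size (assumption)
ALGORITHMS = ("md5", "sha256")


def hash_file(path):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_partition(source, image):
    """Copy source to image, hashing the bytes as they pass (like dd | tee | md5)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_and_verify(source, image):
    """Hash the source before, image it, then hash source and image again.
    MD5 is kept because the dissertation used it; SHA-256 is added because
    MD5 collisions are practical and a second algorithm is usual in
    chain-of-custody records. All four digest sets must agree."""
    before = hash_file(source)
    in_flight = image_partition(source, image)
    source_after = hash_file(source)
    image_hash = hash_file(image)
    verified = before == in_flight == source_after == image_hash
    return {"verified": verified, "before": before, "image": image_hash,
            "source_after": source_after, "size": os.path.getsize(image)}


def make_constructed_source(path, size=3 * CHUNK + 12345):
    """Constructed sample 'partition' with deterministic, non-trivial content."""
    with open(path, "wb") as fh:
        for i in range(size // 4096 + 1):
            fh.write((i % 251).to_bytes(1, "big") * 4096)
        fh.truncate(size)  # odd size: the last chunk read is short
    return path


def demo(tamper=False):
    """Run the whole cycle in a temporary directory. With tamper=True a single
    byte of the image is changed after acquisition, so the later check of
    the image against the pre-imaging MD5 must fail."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_constructed_source(os.path.join(tmp, "rdisk0s2.bin"))
        img = os.path.join(tmp, "rdisk0s2.img")
        report = acquire_and_verify(src, img)
        if tamper:
            with open(img, "r+b") as fh:
                fh.seek(4096 * 7 + 3)
                fh.write(b"\xff")
        report["reverified"] = hash_file(img)["md5"] == report["before"]["md5"]
        return report


if __name__ == "__main__":
    for case in (False, True):
        r = demo(tamper=case)
        print("tamper" if case else "clean ", r["verified"], r["reverified"],
              r["before"]["md5"])
```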

5.1.3 Objective 3 - Categorizing the most important data and provide an analysis

Objective 3 was accomplished through the development chapter. All the information gathered was categorised into three main areas:

1. Media data.

2. System data.

3. Library data.

Media data comprised pictures, videos, programs or games that have been used, music files and the covers of the songs. System data contains all the information related to the operating system, such as passwords inside a keychain, network configuration and GPS locations. Finally, library data had address books, call histories and mailboxes with the e-mails. Each area contains many subfolders where the information was saved; chapter 4 explains all of them in detail.

In addition, the development chapter presents an analysis of the imaged information, explaining what type of data it is, how it has been obtained, how it can be read and how it is useful to the investigator, by positioning the suspect in space and time or by showing what actions the custodian has taken with that specific application or function.


5.1.4 Objective 4 – Determine how much information can be obtained and what use can be made of it

The literature review chapter, section 2.2, outlined what sources of information could be obtained from a mobile device. The iPhone is no different, and the data that could be obtained was found on the handset. For technical and resource reasons, it was impossible to access the information on the SIM card. However, it is an easy task once the examiner has the proper equipment, because SIM or USIM cards are not encrypted.

Throughout the whole thesis, examples and definitions have been given of what the data found was and what use an investigator could make of it. The development chapter focuses more on what the examiner can do with this information and how it can be used in the investigation.

5.2 Reflection

While doing the forensic investigation of the iPhone 4, most of the difficulties found while trying to acquire all the pieces of information were that the partitions were physically encrypted and there was no way to decrypt them to extract the information. The physical encryption requires more technical skill to crack than the encryption of the logical image. Moreover, only law enforcement or big companies have access to the kinds of tools that allow them to pick up a phone, acquire the whole disk and decrypt the information with just a few clicks.

This was a turning point, and the mobile that was going to be used for physical imaging had to be changed for an old iPhone 3GS. The great advantage of this version is that it does not have any kind of physical encryption apart from the logical image encryption. After that, the iPhone 3GS was used for the physical acquisition and the iPhone 4 for the logical acquisition. This decision helped in creating a clean image of the whole device, the first and the second partition, without having to worry about how to decrypt it or find a program for breaking the security system of the new iPhone 4.

Another problem encountered while trying to physically image the iPhone device was that the system partition was always in use. Therefore, it was impossible to create an image of that partition without unmounting it. Hence, the first thing to be done was to unmount that partition and mount it separately with special rights. This was not possible because the command "umount" was not among the commands installed on the iPhone. The solution was to make a physical image of just the second partition and access the first partition through SSH with a client called CyberDuck.

After the whole development part was finished, the first thing to do was to compare the obtained output against what was expected. It was a surprise to obtain so much information. The smartphone contains a big amount of data which, when an expert investigator has access to it, allows him to create a complete picture of the owner of the phone. It is scary how much information can be obtained, because of the heavy usage that is given to the phone. Some examples are where the user has been and at which exact moment, thanks to the pictures. In addition, the last GPS location, the searches done in Google Maps or the Google search engine, the chat logs, the SMS sent and received, the Skype logs and the purchased applications stored on the flash memory were other important pieces of information.

One of the most surprising discoveries was that the voicemails were stored on the phone itself and not on a server or just as a log. This could be an important fact to track in an investigation in case a suspect leaves a voicemail on the suspect's phone.

In addition, the possibility of downloading all the e-mail contained in mailboxes on the device and extracting it into a more readable format was quite interesting. Any account configured on the iPhone and all the e-mails sent or received could be exported and ingested into another system for further processing.

Regarding mobile live forensics, the part of computer forensics that focuses on volatile data, some useful evidence was found. When the owner of the phone writes a message and does not send it, the SMS is still stored in the databases. The same thing happens while visiting websites: screenshots of the last accessed pages are stored in the flash memory. These are very important clues to bear in mind, because when an investigation is being run and the suspects have knowledge of it, they tend to erase all their incriminating records. Moreover, the usual suspect does not know how much information can be stored apart from what they see, and they can still leave some footprints that allow an investigator to track them and find the needed incriminating or exculpatory evidence.

5.3 Future Work

When this document was written, iOS 5 and the iPhone 4S were about to be released. These are two things that will be very interesting to work on, because the systems keep evolving and it is important to be up to date with them. It is too soon to know what information can be acquired from the iPhone 4S or how iOS 5 processes the information. However, one of the new features it will include, and which will be really interesting to work on, is Siri. It is an advanced voice control system that hopefully will maintain a record of every command it is told.

Another area where investigators can focus is the new notification system. The notification system that was already present on Android has been implemented in iPhone devices running the latest firmware, iOS 5. If there is a log, record or database of all the notifications, or at least the latest ones, it could help the investigator to figure out what the last events received on the system were and build a picture of the suspect. It would be similar to a graphical log of the last events: the last message posted on Facebook including its content, SMS received and sent, calls received and from whom…


Last but not least, the hardware encryption of the iPhone 4, and probably also present on the iPhone 4S, has given many headaches. Apparently, some investigators and experts have been working on how to decrypt it, and after a while, during this summer, Elcomsoft released a tool that can handle this encryption. However, it looks like that although the live data can be recovered quite nicely, when trying to recover deleted information from the unallocated space, most of the recovered information is garbage or unreadable. Other software tools like Oxygen are updating their programs to keep up with this. Therefore, it looks like this area needs a push from the mobile forensic community to improve and fix those problems.


6 References

AddPod. (2011, 10 25). addPod - JuicePhone. From JuicePhone: http://www.addpod.de/juicephone

Apple. (n.d.). Apple - iTunes - Everything you need to have fun. Retrieved 09 10, 2011 from Apple: http://www.apple.com/es/itunes/

Apple. (n.d.). Apple - QuickTime - Download. Retrieved 11 15, 2011 from Apple: http://www.apple.com/quicktime/download/

Apple Inc. (n.d.). Apple - iPhone 4S - Technical Specifications. Retrieved 07 25, 2011 from Apple Inc: http://www.apple.com/iphone/specs.html

Data Duplication Ltd. (n.d.). Mobile Phone Faraday Bags. Retrieved 08 13, 2011 from Dataduplication: http://www.dataduplication.co.uk/details/mobile_phone_faraday_bag_faraday_bags.html

Elcomsoft. (n.d.). Recover passwords protecting iPhone/iPod and BlackBerry backups. Retrieved 10 15, 2011 from Elcomsoft Proactive Software: http://www.elcomsoft.com/eppb.html

File Juicer. (n.d.). File Juicer - Extract images from PDF, PowerPoint, Word, Excel and other Files on Mac OS X. Retrieved 10 26, 2011 from File Juicer: http://echoone.com/filejuicer/

Freeman, J. (2011, 08 23). Cydia application icon - Mac OS X 10.6.6 to Meet Cydia 'Within Weeks' - Softpedia. Retrieved 08 29, 2011 from news.softpedia.com: http://news.softpedia.com/newsImage/Mac-OS-X-10-6-6-to-Meet-Cydia-Within-Weeks-2.jpg/

Gunther, C. (2011, 07 18). Apple iOS vs Google Android in Latest ChangeWave Research Report | Android Community. Retrieved 08 20, 2011 from Android Community: http://androidcommunity.com/apple-ios-vs-google-android-in-latest-changewave-research-report-20110718/

Hoog, A., & Strzempka, K. (2010, 11). iPhone Forensics White Paper | viaForensics. Retrieved 07 16, 2011 from viaForensics: http://viaforensics.com/education/white-papers/iphone-forensics/

iphone-release. (2011, 11 11). Untethered Jailbreak iOS 5 on iPhone 4S with Redsn0w, Limera1n, sn0wbreeze, GreenPoison, GullRa1n Tutorial | iPhone 5 Release Date, News, Rumor | Untethered Jailbreak iOS 5 on iPhone 4S, 4, 3GS, iPad. Retrieved 11 13, 2011 from www.iphone-release.com: http://www.iphone-release.com/untethered-jailbreak-iphone-4s-with-redsn0w-limera1n-sn0wbreeze-greenpoison-gullra1n-tutorial/


Iwayar. (2011, 10 28). A brief history of OpenSSH | RetroNet. From RetroNet: http://www.retronet.com.ar/wp-content/uploads/2011/06/openssh_logo.jpg.png

Morrisey, S. (2010). iOS Forensic Analysis for iPhone, iPad and iPod touch. New York, USA: Apress.

OpenSSH. (n.d.). OpenSSH. Retrieved 10 28, 2011 from OpenSSH: http://www.openssh.com/

Pinto, M. (2010, 11 29). 7 Ways That Windows Mobile 7 Could Win » Fanboy.com. Retrieved 08 15, 2011 from Fanboy: http://www.fanboy.com/2010/11/7-ways-that-the-windows-7-mobile-can-win.html

Redmond Pie. (2010, 08 02). Enable iPhone 4 FaceTime Video Calls Over 3G Network with My3G | Redmond Pie. Retrieved 07 25, 2011 from Redmond Pie: http://www.redmondpie.com/enable-iphone-4-facetime-video-call-over-3g-network-with-my3g/

Savoy Place. (n.d.). Faraday Room - IET London: Savoy Place - IET Venues. From Savoy Place: http://savoyplace.theiet.org/rooms/faraday/index.cfm

Varsalone, J., Morrissey, S., Kubasiak, R. R., Barr, W., Chasman, M., Cornell, J., et al. (2009). Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit. Burlington: Syngress Publishing.

Weird Kid Software. (n.d.). Emailchemy - Convert, Export, Import, Migrate, Manage and Archive all your Email. Retrieved 10 23, 2011 from Weird Kid Software: http://www.weirdkid.com/products/emailchemy/

Wikipedia. (2011, 11 14). Preview (Mac OS) - Wikipedia, the free encyclopedia. Retrieved 11 20, 2011 from Wikipedia: http://en.wikipedia.org/wiki/Preview_(Mac_OS)

Wiley, K. (n.d.). Keith's iPod Photo Reader. Retrieved 11 02, 2011 from Keith's iPod Photo Reader: http://keithwiley.com/software/keithsIPodPhotoReader.shtml

Zdziarski, J. (2008). iPhone Forensics. Sebastopol: O'Reilly Media.