iPhone Forensics White Paper - UFED
The Cellebrite UFED Forensic system is a stand-alone device capable of acquiring data from mobile devices (~1600 models) and storing the information on a USB drive, SD card or PC. UFED also has a built-in SIM card reader and cloner. The ability to clone a SIM card is a powerful feature: you can create and insert a clone of the original SIM and the phone will function normally. However, the clone will not register on the mobile carrier’s network, eliminating the need for Faraday bags and the possibility that the data on the phone will be updated (or erased). The UFED package ships with about 70 cables for connecting to most mobile devices available today. Connection protocols include serial, USB, infrared and Bluetooth, although I only utilized the USB approach. Cellebrite also distributes the UFED Report Manager, which provides an intuitive reporting interface and allows the user to export data/reports into Excel, MS Outlook, Outlook Express and CSV, or to simply print the report. The UFED device fully supports Unicode and thus can process phones with any language enabled. The following data types are extracted:
- Text Messages
- Call History (Received, Dialed, Missed)
- SIM ID Cloning
- Deleted Text Messages off SIM/USIM
- Audio Recordings
- Phone Details (IMEI/ESN phone number)
There is beta support for logical extraction of the phone’s file system through a feature Cellebrite labels Memory Dump. In the case of the iPhone, this is achieved without jailbreaking the iPhone. This allows for greater analysis of data on the iPhone.
The UFED package arrived in a soft case containing the UFED device, manuals/CD, USB Bluetooth radio (Cambridge Silicon Radio Ltd.), 250MB USB drive and roughly 72 cables for connecting to supported devices. The manual was sparse but sufficient and very straightforward. To start things off, I decided to make sure the UFED software was up to date. There are options to update via a PC, USB, SD card or via the Internet. I decided to test the convenient online upgrade feature. I powered the UFED on and had to first set the date/time, which was simple. Next I connected it via Ethernet to a switch running DHCP and went under Services -> Upgrade -> Upgrade Application Now and selected HTTP Server as the source. On my first attempt, the download froze prior to completion and I eventually rebooted the device. The second time I connected it to a different switch and the upgrade went flawlessly. A few minutes later I was on the latest Application software (188.8.131.52), which supplies the UFED application and support for the various phones. Cellebrite seems to add new phone support often, and a forensic examiner should check for updates often. The UFED contains two other pieces of software termed Images. One, dubbed Tiny, contains the core system software. The other image, named Full, contains additional core system software. Both were up to date (184.108.40.206 and 220.127.116.11 respectively) and I am unclear if this was due to the Application update I initially performed or whether the device shipped as such. The update process for the Image software is under a separate menu in Services, and I suspect the updates are performed independently. One minor note: when I checked the manual online, the PDF with update directions for UFED instead opened a UME-36Pro PDF. The platforms are likely very close and this is also probably easily remedied by searching their site or contacting technical support.
The acquisition of the 3G iPhone was extremely simple and fast on UFED. After powering the device on, I selected Extract Phone Data, Apple, iPhone 2G/3G, USB disk drive (destination), Content types (I pressed F2 to select all, including Call Logs, Phonebook, SMS, Pictures, Videos and Audio/Music) and was then instructed to connect the iPhone to the source port with Connect cable 110 and the USB Disk Drive into the target port. The extraction took 6 minutes and was copied into an automatically created folder on the attached USB drive. I also performed a Memory Dump of the iPhone, which is marked Beta on the main screen. Following the prompts, I was instructed to attach the iPhone and USB drive as before. Bear in mind you will be performing a full backup of the iPhone (possibly 16GB), so ensure you have enough space on the USB drive. The Memory Dump failed the first few times but eventually succeeded. It would pause for several minutes while acquiring large files. I opted to let the acquisition run overnight since, from the previous attempts, I knew it took several hours. The resulting data was written to the attached USB drive in an automatically created folder.
Since UFED has both a “standard” acquisition process and a memory dump (Beta) option, please note there are two sections detailing the results.
The standard acquisition resulted in a roughly 60MB folder containing the extracted audio and images, proprietary files with extensions such as .SMS and .PBB, and reports in both HTML and XML containing the following sections: Contacts, SMS, Call Logs, Images, Ringtones (Not Supported), Audio and Video. I was able to easily import this folder into the UFED Report Manager for a more user-friendly interface. When you run UFED Report Manager, you can import the data from the USB drive by clicking on File -> Open Extraction (from folder). You can then add Optional Information including case, examiner and other investigation information.
Along the left hand side, you can see the major areas of focus including Optional Information, Report, Contacts, SMS, Call Log, Images, Videos, Audio and Ringtones. The following shows some basic information included in the Report section.
The Images section previews all images found.
And the Call Log shows the type of call (Outgoing, Incoming or Missed) as well as the Name (if found in Contacts), phone number, date/time and duration.
The SMS section shows the full set of messages and a detailed message window. The details include Number, Name, Message, date/time, SMSC, Status (Send, Read, Unsent, etc.), Folder (where it was stored) and the type (Incoming or Outgoing).
The final screenshot I took was of the Contacts information, including Name, various numbers, and text fields including Company Name, email address, notes, etc.
The data can be extracted into Excel (or CSV) as well as importing directly into Outlook or Outlook Express. While this is an interesting feature, I can’t think of a situation in which I would import the information into Outlook.
The Memory Dump acquisition (logical) was 282MB and included 382 files. The top level folder included the following 3 subfolders: AFC Service, Backup Service and Lockdown Service. The majority of the data were songs under the AFC Service -> iTunes_Control -> Music directory. The Backup directory contains important database, Plist and other files allowing a more complete recovery of data from the iPhone. The results of the Memory Dump (Beta) from Cellebrite are actually quite promising. The 382 files extracted included the following:
- 180 property list (Plist) files containing a wealth of user/configuration information
- SQLite databases including SMS, Notes, Call History, Calendar, Address Book, iTunes Extras, keychain and several App Store programs’ data (TwitterFon, Facebook and Wordpress)
- 14 XML files (Wordpress)
- 2 ASCII files
- 41 pictures (JPEG) and associated thumbnails (JFIF files with .thm extension)
- 44 MPEG4 songs, 1 Podcast and 1 Video
- 37 miscellaneous data files (requires additional analysis)
The keychain-2.db SQLite database contained information about the networks the user connected to, including Wi-Fi, VPN and Bluetooth, as well as the Apple iTunes Store ID. In addition, other SQLite databases under the Documents folder contained information from some App Store programs such as TwitterFon and Facebook and could provide valuable information to the investigator. All of this was done without jailbreaking the phone, a major plus for any forensic investigation. By analyzing the SQLite databases and Plist files, an investigator can recover deleted information and important configuration and usage information. However, in the Memory Dump, the call_history.db and sms.db SQLite databases were empty. Since this review takes into account the combined acquisition results, UFED was not penalized for this, since the standard acquisition acquired the call and SMS data accurately.
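As an added illustration of the first pass an examiner makes over Memory Dump output (this is example code, not Cellebrite's or the white paper's), the following Python walks a dump folder, identifies Plist files, SQLite databases and JPEGs by their magic bytes rather than by extension, opens each database read-only so the evidence file is never modified, and reports which databases, like call_history.db and sms.db above, contain no rows at all. The folder it builds for demonstration is a constructed sample, not real phone data, and the assumption that backup Plists are binary ("bplist00") is mine.

```python
import sqlite3
import tempfile
from pathlib import Path

# Leading bytes of the kinds of file the dump held (assumption: the backup's plists are binary, "bplist00").
SIGNATURES = {b"SQLite format 3\x00": "sqlite", b"bplist00": "plist", b"\xff\xd8\xff": "jpeg"}

def classify(path):
    """Identify a file by its leading bytes, not by an extension that could be wrong or missing."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "other"

def sqlite_row_counts(path):
    """Return {table: row_count}; the db is opened read-only and immutable so no journal is written."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro&immutable=1", uri=True)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    finally:
        con.close()

def triage(root):
    """Walk a Memory Dump folder: count file kinds and flag SQLite dbs whose tables hold no rows."""
    counts, empty_dbs = {}, []
    for path in filter(Path.is_file, Path(root).rglob("*")):
        kind = classify(path)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "sqlite" and not any(sqlite_row_counts(path).values()):
            empty_dbs.append(path.name)
    return counts, sorted(empty_dbs)

def _make_db(path, script):  # helper for the constructed sample only
    con = sqlite3.connect(path)
    con.executescript(script)
    con.close()

def build_sample_dump():
    """Constructed stand-in for a dump (no real phone data): empty sms.db, a notes db with one row, plist and JPEG headers."""
    backup = Path(tempfile.mkdtemp()) / "Backup Service"
    backup.mkdir()
    _make_db(backup / "sms.db", "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT);")
    _make_db(backup / "notes.db", "CREATE TABLE note (ROWID INTEGER PRIMARY KEY, title TEXT);"
             " INSERT INTO note (title) VALUES ('constructed note');")
    (backup / "Info.plist").write_bytes(b"bplist00" + bytes(8))
    (backup / "IMG_0001.JPG").write_bytes(b"\xff\xd8\xff\xe0" + bytes(12))
    return backup.parent
```

Run `triage(build_sample_dump())` to see the kind counts and the list of empty databases; point `triage` at a real dump folder to get the same summary for an acquisition.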
The following are the results from the UFED tests.
Table 1.1. UFED Matrix of Results
| Scenario | UFED - direct | Ranking | UFED - Memory Dump | Ranking | UFED Total | Results |
|---|---|---|---|---|---|---|
| Contacts | 1282 | 3 | 1282 (14 w/ images) | 3 | 3 | Meet |
|  | 0 | 0 | some account info, folder info, etc. | 1 | 1 | Below |
| Notes | 0 | 0 | 2 (1 recovered in SQLite db) | 5 | 5 | Above |
| Google Maps | 0 | 0 | 5 histories | 3 | 3 | Meet |
Cellebrite’s UFED is an excellent product for forensic analysis of the iPhone. By providing two acquisition methods, the investigator can recover a significant portion of the data on the iPhone. The device is also very simple to use, easy to update, performs acquisitions quickly and is portable. The firmware is updated often to support new phones and functionality and the support department was efficient and professional. The following ranking establishes UFED’s overall rating of 3.0 on the four criteria established at the beginning of this white paper.
Table 1.2. UFED Rankings
Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone Forensics that has gained recognition throughout the industry. Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.
viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies. Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.
One key strategy for minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. But the reality is that there are significant burdens, including:
- Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
- Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
- Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.