iPhone Forensics Whitepaper Introduction
The iPhone was introduced in January 2007 and has now surpassed the BlackBerry as the second largest supplier of smart phones. Regardless of whether this is sustainable, the Apple iPhone already has a significant footprint and will appear more frequently in computer forensic cases. The iPhone has an active hacking community which has yielded research and tools that support forensic investigations. Several commercial software packages now offer iPhone support, and in September 2008 O’Reilly released “iPhone Forensics, 1st Edition” by Jonathan Zdziarski. This paper will review the forensic tools available for the iPhone, perform forensic analysis with each tool, and report on the installation, acquisition, reporting and accuracy of each tool. The 3G iPhone (firmware version 2.2) was used for the testing, but this white paper may, over time, include other models and firmware versions.
The iPhone, like most complex electronic devices, is a collection of modules, chips and other electronic components from many manufacturers. Due to the complex and varied features of the iPhone, the list of hardware is extensive. The following information is based on research published online. [XXX]

| Component | Manufacturer | Part |
|---|---|---|
| Application processor (CPU) | Samsung | S5L8900B01: 412 MHz ARM1176Z(F)-S RISC, 128 Mbytes of stacked, package-on-package DDR SDRAM |
| 3D graphics acceleration | Imagination Technologies | PowerVR MBX Lite |
| UMTS power amplifier (PA), duplexer and transmit filter module with output power detector | TriQuint | TQM676031 (Band 1, HSUPA); TQM666032 (Band 2, HSUPA); TQM616035 (Band 5/6, WCDMA/HSUPA PA-duplexer) |
| UMTS transceiver | Infineon | PMB 6272 GSM/EDGE and WCDMA PMB 5701 |
| Baseband processor | Infineon | X-Gold 608 (PMB 8878) |
| Baseband’s support memory | Numonyx | PF38F3050M0Y0CE: 16 Mbytes of NOR flash and 8 Mbytes of pseudo-SRAM |
| GSM/EDGE quad-band amplifier | Skyworks | SKY77340 (824 to 915 MHz) |
| GPS, Wi-Fi and BT antenna | NXP | OM3805, a variant of PCF50635/33 |
| Communications power management | Infineon | SMARTi Power 3i (SMP3i) |
| System-level power management | NXP | PCF50633 |
| Battery charger/USB controller | Linear Technology | LTC4088-2 |
| GPS | Infineon | PMB2525 Hammerhead II |
| NAND flash | Toshiba | TH58G6D1DTG80 (8 GB NAND flash) |
| Serial flash chip | SST | SST25VF080B (1 MB) |
| Accelerometer | ST Microelectronics | LIS331 DL |
| Touch screen controller | Broadcom | BCM5974 |
| Link display interface | National Semiconductor | LM2512AA Mobile Pixel Link |
| Touch screen line driver | Texas Instruments | CD3239 |
The Samsung CPU is a RISC (Reduced Instruction Set Computer) processor that runs the core iPhone processes and works in conjunction with the PowerVR co-processor for graphics acceleration. The CPU is underclocked to 412 MHz (from a possible 667 MHz), presumably to extend battery life.
The baseband processor is the component in the iPhone that manages all the functions which require an antenna, notably all cellular services. It has its own RAM and firmware in NOR flash, separate from the core resources, and functions as a resource to the main CPU. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM. [XXX]
The Apple iPhone’s operating system, iPhone OS, is a variant of Apple’s core operating system, OS X. Based on the same Mach kernel and sharing some core elements with OS X 10.5 (Leopard), iPhone OS is made up of four layers: the Core OS, the Core Services API, the Media layer and the Cocoa Touch layer. Entire books are dedicated to the operating system and to the development of applications. Research into these areas will improve an analyst’s skills and could be central to solving investigations. Also, the iPhone software development kit (SDK) is free to download after registration and is recommended for anyone performing forensic analysis on the iPhone.
Like any forensic investigation, there are several approaches that can be used for the acquisition and analysis of information. A key aspect of any acquisition, arguably the most important, is that the procedure does not modify the source information in any manner; if it is impossible to eliminate all modifications, the analyst must document the changes and the reasons they were necessary. The following points highlight the various techniques used by the products tested.
- Acquire data directly from the iPhone: this approach is preferred over recovering files from the computer the iPhone was synced with (details at http://chicagoediscovery.com/iphone-forensic-howtos/forensic-analysis-iphone-backupdirectory.html). However, the forensic analyst must understand how the acquisition occurs, whether the iPhone is modified in any way, and what the procedure is unable to acquire.
- Acquire a backup or logical copy of the iPhone file system using Apple’s protocol: this procedure reads files from the iPhone using Apple’s synchronization protocol but is only able to acquire files explicitly synchronized by the protocol. Many key pieces of information are stored in SQLite databases, and these are supported by the protocol. By querying the databases directly, you can generally recover more information, such as deleted SMS and email messages.
- Physical bit-by-bit copy: this process creates a physical bit-by-bit copy of the file system, similar to the approach taken in many personal computer forensic investigations. While this approach has the potential for the greatest amount of data recovered (including deleted files), the process is quite complicated and requires modifying the system partition of the iPhone.
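As an added example, not code from the white paper or from any of the tools it reviews, this Python script shows why querying an SQLite store directly recovers more than a protocol-level export does: it builds a hypothetical, simplified sms.db-style table with constructed messages, deletes two of them, and contrasts the live rows a logical query returns with the text still carvable from the raw file bytes.

```python
"""Logical query vs. raw scan of a simplified iPhone sms.db.

Added example, not code from the white paper or from any tool it reviews.
The table layout is a hypothetical simplification of the sms.db 'message'
table; the messages and numbers are constructed for the demonstration.
"""
import os
import re
import sqlite3
import tempfile

SAMPLE_MESSAGES = [  # constructed sample data, fictitious numbers
    ("+15555550101", "Meet at the courthouse at nine"),
    ("+15555550102", "Invoice 4471 is ready for review"),
    ("+15555550103", "Flight lands at 7pm, pick me up"),
    ("+15555550104", "Remember to rotate the server keys"),
]
DELETED_ROWIDS = (2, 4)  # rows removed as if the user deleted them


def build_sample_db(path):
    """Create the table, insert the messages, then delete two rows."""
    con = sqlite3.connect(path)
    # Leave freed cell bytes in place; secure_delete=ON would zero them,
    # which is one reason recovery results differ between firmware builds.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, "
                "address TEXT, date INTEGER, text TEXT, flags INTEGER)")
    for rowid, (addr, body) in enumerate(SAMPLE_MESSAGES, start=1):
        con.execute("INSERT INTO message VALUES (?,?,?,?,?)",
                    (rowid, addr, 1230000000 + rowid * 60, body, 2))
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID IN (?,?)", DELETED_ROWIDS)
    con.commit()
    con.close()


def logical_messages(path):
    """What a logical/backup acquisition sees: live rows only."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT ROWID, address, text FROM message "
                       "ORDER BY ROWID").fetchall()
    con.close()
    return rows


def carve_remnants(path, min_len=12):
    """Raw scan: printable runs in the file not explained by any live row.
    Deleted cells stay in page freeblocks and unallocated space until the
    page is rewritten, so their text is still on disk. Schema text from
    sqlite_master surfaces here too and must be triaged by the analyst."""
    live = set()
    for _, addr, body in logical_messages(path):
        live.update((addr, body))
    with open(path, "rb") as f:
        raw = f.read()
    runs = [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]
    return [r for r in runs if not any(t in r for t in live)]


def demo():
    """Build the sample file and return (live rows, carved remnants)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_sample_db(path)
        return logical_messages(path), carve_remnants(path)
```

Calling demo() returns the two surviving rows plus a list of carved runs that contains both deleted message bodies; a real sms.db has more columns and tables, so carving output needs the same triage against live data shown here.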
Another key point of consideration for an iPhone forensic tool is how it handles an iPhone that has a pass code set. Several products offer different strategies for this situation, each with their own benefits and drawbacks.
A 3G iPhone running firmware 2.2, not jailbroken, was used for this forensic analysis. The phone was heavily used, including:
- Email, contacts and calendar (Microsoft Exchange Active Sync with Exchange 2007)
- Web browsing (news, online banking, Gmail accounts, Google, MLB, etc.)
- Phone calls, text messages (some deleted)
- App store (Facebook, Remote, Google Earth, Urbanspoon, Crazy Pumpkin, Now Playing, Units, SFNetNews, Stanza, WordPress and TwitterFon)
- Multiple Wi-Fi networks
- Camera and iTunes synced pictures (some deleted)
- Songs via iTunes
- YouTube movies
- Google Maps
For obvious privacy reasons, personal information will be redacted as needed throughout the report. A comparison of what each tool is able to extract will be a primary focus of this white paper.
Each forensic tool is rated on four general areas, weighted by the following percentages:
Table 1.2. Forensic Tool Analysis Areas

| Area | Weight | Description |
|---|---|---|
| Installation | 10% | This covers installation, activation and updates of the forensic tool |
| Acquisition | 10% | This covers the acquisition process |
| Reporting | 20% | This covers the reporting process |
| Accuracy | 60% | This covers the accuracy and completeness of the information acquired |
To determine the accuracy of a forensic tool, I compared the results of the acquisition to the expected results and assigned a quantitative number between 0 and 5 for each of the 27 scenarios outlined below. If a tool failed to recover any data in a particular area, it was rated 0 for that category. A rating of 1 or 2 indicated that some information was recovered; however, it did not meet the expected result. A rating of 3 indicated the tool met the expected results. Ratings of 4 or 5 indicated the tool exceeded the expected result, including recovering deleted data and/or more information than other tools were able to recover. For readability, I also included the following text description of each rating:
- 0: Miss
- 1-2: Below
- 3: Meet
- 4-5: Above
If a forensic tool provided multiple methods to acquire information from the iPhone and the analysis took place separately, I provide rankings for each method and then assign the overall tool a total rank. The rankings in this white paper are based on my individual experiences and should be considered my opinion only. I am not recommending or endorsing any forensic tool or technique reviewed. I would strongly encourage investigators to personally test the forensic tools themselves (many offer a demo version) and form their own opinions of each product.
The following chart illustrates the 27 test scenarios and expected results.
Table 1.3. Test Scenarios

| Scenario | Description and expected results |
|---|---|
| Call Logs | Determine whether the tool can find call log information on the phone. The iPhone contained a fully populated call log; no entries were deleted. Expect that the tool can connect, acquire and report on the full call log containing 100 records. Expect that remnants of purged logs can be recovered and reported. |
| SMS | Determine whether the tool can find Short Message Service (SMS) information on the phone. The iPhone contained 30 SMS conversations, each with multiple messages, for a total of 827 messages. Two conversations were deleted, leaving a total of 262 messages. Expect that the tool can connect, acquire and report on 262 undeleted SMS messages. Expect that remnants of deleted SMS messages can be recovered and reported. |
| Contacts | Determine whether the tool can find contact information on the phone. The iPhone contained 1284 contacts, 14 with images associated. Two contacts were deleted, leaving a total of 1282, 14 with images. Expect that the tool can connect, acquire and report on 1282 undeleted contacts, 14 with pictures. Expect that remnants of the 2 deleted contacts can be recovered and reported. |
| Email | Determine whether the tool can find email messages on the phone. The iPhone was synchronized with Exchange 2007 and contained thousands of emails. Specific folders (Inbox, Sent, Drafts) were downloaded and should contain 200, 200 and 7 messages respectively. Expect that the tool can connect, acquire and report on several hundred email messages. Expect that remnants of deleted or purged email messages can be recovered and reported. |
| Calendar | Determine whether the tool can find calendar information on the phone. The calendar contained 3,070 appointments; no entries were intentionally deleted, although during normal usage some appointments were likely deleted. Expect that the tool can connect, acquire and report on 3070 calendar items. Expect that remnants of deleted or purged calendar items can be recovered and reported. |
| Notes | Determine whether the tool can find Notes information on the phone. The iPhone contained 1 note, and 1 note was deleted. Expect that the tool can connect, acquire and report on 1 undeleted note. Expect that remnants of the deleted note can be recovered and reported. |
| Pictures | Determine whether the tool can find image files on the phone. The iPhone contained 41 pictures taken with the on-board camera and 9 that were deleted. It also contained 1 picture synchronized from iTunes on a host PC and 1 that was deleted. Expect that the tool can connect, acquire and report on 42 pictures. Expect that remnants of deleted pictures can be recovered and reported. Expect that pictures downloaded by various iPhone applications, including the Safari web browser, the Facebook application and others, can be recovered and reported. |
| Songs | Determine whether the tool can find music files on the phone. The iPhone contained 44 songs synchronized via iTunes from a host PC, 38 of which had DRM protection. No songs were deleted. Expect that the tool can connect, acquire and report on 44 undeleted music files. |
| Web History | Determine whether the tool can find web browser history information on the phone. The iPhone contained 2 browser history entries, and 7 were deleted. Expect that the tool can connect, acquire and report on 2 undeleted browser history entries. Expect that remnants of deleted browser history can be recovered and reported. |
| Bookmarks | Determine whether the tool can find bookmarks from the Safari web browser on the phone. The iPhone contained 11 Safari bookmarks, and 1 was deleted. Of the 11, 6 are the standard configuration for Safari. Expect that the tool can connect, acquire and report on 5 user bookmarks. Expect that remnants of the deleted bookmark can be recovered and reported. |
| Cookies | Determine whether the tool can find web browser cookie information on the phone. The iPhone contained numerous cookie files from web browsing via Safari and other applications. Expect that the tool can connect, acquire and report on Safari cookie files. Expect that cookie files of other applications can be recovered and reported. |
| Applications | Determine whether the tool can find application information on the phone. The iPhone contained 7 applications and 3 that were deleted. Expect that the tool can connect, acquire and report on 7 undeleted applications and their associated information. Expect that remnants of deleted applications can be recovered and reported. |
| Google Maps | Determine whether the tool can find Google Maps information on the phone. The iPhone contained the Google Maps application, which was used for location information and directions. No information was deleted from this application. Expect that the tool can connect, acquire and report on Google Maps information, including the history of location information and directions. Expect that remnants of map tiles (images) can be recovered and reported. |
| Voicemail | Determine whether the tool can find voicemail information on the phone. The iPhone contained 11 voicemail messages. Expect that the tool can connect, acquire and report on 11 voicemail messages. |
| Passwords | Determine whether the tool can find application and network password information on the phone. The iPhone contained various passwords for applications and network resources such as VPN, Bluetooth, the Apple iTunes ID and more. Expect that the tool can connect, acquire and report on application and network passwords. Expect that remnants of deleted passwords can be recovered and reported. |
| Configuration files | Determine whether the tool can find phone and application configuration files in the XML and plist formats on the phone. The iPhone contained many XML and plist configuration files; in the course of normal usage, some configuration information would have been deleted. Expect that the tool can connect, acquire and report on many XML and plist configuration files. Expect that remnants of deleted configuration files can be recovered and reported. |
| Phone Information | Determine whether the tool can report on basic phone information. The iPhone is a GSM device and contains basic identification information such as IMSI, IMEI, ICCID, MSISDN (phone number), serial number, phone name, Wi-Fi MAC address and Bluetooth MAC address. Expect that the tool can connect, acquire and report on the basic phone information listed above. |
| Video | Determine whether the tool can find video information on the phone. The iPhone contained 1 video and 1 deleted video, both synchronized with iTunes on the host PC. Expect that the tool can connect, acquire and report on 1 video file. Expect that remnants of the 1 deleted video file can be recovered and reported. |
| Podcasts | Determine whether the tool can find podcast information on the phone. The iPhone contained 1 podcast, and no podcasts were deleted. Expect that the tool can connect, acquire and report on 1 podcast. |
| Speed Dials | Determine whether the tool can find speed dial information on the phone. The iPhone contained 4 speed dial (Favorites) entries, and no speed dials were deleted. Expect that the tool can connect, acquire and report on 4 speed dial favorites. |
| VPN | Determine whether the tool can find VPN configuration information on the phone. The iPhone contained 1 active VPN profile and 1 deleted VPN profile. Expect that the tool can connect, acquire and report on 1 active VPN profile. Expect that remnants of the deleted VPN profile can be recovered and reported. |
| Bluetooth | Determine whether the tool can find Bluetooth pairing information on the phone. The iPhone was paired with 1 Bluetooth headset, and no pairings were deleted. Expect that the tool can connect, acquire and report on 1 Bluetooth pairing. |
| GPS | Determine whether the tool can find GPS information on the phone. The iPhone contains a GPS device and software, and many applications use this information. Expect that the tool can connect, acquire and report on GPS information, including coordinates and date/time, from various application usage. |
| File Hashes | Determine whether the tool creates MD5 or SHA1 hashes for information on the phone. Expect that the tool will create MD5 hashes for files extracted from the iPhone. |
| YouTube | Determine whether the tool can find YouTube video information on the phone. The iPhone was used to watch YouTube videos via the YouTube application. Expect that the tool can connect, acquire and report on YouTube videos viewed. |
| HTML | Determine whether the tool can find cached HTML files on the phone. The iPhone was used to browse many web sites, and cached files from this activity are located on the phone. Expect that the tool can connect, acquire and report on HTML files on the phone from Safari and other applications. |
| Office Documents | Determine whether the tool can find office documents (PDF, Word, spreadsheets and PowerPoint) on the phone. The iPhone contained office documents that were downloaded through email or the Safari web browser. Expect that the tool can connect, acquire and report on office documents located on the phone. |
Table 1.4. Expected Results

| Category | Expected result |
|---|---|
| SMS | 30 threads (deleted 2, 262 messages left of ~800) |
| Contacts | 1282 (deleted 2) |
| Email | Inbox, Sent (200 each), Drafts – 1 |
| Notes | 1 (deleted 1) |
| Pictures | 41 (deleted 9 camera, 1 sync) |
| Web History | 2 (deleted 7) |
| Bookmarks | 11 (deleted 1) |
| Applications | 7 (deleted 3) |
| Voicemail | At least 1 |
| Passwords | Wi-Fi, VPN, BT |
| Video | 1 (deleted 1) |
Whenever possible, I performed the forensic testing on a Windows XP Professional (SP3) workstation instead of a Mac or Linux workstation, to more closely mimic what many analysts use. The tests were performed in the following order:
- WOLF - Sixth Legion
- UFED - Cellebrite
- Device Seizure - Paraben
- MacLockPick - SubRosaSoft
- MDBackupExtract - BlackBag Tech
- Physical DD - Jonathan Zdziarski
- .XRY - MicroSystemation
- CellDEK - Logicube
For each software application, I will provide a brief overview of the software and forensic process. I will also provide feedback on the installation process, user interface, acquisition process and the results of the acquisition.
Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and e-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone forensics, which has gained recognition throughout the industry. Kyle Gaffaney is a third-year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school, Kyle served as a staff accountant at a financial management firm.
viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies. Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.
One key strategy for minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. But the reality is that there are significant burdens, including:
- Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
- Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
- Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.