
Forensic Possibilities on iOS devices

Final Project - Hands on Lab


Team 7: Sean Collins, Manas Agrawal, Malaika Henderson


Introduction

With the launch of the first iPhone and iPod touch in 2007 came a groundbreaking new operating system, iOS by Apple Inc. Since then Apple has sold more than 100 million iOS-based devices; this figure includes the iPad, launched in 2010 as an addition to the iOS family. The probability of finding one of these devices at a crime scene is therefore high. Apple's closed ecosystem currently comprises four devices: iPhone, iPad, iPod touch and Apple TV. Because the devices are similar in nature, the forensic approach to them is the same. We use the iPhone as the device of choice for this project and assume that the techniques apply equally well to the other devices under the iOS umbrella.

Scenario

An investigator hears about a man with an iPhone who is suspected of sending inappropriate messages to a co-worker. The investigator goes through the legal process and obtains a warrant from a judge to search the suspect's apartment, where an iPhone is found under the bed. The investigator seizes it following the protocol for electronic devices outlined below. The investigator finds that the phone was being used to send obscene SMS messages, suspicious emails, monetary transaction records and multimedia files to a female co-worker. The investigator's job is now to recover as much suspicious data as possible from the phone.

The phone is an iPhone 3G running firmware 3.1.3 and is not jailbroken. It was heavily used, including:
- Email, contacts and calendar (Microsoft Exchange ActiveSync with Exchange 2007)
- Web browsing (news, Gmail accounts, Google, etc.)
- Phone calls, voicemail, text messages (some deleted)
- App Store apps (Facebook, Google Earth, Sudoku, Memory Lock, Paper Toss, Twitter, Wi-Fi Plus, TripAdvisor, iCamcorder)
- Wi-Fi networks
- Pictures (some deleted)
- YouTube videos
- Google Maps
- Notes
- GPS

The chart below lays out the current protocol for the seizure of electronic devices.

Data that can be Extracted:
- SMS history (text messages)
- Deleted SMS (text messages)
- Phonebook
- Call history
    - Received calls
    - Dialed numbers
    - Missed calls
- Deleted data
- Calendar
- Notes
- GPS information
- RAM/ROM
- E-mail
- App Store apps
- Cookies
- Passwords
- Config files
- Phone information
- Speed dials
- Wi-Fi networks

Possible Forensic Tools:
- UFED (Cellebrite)
- iXAM (FTS)
- Oxygen Forensics for iPhone (Oxygen Software)
- .XRY (Micro Systemation)
- Lantern (Katana Forensics)
- MacLockPick (SubRosaSoft)
- Mobilyze (BlackBag Technologies)
- Physical DD (Jonathan Zdziarski)
- Device Seizure (Paraben)
- CellDEK (Logicube)
- EnCase Neutrino (Guidance Software)
- iPhone Analyzer
- Wolf by Sixth Legion (program)
- iPhone Explorer (program)
- limera1n (iOS jailbreak utility)
- USB device analysis

Forensic Techniques:

Logical: This approach acquires data directly from the iPhone and is preferred over recovering files from the computer the iPhone was synced with. However, the forensic analyst must understand how the acquisition occurs, whether the iPhone is modified in any way, and what the procedure is unable to acquire.

Backup: Forensic tools can analyze the iTunes backups of all iOS devices, giving the investigator a chance to uncover previous information without accessing the device.

Physical (bit-by-bit copy): This process creates a physical bit-by-bit copy of the file system, similar to the approach taken in most computer forensic investigations. While this approach has the potential for the greatest amount of recovered data (including deleted files), the process is more complicated and requires sophisticated analysis tools and techniques.

Investigative Run-through:

We started by downloading a trial version of the Oxygen Forensic Suite, on which we performed the entire investigation. We then connected an iPhone 3G on firmware 3.1.3. (The handset was borrowed from a friend, so some screenshots have been censored to protect their privacy.)

After plugging in the phone, the suite opened a wizard that asked us to confirm that this was the phone we wanted to investigate. This is useful because investigators often have multiple devices connected to a forensic workstation.

This screen shows the extraction wizard, which collects all relevant input from the investigator before proceeding with the extraction. The first step is the case information, including which hash algorithm to use for verifying the extracted data.

The data type selection is the most important investigator input before extraction, since it determines the extent of the extraction. A full read copies all files in the root directory and on any memory cards. There is also a selective read option, which restricts the extraction to chosen categories of data. Phonebook, event log, calendar, messages and extras are the other categories that can be captured. This information is later organized into the sections used to navigate the device. After the investigator confirms the input, the extraction begins.

Once the extraction process is complete, the suite offers the option of opening the contents of the image, or of storing the results and exporting or printing them as a report. This is helpful when data needs to be presented elsewhere. After extraction, navigation is divided into eight sections.

The Device Info screen provides critical information about the device, which helps the investigator understand what hardware and firmware he or she is dealing with. Phonebook, Calendar, Notes and Messages extract the databases stored within the file system and display their contents in a friendly manner. An investigator could do without these categories, since the same databases can be extracted from the file system and examined manually. The Event Log and access to the file system are the most important aspects of a tool such as this one. Extras provides some other useful tools, such as a Wi-Fi history analyzer.

The call logs of the device are visible here, with complete duration, number, type and direction information. We consider the Event Log an extremely important tool because it gives elaborate details on events that occur on the device. Since any user action can result in an event, the most important tasks, such as calls, messages and packet data, are recorded here. The list can be sorted in many ways and is pivotal in giving investigators an overview of the user's activities. Exporting events to any convenient database format is straightforward.

The file browser section allows you to browse the root directory, including any memory cards the device uses. The key advantage here is that the Oxygen suite makes a complete image of the device, and it is this image we browse, so no data on the device itself is modified during analysis.

The messages section is key to our investigation, since the suspect is accused of having sent inappropriate messages to a co-worker in various forms. The Oxygen suite gives a comprehensive set of features and views in this section. We were able to sort by many fields, such as:
- Time stamp
- Service center time stamp
- Remote party
- Text
- Message type
- Status

This was extremely helpful in narrowing down suspicious messages. Because we could see the different kinds of messages, we saw that many multimedia messages were sent, indicating that the suspect is an active MMS user and is familiar with attaching media to messages. If we could identify the co-worker involved, we could look up her number in the contacts and see what communication the two have had. This would also reveal any inappropriate content the suspect may have sent the victim.
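The report notes above that the Phonebook, Calendar, Notes and Messages views only present SQLite databases that could also be pulled from the file system and examined by hand, and that a physical image is what makes deleted SMS recoverable. The following Python script is an added example written for this page (it is not part of the original report and not Oxygen's code) of doing those steps manually on a copy of the SMS database: hashing the extracted file, listing the thread with one remote party, and carving deleted message text out of the unallocated space SQLite leaves behind in its pages. The table layout (`message` with `address`, `date`, `text`, `flags`), the flag values 2 (received) and 3 (sent), and the Unix-epoch `date` column are modelled on the iOS 3.x sms.db but are assumptions here, and every message in the script is constructed sample data.

```python
"""Added example: manual triage of an iOS 3.x-style sms.db copied out of an image.

Schema, flag values and the Unix-epoch date column are modelled on the iOS 3.x
sms.db `message` table but are assumptions, not a documented format.
All message data below is constructed for the example.
"""
import hashlib
import re
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

FLAG_RECEIVED = 2   # assumed: incoming SMS
FLAG_SENT = 3       # assumed: outgoing SMS
COWORKER = "+15551230001"   # constructed number of the complainant
OTHER = "+15559990002"      # constructed unrelated contact

# Constructed sample rows: (address, unix_time, text, flags)
SAMPLE_MESSAGES = [
    (COWORKER, 1288000000, "Did you finish the quarterly report?", FLAG_RECEIVED),
    (COWORKER, 1288000300, "Yes, sent to your inbox.", FLAG_SENT),
    (OTHER, 1288003600, "Dinner at 7?", FLAG_RECEIVED),
    (OTHER, 1288003900, "See you then", FLAG_SENT),
]
# Sent to the co-worker and then deleted; SQLite leaves the bytes in the page.
DELETED_TEXT = "You looked great today, wear that again tomorrow"


def build_sample_db(path):
    """Create a constructed sms.db in which one message was deleted but not wiped."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")  # default of most SQLite builds
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, text TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO message (address, date, text, flags) VALUES (?,?,?,?)",
                     SAMPLE_MESSAGES + [(COWORKER, 1288004500, DELETED_TEXT, FLAG_SENT)])
    conn.commit()
    conn.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    conn.commit()
    conn.close()
    return path


def hash_evidence(path):
    """Hash the extracted file so the copy can be tied to the image and the report."""
    data = Path(path).read_bytes()
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def open_readonly(path):
    """Open the evidence copy read-only so the analysis cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def messages_for(path, address):
    """Live messages exchanged with one remote party, oldest first."""
    conn = open_readonly(path)
    rows = conn.execute("SELECT date, text, flags FROM message WHERE address = ? "
                        "ORDER BY date", (address,)).fetchall()
    conn.close()
    direction = {FLAG_RECEIVED: "received", FLAG_SENT: "sent"}
    return [{"time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
             "direction": direction.get(flags, f"flags={flags}"),
             "text": text} for ts, text, flags in rows]


def live_strings(path):
    """Every text value SQLite still considers live, used to filter carved strings."""
    conn = open_readonly(path)
    known = {"SQLite format 3"}  # file header magic
    for type_, name, tbl_name, sql in conn.execute(
            "SELECT type, name, tbl_name, sql FROM sqlite_master").fetchall():
        known.update(s for s in (type_, name, tbl_name, sql) if s)
        if type_ == "table":
            for row in conn.execute(f'SELECT * FROM "{name}"'):
                known.update(v for v in row if isinstance(v, str))
    conn.close()
    return known


def carve_deleted_text(path, min_len=8):
    """Scan the raw pages for printable runs not accounted for by any live value."""
    raw = Path(path).read_bytes()
    known = live_strings(path)
    candidates = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw):
        run = m.group().decode("ascii")
        if not any(k in run or run in k for k in known):
            candidates.append(run)
    return candidates


def run_demo():
    """Build the constructed database in a temp dir and triage it end to end."""
    workdir = tempfile.mkdtemp()
    db = build_sample_db(str(Path(workdir) / "sms.db"))
    return {"hashes": hash_evidence(db),
            "coworker_thread": messages_for(db, COWORKER),
            "carved": carve_deleted_text(db)}


if __name__ == "__main__":
    result = run_demo()
    print("sha256:", result["hashes"]["sha256"])
    for msg in result["coworker_thread"]:
        print(msg["time"], msg["direction"], msg["text"])
    print("carved from unallocated space:", result["carved"])
```

The carving step works because SQLite, unless compiled or configured with secure_delete, only unlinks a deleted record from the page's cell pointer array and leaves its bytes in a free block; a string scan of the raw file, minus everything a live query can still account for, therefore surfaces the deleted text. This is the same reason a physical image recovers deleted SMS while a plain database query does not, and it is also why the hashes should be recorded before any tool opens the copy.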

The Wi-Fi analyzer allows us to view the complete Wi-Fi connection history. This can be useful when we are trying to establish where the suspect may have been physically present. For example, in this screenshot you can see visits to the United States, Canada and India.

Conclusion

Many tools are available for popular devices such as those running iOS. Although good investigators rely on multiple tools, the Oxygen Forensic Suite was one tool we felt would meet our requirements. It also supports other platforms such as Android, BlackBerry and Windows Phone, and its consistent layout allows an investigator to analyze different types of devices in the same way. Many advanced features allow the software to give investigators critical information. We feel we successfully completed the investigation and produced results that are definitive in what they show.

Works Cited

1. "Oxygen Forensic Suite 2010." Oxygen Software Company, n.d. Web. 1 Dec. 2010. <http://www.oxygen-forensic.com/en/>. (Original vendor.)
2. Hoog, Andrew (GCFA). "iPhone Forensics White Paper." viaForensics, 1 Nov. 2010. Web. 1 Dec. 2010. <http://viaforensics.com/wpinstall/wpcontent/uploads/2009/03/iPhone-Forensics-2009.pdf>.
3. Paraben. "Paraben Forensic Software - Device Seizure." Paraben's Computer Forensic Software and Training, 1 Jan. 2010. Web. 1 Dec. 2010. <http://www.paraben.com/device-seizure.html>.
4. Haagman, Dan, ed. Good Practice Guide for Computer-Based Electronic Evidence. Association of Chief Police Officers. Web. 1 Dec. 2010. <http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf>.
5. Jansen, Wayne, and Rick Ayers. Guidelines on Cell Phone Forensics. Special Publication 800-101. National Institute of Standards and Technology, 2007. Web. 1 Dec. 2010. <http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf>.
