
Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or other Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad has a different level of support, but each can be obtained in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – the collection of the device’s file structure and the folders and files within it.
Physical – a full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5, this level of support is not currently available. The main reason is that Apple started using the new A5 chip, and the decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files, and a forensic file system extraction collects those DB (database) files as well. That is why a forensic file system collection can recover both deleted and active content from the device. Here is an example of the data that can be recovered from an iPhone.

iPhone Forensic Collection

This is only one example, and I have seen devices provide thousands of deleted and active items. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much data as the actual device, and sometimes more. When a user syncs their phone to the computer and loads up music, movies, or pictures, they are usually performing a backup as well. The backup files can be exported from the computer and loaded into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

The collected data from an iTunes backup file via mobile forensic tools
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be a great resource for eDiscovery requests. These devices can be connected to an Exchange server or a web mail client. Depending on the configuration, the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for an eDiscovery situation, user devices should not be ignored. They can house emails and documents that are no longer on the server or the user’s computer. As you can see from the screen shot above, this user had 3,943 emails on the device, and of those emails 1,199 were deleted. These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded “collect all email and documents related to the case”, every device holding these items should be forensically collected.


Is your phone hacked or running Spy Software?!

Over the past 6+ months I have been inundated with clients calling with concerns over Spyware on their mobile phones. I made it my mission to start a detailed R&D project that would analyze the forensic aspect of Spy software: how Spy software is purchased, how Spy software is installed, how the infected phone is monitored, and what Spy software can really do. To be quite honest, I was a bit surprised at the ease, accessibility and power of the Spy programs I researched.
**As a warning, if you think your phone has spyware on it, TURN IT OFF or PUT IT IN AIRPLANE MODE. Do not use this phone, because the second you start calling Binary Intelligence for help or telling your mom you think your phone is tapped, the criminal can remotely take the software off of your phone.**
Let me start this blog post by listing the things that MUST happen in order for your phone to be considered a candidate for a potential spyware breach. (These items are from my own research and I do not claim that these are the only things to be aware of. Other programs that I am unaware of may require less or more from the user and the infected phone.)
1. The phone must be Rooted (if Android) or Jailbroken (if iPhone). Blackberry simply requires access to the “Blackberry App World”, but has a more complex configuration process.
2. The individual placing the Spy software on your phone must have physical access to your device for about 5-20 minutes.
Side Note: I was made aware of a program that did not require access to the phone, but it did not work when I tested it. It utilized an “infected photo” sent to the phone that supposedly allowed someone to monitor calls, text messages, and even intercept messages. Again, I tested it and it did not work.
If you believe Spy software is on your mobile phone here are some things that you may want to look for:
– Spy software is very powerful and can allow the user to listen in on calls or turn your microphone on to listen in on what you are doing while the phone is not in use. With each of these features there are no physical signs that the act is happening. If you see 3-way calls on your bill that you did not make, that may be a sign. If you see incoming calls that you did not get (and you know for sure you didn’t get), that may be a sign as well. Some programs utilize data for monitoring instead of calls.
– Application control is another feature of Spyware programs. This feature allows the person monitoring the phone to deny or grant access to particular applications. Normally this feature is used to deny access to applications that cannot be monitored. If you are using “KIK” or any other application that allows you to text or call for free those will normally be blocked so you are forced to use options that can be monitored.
– When a person is listening in on your calls they can un-mute their phone and communicate. If for some reason you hear people or someone in the background they may have accidentally turned the mute off.
– Spy programs run all the time. They can be draining on a cell phone’s battery, especially if they are transmitting your location via GPS signal. If you see your battery dying within hours, it is possible the program may be hiding in the background.
If you are concerned over the threat of your phone being hacked and monitored, give us a call and ask for Daniel. I am more than happy to discuss your particular situation and give you some feedback. If you would like me to analyze your phone for Spy Software, I can do that in a quick and easy manner. My clients use FedEx or UPS to get me the phone.
Please comment on this blog post if you are currently using a program that works outside of my post. I am always interested in new programs for R&D purposes.
866-246-2794 ext 713 or


Android & iPhone’s Growing Malware Problem – MFC 2012

Wednesday morning’s keynote speaker was Chet Hosmer. Mr. Hosmer is the Chief Scientist at Wetstone Allen. The realm of digital and network security has changed dramatically. Think back to before smart phone devices, as a network security manager: you only had to worry about the network locally within your firewall. With the boom of smartphones and mobile workforces, the realm of protecting your company’s data and infrastructure has grown to be almost uncontrollable.

The latest corporate buzz word is BYOD (Bring Your Own Device). When you have a BYOD policy within a company you are allowing more uncertainty into the work place by allowing unknown devices to access your systems, email, and confidential documents. You do not know what OS the device is running, what applications are installed, if encryption is enabled, or if the device is already compromised. As a network administrator you can try to control everything within your firewall, but how do you control a mobile worker with their own personal device?

Infected smartphones are not new. Today Android OS devices lead the industry in this epidemic. They lead this epidemic because Android is an open-source OS and because its App Marketplace relies on users vetting out bad applications. When dealing with iPhones you have an OS that is proprietary and leaves the public guessing as to what the 10+ million lines of code really are. Keeping these 10+ million lines of code confidential protects (somewhat) Apple iPhones from handing hackers exploits in the OS. By no means am I saying iPhone users do not need to worry about malware or trojans, because they do, and it has happened.

iPhone recently had a hot-selling app called Flashlight. The actual flashlight didn’t really do anything special, but people were paying for the app anyway. It took 4 weeks for Apple to realize that this app was a fake app and that people were buying it because it provided users a tethering option via a Trojan exploit into iOS.

Android had a major outbreak of malware recently that was found in hundreds of apps. Google Bouncer found some of them, but it’s easy to look at the data and realize it didn’t vet them all. Some of the apps that were infected were Dice Roller, Chess, Super Ringtone Maker, Best Password Safe, Advanced Compass Leveler, Piano, Quick Delete Contacts, and many more. The specific exploit in these apps was RATC (rage against the cage). RATC allows the malware to be installed and to install unwanted apps or steal data. Here is how RATC works:

1. Finds the debug server (adb_server) and its process ID.

2. Kills adb_server (auto restart)

3. The server auto-restarts and begins executing with root access.

4. RATC races to reduce the number of allowed processes in the adb_server.

5. Two system calls are made:

A. setgid (AID_Shell)

B. setuid (AID_Shell)

Within step 5 the calls fail. This exploit exists because the programmer never checked the return values of those calls. Mr. Hosmer made this statement: “Programmers that do not check return values equal dinosaurs because they become extinct.” A single line of Android OS code was the flaw: the two calls were made while the adb_server was restarting with root access, and when they failed, the system was left running as root and the malware was given free rein.
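The return-value lesson above is easiest to see in code. The following is an added example, not code from the post and not Android’s adbd: it models the historical Linux rule that setuid() from root fails with EAGAIN when the target uid is already at the caller’s RLIMIT_NPROC process cap, and contrasts a daemon that ignores the result with one that checks it. AID_SHELL is Android’s real shell uid/gid constant (2000); the kernel and process classes are simplified models built for this illustration.

```python
"""Model of the unchecked-setuid flaw behind "rage against the cage".

Added example, not code from the original post or from Android. FakeKernel
and Process are simplified models of the real kernel and daemon behaviour.
"""
import errno
from dataclasses import dataclass, field

ROOT_UID = 0
AID_SHELL = 2000   # Android's real shell uid/gid; the identity adbd should drop to


@dataclass
class Process:
    uid: int = ROOT_UID   # a freshly restarted daemon begins life as root
    gid: int = ROOT_UID
    err: int = 0          # last errno, C style


@dataclass
class FakeKernel:
    """Per-uid process counts plus the RLIMIT_NPROC rule applied by setuid().

    Modelled on the historical Linux set_user() check: switching to a non-root
    uid that already holds as many processes as the caller's RLIMIT_NPROC soft
    limit fails with EAGAIN.  Attackers filled the shell uid's slots with forks
    before forcing the daemon restart, so the drop to AID_SHELL failed.
    """
    nproc_limit: int
    processes: dict = field(default_factory=dict)   # uid -> live process count

    def spawn(self, uid):
        self.processes[uid] = self.processes.get(uid, 0) + 1

    def setuid(self, proc, new_uid):
        """C convention: 0 on success, -1 with errno set on failure."""
        if new_uid != ROOT_UID and self.processes.get(new_uid, 0) >= self.nproc_limit:
            proc.err = errno.EAGAIN
            return -1
        proc.uid = new_uid
        return 0

    def setgid(self, proc, new_gid):
        proc.gid = new_gid
        return 0


def daemon_start_unchecked(kernel):
    """The vulnerable pattern: the results of setgid()/setuid() are discarded."""
    proc = Process()
    kernel.setgid(proc, AID_SHELL)
    kernel.setuid(proc, AID_SHELL)   # silently fails when the cap is reached
    return proc                      # keeps serving clients with whatever uid it has


def daemon_start_checked(kernel):
    """Hardened pattern: check each return value and refuse to run if the drop failed."""
    proc = Process()
    if kernel.setgid(proc, AID_SHELL) != 0:
        return None
    if kernel.setuid(proc, AID_SHELL) != 0:
        return None                  # proc.err == errno.EAGAIN in the RATC scenario
    if proc.uid != AID_SHELL or proc.gid != AID_SHELL:
        return None                  # verify the drop took effect before serving anyone
    return proc


def simulate(daemon_start, limit=10, shell_processes=None):
    """Restart the daemon while the shell uid holds `shell_processes` processes."""
    kernel = FakeKernel(nproc_limit=limit)
    for _ in range(limit if shell_processes is None else shell_processes):
        kernel.spawn(AID_SHELL)
    return daemon_start(kernel)
```

With the shell uid at its cap, `simulate(daemon_start_unchecked)` hands back a process still running as uid 0, while `simulate(daemon_start_checked)` returns None and the daemon never serves a client as root. In real C code the same discipline applies to setgid(), setuid(), setgroups() and setrlimit(): treat any non-zero return as fatal, and verify with getuid()/geteuid() afterwards.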

Below are a few malware, trojan, and fake apps that have been found within mobile OS devices.

BASSBRID – Trojan – Set up to steal personal data

JIFAKE.F – Trojan – Version of Jimm Mobile ICQ Client. This would set up SMS messages to send to a premium service and charge the user $4-$6 per message on their bill. This was the first malware known to be installed by having the user scan a QR Code.

BATTSTATUS – Fake App – Sent personal data to remote servers.

Ginger Master – Root exploit

Rabbiddog.A – Malware – Sends SMS messages to all of your contacts the following message ” I take pleasure in hurting small animals, just thought you should know.”

Not discussed by Mr. Hosmer was the availability of Spyware. I am not referring to Spyware that is downloaded like a virus, but Spyware that can be purchased by someone and installed onto a phone for monitoring of calls, texting, location, email, and web history. This is a teaser for a future blog post, but I have had several cases within the past few months where Spy software was purchased and installed onto a target smartphone. It is out there and it is VERY powerful. The scariest part is that you will never know it’s there with the naked eye.

Here are some of my final thoughts on this situation. Malware and trojans on mobile phones are growing at a rapid pace, and no OS is going to be completely safe. When a corporation is concerned over classified information or intellectual property, the policy of “bring your own device” should be shelved and the company should provide devices that can be managed by the network IT guys. This allows you to manage which apps are downloaded and what information is stored on the device, and it gives you the ability to wipe the device if it is lost or stolen. Each OS has its benefits and both have their minuses. I think there will always be a need for open-source mobility to accelerate innovation in mobility. With acceleration comes risk, and the need to manage and assess those risks.


iPhone Forensics / Location Information – MFC 2012

Don’t Try Hiding Where You Have Been If You Use An iPhone!

Terry McGuire, of CMD Labs, went over some test data he had acquired in relation to location data on his iPhone and TomTom GPS. If you are familiar with the forensic examination of these two devices this may be an overview, but you may learn something too. Terry activated a new number with an iPhone to obtain new data during his trip from VA to SC for the Mobile Forensic Conference 2012. Within the iPhone there are 3 main files that the maps/directions will be stored in, and these can be found under mobile/library/maps:

bookmarks.plist

directions.plist

history.plist

If you are unfamiliar with what a .plist is, it simply means property list. You can obtain these files and view them with a plist editor or even just a hex editor. In the bookmarks.plist file the data it contains is just that: bookmarked locations within your maps app. You may have bookmarked addresses for home, work, school, or a favorite restaurant you went to a few months ago. Within the directions.plist file you will find the actual data for a trip. It will give you the turn-by-turn directions along with date and time stamps (usually, not always). You must be aware, though, that a location being mapped out and its directions appearing in the directions.plist file does not automatically mean the trip was made. Someone could have entered the address for directions and canceled them without ever making a trip. This information should be used to corroborate other evidence you have. Within the history.plist you will find a list of past trips, but only the starting and ending spots will appear here.

When dealing with photos on the device you can find location data in the metadata. The pictures/videos can be found in the 100APPLE folder. This is located under DCIM and holds all of the user-interacted pictures and videos. This will not include any cached photos from the web. This is a nice folder to look at when you don’t want to deal with the parsed pictures that include buttons, caches, and what not. The metadata within these user-interacted pictures and videos is rather accurate. Terry took a photo the night before at a local restaurant and then showed the location data within that image. It was dead on.
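The location data in a photo’s metadata lives in the EXIF GPS IFD as degree/minute/second rationals plus a hemisphere reference, and an examiner has to convert them before plotting anything. The following is an added example, not code from the post or from Terry’s talk: it converts a GPS IFD into decimal coordinates and a UTC timestamp. The tag numbers (1 GPSLatitudeRef, 2 GPSLatitude, 3 GPSLongitudeRef, 4 GPSLongitude, 7 GPSTimeStamp, 29 GPSDateStamp) are the EXIF specification’s; the sample IFD, its coordinates and its date are constructed for the example.

```python
"""Convert an EXIF GPS IFD into decimal coordinates and a UTC timestamp.

Added example, not code from the post.  The tag numbers come from the EXIF
specification; SAMPLE_GPS_IFD is constructed and does not describe any real photo.
"""
from datetime import datetime, timezone
from fractions import Fraction

GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON, GPS_TIME, GPS_DATE = 1, 2, 3, 4, 7, 29


def dms_to_decimal(dms, ref):
    """dms: three (numerator, denominator) rationals for deg, min, sec.
    ref: 'N', 'S', 'E' or 'W'; southern and western hemispheres are negative."""
    deg, minutes, seconds = (Fraction(n, d) for n, d in dms)
    value = deg + minutes / 60 + seconds / 3600
    if ref in ("S", "W"):
        value = -value
    return float(value)


def parse_gps_ifd(ifd):
    """Return {'lat', 'lon', 'time_utc'} or None when the IFD has no fix."""
    if GPS_LAT not in ifd or GPS_LON not in ifd:
        return None
    lat = dms_to_decimal(ifd[GPS_LAT], ifd.get(GPS_LAT_REF, "N"))
    lon = dms_to_decimal(ifd[GPS_LON], ifd.get(GPS_LON_REF, "E"))
    when = None
    if GPS_DATE in ifd and GPS_TIME in ifd:
        # GPSTimeStamp is three rationals (h, m, s) and is always UTC per the spec
        h, m, s = (Fraction(n, d) for n, d in ifd[GPS_TIME])
        date = datetime.strptime(ifd[GPS_DATE], "%Y:%m:%d")
        when = date.replace(hour=int(h), minute=int(m), second=int(s),
                            tzinfo=timezone.utc)
    return {"lat": round(lat, 6), "lon": round(lon, 6), "time_utc": when}


# Constructed sample: 33°41'15.00"N 78°53'24.00"W at 01:30:00 UTC on 2012-06-01.
SAMPLE_GPS_IFD = {
    GPS_LAT_REF: "N", GPS_LAT: ((33, 1), (41, 1), (1500, 100)),
    GPS_LON_REF: "W", GPS_LON: ((78, 1), (53, 1), (2400, 100)),
    GPS_DATE: "2012:06:01", GPS_TIME: ((1, 1), (30, 1), (0, 1)),
}

if __name__ == "__main__":
    print(parse_gps_ifd(SAMPLE_GPS_IFD))
```

With a real file, recent versions of Pillow expose the same dictionary through `Image.open(path).getexif().get_ifd(0x8825)`; the conversion logic does not change. Keep the sign handling in mind when reviewing tool output: a western longitude reported as positive is a parsing error, not a different location.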

Within the iPhone you can also find cell tower data. This data will not tell you exactly where each call was made, but it will give you a list of towers that the phone you’re investigating has picked up. So, if I am sitting in Myrtle Beach right now using “tower 1”, my iPhone will show that, but it will also show about 5-10 other towers that I drove by or that it already knows are near me. This could be helpful when added to other pieces of evidence or when putting someone at a specific spot. The storage for this information is different in the iPhone 3G/3GS and iPhone 4. Here are the files where this data is held:

3G/3GS – Cells.plist, H-Cells.plist, and H-wifi.plist

4 – data/root/library/caches/locationd/consolidated.db

4 w/ 5.1.1 iOS – data/root/library/caches/locationd/cache_encryptedA.db

As of now the cache_encryptedA.db file is no longer backed up with the phone when connected to the PC. So when examining a backup of an iPhone running iOS 5.1.1 you will no longer see that database file with the cell tower data.
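The consolidated.db cell tower data is an SQLite database, and the two things an examiner trips over are the timestamp epoch and the temptation to read a tower row as a precise position. The following is an added example, not code from the post: it loads a CellLocation table into an in-memory SQLite database and summarises each tower by sighting count, first/last seen and accuracy. The table layout is a simplified, assumed version of the real consolidated.db schema and the rows are constructed; the Mac absolute time convention (seconds since 2001-01-01 UTC) is the real one and is the part most worth getting right.

```python
"""Summarise cell-tower sightings from a consolidated.db-style CellLocation table.

Added example, not code from the post.  SCHEMA is a simplified, assumed version
of the real table; SAMPLE_ROWS are constructed.  The 2001 epoch is the genuine
Mac absolute time convention used by these timestamps.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_time_to_utc(seconds):
    """Mac absolute time (seconds since 2001-01-01 UTC) -> aware datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


SCHEMA = """
CREATE TABLE CellLocation (
    MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
    Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL
);
"""

# Constructed sightings: tower CI 5678 recorded three times, CI 9999 once.
SAMPLE_ROWS = [
    (310, 410, 1234, 5678, 360000000.0, 33.6891, -78.8867, 500.0),
    (310, 410, 1234, 5678, 360003600.0, 33.6891, -78.8867, 500.0),
    (310, 410, 1234, 9999, 360005400.0, 33.7003, -78.8950, 1500.0),
    (310, 410, 1234, 5678, 360007200.0, 33.6891, -78.8867, 500.0),
]


def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def tower_summary(conn):
    """One record per tower: how often it was logged and over what window.

    HorizontalAccuracy is the radius in metres Apple assigned to the tower's
    position, so a row places the phone near the tower, not at a point.
    """
    rows = conn.execute("""
        SELECT MCC, MNC, LAC, CI, COUNT(*), MIN(Timestamp), MAX(Timestamp),
               Latitude, Longitude, MAX(HorizontalAccuracy)
        FROM CellLocation
        GROUP BY MCC, MNC, LAC, CI
        ORDER BY MIN(Timestamp)
    """).fetchall()
    return [
        {
            "tower": f"{mcc}-{mnc}-{lac}-{ci}",
            "sightings": n,
            "first_utc": mac_time_to_utc(first),
            "last_utc": mac_time_to_utc(last),
            "lat": lat, "lon": lon, "accuracy_m": acc,
        }
        for mcc, mnc, lac, ci, n, first, last, lat, lon, acc in rows
    ]


if __name__ == "__main__":
    for t in tower_summary(load_sample_db()):
        print(t["tower"], t["sightings"], t["first_utc"], t["last_utc"], t["accuracy_m"])
```

Treating a timestamp here as a Unix epoch value would shift every sighting back by 31 years, which is the classic mistake with this database. Pointing the same query at a copy of the real file only requires replacing `load_sample_db()` with `sqlite3.connect(path)`.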

Something very interesting about a specific app that some of you may use regarding location sharing: Foursquare saves your location information for places you have never even been. (I have not had the chance to personally test this, but per Terry he tried and tested this on his device.) Foursquare will save location information for nearby spots and could give the examiner false presumptions about the whereabouts of a suspect. Be aware of this for your investigations.

TomTom GPS forensics seems to be pretty straightforward. The TomTom can be acquired with Cellebrite and examined with it. TomTom will store this specific data (some early versions saved a TON more):

Fixes – Locations

Journeys – Trip Info

Locations – Home addresses or saved address

Other data (depending on whether they used it to save photos or what not)

Until next time! Thanks!



Mobile Forensic / Techno Security Conf 2012

Setting the stage: Mobile Forensic / Techno Security Conference 2012 is being held at the Marriott Grande Dunes resort in Myrtle Beach, SC. With about 500+ attendees from various government agencies, law enforcement jurisdictions, private consulting firms, and corporations, the variety of knowledge and experience was endless. I feel it is safe to say that the majority of attendees were public servants in some capacity. I had the pleasure of meeting one on Sunday, Peter Buchan of HSI. Sunday we shared the experience of the 1st annual Conference golf outing hosted and sponsored by CRU Data Port. (They did a great job and I hope more people join in next year!) Needless to say we enjoyed our 18 holes and even swapped a few war stories. I must throw this in here and mention that our threesome wound up winning custom Adidas golf shoes! So a big shout out to Peter and Dan (from CRU Data Port) on a job well done.

Okay, now back to the conference!

The first session this morning was a keynote-type session. Keith Lyon, eCrime Prosecutor from the California Attorney General’s Office, offered up his experiences and knowledge of a side of digital forensics that I hardly see. Sitting in a room with a bunch of law enforcement agents/officers, I’m sure Keith knew he was in for a TON of questions. I thoroughly enjoyed Keith’s presentation and hope to grab a copy of it soon (we were unable to get through it all).

Digital evidence was the main focal point of the presentation, and it began with the evolving laws regarding collection and analysis of digital media. When an arrest is made, law enforcement officials are able to obtain any type of evidence that is Incident to Arrest. The governing laws that have evolved around Incident to Arrest are first Chimel, followed by Belton and then Gant.

The Chimel rule was established in Chimel v. California (1969).

Belton was an extension of the Chimel rule from New York v. Belton (1981).

Gant stemmed from Arizona v. Gant (2009).

Of course none of these have actual verbiage about digital media containers, since they were created before the wide usage of mobile devices. Back in 2008, in US v. Finley, a cell phone was ruled to be a container and fell under the verbiage of “a container, is a container, is a container”.

Soon after this case in 2008 the argument over the type of container a cell phone is arose, and so did the debate of virtual v. spatial containers. The argument is that there is a reasonable expectation of privacy with a cell phone. Since our devices can now hold up to 32 GB of data, the cell phone is now more than ever like a computer.

Until State (Ohio) v. Smith (2009) there had not been rulings on the virtual v. spatial argument. A cell phone was examined for pictures and call logs to assist in the investigation. The courts ruled that this fell into the virtual v. spatial argument and that there is a reasonable expectation of privacy with a cell phone. The courts discussed that the same information was available through the phone carrier. I would have to strongly disagree with this assumption by the courts. We can obtain call logs and message logs from the carrier, but does the carrier give us the actual text of those messages, or give us pictures taken directly from the phone? Without a doubt the logs from the carriers can, at best, corroborate the evidence found through a forensic examination.

These evolving rules for collecting and analyzing critical evidence are not an indication of the “bad guys” winning. Mr. Lyon explained that the proper evidence collection processes need to be followed. The argument of “exigency” is strong in the world of digital media and evidence. Digital data can be destroyed or lost if not collected right away. Phones can be wiped remotely or can even overwrite old data when new data is being stored. Proper use of “exigency” can prove to the judge that collecting the cell phone was indeed imperative to protecting evidence that could be lost forever if left in the hands of the suspected criminal.

Mr. Lyon made a point to discuss the fact that preserving digital evidence does not fall under actual searching of that device. Once an arrest is made, the process of obtaining a forensic image can start. (As long as you do not look at the data!! You are simply using “exigency” and allowing the judge to ALLOW or DENY your claim before any data is EVER put into forensic analysis tools.) You have until the suspect is leaving booking or makes bail to obtain this copy. If you do not have this done when the suspect is leaving, you are officially interfering with a possessory interest.

Once you have the forensic image of the device you can ask the judge for a search warrant to examine the evidence you collected (but did not look at). If the judge allows it, then you are clear to go. If the judge denies this warrant, you have an obligation to never look at it until you can find corroborating evidence to make your search warrant request stronger. This process is not law, but US v. Flores (2012) gives your argument backing from a ruling allowing this process.

There have been cases from 2012 that begin to start discussing the evidence of cellphones and other digital media. One to look at would be US v. Smith (2012).

In no way am I an expert on how to obtain evidence from a suspect or crime scene. This blog post was simply a relaying of verbiage from the keynote speaker at the Mobile Forensic/Techno Security Conference. Any processes should be run by your superior or prosecutor.