Advanced Mobile Forensics Blog Cell Phone Forensics CelleBrite Chip Off forensics Document Discovery eDiscovery Electronic Discovery iPhone Forensics Law Enforcement Location Data Forensics Mobile Forensics Tablet PC forensics

Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad have different levels of support, but each can be obtained in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – Collection of the device’s file structure and the folders and files within.
Physical – A full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5 this level of support is not currently available. The main reason is that Apple started using the new A5 chip. The decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files. When obtaining a forensic file system extraction those DB (database) files are collected as well. Thus the ability to obtain deleted and active content from the device is possible with a forensic file system collection. Here is an example of the data that can be recovered from an iPhone.

iPhone Forensic Collection

This is only one example, and I have seen devices provide thousands of deleted and active content. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actually device. When a user syncs their phone to the computer and loads up music, movies, or pictures they are usually performing a backup as well. The backup files can be exported from the computer and loaded up into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

The collected data from a iTunes back up file via mobile forensic tools
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be great resource for eDiscovery requests. These devices can be connected to an exchange server or a web mail client. Depending on the configuration the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for a eDiscovery situation user devices should not be ignored. They can house emails and documents that are no longer on the server or users computer. As you can see from the screen shot above, this user had 3,943 emails on the device and of those emails 1,199 emails were deleted). These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded collect all email and documents related to the case, every device holding these items should be forensically collected.

Advanced Mobile Forensics Blackberry Forensics Cell Phone Forensics Chip Off forensics iPhone Forensics Mobile Forensics

Chip Off Forensics for almost Any Device

Over the years Binary Intelligence has had the opportunity to service the mobile and cell phone forensic field with logical and physical acquisitions. We started to research and develop a proven chip off forensic process about 3 years ago. We work with devices like Blackberry, Apple iPhone / iPod, Android, Tracfone, Samsung, LG and other feature style phones.Chip Off forensics is simply a more advanced form of cell phone forensics (mobile forensics). It does not require the phone to be operational. The phone can be broken, locked, water damaged, and even run over with a car.

With out a doubt Blackberry has been the most difficult device to master. RIM has utilized a thick, nasty, hard epoxy to secure the BGA memory chip to the motherboard. This epoxy is plastered on the sides of the chip, underneath the chip and even on top of the BGA chip. This epoxy makes performing chip off forensics difficult. The only proven way to remove this epoxy is to heat it and slowly remove it. Not only are you removing the epoxy from the sides and top of the chip, but you also must remove the epoxy from the pad portion of the BGA chip. These pads are very sensitive and even the SLIGHTEST scratch can sever connections and render the chip unreadable. The risk is higher with Blackberry devices, but the end result can really be extremely beneficial to any case or individual.

Ready for Heating
"Heat me Up Scottie"

Binary Intelligence has successfully removed, repaired, and read dozens and dozens of chips from an endless list of phone models. The amount of data recovered from Blackberry’s vary, but they seem to provide great results. One particular phone yielded over 20,000+ emails that were active and deleted.

Heating BGA Chip for removal
Precision is Perfection

The knowledge and popularity of chip off forensics is really growing. We have been getting work not only from government agencies and law firms, but from private individuals as well. Some of these private individuals need our help finding closure after a close family member has passed away or they are in the middle of a sensitive divorce/ child custody battle and need the data for court. That’s how competitively priced Binary Intelligence is when it comes to chip off forensics.

Here is a list of phones we have done chip offs on:

Blackberry 8330, Blackberry 8350i, Blackberry 8520, Blackberry 9330, Blackberry 9630, Blackberry 9650 Bold, many more

Samsung SPH I917, Samsung SCH U740, Samsung SCH-U350, Samsung SCH R451C, many more

Motorola Droid, Motorola A855, Motorola V3A Razr, many more

Apple iPod Nano 4GB, Palm P101EWW, LG GPLG900GB (Tracfone), Sanyo SCP3820, Kyocera K612, Casio Commando, Olympus DP-10 Voice Recorder, and many more


As always this is a very destructive process and you must find a proven and experienced professional to assist you with any chip off forensic process. Feel free to call me and chat my direct extension at the office is x713.

After BGA Chip was Removed
After Chip Off