Advanced Mobile Forensics Blog Cell Phone Forensics CelleBrite Chip Off forensics Document Discovery eDiscovery Electronic Discovery iPhone Forensics Law Enforcement Location Data Forensics Mobile Forensics Tablet PC forensics

Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad have different levels of support, but each can be obtained in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – Collection of the device’s file structure and the folders and files within.
Physical – A full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5 this level of support is not currently available. The main reason is that Apple started using the new A5 chip. The decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files. When obtaining a forensic file system extraction those DB (database) files are collected as well. Thus the ability to obtain deleted and active content from the device is possible with a forensic file system collection. Here is an example of the data that can be recovered from an iPhone.

iPhone Forensic Collection

This is only one example, and I have seen devices provide thousands of deleted and active content. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actually device. When a user syncs their phone to the computer and loads up music, movies, or pictures they are usually performing a backup as well. The backup files can be exported from the computer and loaded up into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

The collected data from a iTunes back up file via mobile forensic tools
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be great resource for eDiscovery requests. These devices can be connected to an exchange server or a web mail client. Depending on the configuration the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for a eDiscovery situation user devices should not be ignored. They can house emails and documents that are no longer on the server or users computer. As you can see from the screen shot above, this user had 3,943 emails on the device and of those emails 1,199 emails were deleted). These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded collect all email and documents related to the case, every device holding these items should be forensically collected.

CEIC 2012 Conference Document Discovery eDiscovery Electronic Discovery Intellectual property theft Network logs Time line analysis

CEIC 2012 Day 3 – Time Bandits (Time Line Analysis)

For the second time I had the opportunity to sit through a session taught by Rob Lee. If you have not had the chance to learn from Rob or hear him speak you are missing out. The crowds seem to follow Rob and this session was no different. Within minutes the largest session room at the conference was full and people were sitting in the back of the room.

Rob started off by talking about what forensic investigators needs to accomplish before they can be proficient in advanced time line analysis. For the second day in a row I give my quote of the day to Rob. He used the phrase “conversational forensics”. I knew exactly what he meant by that phrase before he defined it. “Conversational Forensics” means you have the ability to talk shop with someone else in this industry with ease and fluently. If you were to start talking about a case you were having issues with, would you be able to explain where you have looked within the case and have a conversation about specific prefetch files, .lnk files, or user assist files? Until you can freely converse with forensic terms, with the ability to walk or talk through a specific case, you would not have the skill set of “conversational forensics”. This tidbit is neither here nor there, but it gives you an idea of how much knowledge you really do need to perform advanced time line analysis.

To be successful with advanced time line analysis Rob believes you need to be proficient in three areas:

file system data

windows artifacts

registry keys.

When you are dealing with logs from a system or server it can feel overwhelming when you pull it up for the first time. If you have seen 2-5GB log file you know what I mean. Trying to find time stamps and files involved with your investigation is like trying to find 2-5 specific grains of sand on a beach. Since there is a vast amount of data to be sorted through it is a good idea to find a “pivot point”. This pivot point could be a point in time or event, but it will give you somewhere to start. Examples of a pivot points maybe:

Time of an incident

Network activity (specific packets leaving)

Process Activity aka Memory Analysis

Name of a File – ex: topsecret.pdf

Type of File lost or accessed

Activity – USB keys, downloads, or file wiping

With regards to file wiping, food for thought here, How do you wipe the WIPER? I ask this because Rob explained very well that anti forensics will always exist, but they cover all of there tracks. Even the most advanced adversaries can’t hide everything perfectly.

Once you have your “Pivot Point” there are several steps you can follow to make your job easier. First you need to determine the scope of your investigation, narrow your pivot points, determine best practice, filter your timeline, and finally analyze the time line. If you don’t have a time line analysis tool Rob suggested log2timeline. Just google it and you’ll find it. As a teaser he also mentioned that the new SIFT workstation may have these tools sometime soon.

Once you feel you have found your data you need to prove, or show, 4 things. The date of involvement, artifact involved, the action of the artifact, and the source of the data artifact.   This will ensure that you can explain where, what, and how this happened.

If you were looking for a breach where top secret files were loaded onto a USB drive by a current employee you can obtain certain information to start your analysis. When was this first seen and how does that line up with this users login stamps? You can than boil this down more by finding user assist entries (executable) along with USB keys. When you can determine a time where a USB was inserted and logged to the system you can look for LNK entries that show your specific files being opened.

By no means is this blog going to provide as much detail as Rob did, but it gives you an idea of the complexity of timeline analysis and the knowledge it takes to think outside the box and find that single grain of sand for your investigation.


Daniel Parsons

Computer/ Mobile Forensic Examiner

Binary Intelligence

CEIC 2012 Conference Document Discovery eDiscovery Electronic Discovery

Day 3 CEIC – “Culling all eDocs and eMail!”

EnCase is well know for being a powerful tool with regards to computer forensics. Some may even know its a powerful tool for eDiscovery, but the first session I sat through today highlighted some key features inside EnCase v. 6 that can help you with you filtering out the files, folders, documents and emails you need for your specific situation. If you are able to work this eDiscovery case with a image of a server or computer it can make your life a little easier although you can connect to your subject server or PC via network connection for instances where it is not possible.

Within Encase utilizing Conditions is where this software can make your eDiscovery run more smoothly. When you set up conditions you can pin point specific documents, files, or folders that was specific to your case.

In the bottom right pane navigate to conditions and right click to add a new folder. A point made by the session teachers was to keep your folders organized. Keeping folders unique and organized can save headaches in the future when looking for that information.

When you set up a new condition you are looking for something specific and you need to determine which tab is going to give you the results you want. Unless you know the specific file name or size you will not want to utilize those tabs. With our specific exercise we utilized the Description tab to “cull” our eDocs and eMails.

When you add the condition and choose the description tab you will need to select the operator. Selecting the operator will tell EnCase what to do with the data will input. If you want to neglect all of the system folder you would want to choose “Find” under the operator and enter something like this (see image too):









physical disk






Inserting these keyword will tell EnCase that you want it to search the Description tab for ONLY these words and exclude the rest. Once your done you double click the condition in the bottom right pan and it will run. If your like me you realize right away that this will yield way to many results, but that’s the beauty of it. You can use conditions to be a broad or narrow as you want.

If you want to narrow down the documents more you can add a second condition to find documents within certain folders. You can insert specific paths you know these documents are in. The list you add to utilize this search may look like this (see second image too):



\Program Files\

\Program Files (x86)\

\System Volume Information\


\Temporary Internet Files\





\Lost Files\

I would suggest playing with these tools and going to Guidance Software directly if you want to get more information about these tools and how to utilize the conditions more to speed your eDiscovery cases up!


Daniel Parsons

Computer/Mobile Forensic Examiner

Binary Intelligence