Categories: Advanced Mobile Forensics Blog, Cell Phone Forensics, CelleBrite, Chip Off forensics, Document Discovery, eDiscovery, Electronic Discovery, iPhone Forensics, Law Enforcement, Location Data Forensics, Mobile Forensics, Tablet PC forensics

Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or other Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad has a different level of support, but each can be acquired in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – the collection of the device’s file structure and the folders and files within it.
Physical – a full forensic image of the memory on the device.

You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5, this level of support is not currently available. The main reason is that Apple started using the new A5 chip, and the decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save user and system data in database files. When obtaining a forensic file system extraction, those DB (database) files are collected as well, so a forensic file system collection can recover both deleted and active content from the device. Here is an example of the data that can be recovered from an iPhone.

[Screenshot: iPhone Forensic Collection]
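As an added example (not part of the original post), the Python script below shows why a file system extraction can recover deleted content: SQLite, the format behind the iPhone’s database files, does not overwrite a deleted row’s bytes by default, so a raw scan of the file still finds the text after the row has vanished from query results. The table, column names and message texts are constructed for the demo and only loosely modelled on an iOS messages store (the `message`/`text` naming is an assumption); the same scan applies to database files pulled out of an iTunes backup.

```python
"""Carve deleted-row remnants from an iOS-style SQLite store (constructed demo)."""
import os
import re
import sqlite3
import tempfile

# Constructed sample messages; the table layout is an assumption for illustration,
# not a verified copy of the real iOS sms.db schema.
ACTIVE_TEXTS = ["Running late, order without me", "Flight lands at 7:40 pm tomorrow"]
DELETED_TEXT = "Can you delete our chat from last night?"

# Strings that come from SQLite's own header and schema rather than user rows.
NOISE_MARKERS = ("SQLite format", "CREATE TABLE", "CREATE INDEX")


def build_sample_db(path):
    """Create a tiny sms.db-like store, then delete one row the way a user would."""
    conn = sqlite3.connect(path)
    # OFF is SQLite's default; it is forced here so the demo behaves the same on
    # builds compiled with SQLITE_SECURE_DELETE, which would zero freed cells.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER)"
    )
    rows = [
        (1, ACTIVE_TEXTS[0], 1340000000),
        (2, DELETED_TEXT, 1340003600),
        (3, ACTIVE_TEXTS[1], 1340007200),
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", rows)
    conn.commit()
    # The "user" deletes the middle message. SQLite only marks the cell as free
    # space inside the page; the payload bytes stay on disk.
    conn.execute("DELETE FROM message WHERE ROWID = 2")
    conn.commit()
    conn.close()


def active_texts(path):
    """What a normal query (or a logical extraction) still sees."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY ROWID")]
    conn.close()
    return rows


def carve_text_runs(path, min_len=12):
    """Scan the raw file bytes for printable runs, ignoring SQLite's row structure."""
    with open(path, "rb") as fh:
        raw = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def residual_texts(path, min_len=12):
    """Carved runs that no live row and no schema string accounts for.

    A carved run may carry a stray record-header byte or a few bytes of the next
    column glued to it, so live rows are matched by substring, not equality.
    """
    live = active_texts(path)
    return [
        run
        for run in carve_text_runs(path, min_len)
        if not any(t in run for t in live)
        and not any(marker in run for marker in NOISE_MARKERS)
    ]


def demo():
    """Build the sample store and report live rows, residue and whether the deleted text survived."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    live = active_texts(path)
    residual = residual_texts(path)
    recovered = any(DELETED_TEXT in run for run in residual)
    return live, residual, recovered


if __name__ == "__main__":
    live, residual, recovered = demo()
    print("live rows      :", live)
    print("carved residue :", residual)
    print("deleted text recovered from free space:", recovered)
```

Run it with `python carve_demo.py`; the deleted message is absent from the live rows yet present in the carved residue. The residue is fragile: a build or setting with `secure_delete` on, a later `VACUUM`, or enough new inserts to make SQLite defragment the page will overwrite it, which is why the examiner works on a preserved copy of the database file rather than opening the original in a tool that may write to it.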

This is only one example, and I have seen devices provide thousands of deleted and active items. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actual device. When a user syncs their phone to the computer and loads up music, movies, or pictures, they are usually performing a backup as well. The backup files can be exported from the computer and loaded into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

[Screenshot: The collected data from an iTunes backup file via mobile forensic tools]

The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products, both the device and the iTunes backup can be forensically examined.

Devices like the iPhone or iPad can be a great resource for eDiscovery requests. These devices can be connected to an Exchange server or a web mail client. Depending on the configuration, the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for an eDiscovery matter, user devices should not be ignored. They can house emails and documents that are no longer on the server or the user’s computer. As you can see from the screenshot above, this user had 3,943 emails on the device, and of those, 1,199 emails were deleted. These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded “collect all email and documents related to the case,” every device holding these items should be forensically collected.

Categories: Blog, Cell Phone Forensics, Law Enforcement, Mobile Forensics, Tablet PC forensics

Mobile Forensic / Techno Security Conf 2012

Setting the stage: the Mobile Forensic / Techno Security Conference 2012 is being held at the Marriott Grande Dunes resort in Myrtle Beach, SC. With about 500+ attendees from various government agencies, law enforcement jurisdictions, private consulting firms, and corporations, the variety of knowledge and experience was endless. I feel it is safe to say that the majority of attendees were public servants in some capacity. I had the pleasure of meeting one on Sunday, Peter Buchan of HSI. Sunday we shared the experience of the 1st annual conference golf outing hosted and sponsored by CRU Data Port. (They did a great job and I hope more people join in next year!) Needless to say we enjoyed our 18 holes and even swapped a few war stories. I must throw this in here and mention that our threesome wound up winning custom Adidas golf shoes! So a big shout out to Peter and Dan (from CRU Data Port) on a job well done.

Okay, now back to the conference!

The first session this morning was a keynote-type session. Keith Lyon, eCrime Prosecutor from the California Attorney General’s Office, offered up his experiences and knowledge of the side of digital forensics that I hardly see. Sitting in a room with a bunch of law enforcement agents and officers, I’m sure Keith knew he was in for a TON of questions. I thoroughly enjoyed Keith’s presentation and hope to grab a copy of it soon (we were unable to get through it all).

Digital evidence was the main focal point of the presentation, and it began with the evolving laws regarding collection and analysis of digital media. When an arrest is made, law enforcement officials are able to obtain any type of evidence that is Incident to Arrest. The governing rulings that have evolved around Incident to Arrest are first Chimel, followed by Belton, and then Gant.

The Chimel rule was established in Chimel v. California (1969).

Belton was an extension of the Chimel rule from New York v. Belton (1981).

Gant stemmed from Arizona v. Gant (2009).

Of course, none of these have actual verbiage about digital media containers, since they were created before the wide usage of mobile devices. Back in 2008, in US v. Finley, a cell phone was ruled to be a container and fell under the verbiage of “a container, is a container, is a container”.

Soon after this case in 2008, the argument over what type of container a cell phone is arose, and so did the debate of virtual v. spatial containers. The argument is that there is a reasonable expectation of privacy with a cell phone. Since our devices can now hold up to 32 GB of data, the cell phone is now more than ever like a computer.

Until State (Ohio) v. Smith (2009), there had not been rulings on the virtual v. spatial argument. A cell phone was examined for pictures and call logs to assist in the investigation. The court ruled that this fell into the virtual v. spatial argument and that there is a reasonable expectation of privacy with a cell phone. The court discussed that the same information was available through the phone carrier. I would have to strongly disagree with this assumption by the court. We can obtain call logs and message logs from the carrier, but does the carrier give us the actual text of those messages, or give us pictures taken directly from the phone? Without a doubt, the logs from the carriers can, at best, corroborate the evidence found through a forensic examination.

These evolving rules for collecting and analyzing critical evidence are not an indication of the “bad guys” winning. Mr. Lyon explained that the proper evidence collection processes need to be followed. The argument of “exigency” is strong in the world of digital media and evidence. Digital data can be destroyed or lost if not collected right away. Phones can be wiped remotely, or old data can be overwritten as new data is stored. Using “exigency” properly can prove to the judge that collecting the cell phone was indeed imperative to protecting evidence that could be lost forever if left in the hands of the suspected criminal.

Mr. Lyon made a point of discussing the fact that preserving digital evidence does not fall under actually searching that device. Once an arrest is made, the process of obtaining a forensic image can start. (As long as you do not look at the data!! You are simply using “exigency” and allowing the judge to ALLOW or DENY your claim before any data is EVER put into forensic analysis tools.) You have until the suspect is leaving booking or makes bail to obtain this copy. If you do not have this done when the suspect is leaving, you are officially interfering with a possessory interest.

Once you have the forensic image of the device, you can ask the judge for a search warrant to examine the evidence you collected (but did not look at). If the judge allows it, then you are clear to go. If the judge denies this warrant, you have an obligation to never look at it until you can find corroborating evidence to make your search warrant request stronger. This process is not law, but US v. Flores (2012) gives your argument backing from a ruling allowing this process.

There have been cases from 2012 that begin to discuss evidence from cell phones and other digital media. One to look at would be US v. Smith (2012).

In no way am I an expert on how to obtain evidence from a suspect or crime scene. This blog post was simply a relaying of verbiage from the keynote speaker at the Mobile Forensic / Techno Security Conference. Any processes should be run by your superior or prosecutor.