Advanced Mobile Forensics Blog Cell Phone Forensics CelleBrite Chip Off forensics Document Discovery eDiscovery Electronic Discovery iPhone Forensics Law Enforcement Location Data Forensics Mobile Forensics Tablet PC forensics

Apple Forensics – iPhone, iPod, and iPad Forensics

There are several ways that we can collect and obtain data from an iPhone or Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad have different levels of support, but each can be obtained in some forensic fashion. The three levels of support are:

Logical – the collection of active information on the device.
File System – Collection of the device’s file structure and the folders and files within.
Physical – A full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5 this level of support is not currently available. The main reason is that Apple started using the new A5 chip. The decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files. When obtaining a forensic file system extraction those DB (database) files are collected as well. Thus the ability to obtain deleted and active content from the device is possible with a forensic file system collection. Here is an example of the data that can be recovered from an iPhone.

iPhone Forensic Collection

This is only one example, and I have seen devices provide thousands of deleted and active content. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actually device. When a user syncs their phone to the computer and loads up music, movies, or pictures they are usually performing a backup as well. The backup files can be exported from the computer and loaded up into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.

The collected data from a iTunes back up file via mobile forensic tools
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be great resource for eDiscovery requests. These devices can be connected to an exchange server or a web mail client. Depending on the configuration the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for a eDiscovery situation user devices should not be ignored. They can house emails and documents that are no longer on the server or users computer. As you can see from the screen shot above, this user had 3,943 emails on the device and of those emails 1,199 emails were deleted). These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded collect all email and documents related to the case, every device holding these items should be forensically collected.

Blog Cell Phone Forensics GPS Forensics iPhone Forensics Location Data Forensics MFC 2012 Mobile Forensic Conference 2012 Mobile Forensics

iPhone Forensics / Location Information – MFC 2012

Don’t Try Hiding Where You Have Been If You Use An iPhone!

Terry McGuire, of CMD Labs, went over some test data he had acquired in relation to location data on his iPhone and TomTom GPS. If you are familiar with the forensic examination of these two devices this maybe an overview, but you make learn something too. Terry activated a new number with a iPhone to obtain new data between his trip from VA to SC for the Mobile Forensic Conference 2012. Within the iPhone there are 3 main files that the maps/directions will be stored in and these can be found under mobile/library/maps:




If you are unfamiliar with what a .plist is, it is simply means property list. You can obtain these files and view them with a plist editor or even just a hex editor. In the bookmarks.plist file the data contains is just that, bookmarked locations within your maps app. You have have bookmarked address for home, work, school, or a favorite restaurant you went to a few month ago. Within the directions.plist file you will find the actual data for a trip. It will give you the turn by turn directions along with date and time stamps (usually, not always). You must be aware though that even if a location is mapped out and the directions are shown in the directions.plist file does not automatically mean the trip was made. Someone could have entered the address for directions and canceled them without ever making a trip. This information should be used to corroborate other evidence you have. Within the history.plist you will find a list of past trips, but only the starting and ending spots will appear here.

When dealing with photos on the device you can find location data in the metadata. The pictures/videos can be found in the 100APPLE folder. This is located under the DCIM and holds all of the USER interacted pictures and videos. This will not include any cached photos from the web. This is a nice folder to look at when you don’t want to deal with the parsed pictures that include buttons, caches, and what not. The metadata within theses user interacted pictures and videos is rather accurate. Terry took a photo the night before at a local restaurant and than showed the location data within that image. It was dead on.

Within the iPhone you can also find cell tower data. This data will not tell you exactly where each call was made, but it will give you a list of towers that the phone, you’re investigating, has picked up on. So, if I am sitting in Myrtle Beach right now using “tower 1” my iPhone will show that, but it will also show about 5-10 other towers that I drove by or that it already knows are near me. This could be helpful when added to other pieces of evidence or putting someone at a specific spot. The  storage for this information is different in the iPhone 3G/3GS and iPhone 4. Here are the files where this data is held:

3G/3GS – Cells.plist, H-Cells.plist, and H-wifi.plist

4 – data/root/library/caches/locationd/consolidated.db

4 w/ 5.1.1 iOS – data/root/library/caches/locationd/cache_encryptedA.db

As of now the cache_encryptedA.db file is no longer backed up with the phone when connected to the PC. So when examining an iPhone backup with 5.1.1 iOS you will no longer see that database file with the cell tower data.

Something very interesting about a specific APP that some of you may user regarding location sharing. Foursquare saves your location information for places you have never even been. (I have not had the chance to personally test this, but per Terry he tired and tested this on his device). Foursquare will save location information for nearby spots and could give the examiner false presumptions about the whereabouts of a suspect. Be aware of this for your investigations.

TomTom GPS forensics seems to be pretty straight forward. The TomTom can be acquired with Cellebrite and examined with it. TomTom will store this specific data (some early versions saved a TON more):

Fixes – Locations

Journeys – Trip Info

Locations – Home addresses or saved address

other data (depending on if they used it to save photos or what not)
Until next time! Thanks!