- March 28, 2020
iPhone Mobile Forensics
Mobileforensics has become a key factor to the forensic community becausemobile phones especially smartphone use has increased tremendouslyamong people. One of the type of smartphone that is common among thepeople is the iPhone and has grown in popularity over the years sinceits introduction in the mobile market. The iPhone containsinformation that is challenging to retrieve due to its nature ofoperating system and encryption of data on the iPhone do not allowjust any application tools to run if it has not been designed byApple software developers. The main challenge to forensicinvestigators is to keep up with the ever-changing development of anew operating system after a new release by the Apple phonemanufacturing company hence the need to familiarize themselves withdifferent techniques of retrieving data for every operating systemdeveloped over the years. During an investigation forensic scientisthave to use different methods to obtain information in accordancewith the conditions and variables they are faced with. The aim ofthis paper is to help forensic scientists retrieve data fromdifferent IOS systems in the field.
Whenfaced with an active case involving forensic acquisition of data thatis relevant to the case and can be used as evidence. The scientisthas to firstly get to know what the model of iPhone he /she isdealing with, the type of iOS version that is installed in the iPhoneand whether the mobile device is locked with a simple or complexpasscode. Here are some of the iPhone models released by Apple overthe years from the original iPhone to the latest. The latest iOS isin the iPhone 7 Year introduced: 2016 Capacity: 32, 128, 256 GB,model no. A1660, A1778, A1779. iPhone 5S (CDMA) Model no.A1457-A1518-A1528-A1530 N53AP Identifier iPhone6, 2 Year introduced2013 Capacity 16, 32GB. iPhone 5 Model no. A1428 N41AP IdentifieriPhone5, 1 year introduced 2012 16, 32, 64GB. Lastly iPhone 2G Modelno. A1203 M68AP Identifier iPhone1, 1, year introduced 2007 capacity4, 8, 16GB.
Themodel number is always indicated at the back of the mobile devicehence easy to identify, while the operating system of the device canbe obtained using an online tool ideviceinfo that can be obtained atlibimobiledevice.org this will give the model and the operatingsystem version even if the device is password protected(Epifani, 2013).There is need to declare what the data or information being retrievedwill be used for.
Asa forensic investigator, there is need to find irrelevant informationfrom the mobile device, which will act as evidence in court to punishthe guilty party and the data will show a connecting among his /hercollaborators and victim(s) in the crime. A large amount ofinformation can be obtained from the mobile devices but research hasfocused on data that may be of interest to a forensic investigator.According to Engman (2013), he focused his research on the followingdata to be collected for analysis by a forensic investigator, whichinclude the following sources Call logs from which informationobtained will show the list of persons the suspect has been incontact with and the timeline. Other focus include contacts in thephone directory, which will provide the phone numbers and emailaddresses, Messages, Media where pictures can be obtained, Internethistory which will show the users internet pattern, Facebookinformation giving detailed information about the person’s interestsocial life. Lastly, Location information will show the suspectsmovement patterns, Deleted files from the directory, which couldcontain very valuable evidence.
Aforensic process is to be followed in order to obtain the informationdiscussed above and an understanding of the file system used in theiPhone Mobile devices. The file system used in these iPhone and otherdevices using the iOS operating system is HFSX. The iPhone has twopartitions, the root partition is read only and a forensicinvestigator uses a jailbreak tool to jailbreak the partition andallow for read–write permission which enables them to gain accessto the system files of the iPhone. The other memory of the iPhone iscontains the user partition stores all the data used by the user ofthe device. Information is stored in the SQLite databases and properlists that are in the form of XML. Some of the sources of data likemessages, geographical location, keychains and call history areaccessed using a SQLite viewer tool on the iPhone. Analysis of thephones backup data is performed by the use of different tools andforensic programs. The most common tool is the ITunes and theuniqueness of an iPhone is determined by the phones UDID. To read anddisplay the databases applications from the web an example is theIphoneanalyzer but wit does not work with the latest versions of theiPhone that uses iOS6. Another method to analyze data on the iPhoneis by the use of the XRY analyzer, which contains software that usedto gain access to the phone memory (Curran,Robinson, Peacocke & Cassidy, 2012).
Inconclusion, all these methods used to obtain and analyze informationuse specific processing commands, and are able to obtain informationfrom any iPhone. Developers are researching on new tools to gainaccess to the newly developed operating systems used in the recentlyreleased iPhone 7.
Epifani,M. (2013). Cloud Storage Forensics. SANSEuropean Digital Forensics Summit, Prague.
Engman,M. (2013). Forensic investigations of Apple`s iPhone.
Curran,K., Robinson, A., Peacocke, S., & Cassidy, S. (2012). Mobilephone forensic analysis. CrimePrevention Technologies and Applications for Advancing CriminalInvestigation,250.