SANS Digital Forensics and Incident Response Blog

Paraben Forensic Conference Report: iPhone Forensics - Tools and Tips From The Trenches

One of the training classes with high attendance at the Paraben Forensic Innovations Conference this week in Park City, Utah, was the Apple iOS Forensics Bootcamp. Apple's iOS is the operating system that powers the Apple iPhone, iPod Touch, the iPad, and the Apple iTV device. With the exploding popularity of these devices (well, except for the iTV), Law Enforcement, corporate investigators, and other forensic professionals are looking to learn more about this platform.

The iOS Forensics Bootcamp was instructed by Ben Lemere of Basis Technologies. Lemere has worked in forensics for The Feds, and the private sector. The focus of the bootcamp was mostly on iPhone forensics, although many of the principals apply to the other devices. Ben uses an excellent tool for conducting iOS forensic analysis, and provided helpful "boots in the trenches" tips.

The hands-on part of the bootcamp was to a great extent focused on using the iBackupBot. All iPhone users must use iTunes to manage their device. And it's iTunes that provides a wealth of information for the forensic investigator.

iBackupBot is an easy-to -use shareware/nagware tool allows an investigator to view and analyze the iOS backup files that reside on the computers end users use to manage their iOS devices. With iBackupBot, the investigator can view and analyze the iTunes backup files, and quickly identify the relevant files of interest. iBackupBot allows the investigator to view the device's databases, images, SMS messages, notes, address book, call history calendar, and more. And, the applications allows the export of the data to CSV files for easier creation of charts for use in reports. Finally, most iOS tools are Mac-only tools (developed by Mac developers for Mac users). iBackupBot is a Microsoft Windows application, and therefore is more useful for forensic labs, where Windows is still the predominate operating system.

iBackupBot will also allow the viewing of all "captured text." The iPhone has a spell checker to improve the accuracy of the on-screen keyboard. That feature saves a running log of recent keystrokes. Those keystrokes can be very revealing. For example, did the use enter in a search engine string that is relevant to the investigation? Or, did the user start to enter a note with relevant information, and then delete the note? This keylogging feature can contain a treasure-trove of valuable information.

The CyberJungle Radio Program also met with a representative of Lantern by Katana Forensics here at PFIC. Lantern is Mac-only desktop software that does analysis of the iOS backup file. According to their spokesperson, Lantern is designed to speed analysis of iOS data.

One of the challenges in iOS forensics is the imaging of the device itself. According to Lemere, the only method for imaging an iPhone is by "Jailbreaking" first. That necessitates changing the information on the device itself, a practice that is not ideal from a forensic science perspective. So, a true "DD-like" image is not possible to accomplish at this time, so any physical imaging (as opposed to logical imaging) of an iOS device could be described as a "near physical image." Note to expert witnesses: it might be relevant to note that a physical image of an iOS device, is not pure, unaltered image of the device.

Another iOS challenge is that while there are Jailbreaking forensic techniques to image an iPhone, Lemere said that many open-source tools only work on one iOS device, due to subtle differences between the different devices.

According to Amber Schroeder, CEO of Paraben Corporation, Paraben has a commercial tool that will allow the near physical imaging of iPhones, iPod Touches, and iPads. According to Schroeder, the current Paraben Tools will not parse the iPad data. The next revision, due out in about one month, will have that feature. In the meantime, a manual, time-consuming analysis will be required for the iPad data.

Using the backup file, and basing an investigation on that logical image, may therefore, be the preferred method for many investigators.

Another challenge for forensic investigators is getting cooperation from Apple and AT&T for devices and software. Many members of law enforcement were in the bootcamp, and they complained about Apple and AT&T's lack of co-operation. It appears that Apple and AT&T view law enforcement as just another potential niche to sell iPhone and contracts to, if the comments by the attendees are to be believed.

Finally, Lemere and his associates are getting ready to launch a new resource for investigators: iOSForensics.org. The site is up now in basic form, with more content and forums to follow "soon," according to Ben.

by Ira Victor, G7799, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of The CyberJungle radio program, the news and talk each week on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of High Tech Crime International Association.