SANS Digital Forensics and Incident Response Blog

iPhone Forensics white paper

We (viaForensics) have released an updated version of our free white paper on iPhone Forensics. The paper reviews specific software and techniques that analysts and investigators can use to recover the vast amount of information stored on Apple's iPhones. Ok, that's from our press release but this audience doesn't need that. So here is some additional background on the white paper!

First, it is a huge endeavor to generate this white paper but the interest is quite high so we saw it through. We reviewed 13 different tools and provide our thoughts on each as forensic analysts who regularly analyze smart phones. There are plenty of screen shots, descriptions and the like. We'd love any feedback, so if you can check it out and let us know, it would be most appreciated.

This time around the tools were noticeably more mature than in early 2009. But Apple keeps changing things in the constant cat-and-mouse game, so the vendors must make a sustained investment in their product to stay relevant. Some do that better than others.

One interesting development was that many of the logical tools were able to retrieve some deleted data which really helped in the overall ratings. They achieve this mostly by pulling deleted records from the SQLite files they acquire as part of a logical/backup process. We think this was a very smart move on their part. Of course, as we further refine the white paper, we'll likely have a test iPhone which contains deleted data not only in the SQLite files but in other areas. This information is generally only available after a physical acquisition and analysis but can be extremely important in an investigation.
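As an added example (not from the white paper or from any vendor's tool), the following Python script shows the mechanism behind that deleted-record recovery: it builds a constructed message database, deletes one row the way an application would, and then walks the freeblock list of each leaf page in the raw file to carve the record bytes that a SELECT no longer returns. The table layout and the message contents are invented for the example; `secure_delete` is set to OFF explicitly because that is the condition under which remnants survive.

```python
import os, re, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: a tiny message store, then one row deleted the way an app would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # the usual default, made explicit so remnants survive
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, text TEXT)")
    con.executemany("INSERT INTO message (address, text) VALUES (?, ?)",
                    [("+15550100", "meet at noon"), ("+15550101", "REMNANT: call me back"),
                     ("+15550102", "ok")])
    con.commit()
    con.execute("DELETE FROM message WHERE address = '+15550101'")
    con.commit()
    con.close()

def carve_freeblocks(path):
    """Payload bytes of every freeblock on every leaf b-tree page. A freeblock is space a deleted
    cell released; without secure_delete SQLite overwrites only its first 4 bytes (next offset, size)."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size      # the value 1 encodes 65536
    blocks = []
    for pno in range(len(data) // page_size):
        base = pno * page_size
        hdr = base + (100 if pno == 0 else 0)               # page 1 begins with the 100-byte file header
        if data[hdr] not in (0x0D, 0x0A):                   # table-leaf and index-leaf pages only
            continue
        fb = struct.unpack(">H", data[hdr + 1:hdr + 3])[0]  # offset of first freeblock, 0 = none
        while fb:
            nxt, size = struct.unpack(">HH", data[base + fb:base + fb + 4])
            blocks.append(data[base + fb + 4:base + fb + size])
            fb = nxt
    return blocks

def recover_strings(path, min_len=4):
    """Printable runs inside freeblocks: the deleted-record remnants an examiner would review."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode() for blk in carve_freeblocks(path) for m in pat.finditer(blk)]

def demo():
    """Build the sample in a temp dir, then compare the live SELECT with what carving recovers."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "message.db")
        build_sample_db(path)
        con = sqlite3.connect(path)
        live = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
        con.close()
        return live, recover_strings(path)
```

Freeblocks are only one of the places remnants live; pages on the database freelist, unallocated space on live pages, and rollback journal or WAL files also deserve the same treatment in a real examination.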

So I'll wrap this post up but I think it's interesting to postulate where the iPhone Forensics industry will (or perhaps should) be in the next 6 to 12 months. Predictions are not interesting unless you go out on a limb so here are my thoughts on what the tools need to do to push the envelope:

  1. Focus on iOS vs. a specific device (iPhone) to prepare for the expansion I believe Apple is planning for iOS
  2. Strive to support the latest version of iOS when it is released. The luckiest companies will have a direct relationship with Apple where they can build support prior to official release
  3. Provide the examiner the specifics on where data was pulled from and expose that data to the examiner directly for further analysis
  4. Enhance the ability to recover deleted data from a logical analysis. This will be mostly pulled from SQLite files but we've found deleted data in other files too
  5. Truly understand the various artifacts pulled from the device. For example, few vendors "reverse engineer" the full set of flags available in a particular data feed. Those that do will provide the examiner with the extra information which can so often be critical in an investigation.

So, there's my off the cuff list. Until next time (which will likely be our Android Forensic white paper).

1 Comment

Posted November 17, 2010 at 5:59 PM

Graham Gelling

I really appreciated the updated white paper. It's got a lot of the information I was just asked to collect a week ago.
One question that came up: I have known about the Zdziarski method and grabbed his O'Reilly book a year and a half ago. But most of the more recent details he has kept specifically to Law Enforcement. You mention going to iphoneinsecurity.com to get some automated tools. I was under the impression that commercial entities couldn't do that.
It's mostly for proof of concept; the fact that it "has" been done is usually enough for most people I report my findings to, but some have asked for demos and proof that X method works on our data/systems, and without access to this, I've been unable to show that.
I'm just curious if there was a different resource/second hand you got the details from, or if you had been given access to the site and were using the full and complete method.