iPhone Forensic Practices
This page is meant to be an introductory into iPhone forensics. The practice of computer forensics is broken down into three parts.
- Hardware. Hardware is at the backbone of what we do. If we didn’t have computers as well as specialized equipment such as cables, write blockers, and forensic duplicators we would not have much of a job to do.
- Software. Software makes everything possible. Certain software is designed to handle broad amount of data. Other software is designed to take on a specific task.
- Knowledge. Knowledge of computer forensic principles and practices, along with the knowledge of how to operate not only the hardware, but the software as well, rounds out the trifecta of computer forensics.
It is no different with iPhone forensics. It requires at times certain hardware as well as software and knowledge in order to successfully extract and decipher data from an iPhone.
The following will be a general knowledge of what can and cannot be done on iPhones. We receive phone calls daily from people who want to know what can be done on a particular iPhone.
On June 8th, 2009 Apple introduced the iPhone 3GS. This was followed by the iPhone 4. From a cell phone forensic standpoint, these were great phones to work on. Both allowed for what we in the industry call a physical extraction. This simply meant that we could grab all of the available data whether it has been deleted or not.
Note: It is not possible to recover everything that has been deleted. When an item has been deleted it is now available to have new data overwrite the space on the which it resided. Deleted data is only available for recovery if it has not already been overwritten by new data.
With that in mind, an iPhone 3 and 4 are great candidates for physical extractions. Items, like deleted photos, videos, text messages, phone calls and contacts to name a few can typically be extracted. The basic rule of thumb is this on the iPhone 3 and iPhone 4. If it has been deleted, it can be recovered so long as it has not been overwritten.
iPhone 4S, 5 and 6
On October 14th, 2011 the iPhone 4S was released. To the general consumer, the best feature was the increased battery life of the iPhone.
A major point of differentiation is that the iPhone 4S is a dual-antenna equipped “world phone” that supports both GSM and CDMA networks — UMTS/HSDPA/HSUPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz), and CDMA EV-DO Rev. A (800, 1900 MHz) — and the “antenna automatically switches between send and receive.” It supports 802.11b/g/n and Bluetooth 4.0, too. HSDPA is up to a theoretical maximum of 14.4 Mbps.
It is easy to look up the differences between between the 4 and the 4S. The biggest difference between the two phones that you won’t typically read about is iPhone encryption. The encryption developed by Apple is second to none. At the time of this writing, nobody has been able to break the encryption on iOS device. Many have tried and many have failed. North Korea, Russia, Iran, hackers from around the world including our team here at Decipher Forensics have failed to break the encryption. What does this mean to you and I that have an interest in iPhone forensics? Once an item has been deleted, it is encrypted and it is gone for all practical purposes and it’s not coming back. iOS encryption applies to deleted data on an iPhone. So within the forensics world deleted photos, videos, call logs that have been deleted are deleted. Did you notice that I left out an item or two of particular importance? Text messages and certain app data.
What? How can this be? You might be thinking, “Hey this guy just told me that once an item is deleted on a iPhone 4s and forward that it is gone and not coming back?” You are correct I did say that, but fortunately Apple runs a large number of its apps and programs in an SQLite database.
SQLite is not as powerful as other DMBSs, such as MySQL or SQL Server, as it does not include all of their features. However, its greatness lies mostly to these factors:
- It’s lightweight, yet robust.
- It contains an embedded SQL engine, so almost all of your SQL knowledge can be applied.
- It works as part of the app itself, and it doesn’t require extra active services. (this is a key ingredient)
- It’s very reliable.
- It’s fast.
- It’s fully supported by Apple, as it’s used in both iOS and Mac OS.
- It has continuous support by developers in the whole world and new features are always added to it.
I am not a SQLite database expert by any stretch of the imagination, but here is what I know. For lack of a better term, the SQLite database acts as force field from iOS encryption upon deletion in many circumstances. In a SQLite database, when you deleted a text message for example, it is gone from being pulled up again by the operating system, but in many circumstances, it still resides in the bubble of the database for lack of a better term. Because of that, you are able to “carve” out the data in a readable format. I did not say a perfect format, but a readable format. In a perfect situation, you can find the phone number, the time stamp and the message itself. In a not so perfect world different text messages might reveal the phone number and the time, but no message, or the message with no time. I think you get the idea.
This also applies to different apps that are used on the iPhone. SQLite databases are very popular for many different types of apps. Because of this a vast amount of data can be recovered from various apps. We have done research on dozens of apps in banking, social media, texting, dating, photo sharing to name a few. Each app discloses data, but what data is given up varies from app to app.
To discuss your case, or your potential case involving an iPhone, iPod, or iPad, you need to talk to one of our expert examiners. Fill out the form to the right or give us a call now.
Decipher Forensics LLC 686 East 110 South Ste. 104 American Fork, Utah 84003