The iPhone is one of the most commonly used smartphones in the world today. As its popularity grows, the interest in retrieving all the data contained in this device also grows. A smartphone is basically a small computer, and numerous concepts of computer forensics can be applied to it. However, the difference here is that data in such phones is highly volatile. Furthermore, it is difficult to copy the content of the memory since it is encrypted in the phone’s operating system. The running of applications foreign to Apple is also cumbersome, and this forces forensic experts to work their way around the challenges (Engman 1).
Smartphones such as the iPhone are increasingly being used as instruments for connecting people. This is through phone calls, social networks and short message services. If an individual’s associates and networks are to be mapped, then their mobile phone becomes a resource for this purpose (Engman 1).
The main objective of this paper is to demonstrate how forensic analysis can be performed on the memory of the iPhone. The main question in this study is:
- How can a forensic analysis of an iPhone be performed?
Approach / Methodology
This study will involve a qualitative research methodology which will include conducting investigative experiments. To be able to acquire forensic data from the iPhone, it is important to understand the file system that it uses. The iPhone uses the HFSX file system. An understanding of the two main ways in which data is stored, SQLite databases and the binary property list (.plist), is also important, since artefacts such as call history and messages are stored in the databases of the iPhone (Engman 5).
The main objective of any forensic investigation is to find information that can be used as evidence to get to know the individual behind the system. The interest also includes the acquisition of some knowledge of the people that this person knows, including his or her associates. The primary function of the smartphone will be to provide the necessary connection between an individual and his or her acquaintances (Engman 9). The data that can be extracted from this phone, which is of interest to forensic investigators, focuses on the following areas:
- Call logs (Library/CallHistory/call_history.db). It is an apparent source of data in the examination of a mobile phone. It provides a list of people the person under investigation is attached to. It also provides timestamp data.
- Phone contacts (Library/AddressBook/AddressBook.sqlitedb). It includes both mobile phone numbers and email addresses.
- Media (Media/PhotoData/photos.sqlite). iPhones can also be used as cameras, which keep improving every time a new model is produced. The extraction of these files can act as vital evidence.
- Deleted files. To be able to retrieve these, a complete copy of the phone memory is needed, from which the deleted files are carved out of the unallocated space. The files and folders in this segment could be valuable evidence.
- Internet History (Library/operamini/history.Plist). This will provide information useful in understanding the internet patterns and the sites accessed.
Analysis and Discussion
Backup analysis is one way in which a forensic investigation of an iPhone can be performed. iTunes is one of the most common tools for backing up an iPhone. When using iTunes one is supposed to specify how often he or she will be upgrading the firmware on the mobile device. Depending heavily on the operating system, the backups are often stored in default locations. The backup folder often has a forty-digit hash value as its name, which serves as a unique identifier (Engman 8-9). During forensic investigations, a browse through the backup directory will produce files without file extensions, named only by a Unique Device Identifier that is different in every iPhone (Engman 9). These backup files are able to display the content of the messages, contacts, media, internet history and call logs.
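Because the backup files carry no extensions, an examiner has to identify them by content before opening them as SQLite databases or property lists. The following is an added example, not taken from Engman or the original paper: it classifies each file by its leading bytes and then lists SQLite tables or plist keys. The 40-character file names, the `call` table and the sample files are constructed for illustration.

```python
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Leading bytes ("magic") of the storage formats discussed on this page.
SIGNATURES = {b"SQLite format 3\x00": "sqlite", b"bplist00": "binary-plist",
              b"<?xml": "xml-plist", b"\xff\xd8\xff": "jpeg"}

def classify(path):
    """Return a format label for one extension-less backup file."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((lbl for magic, lbl in SIGNATURES.items() if head.startswith(magic)), "unknown")

def summarize(path):
    """Classify a file, then list its tables (SQLite) or top-level keys (plist)."""
    kind = classify(path)
    if kind == "sqlite":
        # Open through a read-only URI so the evidence file is never modified.
        con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
        query = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        tables = [row[0] for row in con.execute(query)]
        con.close()
        return kind, tables
    if kind in ("binary-plist", "xml-plist"):
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
        return kind, (sorted(data) if isinstance(data, dict) else [])
    return kind, []

def build_sample_backup(root):
    """Constructed sample data: three files with hypothetical 40-character names."""
    root = Path(root)
    con = sqlite3.connect(root / ("a" * 40))
    con.execute("CREATE TABLE call (address TEXT, date INTEGER, duration INTEGER)")
    con.commit()
    con.close()
    (root / ("b" * 40)).write_bytes(plistlib.dumps({"history": []}, fmt=plistlib.FMT_BINARY))
    (root / ("c" * 40)).write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    return root

def scan(root):
    """Map every file name in a backup folder to (format, tables or keys)."""
    return {p.name: summarize(p) for p in sorted(Path(root).iterdir()) if p.is_file()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (kind, detail) in scan(build_sample_backup(tmp)).items():
            print(name[:8], kind, detail)
```

In practice `scan` would be pointed at a working copy of the backup folder rather than the original evidence.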
Forensic analysis can also be conducted through the jailbreak technique. This is made possible by a security fault in the phone that can be used in the exploitation of the device to gain a read or write permission into the root partition of the phone (Engman 18). The initial step is to find a tool that can be used to exploit the existing version of the iOS on the iPhone. Whenever a jailbreak is done, Cydia, application software for searching and installing other programs foreign to Apple, is installed. When installed through an SSH-client to the iPhone, the software is able to browse through the entire file system without any restrictions. It is able to browse through the entire file structure and retrieve call logs, contacts, messages, media, internet history and deleted files (Engman 18-19).
The objective of this paper was to provide an overview of the techniques that can be used in examining forensic data in an iPhone. The methods discussed are both based on their usability and ability to retrieve certain files. These files are considered vital to forensic investigators and could act as important evidence. They include messages, call logs, internet history and deleted files. Backup files in the iPhone only serve to retrieve minimal amounts of data. However, the jailbreak technique, despite its complexity, gives more information than the backup style of analysis.
Engman, M. Forensic Investigations of Apple’s iPhone. Kandidatuppsats. 2013, pp. 1, 3, 5, 12, 15, 18, 19.