Tuesday, May 5, 2020

Mobile Forensics on iPhone

Mobile forensics is a young discipline, and artefacts that examiners are used to recovering from computers, deleted files for example, are not always reachable on a handset with the same techniques. Phone models also change constantly, which keeps the field a moving target. There is nonetheless a clear need to examine mobile phones forensically, because most people now rely on them, and in particular on the iPhone; the iPad and the iPod touch (called "iTouch" in this essay) are further Apple products running the same software.

The iPhone was first released in June 2007. It was marketed as a device for checking email, taking photographs and browsing the web on the go, saving the user from switching on a laptop or PC just to read and reply. Beyond those built-in functions, third-party applications support organisational workflows and provide entertainment. As the iPhone has become widespread, more and more applications have been written to help people do their jobs on the move, serving not only organisations but also students and the elderly. With such a large user base the iPhone is treated as a pocket computer wherever its owner goes, which means that a great deal of personal and business data ends up stored on this small device.

iPhone forensics therefore has to consider both the hardware and the software. The sections below explain each aspect.
iPhone Specification

Comparing the four iPhone models available at the time of writing, every model except the original (first-generation) iPhone has integrated GPS, which lets the device record where it has been. That location history is one of the artefacts an examination can recover, as covered in the sections on acquisition below. The table below lists the basic built-in applications and how each can help a mobile forensic investigation.

Application | How the information helps
Maps | Previous locations the user has visited
Phone | Call logs between the user and others
Photos | Latitude and longitude of where a picture was taken (if Location Services were enabled)
Mail | Emails received, sent and drafted
Messages | Conversations between the user and others
Calendar | Dates the user marked as important

The data from these built-in applications gives the examiner initial evidence to document and analyse before attempting to recover deleted items such as deleted emails.

iPhone leveling

Leveling classifies the tools used to examine the phone. The classification pyramid developed by Sam Brothers in 2007 lets the examiner place a tool, and the examination itself, at one of five levels according to how deep it goes. Its purpose is to make tools easier to compare, to provide a common standard for examiners, and to make explicit what an examiner is actually doing to the device.

Figure 1.1: the tool classification pyramid

The higher a method sits on the pyramid, the more technical it is, the longer the analysis takes, and the more in-depth and invasive the technique becomes at each step.
Level 1, Manual Extraction, is the most basic: the examiner handles the phone physically, browses its data through the keypad or touchscreen, and documents what is displayed. Nothing can be recovered this way if the device is physically damaged (screen unresponsive, buttons broken), and deleted data is out of reach.

Level 2, Logical Extraction, connects the device to a workstation and pulls data through software over the device's own interface. This shows what the phone holds in far more detail than manual browsing.

Level 3, Hex Dump, uses the same cable connection as Level 2 but pushes code onto the device so that the contents of its memory can be sent across the connection as raw data, which includes unallocated space.

Level 4, Chip-Off, acquires the data directly from the device's memory chip, the NAND flash. The chip is physically removed from the board, read with a chip reader, and the image stored on a computer. One challenge is the time it takes to interpret and read the raw data, since the examiner has to rebuild the file system from it.

Level 5, Micro Read, involves reading the physical gates of the chip under a microscope and interpreting the data seen there. Being the highest level, it is extremely time-consuming and expensive.

Acquisition Types

There are a few acquisition types: backup, logical, physical and non-traditional. They overlap with the levels described above; each is explained below.

Backup

An iTunes backup is stored on the computer the phone was synced with, in the MobileSync backup folder (for example ~/Library/Application Support/MobileSync/Backup/ on a Mac, or %APPDATA%\Apple Computer\MobileSync\Backup\ on Windows). Syncing and backing up are different operations. A sync only keeps selected data, such as photos, contacts and some application data, consistent between the phone and the PC. A backup copies the whole set of user files and directories that Apple's protocol exposes.
Call logs, SMS databases and application data, for example, are all backed up. This acquisition type reads the data from the iPhone backup files that iTunes created using Apple's synchronization protocol; only files that the protocol backs up can be analysed, so the examiner gets no more than what iTunes saw.

Logical

Logical acquisition obtains data directly from the iPhone and is preferred over recovering files from a computer the iPhone has synced with. It recovers the active files and folders from the iPhone's file system, but not data held in unallocated space or file slack, so deleted items are generally out of reach.

Physical

Physical acquisition produces a bit-by-bit copy of the iPhone's storage. It is the most complex of the acquisition types and also the one that recovers the most data: everything stored on the flash, including deleted messages, photos and GPS locations, can in principle be recovered, provided it has not been overwritten.

Non-traditional

Jailbreaking is one non-traditional method. A jailbreak modifies the device's firmware to lift Apple's restrictions, which gives the examiner far more flexibility. Because the modification alters the evidence source, it demands an experienced examiner and every change must be documented.

iPhone OS

iOS is the platform and operating system Apple developed for the iPhone. It now runs on other devices as well, such as the iPad and the iPod touch.

iOS Layers

Layer | Description
Core OS | Sits directly above the hardware and provides the low-level services: the kernel, low-level networking, accessory access and security services.
Core Services | Provides the fundamental system services that applications depend on, including the basic data types and interfaces (Foundation, the SQLite library and similar).
Media | Provides the graphics, audio and video technologies that applications use to draw and play media; it does not store the user's media files, which live in the user data partition.
Cocoa Touch | Provides the frameworks that implement the user interface for applications (touch handling, views, application life cycle). Applications are written against it in Objective-C.

File System

The file system used by iOS devices of this generation is HFS Plus (HFS+), in its case-sensitive HFSX variant. HFS+ was chosen for disk-space efficiency and for Unicode (internationally friendly) filenames. It is not natively readable by Windows, so the examiner normally analyses an image on a Mac or with a tool that understands HFS+. (Devices on iOS 10.3 and later use APFS instead.)

iPhone disk partitions

The iPhone's NAND flash holds two partitions: a firmware (system) partition and a user data partition. The system partition holds the operating system and the built-in applications. The user data partition takes up most of the space and is where most evidence is found. An image taken from this partition is stored as a '.dmg' disk image and mounted on a Mac for further analysis. The table below compares the two partitions:

 | Partition 1 "System" | Partition 2 "User Data"
Referred to as | System or firmware partition | User data or media partition
Storage on device | 0.93 GB of 8 GB; 1.4 GB of 16 GB; 2.7 GB of 32 GB | 7.07 GB of 8 GB; 14.6 GB of 16 GB; 29.3 GB of 32 GB
Mount location on iPhone | "/" (root) | "/private/var"
Type of data stored | Operating system, built-in applications, firmware upgrades | All user data (SMS, call logs, photos, iTunes files, etc.)

Figure 1: iPhone disk partitions (taken from the reference below)

Acquisition Techniques

As discussed earlier, there are three main methods of acquisition: physical, logical and backup. In backup acquisition, the backup of the device held on the computer is retrieved; it is used mainly when the device itself is not available. The files Status.plist, Info.plist and Manifest.plist carry configuration information about the phone, the backup files, and the state of the backup. The files that actually carry the content are the *.mddata and *.mdinfo files.
Both are binary files containing user data that is not legible when opened directly, so tools are needed to read them. All plist files should be converted to XML to make them readable (on a Mac, plutil -convert xml1 file.plist does this). An unencrypted backup is easy to acquire; an encrypted backup requires the backup password that was keyed in when the backup was made, so a standard tool cannot view the files unless the password is known or recovered with a password-cracking tool.

In logical acquisition the active file system is duplicated into an image file, which is then viewed in the chosen tool and exported as a report. Whatever software is used, the acquisition follows the same overall steps:

1. Run the forensic software of your choice.
2. Connect the device.
3. Acquire the image from the phone. This step pulls from the device all the information that is backed up via Apple's synchronization protocol.
4. Depending on the software, the results can be turned into a report.

Zdziarski Technique

This technique gives the examiner a bit-by-bit copy of the user data partition. It requires modifying the read-only system partition, since a small amount of software must be installed there for the method to work, and the tool is command-line driven, so the examiner needs to know the relevant commands. Once the phone is rebooted, the examiner initiates a raw disk image on the device and pulls it onto the forensic workstation for further analysis. Because the system partition is modified, that change to the device must be documented.

iXAM Technique

iXAM was created by Forensic Telecommunications Services Ltd (FTS). It is a software product that requires a USB dongle. It runs on Windows only, but can be run in a Windows virtual machine on Linux or a Mac. iXAM is installed by running a setup file, provided by FTS, from an external USB drive.
iXAM works by sending unsigned code over the USB connection to a device that is in DFU mode. Before going further, the three operating modes of an iPhone need describing.

Normal mode: the device is booted and running iOS in the usual way.

Recovery mode: the device is booted into iBoot, Apple's second-stage bootloader, bypassing the operating system. To enter it, power the device off, hold down the Home button, and connect the device to the computer while still holding it.

DFU (Device Firmware Upgrade) mode: this mode is used to initiate low-level actions on the iPhone, most commonly a physical acquisition, because code loaded in this mode runs from RAM and never touches the user data partition. To enter DFU mode, connect the phone to the computer and make sure iTunes does not start automatically (quit it if it does). Hold both the Power and Home buttons for ten seconds, release the Power button while continuing to hold Home, and keep holding Home for about ten more seconds. When the device has entered DFU mode correctly the screen stays black; no Apple logo is shown. iXAM also prevents the device from connecting to external networks, an important feature because it protects the data on the device from remote change, just as network isolation does in computer forensics.

Real World Applications

Mobile forensics on the iPhone, iPad and iPod touch is widely used in many countries, partly because Apple devices have a very active hacking community whose tools and research also support forensic investigation.
Some examples of supported tools are:

- UFED (Cellebrite)
- Oxygen Forensics for iPhone
- MacLockPick (SubRosaSoft)

Whatever tool is used, the investigation procedure must not modify the source data in any way, so that the integrity of the evidence is maintained. If the source has been modified and cannot be restored to its original state, the investigation is compromised.

Forensic software products use two main techniques:

Backup: analyse a backup of the iPhone file system made with Apple's protocol. The procedure reads and acquires the files that Apple's synchronization explicitly backs up from the iPhone. Because the information is stored in SQLite databases, querying those databases directly, and examining their unallocated space, raises the chance of recovering deleted call logs and messages.

Physical bit-by-bit copy: take a physical bit-by-bit copy of the file system. This technique recovers the most data, but it is usually more complex and requires more sophisticated tools.

Investigators face several challenges when performing forensics on a mobile device such as the iPhone. One is the time taken to perform a physical acquisition and analysis. Another is that there are more than a dozen software and hardware solutions on the market for extraction and analysis, and the product descriptions on vendor websites do not give a clear understanding of what each product can actually do.

Conclusion

To carry out a mobile forensic investigation or analysis, we must first understand how the iPhone, iPad and iPod touch work internally. All Apple touchscreen devices use the same iOS (originally iPhone OS), which makes forensic analysis easier since they are all on the same platform.
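Two points made above, that the backup folder holds the phone's files under opaque names (the *.mddata/*.mdinfo files of the Backup acquisition section) and that querying the SQLite databases raises the chance of recovering deleted call logs and messages, can be seen concretely in a few lines of Python. The following is an added example and is not code from the essay or from any of the tools it names. It computes the name iTunes assigns to the SMS database inside a backup (the SHA-1 of "domain-path", a documented naming convention), then builds a constructed look-alike of the sms.db message table, deletes one row as a user would, and shows that the deleted text survives in the raw file bytes unless SQLite's secure_delete setting is on. The table layout, phone numbers and message texts are constructed for the example and are not real data.

```python
import hashlib
import os
import sqlite3
import tempfile


def backup_file_name(domain: str, relative_path: str) -> str:
    """Name iTunes gives a backed-up file: SHA-1 of "<domain>-<path on device>".

    Knowing the domain and on-device path of an artifact lets the examiner
    find it in the backup folder without first parsing the manifest.
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


# Constructed sample rows shaped like the sms.db "message" table; not real data.
SAMPLE_MESSAGES = [
    (1, "+15550100", "meet at the pier at nine", 1299969000),
    (2, "+15550101", "bring the second phone", 1299969300),
    (3, "+15550102", "running late", 1299969600),
]
DELETED_TEXT = "bring the second phone"


def build_and_delete(db_path: str, secure_delete: bool) -> None:
    """Create the look-alike database, then delete one message as a user would."""
    conn = sqlite3.connect(db_path)
    # secure_delete=ON makes SQLite zero freed cells; OFF leaves them in the page.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE message ("
        "ROWID INTEGER PRIMARY KEY, address TEXT, text TEXT, date INTEGER)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    conn.commit()
    conn.close()


def live_messages(db_path: str) -> list:
    """What a logical tool sees: only rows still reachable through the b-tree."""
    conn = sqlite3.connect(db_path)
    try:
        return [row[0] for row in conn.execute("SELECT text FROM message ORDER BY ROWID")]
    finally:
        conn.close()


def carve_text(db_path: str, needle: str) -> bool:
    """What a raw scan of the file sees: a freed cell keeps its payload bytes
    (only the first four bytes are overwritten by the free-block header)."""
    with open(db_path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def recover_deleted(secure_delete: bool) -> dict:
    """Run the whole experiment in a temporary directory and report both views."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "sms.db")
        build_and_delete(db_path, secure_delete)
        return {
            "live": live_messages(db_path),
            "deleted_text_in_raw_file": carve_text(db_path, DELETED_TEXT),
        }


if __name__ == "__main__":
    print("sms.db backup file name:", backup_file_name("HomeDomain", "Library/SMS/sms.db"))
    for flag in (False, True):
        print("secure_delete", "ON" if flag else "OFF", "->", recover_deleted(flag))
```

The live query never returns the deleted message in either run; only the raw scan does, and only while secure_delete is off. That is the whole reason the essay's advice to look at the database itself rather than at a tool's exported rows matters: a forensic tool that only issues SELECT statements sees exactly what the user left behind, while a carving pass over the file's free space can see what was deleted, as long as the page has not been rewritten or vacuumed since.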
Reflections and Task Allocation

Task allocation: spread across all parts, and overall editing.

By researching the real-world applications, I found out that there are actually a lot of mobile forensic tools out in the industry to try out. From this assignment, I have learnt that mobile forensics is equally important to normal forensic investigations, because in this technologically advanced world mobile forensics will be really needed in the near future. It consists of a lot of steps to get the data needed; e.g. deleted messages will have to go through a lot of processing to retrieve, which might be time-consuming.

By Candice.
