iPhone Forensics
Catherine Stamm
The Senator Patrick Leahy Center for Digital Investigation
Over the past three weeks, I have been working on iPhone forensics using an iPhone 3G provided to me by the LCDI. The phone’s service was not turned on, so all data accumulated on the device came from using Wi-Fi.
Before starting, I set up an outline of all the areas of the iPhone I wanted to examine. This included using Safari to generate an internet history, using a VPN service, sending emails, downloading applications for texting and calls (as well as social networks, books, games, etc.), taking photos and videos, using Google maps, creating a lock code and jail breaking the device. Other iPhone capabilities were also used in my research (notes, calendar, alarms, YouTube, screenshots, IM), but I figured these were the ones most often used by people who own iPhones.
Initially I planned on conducting a physical acquisition of the iPhone. This method would have given me much more access to the iPhone’s file system and would have provided me with a lot of data. In order to perform a physical acquisition on iPhone’s though, the phone needs to pretty much be jail broken. A popular method that does this, without actually jail breaking the phone and therefore not corrupting any data, is the Zdziarski method. I tried to do this, but the tools needed are only given to full time law enforcement and military personnel, and is not available for research projects.
While it would have been great to get access to the Zdziarski method, the software Oxygen Forensic Suite 2012 works just as well. This was the software I used for the majority of this project. Paraben’s Device Seizure was also used toward the end because we do not have the full version of Oxygen and I felt a lot of necessary data was missing.
The first thing I did with the iPhone was connect it to my workstation and activated it using iTunes. I then turned on Wi-Fi and connected that to my Droid Bionic’s hotspot (Android51), as the iPhone could not find any available networks when I started. I installed an application called Talkatone so that the iPhone could make/receive calls and text messages over the Wi-Fi connection. This was the best method for me considering the iPhone’s service was not on and so no data regarding calls or texts would be saved to the SIM card.
I then downloaded Facebook and Twitter from the App Store and set up accounts for both. I posted a status for both accounts and posted a status with a picture for each. I deleted one post from both accounts to see if I would later be able to find the data that was originally there. The majority of this project was based around finding deleted data.
I set up a Gmail account with the iPhone’s mail application. This was the application I used to send emails to myself from the iPhone Gmail account (testiphone51412@gmail.com). I sent a few emails from the iPhone, deleted only a couple, wrote two drafts and deleted one, archived an email, and received email from my own personal account.
From there, I activated Google Voice so that I could use the previously downloaded application, Talkatone. Once I got it running, I sent a few text messages from the iPhone to my Droid and also called the iPhone from Droid in order to generate a log. I tried to delete individual text messages from Talkatone, but it wasn’t possible so I had to delete all of them. I then deleted the entire Talkatone application to see if I would be able to find any trace of the application still on the iPhone. I tried to call my Droid using just the iPhone itself and also tried to send a text message to myself. Although I knew it wouldn’t work because there was no service, I did this to see if it would still show up in my analysis.
Continuing down my outline, I opened Safari and went to www.champlain.edu. I clicked on a link within the website and watched a video. I then went to several other websites (usa.gov, nhl.com, forensicfocus.com). Within usa.gov there was a search bar, which I used to search for “forensics” and while on nhl.com, I bookmarked the page. I also bookmarked forensicfocus.com and then deleted nhl.com. Next I conducted a Google search for the word “strawberry” and clicked on the first link, which brought me to Wikipedia. After creating a reasonable amount of internet history, I went into the iPhone’s settings and deleted all cache, history and cookies from Safari.
For the next part of this project, see “iPhone Forensics: Part 3”.
If you have any comments, questions and/or suggestion please feel free to leave a comment here on the blog. Feel free to email us at LCDI@champlain.edu, with “iPhone Forensics” in the subject.