New Perspective on Siri Forensics

Since its release in 2007, the iPhone has been extremely popular. Sales have especially increased within the past three years. With its growing popularity and larger user population, there is a greater chance of coming across a case which involves forensically examining an iPhone.

Siri is a personal assistant function on the newer iPhones. First released on the iPhone 4S, it was built with a friendly interface: the user simply asks a question and Siri answers. The ability to properly analyze Siri could provide evidence based on the questions the user asks.

[Figure: Apple iPhone sales trend, http://static.arstechnica.net/2011/09/13/apple_iphone_sales_trend-4e6fa4c-intro.png]

With this new technology, new techniques must be developed to analyze the device so that the evidence is forensically sound and its integrity is preserved. Many tools have been created for iPhone examination, such as Cellebrite and Oxygen. These programs can display the information stored on the phone; it is up to forensic examiners to piece the story together and figure out exactly what was going on.

In classic mobile device forensics, artifacts such as texts and pictures can be recovered from a device. Previous research shows that Siri does not leave much evidence. In Trevin Mowery’s soon-to-be-published paper on Siri forensics, he discusses how traditional mobile device forensics cannot be applied to Siri. He found a property list file (.plist) proving Siri was enabled on the phone, as well as a SQLite database called ManagedObjects.SQLite, which stores the latest reminders that were set with Siri. Because Siri stores little on the phone, it was difficult to find more than that.
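To show how an examiner would pull those two artifacts (the .plist flag and the reminders database) without altering them, here is an added Python example that is not part of the original post or of Mowery's work. It hashes the database before and after reading, opens it read-only through a SQLite URI, enumerates the schema instead of assuming a table exists, and converts Apple's Cocoa-epoch timestamps (seconds since 2001-01-01 UTC) to readable UTC. The plist key name ("Assistant Enabled"), the table and column names (ZREMINDER, ZTITLE, ZCREATED), the plist file name and the row contents are all assumptions or constructed sample data; the post names only the ManagedObjects.SQLite file.

```python
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# iOS stores many timestamps as seconds since the "Cocoa" epoch, 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# ASSUMED names: the post does not say which key in the .plist marks Siri as enabled,
# nor what the reminder table/columns in ManagedObjects.SQLite are called.
ASSUMED_SIRI_KEY = "Assistant Enabled"
ASSUMED_TABLE = "ZREMINDER"


def cocoa_to_utc(seconds):
    """Convert a Cocoa-epoch timestamp to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def sha256_file(path):
    """Hash the evidence file so we can show the examination did not alter it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def siri_enabled(plist_path, key=ASSUMED_SIRI_KEY):
    """Return True if the (assumed) Siri-enabled key is set in the property list."""
    with open(plist_path, "rb") as f:
        data = plistlib.load(f)
    return bool(data.get(key, False))


def dump_reminders(db_path, table=ASSUMED_TABLE):
    """Read reminder rows from the SQLite file opened read-only (no writes, no journal)."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if table not in tables:
            return []  # artifact absent on this image: report nothing rather than guess
        rows = conn.execute(
            f'SELECT ZTITLE, ZCREATED FROM "{table}" ORDER BY ZCREATED').fetchall()
        return [(title, cocoa_to_utc(ts).isoformat()) for title, ts in rows]
    finally:
        conn.close()


def triage(plist_path, db_path):
    """Collect the two Siri artifacts and record that the database hash is unchanged."""
    before = sha256_file(db_path)
    result = {
        "siri_enabled": siri_enabled(plist_path),
        "reminders": dump_reminders(db_path),
        "db_sha256": before,
    }
    result["db_unchanged"] = sha256_file(db_path) == before
    return result


def build_sample_evidence(directory):
    """Write CONSTRUCTED sample files mimicking the two artifacts (not real iOS data)."""
    plist_path = os.path.join(directory, "assistant.plist")  # placeholder file name
    with open(plist_path, "wb") as f:
        plistlib.dump({ASSUMED_SIRI_KEY: True}, f)
    db_path = os.path.join(directory, "ManagedObjects.SQLite")
    conn = sqlite3.connect(db_path)
    conn.execute(f'CREATE TABLE "{ASSUMED_TABLE}" '
                 "(Z_PK INTEGER PRIMARY KEY, ZTITLE TEXT, ZCREATED REAL)")
    conn.executemany(
        f'INSERT INTO "{ASSUMED_TABLE}" (ZTITLE, ZCREATED) VALUES (?, ?)',
        [("Call the office", 400000000.0), ("Buy milk", 400003600.0)])
    conn.commit()
    conn.close()
    return plist_path, db_path


def run_demo():
    """Build the constructed evidence in a temp directory and triage it."""
    workdir = tempfile.mkdtemp(prefix="siri-triage-")
    plist_path, db_path = build_sample_evidence(workdir)
    return triage(plist_path, db_path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real acquisition the examiner would point `triage()` at the exported files from the Cellebrite image instead of the constructed ones, and would verify the reported SHA-256 against the hash recorded at acquisition time.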

Siri works by sending packets to Apple’s servers, which analyze the voice recording and send back a response. According to Apple spokesperson Trudy Miller, Apple keeps the Siri data sent to its servers for two years. Taking a different approach, Mowery attempted network forensics on Siri by analyzing its traffic with Wireshark (a network monitoring tool). The packets captured with Wireshark were encrypted and unreadable, which means a live analysis of Siri usage on a device could not be done over a network.

The purpose of this project is to continue Mowery’s research as well as take a new approach to Siri forensics. Rather than looking for artifacts Siri leaves behind or trying to capture the information on the network, I want to find existing artifacts that could suggest Siri was used to access the information. I hope that by looking for Siri’s footprints on the device I can determine whether Siri usage can be distinguished from normal application usage. Although Mowery’s research shows we cannot obtain pure Siri artifacts from the phone, this research could provide the evidence an examiner needs to request information from Apple’s servers for a forensic case. Voices are unique identifiers, so by proving that a web search, for example, was done with Siri, information from Apple’s servers could be requested and the user behind the phone could be identified. While putting a user behind a device has always been a grey area and a difficult point to prove in digital forensics, this form of Siri forensics could be a solution to that problem.

During my research, I will use Cellebrite to acquire an iPhone 5 and then EnCase to examine the acquisition for artifacts. I will examine internet history for anything indicating that a search was made through Siri rather than typed manually by the user. I will also send texts using Siri to see whether I can find a distinction between texts someone typed themselves and texts dictated with Siri’s voice-to-text.

-Julie Desautels
