Because I have been away at the CEIC conference, I have decided to use my limited time this week on setting up everything I need for the Siri project before jumping into it. This post will give an explanation of the setup for the project.
At the Senator Patrick Leahy Center for Digital Investigations we have an iPhone 5 designated for research projects. This iPhone had been used in the past for other research projects, so I had to find a way to wipe the phone to make sure I only saw the data I generated.
I first imaged the phone using Cellebrite without modifying it. This way I have all the information that was on the phone before I attempt to erase it. Now, if something unusual shows up in my results, I can reference back to my first image and see if that is where it came from.
The image I acquired was a logical image of the iPhone 5 filesystem rather than a physical image. This means that, rather than grabbing every single one or zero written on the drive, including unwritten and erased space, I am only getting the phone’s file system of current data. However, the logical image should still contain key artifacts such as keylog caches and browser histories needed to look for traces of Siri.
Next I erased the phone on a physical level. Even though I cannot get a physical image of the phone, if it is wiped physically I will have a cleaner image to work with. To do this, I started off with a factory restore of the iPhone by going to Settings > General > Reset and selecting “Erase All Content and Settings”. This will not completely erase everything, as it is still stored on the phone; however, it indicates it should not appear on the phone because it is deleted content. I then downloaded the application Wickr, which provides a secure file shredding feature that should erase the deleted content.
After finishing erasing the iPhone, I imaged it again, creating what should be a clean image. I quickly loaded the image up in FTK Imager 126.96.36.1994 and browsed through the file system to ensure the content had been erased. With a clean iPhone, I can now begin generating and looking for Siri artifacts!
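
The before-and-after comparison described above can be scripted. This is an added example, not part of the original post or of the tools it names. It assumes both logical images have been exported to ordinary folders; the function names and the sample file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def carried_over(baseline, wiped):
    """Return (path, reason) for post-wipe files whose content was in the baseline."""
    by_hash = {}
    for path, digest in baseline.items():
        by_hash.setdefault(digest, []).append(path)
    findings = []
    for path, digest in sorted(wiped.items()):
        if baseline.get(path) == digest:
            findings.append((path, "unchanged since baseline"))
        elif digest in by_hash:
            findings.append((path, "same content as baseline " + by_hash[digest][0]))
    return findings


def demo():
    """Build two small constructed trees standing in for the exported images."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp, "before"), Path(tmp, "after")
        samples = {  # constructed sample files, not real extraction data
            before / "Library/Keyboard/dynamic-text.dat": b"old typed words",
            before / "Library/Safari/History.db": b"old history",
            before / "System/version.plist": b"os build",
            after / "System/version.plist": b"os build",           # expected OS file
            after / "Library/Keyboard/dynamic-text.dat": b"",      # reset by the wipe
            after / "Library/Caches/leftover.db": b"old history",  # survived, moved
        }
        for path, data in samples.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return carried_over(build_manifest(before), build_manifest(after))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Unchanged operating-system files are expected in the output; matches under user-data paths are the ones that mean earlier research data survived the wipe.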