Methodology and Methods
We’ve just finished working with the iPhone 3gs for our iPhone Artifact Comparison project. We started off by factory resetting the phone and installing all the applications that were said to be supported by Cellebrite. After installing 25 applications, some of which required a working phone number to use, we chose to pick some of the more popular applications that didn’t require an active number to use to generate data. These applications included Facebook, Facebook Messenger, Twitter, Google Plus, Dropbox, Any.DO, Snapchat, Keepsafe, Yahoo Mail, Chrome, LinkedIn, and the default iPhone applications. We generated data by first creating all of the necessary accounts. In the end, we created a total of 18 accounts to use on the device. We sent, opened, and deleted emails for each of the email applications, created posts for all of the social networking applications, surfed the internet with the web browsing applications, and used the various features of the other selected applications. Additionally, we deleted some of the data to see what could be recovered and where the deleted data is stored.
After generating the data, we made a physical image of the phone with the Cellebrite and XRY. Our initial analysis shows that we were able to extract the majority of the generated data, some of which was deleted on the phone. Over the next few weeks, we will be generating data on the iPhone 4 and iPhone 5 by following the same process used with the iPhone 3gs. After that, we can fully analyze the data extracted from all three devices and find where the applications store their data in the file system of the various iPhones. In the end we should have a list of applications and where their data is stored on each of the three devices.
For the first blog in this series go to: http://computerforensicsblog.champlain.edu/2014/01/16/iphone-artifact-comparison-introduction/
– Maegan Katz