Tag Archive for forensics

iPhone Forensics – Part 1

As with anything else, it is important to understand the inner workings of the iPhone before attempting to recover data from it. Otherwise one of two things may happen: the device may be rendered useless, or the data on it may become contaminated, which is just as bad when you are looking for evidence.

The iPhone runs a customised version of Mac OS X 10.5 (Leopard) with several differences from the desktop release, including:

  1. an ARM architecture as opposed to the Intel x86 architecture used on desktop machines
  2. special hardware including an accelerometer, proximity sensor, multi-touch capable screen and several radios including GSM, Wi-Fi and Bluetooth
  3. a user interface framework built around the iPhone to accommodate the proprietary hardware
  4. a signed kernel designed to prevent tampering

What can be recovered:

  1. Keyboard caches containing usernames, passwords, search terms and some history of what has been typed on the phone.
  2. Sections of map images from the phone's Google Maps application, along with location searches and their coordinates.
  3. Browser cache and deleted items identifying which websites the user has visited.
  4. Deleted voicemails, email and SMS messages.
  5. A cache of screenshots of the user's last activities, kept to smooth the animation when applications are opened and closed.
  6. Deleted images, address book entries, contacts, calendar events and other personal information.
  7. A detailed call history going beyond what is visible on the iPhone itself, including deleted entries.

Disk Layout:

The iPhone's storage is solid-state NAND flash, which the operating system treats as a disk: it carries a partition table and formatted file systems. An iPhone is generally configured with two partitions.

The first partition is the root (system) partition, which holds the operating system and all the preloaded applications. It is mounted read-only and is intended to stay that way. Its size varies between versions of the phone.

The remaining space is the user data partition, mounted at /private/var. This separation lets Apple upgrade the firmware on the system partition without, in theory, touching the user's data.

Forensic work on this layout turns that separation to our advantage: the root partition is made writable so that the recovery tools can be installed there, and nothing is written to the user data partition, which preserves the integrity of the evidence on it. Because the system partition is being altered, note exactly what was installed there and when.


The iPhone communicates over several interfaces: the serial connection through the dock connector, 802.11 Wi-Fi and Bluetooth. AFC (Apple File Connection) is the protocol iTunes uses over that dock connection to move everything from music to software upgrades to the phone.

iTunes is not given access to the whole iPhone; it is confined to a jailed environment. People familiar with Unix and Linux will recognise the term "jail": in general terms it means restricting access and operations to a specific area of the target device, in this case the media directory on the user data partition.

The hacker community coined the term "jailbreaking" for breaking out of this restricted environment, which in turn allows unsigned third-party (and pirated) applications to be installed and is the first step towards unlocking the phone for use with other carriers.

The Firmware:

Apple provides periodic firmware updates that refresh the operating system, the radio baseband and other device firmware. Although these updates have not been known to cause loss of user data, the firmware should not be upgraded during a forensic examination: an upgrade writes to the device and changes the state of the evidence.

Mobile Forensics

With the explosion in the number of mobile devices, there is little doubt that the number of security incidents in which a mobile device is involved will grow just as quickly.

My next few posts will look at what it takes to perform forensics on mobile devices, targeting specifically the iPhone, BlackBerry and Android platforms.

Some interesting statistics on the iPhone in particular, and the number of them that AT&T activated over the last couple of years: the number of iPhones activated in the 3rd quarter of 2009 was 3.2 million devices in the US alone.

This does not equate to iPhones sold, because activations also count, say, a father giving his iPhone to his daughter and buying a new one for himself: two activations but only one iPhone bought.

According to AT&T they added 2 million subscribers in that quarter. Nevertheless, the upward trend is clear.

Activations for the 1st quarter of 2010 rose by 50% over the previous quarter.

SIM Forensics

One of the challenges I have come across recently is retrieving data from a mobile phone's SIM card, whether it holds a large phone-book that no existing PC interface lets you export, or you are trying to recover deleted incoming and outgoing messages from the phone.

A SIM (Subscriber Identity Module) is a removable smart card that securely stores the subscriber's identity (the IMSI) and the secret authentication key (Ki) used to authenticate the subscriber to the network; it also holds the phone book and a small store of SMS messages. Because the subscription lives on the card, a user can change phones simply by moving the SIM from one mobile phone to another (or into a mobile broadband device).

You will need a SIM card reader, drivers and software to read the SIM card.

You can easily get a SIM card reader on eBay for under $5. Though they usually ship with a software CD, I have not found one that has the right drivers on it. What this has meant for me is prying open the plastic casing, reading the chipset manufacturer's markings, and then diving into Google to find, in the majority of cases, a Taiwanese manufacturer hosting the drivers for the reader.

Then comes the software. I recommend Data Doctor Recovery Sim Card from Pro Data Doctor: it has a nice interface and it works, which was also a challenge to find. This will set you back $69.

Once the SIM is in the reader, the reader is connected to a USB port on your computer and working correctly with the drivers installed, start the program and click the magnifying glass icon. You will then be prompted to select the reader type, which in my case is the Phoenix standard.

You will be asked to define the port, baud rate and parity. To determine which port was assigned, I open Device Manager on Windows XP and look under Modems to find the reader. The baud rate should stay at 9600 and the parity at even. Once this is done, the software scans the SIM for data and displays it on screen, where it can be viewed or saved to a text file.
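The recovery software hides what is actually on the card. To show why a "deleted" message can come back, here is an added example (written for this page, not code from the original post or from the Pro Data Doctor product) that decodes the two elementary files a SIM recovery tool reads, EF_SMS (the message store) and EF_ADN (the phone book), and so also illustrates the phone-book and SMS storage described in the SIM overview above. A handset usually deletes an SMS by rewriting the record's status byte to "free" and leaving the message bytes in place until the slot is reused, so the decoder walks every record rather than only the used ones. All record contents are constructed for illustration and follow the ETSI TS 51.011 and 3GPP TS 23.040 layouts; the function and constant names are this example's own.

```python
"""Decode SIM EF_SMS and EF_ADN records and flag deleted SMS that are still recoverable.

The sample records are constructed for this example, not dumped from a real SIM. Layouts
follow ETSI TS 51.011 (EF_SMS: status byte + SMSC address + TPDU, 0xFF padded; EF_ADN:
alpha id + BCD number) and 3GPP TS 23.040 / 23.038 (SMS-DELIVER fields, 7-bit packing).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GSM 7-bit default alphabet; index = 7-bit code. The ESC (0x1B) extension table is not handled.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128

# EF_SMS status byte; bit 0 clear means the slot is marked free. A handset "delete" normally
# rewrites only this byte, so the TPDU stays behind until the slot is reused.
SMS_STATUS = {0x01: "received/read", 0x03: "received/unread", 0x05: "sent", 0x07: "to be sent"}


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack septets stored LSB-first across octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def bcd_digits(data: bytes) -> str:
    """Swapped-nibble BCD: the low nibble is the first digit of each pair; 0xF is filler."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(out)
            out.append("0123456789*#abc"[nib])
    return "".join(out)


def address(toa: int, digits: bytes) -> str:
    """Type-of-address with TON 001 (international, e.g. 0x91) gets a leading '+'."""
    return ("+" if (toa & 0x70) == 0x10 else "") + bcd_digits(digits)


def decode_scts(ts: bytes) -> str:
    """Service-centre timestamp: six swapped-nibble BCD fields plus a quarter-hour zone."""
    yy, mm, dd, hh, mi, ss = (f"{b & 0x0F}{b >> 4}" for b in ts[:6])
    tz = ts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)      # bit 3 of the low nibble is the sign bit
    sign = "-" if tz & 0x08 else "+"
    return f"20{yy}-{mm}-{dd} {hh}:{mi}:{ss} {sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}"


@dataclass
class Sms:
    slot: int
    status: str
    deleted: bool      # True when the slot is marked free but still holds a message
    smsc: str
    sender: str
    timestamp: str
    text: str


def parse_ef_sms_record(slot: int, rec: bytes) -> Optional[Sms]:
    """Parse one 176-byte EF_SMS record holding an SMS-DELIVER; None if nothing survives."""
    smsc_len = rec[1]
    if smsc_len in (0x00, 0xFF):                 # genuinely empty slot (0xFF padding only)
        return None
    smsc = address(rec[2], rec[3:2 + smsc_len])
    p = 2 + smsc_len                             # start of the TPDU
    if rec[p] & 0x03 != 0x00:                    # MTI 00 = SMS-DELIVER (mobile-terminated)
        return None
    oa_len = (rec[p + 1] + 1) // 2               # originating address: digit count -> bytes
    sender = address(rec[p + 2], rec[p + 3:p + 3 + oa_len])
    p += 3 + oa_len                              # now at the protocol identifier
    dcs, udl = rec[p + 1], rec[p + 9]
    timestamp = decode_scts(rec[p + 2:p + 9])
    ud = rec[p + 10:]
    if dcs & 0x0C == 0x00:                       # GSM 7-bit default alphabet
        text = unpack_gsm7(ud[:(udl * 7 + 7) // 8], udl)
    else:                                        # 8-bit or UCS2: left as hex for the analyst
        text = ud[:udl].hex()
    free = rec[0] & 0x01 == 0
    status = "free" if free else SMS_STATUS.get(rec[0], f"0x{rec[0]:02x}")
    return Sms(slot, status, free, smsc, sender, timestamp, text)


def recover_sms(ef_sms: List[bytes]) -> List[Sms]:
    """Walk every record, including free ones, so deleted-but-present messages surface."""
    return [m for i, rec in enumerate(ef_sms, 1) if (m := parse_ef_sms_record(i, rec))]


def parse_ef_adn_record(rec: bytes) -> Optional[Tuple[str, str]]:
    """EF_ADN (phone book) record: X-byte alpha id, then 14 bytes of number/CCP/EXT."""
    x = len(rec) - 14
    alpha = rec[:x].rstrip(b"\xff")
    if not alpha and rec[x] == 0xFF:
        return None                              # empty slot
    if alpha[:1] == b"\x80":                     # UCS2 variant of the alpha identifier
        name = alpha[1:].decode("utf-16-be")
    else:                                        # one unpacked GSM 7-bit code per byte
        name = "".join(GSM7[b & 0x7F] for b in alpha)
    num_len = rec[x]                             # counts the TON/NPI byte plus digit bytes
    return name, address(rec[x + 1], rec[x + 2:x + 1 + num_len])


def _rec(hexstr: str, size: int) -> bytes:
    """Build a fixed-size record padded with 0xFF, as the card stores it."""
    raw = bytes.fromhex(hexstr)
    return raw + b"\xff" * (size - len(raw))


SMSC = "07 91 21 43 65 87 09 F1"                # constructed: +12345678901
HDR = "04 0B 91 51 55 21 43 65 F7 00 00"        # SMS-DELIVER from +15551234567, 7-bit text
SAMPLE_EF_SMS = [                                # constructed records, not from a real SIM
    _rec(f"01 {SMSC} {HDR} 01 70 32 41 80 00 80 0A E8 32 9B FD 46 97 D9 EC 37", 176),  # read
    _rec(f"00 {SMSC} {HDR} 01 70 32 41 90 00 80 04 D4 F2 9C 0E", 176),  # marked free, data left
    _rec("00", 176),                                                      # truly empty slot
]
SAMPLE_EF_ADN = [
    _rec("41 6C 69 63 65" + " FF" * 11 + " 07 91 51 55 21 43 65 F7 FF FF FF FF FF FF", 30),
    _rec("", 30),
]

if __name__ == "__main__":
    for m in recover_sms(SAMPLE_EF_SMS):
        flag = "  <-- deleted but recoverable" if m.deleted else ""
        print(f"slot {m.slot} [{m.status}] {m.sender} @ {m.timestamp}: {m.text!r}{flag}")
    for adn in SAMPLE_EF_ADN:
        print("ADN:", parse_ef_adn_record(adn))
```

Run against the constructed records, slot 1 decodes as a read message, slot 2 is reported as free but still yields a complete message, and slot 3 is skipped because only padding remains. The two points to carry over to real cards: dump the whole file with the reader (every record, not just the used ones), and expect a phone-book deletion to behave differently, since handsets generally overwrite an EF_ADN record with 0xFF rather than leaving the entry behind.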