Forensic analysis of an iOS device can be performed by using the backup files that iTunes keeps for the corresponding account. This backup provides access to the file structure and folders without altering the original backup files, making it a forensically sound method of examination. By using a variety of open source tools, many types of data can be extracted as evidence in an investigation. The file system is organized so that most of the crucial files are in property list (plist) or SQLite database format, and many tools are designed to convert these files into easily readable views for faster and more efficient examination. The investigator can gain an in-depth picture of the device user by accessing files and folders that describe whom the user is communicating with, what websites they are visiting, what they are downloading, where they have been and any images or videos they may have taken along the way. As many iOS devices contain up to 60 GB of storage, the user can literally keep a copy of their daily activities and interactions within these portable computers, offering valuable evidence to a criminal investigator.
Keywords: iOS, forensic examination, backup files.
Forensic Analysis of an iPod Touch 4G
The Apple iPod continues to evolve from basic mp3 functions to a fully featured operating system with camera, GPS and Internet capabilities. Since many models have upwards of 64 GB of storage, the potential for a variety of evidence being processed through, or stored on, the iPod is high. Criminals can take and store images, videos and audio files as well as share them with others over the Internet. Other valuable information, such as the address book, calendar data, user information, history and Internet applications, can also play an important role in an investigation. More importantly, iPods may be overlooked when the scope of a warrant is drawn up, so that a potentially valuable piece of evidence is treated as insignificant.
The iPod Touch can be forensically analyzed using physical and logical acquisitions. The physical method is based on work by Jonathan Zdziarski and was not performed here because of data corruption concerns. The logical method involves accessing the backup files in iTunes. Upon the initial connection, iTunes automatically creates a folder named after the unique device identifier (UDID), which is specific to each device and is derived from hardware components such as the MAC and Bluetooth addresses (Satish, 2012). Each time an iPod is connected to iTunes using the user's account it is synced according to its iTunes settings. Items updated in this way include contacts, images, Internet bookmarks and email (Ley, 2013).
The UDID folder contains four types of file extensions: plist, mdbackup, mddata and mdinfo. The plist files are property lists written in XML (Extensible Markup Language). They can be viewed with many text editors or with a number of commercial and free tools. The Info.plist contains identifying information about the device, such as the assigned name and serial number, as well as the last time it was synced with iTunes on a computer (Ley, 2013). The mdbackup files contain most of the actual data; each file carries identification for the file as well as its format or extension. The mddata and mdinfo files appear in more recent versions of the iPod Touch and take the place of the mdbackup files of earlier versions. Instead of one file holding both the metadata and the file contents, the data is now split between two files that share the same filename but carry different extensions (Ley, 2013). Several open source tools were used to analyze the backup, automating the processes above. There was no password protection on this device, so no decryption of the backup files was necessary.
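The claim that backup-based analysis is forensically sound rests on the backup files never being modified. The following is an added example, not code from the paper or from any of the tools it discusses, showing how an examiner can demonstrate that on a case: hash every file in the UDID folder before the tools are run and compare again afterwards. The folder layout it assumes (Info.plist, Manifest.plist and the hashed-name mddata/mdinfo files) follows the paper's description; the sample folder contents and file names are constructed, not taken from a real device.

```python
"""Hash-manifest check for an iTunes backup (UDID) folder.

Added example: hash the backup before analysis, hash it again afterwards,
and report any file that changed. A clean comparison is the evidence that
the tools only read the backup and recreated its structure elsewhere.
"""
import hashlib
import os
from collections import Counter

# Extensions the paper lists for a backup folder, used to summarise what is present.
BACKUP_EXTENSIONS = (".plist", ".mdbackup", ".mddata", ".mdinfo")


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's contents as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each backup file name to the SHA-256 of its contents.

    `files` maps file name -> bytes. read_backup_folder() produces that from a
    real directory; SAMPLE_BACKUP below is a constructed in-memory stand-in.
    """
    return {name: sha256_hex(data) for name, data in sorted(files.items())}


def compare_manifests(before: dict, after: dict) -> dict:
    """Return which files were modified, added or removed between two manifests."""
    return {
        "modified": sorted(n for n in before if n in after and before[n] != after[n]),
        "added": sorted(n for n in after if n not in before),
        "removed": sorted(n for n in before if n not in after),
    }


def summarise_extensions(files: dict) -> dict:
    """Count backup files per extension (plist / mdbackup / mddata / mdinfo / other)."""
    counts = Counter()
    for name in files:
        ext = os.path.splitext(name)[1].lower()
        counts[ext if ext in BACKUP_EXTENSIONS else "other"] += 1
    return dict(counts)


def read_backup_folder(path: str) -> dict:
    """Load every regular file in a backup folder into memory as name -> bytes."""
    result = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                result[name] = fh.read()
    return result


# Constructed stand-in for a UDID folder. The 40-hex-digit names are
# placeholders in the style of iOS backup file names, not real identifiers.
SAMPLE_BACKUP = {
    "Info.plist": b'<plist version="1.0"><dict><key>Device Name</key><string>Example iPod</string></dict></plist>',
    "Manifest.plist": b'<plist version="1.0"><dict/></plist>',
    "0123456789abcdef0123456789abcdef01234567.mddata": b"\x00\x01\x02sample-data",
    "0123456789abcdef0123456789abcdef01234567.mdinfo": b"bplist00-sample-metadata",
}


def main() -> None:
    before = build_manifest(SAMPLE_BACKUP)
    print("Files per extension:", summarise_extensions(SAMPLE_BACKUP))
    # Simulate a tool that silently rewrote one file during analysis.
    tampered = dict(SAMPLE_BACKUP)
    tampered["Manifest.plist"] = b'<plist version="1.0"><dict><key>changed</key><true/></dict></plist>'
    after = build_manifest(tampered)
    print("Differences after analysis:", compare_manifests(before, after))


if __name__ == "__main__":
    main()
```

On a real case, replace SAMPLE_BACKUP with read_backup_folder(path_to_udid_folder) run once before and once after the tools, and keep the "before" manifest with the case notes.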
Steps of the Process
The Touch was attached to iTunes and connected with an account. A backup was then made on this computer of all the files on the Touch according to the iTunes procedure described above, resulting in a backup copy. That copy was processed through iBackupBot, iPhone Analyzer, FTK Imager and Autopsy.
iBackupBot
iBackupBot gave an easy-to-use interface while providing the bulk of the forensic information retrieved. Figure one shows the device information typically contained in the Info.plist, but in an easy-to-read format. The device serial number, version and an overview of what is in the backup file are given.
Figure 2. Device information on the iPhone Analyzer.
The iPhone Analyzer also provides an easy-to-use interface that presents system plist and SQLite database information in a readable format. Figure two shows the device-identifying information as well as installed application details. The operating system also gives timeline information in the form of MACB timestamps, that is, modified, accessed, changed and born dates. Timestamps are present on many files, although they may be in the form of absolute time, which is the number of seconds since January 1, 2001 (Proffitt, 2012).
The iOS platform runs on a hierarchical file system (HFS). Types of files in the system are plists, binary plists, SQL databases, DAT and log files (LeMere, 2011). Domain names lead the file path; the main domains are the App, Home and Media domains. The open source tools used here give a good representation of the recreated file structures, as shown in figure three. The Library folder contains a wealth of information that could be valuable to an investigator, such as address books, mail, calendar information, YouTube, Safari pages browsed and voicemail (Proffitt, 2012). Files of interest in the Library folder are shown and discussed in the figures that follow.
Figure 3. Dynamic text in iBackupBot.
Figure three shows dynamic text in the Library folder. Dynamic text is the actual keyboard input from the user. Any keystrokes entered into applications such as Safari, Facebook or Messages are captured and displayed here. The purpose of this file is to assist the device user with commonly used words, which can provide valuable information to an analyst (Proffitt, 2012). While this can yield important information, no timestamps are associated with this file, which means that the text could have been entered at any time in the device's lifecycle (Proffitt, 2012).
Figures four and five show the browser cookies in the Library folder. These cookies can demonstrate browsing history or patterns of browsing by the device user. iOS stores these cookies in binary form, but they can be viewed with tools such as iBackupBot and iPhone Analyzer, which present them in a readable format (Proffitt, 2012).
Figure 4. Binary cookies in iBackupBot.
Figure 5. Binary cookies in iPhone Analyzer.
While browser-specific search terms can be located in the corresponding cache folder, none were entered on this device. An image was found in the Safari cache, indicating that it was viewed within the Safari browser. Figure six shows this file.
Figure 6. iBackupBot image in Safari cache.
While the Safari cache was limited, the Apple cache did contain multiple web searches, as demonstrated in figure seven. These websites were shown in iBackupBot but not in iPhone Analyzer, and they appear to have been browsed within the Apple web browser.
Figure 7. iBackupBot WebCache folder.
The Preferences folder also provided a YouTube plist, which can show properties of YouTube browsing. The image below appears to show that the term ‘Nora Jones’ was navigated to while in YouTube and was the last term searched.
Figure 8. YouTube search plist.
Another file of interest within the Library folder is the Address Book, shown in figure nine. The address book can hold such information as first and last names, birthdate, phone number, email addresses and notes about the subject. It can hold valuable information about both the user and the contacts listed within, making it a prized piece of potential evidence. iBackupBot does a great job of organizing the SQLite database file into a readable format (Proffitt, 2012).
Figure 9. iBackupBot Address Book database.
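Two points above are worth seeing in code: timestamps stored as absolute time (seconds since January 1, 2001) and the Address Book as a SQLite database that tools such as iBackupBot render into a readable table. The block below is an added example, not code from the paper or from iBackupBot, and shows what such a tool does underneath. It builds an in-memory database with a simplified, constructed schema (two tables modelled loosely on the ABPerson and ABMultiValue tables of AddressBook.sqlitedb; the real database has many more columns, and the property codes used for phone and email here are assumptions to be confirmed against the case data) and lists each contact with its dates converted to UTC.

```python
"""Address book extraction with absolute-time conversion (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Epoch of iOS "absolute time": midnight UTC on 2001-01-01.
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Property codes for the sample ABMultiValue rows. These are assumptions for
# the constructed schema; check the real database before relying on them.
PROPERTY_PHONE = 3
PROPERTY_EMAIL = 4


def mac_absolute_to_utc(seconds):
    """Convert absolute time (seconds since 2001-01-01 UTC) to a UTC datetime.

    Returns None for NULL or zero, which iOS databases use for "never set";
    that means a genuine 2001-01-01 00:00:00 value is also reported as unset.
    """
    if seconds is None or seconds == 0:
        return None
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=float(seconds))


def build_sample_address_book():
    """Create an in-memory database holding constructed sample contacts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ABPerson (
            ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
            CreationDate REAL, ModificationDate REAL);
        CREATE TABLE ABMultiValue (
            UID INTEGER PRIMARY KEY, record_id INTEGER, property INTEGER,
            label INTEGER, value TEXT);
        """
    )
    # 378000000 s after the 2001 epoch is 2012-12-24 00:00:00 UTC; a zero
    # ModificationDate stands for "never modified".
    conn.executemany(
        "INSERT INTO ABPerson VALUES (?, ?, ?, ?, ?)",
        [(1, "Alice", "Example", 378000000.0, 378000000.0),
         (2, "Bob", "Sample", 378086400.0, 0)],
    )
    conn.executemany(
        "INSERT INTO ABMultiValue (record_id, property, label, value) VALUES (?, ?, ?, ?)",
        [(1, PROPERTY_PHONE, 0, "+1-555-0100"),
         (1, PROPERTY_EMAIL, 0, "alice@example.org"),
         (2, PROPERTY_PHONE, 0, "+1-555-0199")],
    )
    conn.commit()
    return conn


def list_contacts(conn):
    """Return one dict per person with phones, emails and ISO-8601 UTC dates."""
    people = conn.execute(
        "SELECT ROWID, First, Last, CreationDate, ModificationDate "
        "FROM ABPerson ORDER BY ROWID"
    ).fetchall()
    contacts = []
    for rowid, first, last, created, modified in people:
        values = conn.execute(
            "SELECT property, value FROM ABMultiValue WHERE record_id = ? ORDER BY UID",
            (rowid,),
        ).fetchall()
        created_dt = mac_absolute_to_utc(created)
        modified_dt = mac_absolute_to_utc(modified)
        contacts.append({
            "name": f"{first or ''} {last or ''}".strip(),
            "phones": [v for p, v in values if p == PROPERTY_PHONE],
            "emails": [v for p, v in values if p == PROPERTY_EMAIL],
            "created": created_dt.isoformat() if created_dt else None,
            "modified": modified_dt.isoformat() if modified_dt else None,
        })
    return contacts


if __name__ == "__main__":
    for contact in list_contacts(build_sample_address_book()):
        print(contact)
```

The same mac_absolute_to_utc() conversion applies to the other absolute-time fields the paper mentions, such as photo and map timestamps; the one trap is a value that is already a Unix timestamp, which would come out roughly 31 years too late, so the magnitude of the raw value should be sanity-checked against the device's lifetime.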
The system preferences file in the Home domain shows the Wi-Fi networks that the device has used. This information is in the form of a plist, which iBackupBot displays well. The network name, its identifier (the access point's MAC address) and the date and time of last use are given. This information can be used to place the device user at a specific location, or at least within range of a Wi-Fi access point. Figure ten displays the name of a Wi-Fi network along with the last time it was accessed.
Figure 10. Wi-Fi information in iBackupBot.
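The two plists described so far, the Info.plist in the UDID folder (device name, serial number, last backup date) and the Wi-Fi preferences plist (network name, access point MAC, last time joined), can be read directly without a GUI tool. The block below is an added example, not code from the paper or from iBackupBot. Both plists are constructed XML samples; the key names follow those commonly seen in real backups (Info.plist: "Device Name", "Product Type", "Product Version", "Serial Number", "Last Backup Date"; com.apple.wifi.plist: "List of known networks" entries with SSID_STR, BSSID and lastJoined), but treat them as assumptions and confirm them against the case data.

```python
"""Device identity and known Wi-Fi networks from backup plists (added example)."""
import plistlib
from datetime import timezone

# Constructed sample of a UDID-folder Info.plist. The serial number is a placeholder.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Device Name</key><string>Example iPod</string>
  <key>Product Type</key><string>iPod4,1</string>
  <key>Product Version</key><string>6.1.3</string>
  <key>Serial Number</key><string>SERIAL-PLACEHOLDER</string>
  <key>Last Backup Date</key><date>2013-04-02T15:04:05Z</date>
</dict>
</plist>
"""

# Constructed sample of the known-networks plist. BSSIDs are written the way
# iOS often writes them, without leading zeros in each octet.
SAMPLE_WIFI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>List of known networks</key>
  <array>
    <dict>
      <key>SSID_STR</key><string>CoffeeShopGuest</string>
      <key>BSSID</key><string>0:1a:2b:3c:4d:5e</string>
      <key>lastJoined</key><date>2013-03-30T09:12:00Z</date>
    </dict>
    <dict>
      <key>SSID_STR</key><string>HomeNet</string>
      <key>BSSID</key><string>aa:bb:cc:dd:ee:ff</string>
      <key>lastJoined</key><date>2013-04-01T21:40:00Z</date>
    </dict>
  </array>
</dict>
</plist>
"""


def _as_utc(dt):
    """plistlib returns naive datetimes that are already UTC; tag them as such."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def device_summary(info_plist: bytes) -> dict:
    """Pull the identifying fields an examiner records from Info.plist."""
    info = plistlib.loads(info_plist)
    last = info.get("Last Backup Date")
    return {
        "name": info.get("Device Name"),
        "model": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "serial": info.get("Serial Number"),
        "last_backup_utc": _as_utc(last).isoformat() if last else None,
    }


def normalise_bssid(bssid: str) -> str:
    """Pad each octet to two hex digits so the value matches wardriving / AP databases."""
    return ":".join(part.zfill(2).lower() for part in bssid.split(":"))


def known_networks(wifi_plist: bytes) -> list:
    """List known networks, most recently joined first."""
    data = plistlib.loads(wifi_plist)
    nets = []
    for entry in data.get("List of known networks", []):
        joined = entry.get("lastJoined")
        nets.append({
            "ssid": entry.get("SSID_STR"),
            "bssid": normalise_bssid(entry["BSSID"]) if entry.get("BSSID") else None,
            "last_joined_utc": _as_utc(joined).isoformat() if joined else None,
        })
    nets.sort(key=lambda n: n["last_joined_utc"] or "", reverse=True)
    return nets


if __name__ == "__main__":
    print(device_summary(SAMPLE_INFO_PLIST))
    for net in known_networks(SAMPLE_WIFI_PLIST):
        print(net)
```

plistlib.loads() accepts binary plists as well as XML, so the same functions work on files that iBackupBot would otherwise have to convert first. Note that a lastJoined value only shows the device associated with an access point of that BSSID; the access point's physical location still has to be established from another source.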
Photos are also very valuable pieces of information that can be stored on a Touch. iOS distinguishes between photos synced to the device and those taken directly with the device. The latter can be found in the 100APPLE folder, carry a timestamp of when they were taken and are numbered sequentially in the order they were taken (Proffitt, 2012). Proffitt (2012) gives other interesting information about photos in iOS. He states that the sequential numbers continue without regard to deletion, meaning that if a number is missing from the list, the corresponding image can be assumed to have been deleted. Moreover, iOS can take a screenshot of itself, which can provide clues to what may have been installed on a device prior to deletion or syncing. Figure eleven displays the contents of the 100APPLE folder, which indicates that these images were taken with the device itself.
Figure 11. Images from the 100APPLE folder in iBackupBot.
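Because the camera counter keeps climbing after deletions, a gap in the IMG_nnnn sequence in 100APPLE points to an image that once existed. The following is an added example, not code from the paper or from any tool it discusses, that turns a directory listing into a list of missing numbers; the listing is constructed. Each missing number is a deletion candidate to corroborate with other artifacts (thumbnails, the photo database, backup history) rather than a proven deletion on its own, and the example does not follow the counter into the next DCIM folder once it passes 9999.

```python
"""Gap detection in the 100APPLE camera-roll numbering (added example)."""
import re

# Camera files: IMG_0001.JPG photos, IMG_0002.MOV videos, IMG_0003.PNG screenshots.
IMG_PATTERN = re.compile(r"^IMG_(\d{4})\.(JPG|JPEG|PNG|MOV)$", re.IGNORECASE)

# Constructed directory listing, including non-camera files that must be ignored.
SAMPLE_LISTING = [
    "IMG_0001.JPG", "IMG_0002.JPG", "IMG_0003.MOV", "IMG_0005.JPG",
    "IMG_0008.PNG", "IMG_0009.JPG", ".DS_Store", "Thumbs.db",
]


def sequence_numbers(filenames):
    """Numeric parts of every IMG_nnnn.* name, deduplicated and sorted."""
    nums = set()
    for name in filenames:
        match = IMG_PATTERN.match(name)
        if match:
            nums.add(int(match.group(1)))
    return sorted(nums)


def missing_numbers(filenames):
    """Numbers absent between the lowest and highest present in the listing."""
    nums = sequence_numbers(filenames)
    if not nums:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def gap_report(filenames):
    """Summary an examiner can paste into notes: counts, range and the gaps."""
    nums = sequence_numbers(filenames)
    return {
        "present": len(nums),
        "lowest": nums[0] if nums else None,
        "highest": nums[-1] if nums else None,
        "missing": missing_numbers(filenames),
    }


if __name__ == "__main__":
    print(gap_report(SAMPLE_LISTING))
```

On a real backup, pass the names from the recreated DCIM/100APPLE folder instead of SAMPLE_LISTING. The "lowest" value also matters: a folder whose numbering starts well above 0001 suggests earlier images were removed before the first surviving one.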
While the file locations above were stated by several references to be the most valuable, I found others that gave good potential information as well. The map settings gave great information in the form of addresses entered by the device user as well as start and end points on the map. Figures twelve and thirteen show user-entered addresses for beginning and end points on a map. Latitude and longitude, as well as time stamps, are given for these locations. This information could be invaluable to placing a person or device at a location or correlating that data with other evidence.
Figure 12. Last location in maps.
Figure 13. Start location in maps.
Figure fourteen shows a good representation of user-entered addresses in iPhone Analyzer. The beginning and ending points are clearly shown as strings, indicating that the user typed the data, which may reveal where they have been or are planning to go.
Figure 14. iPhone Analyzer string data in maps.
The iPhone Analyzer gives an excellent representation of where images on the camera were taken. A timeline of when the images were taken, as well as latitude and longitude, is given with each image. A single click offers the location of the image, where and when it was taken, the file extension and where it is located in the file system, as shown in figure fifteen. A map view that plots where the images were taken is also a useful feature, as it can show a pattern of activity alongside the timeline.
Figure 15. iPhone Analyzer photo location map.
Other potentially useful information can be found in the email folder of the System files. Figure sixteen shows data such as the sender, the sender's email address and the date of transmission. This can provide helpful connections to other evidence or new leads for an investigator. This file should be considered at least as valuable as the SMS folder in that it shows who the device user is communicating with, their identity and the dates of communication. The fact that other parties' email addresses are given is a valuable piece of potential information.
Figure 16. Email folder in the System files.
Figure 17. User Applications in iBackupBot.
Figure seventeen displays the applications a user has downloaded onto the device. Each application folder contains a Documents, Library and tmp folder, with varying files inside them depending on the application. The Library folder within each application may contain cache and cookies as well as preferences (Hoog & Strzempka, 2011). Artifacts that may be found in the Preferences folder include plist information such as a username and password used to sign in to the application. Secondary information that can be obtained includes application versions or GPS data (Hoog & Strzempka, 2011).
Issues or Concerns
The main issues are the same situations that arose with other acquisitions and analyses, namely the variety of data available across multiple tools. I loaded the backup files into FTK as a mounted device and could view more images than with other tools. Autopsy focused more on the email files and did not give a better overall picture of the file system than the other tools. These two tools did not provide anything I was not able to get from iBackupBot or iPhone Analyzer. Physical acquisition was not possible as the device was only loaned to me to make a logical image from, and I did not want to alter any information on it. Using tools that work from an iTunes backup is also forensically sound, as the file structures are only recreated and no changes are made to the backup files (Proffitt, 2012). Other issues were minor but included not being able to see some common evidence, such as SMS messages, because the user had not created any. Some of the references indicated evidence in files that were either not present or empty, implying that the data was never created or entered.
The iOS platform allows the iPod Touch to interface with iTunes in a way that is quick and efficient. iTunes syncs the Touch upon connection to the corresponding account and updates any files that have changed since the last connection. This allows an investigator to work from the backup files without having to physically access the Touch, thereby preserving the integrity of the device data. There are a variety of tools available, both commercial and free, that will extract potentially valuable evidence from the device, with varying levels of detail and success. By understanding how the Hierarchical File System works, I was able to better understand how the files are organized and make better use of the tools that I chose. The best tool for this examination was iBackupBot. It gave an easy-to-read interface while providing the most complete evidentiary information and the best presentation. The iPhone Analyzer also produced a good amount of evidence, although it was more limited; its focus appears to be on quick evidence identification rather than in-depth file structure presentation. By using both tools, I was able to get a good picture of the user and their activities, including email use, GPS data, plist information about images and applications, as well as address and web browser data.
Hoog, A. (2009). Forensic analysis of iPhone backup directory. viaForensics. Retrieved from https://viaforensics.com/iphone-forensics/forensic-analysis-iphone-backup-directory.html
Hoog, A. & Strzempka, K. (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Retrieved from http://ac.els-cdn.com/
LeMere, B. (2011). iOS Forensics & Open Source Tools. Retrieved from http://www.slideshare.net/blemere/ios-forensics-amp-open-source-tools
Ley, S. (2013). Processing iPhone/iPod Touch backup files on a computer. The Apple Examiner. Retrieved from http://www.appleexaminer.com/iPhoneiPad/iPhoneBackup/iPhoneBackup.html
Proffitt, T. (2012). Forensic analysis on iOS devices. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092
Satish, B. (2012). Forensic analysis of iPhone backups. Retrieved from http://www.slideshare.net/securitylearnwordpress/forensic-analysis-of-iphone-backups-ios-5