With the rapid growth in iPad sales since its introduction in 2010, the device is by now almost everywhere. Today an iPad can replace a personal computer, especially when it is equipped with applications that process different types of documents. People use the iPad in many ways, so it may hold information that helps investigators put criminals behind bars, or that helps clear the names of innocent people (Hailey, 2002). The iPad is one of the most popular devices worldwide: Apple sold more than 215 million iPads from April 2010 to Q1 2014 (Elmer-DeWitt, 2014). Apple's frequent product releases therefore bring new challenges. Different iOS versions have different encryption and security features (Rodney, 2013), which raises the forensic bar every time the iPad receives a new iOS or a major software upgrade. Since there is so far no means of performing a physical extraction from an iPad running iOS 7, this paper focuses on the logical acquisition of an iPad2 running iOS 7 and the analysis of the extracted artifacts. MPE+ and FTK are the main software tools used in this paper.
Keywords: MPE+, FTK, iLogical, Logical Acquisition, iPad, iPad Forensics, iOS7
Model: iPad2 Wi-Fi + 3G
Operating System: iOS 7.0.6
1- Will MPE+ be able to acquire data physically, in a forensically sound manner, from an iPad2 running iOS 7?
2- What can commercial tools provide to the forensics world?
3- What types of data can this paper provide by using MPE+ and FTK?
4- What are the limitations that prevent extracting data from the iPad2?
Certain methods are used by law enforcement and researchers to acquire images or data from iDevices. Mobile forensic acquisition falls into three categories: logical acquisition, physical acquisition, and mechanical disassembly of the device.
Logical acquisition is a common method applied to devices running iOS. Normally, logical acquisition requires the availability of an iTunes backup, for example on a suspect's computer confiscated by law enforcement. The limitation of logical acquisition is that it cannot extract deleted data or access the system partition. An iTunes backup collects data from the user data partition such as downloaded page caches, user credentials, databases of friends, accounts and more (Business Wire, 2013).
Zdziarski's method is a well-known method for extracting data physically from iOS devices. It is based on jailbreaking the device and using Secure Shell (SSH) to access it. The method uses the dd command to create a bit-by-bit copy of the source, and netcat to transfer the image over the device's Wi-Fi connection. The drawback of this method is the time required to transfer the image to the forensic machine. Besides, it cannot be applied to devices running iOS 7 (Zdziarski, 2012).
Gomez-Miralles and Moreno presented another approach for imaging the iPad as a physical acquisition example. They used a cheap iPad accessory, the Camera Connection Kit, to image the disk to an external hard drive attached via USB, which, as claimed, significantly reduced the time required for imaging iDevices (Luis Gomez-Miralles, 2012).
Mobile Phone Examiner Plus (MPE+) and Forensic Toolkit (FTK) were used in this paper for acquisition and analysis. AccessData recently added a new feature, iLogical (Enhanced iDevice Support), to MPE+. This feature supports all Apple iOS devices from iOS v1.0 to iOS v7.0, and iLogical works whether or not iTunes is installed on the forensic machine (AccessData, n.d.).
This paper describes an approach for acquiring, by a forensically sound procedure, a logical image from an iPad2 running iOS 7. The acquisition was performed under forensically accepted conditions, without jailbreaking the device or breaking into the file system partition, to preserve the legality of the process. An iMac and a Windows XP virtual machine, along with MPE+ and FTK, were the main hardware and software used to acquire and analyze the device. The logical acquisition methodology was followed using MPE+, whose new iLogical feature can acquire user data such as screenshots, map tiles, downloaded cache pages and more.
MPE+ Logical Acquisition Steps
Below is a step-by-step procedure for acquiring a logical image from iOS 7 using MPE+.
1- Connect the iPad to the remote desktop to be able to run MPE+
2- Run MPE+
3- Select the device manufacturer and the type of connection
4- Disable the device password as instructed by MPE+
5- Provide the backup encryption password to grant MPE+ full access to the device
6- Select the data that needs to be retrieved
7- Data carving
8- Data carving progress
Figure: MPE+ main page showing device information such as iBoot, IMEI, and more
Figure: SMS and call history data extraction
Figure: Call history database
Figure: Some of the carved data
Figure: Report generation selection
After that, the data was exported to AD1 format and then browsed in FTK.
Analysis and findings
First, FTK was run. Then a case was created and the AD1 file exported by MPE+ was added. This process took around 15 minutes. All photos and videos were deleted intentionally before starting the research.
As a result, MPE+ recovered a large number of deleted media files as well as other file types such as property list files (plist) and SQLite databases (sqlite). iOS artifacts are usually stored in SQLite databases and property list files (N. Kala, 2013). Most of the findings were located under the Library folder. As shown below, MPE+ retrieved various numbers of different file types. The analysis in this paper focuses on approximately 110 SQLite databases, 1400 and 3300 plist files.
The property list file /private/var/mobile/Applications/com.skypeForiPad/Library/Preferences/com.skype.skypeForiPad.plist contains the ID of the last login to the Skype application along with the account's full name.
Manifest.plist, located in \private\var\root\Library\Caches\Backup\5A37EE96-29A2-45E2-B322-5259D722257F, contains valuable information such as the encrypted backup password, device serial number, product type, version and device name.
com.apple.wifi.plist is an interesting file located in \private\var\preferences\SystemConfiguration; it contains the SSIDs of previously connected wireless networks and user names.
The Snapshots folder, located in \private\var\mobile\Library\Caches\Snapshots, contains all snapshots taken by pressing the home and power buttons simultaneously, organized into different folders based on the snapshot itself.
The list of installed applications can be found in \private\var\mobile\Applications.
Safari browsing history is very important in any case. This information can be found in the RecentSearches.plist file located in \private\var\mobile\Applications\4CA48C67-E4B9-4D49-ADE2-BF7B9A0F63A9\Library\Safari.
In \private\var\mobile\Library\Caches\Maps, the SuspendLocation.plist file holds the user's last latitude and longitude.
An alternative location for device information such as operating system, model and serial number is the general.log file located in \private\var\logs\AppleSupport.
The Keyboard folder, located in \private\var\mobile\Library\Keyboard, contains dynamic-text.dat files, which act as a kind of key logger. This folder holds all installed keyboards along with all words typed into the device.
The DataAccess folder, located in \private\var\mobile\Library\DataAccess, contains e-mail account information such as the e-mail service provider and the username.
The password database can be found in the \private\var\Keychains folder.
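As an added worked example (not part of the original paper and not code from MPE+ or FTK), the following Python script shows how an examiner can triage the property list and SQLite artifacts listed above outside the commercial tools: it hashes each file before parsing, loads binary or XML plists with the standard plistlib module, opens a call-history database read-only, and converts Apple's Cocoa absolute timestamps (seconds since 2001-01-01 UTC) to readable UTC. The plist key names and the call table layout are assumed for illustration, and all sample inputs are constructed inside the script.

```python
"""Added example: triage plist/SQLite artifacts from an iOS logical image (schemas ASSUMED)."""
import datetime as dt
import hashlib
import os
import plistlib
import sqlite3
import tempfile

# Many iOS timestamps are Cocoa absolute time (seconds since 2001-01-01 UTC), not Unix time.
COCOA_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)

def cocoa_to_utc(seconds):
    """Convert a Cocoa absolute timestamp to an ISO-8601 UTC string."""
    return (COCOA_EPOCH + dt.timedelta(seconds=float(seconds))).isoformat()

def sha256_file(path):
    """Hash each artifact before parsing so the report can show it was unaltered."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage_plist(path):
    """plistlib.load() reads XML and binary plists alike and returns a dict."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return {"sha256": sha256_file(path), "keys": sorted(data), "data": data}

def triage_call_history(path):
    """Open the call log read-only (never write to evidence) and normalise dates."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    rows = con.execute("SELECT address, date, duration FROM call ORDER BY date").fetchall()
    con.close()
    return [{"address": a, "when": cocoa_to_utc(d), "duration": s} for a, d, s in rows]

def demo():
    """Build CONSTRUCTED sample artifacts in a temp dir and triage them."""
    d = tempfile.mkdtemp()
    loc = os.path.join(d, "SuspendLocation.plist")
    with open(loc, "wb") as f:  # binary plist, the form iOS normally writes
        plistlib.dump({"Latitude": 24.7136, "Longitude": 46.6753,
                       "Timestamp": 415000000.0}, f, fmt=plistlib.FMT_BINARY)
    db = os.path.join(d, "call_history.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE call(address TEXT, date REAL, duration INTEGER)")
    con.executemany("INSERT INTO call VALUES (?, ?, ?)",
                    [("+15550100", 415000100.0, 65), ("+15550199", 414999000.0, 0)])
    con.commit()
    con.close()
    return triage_plist(loc), triage_call_history(db)
```

Run demo() to see the two triage results; the hash and the UTC timestamps are what belong in the examiner's notes alongside the file paths above.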
At the time of writing this paper, there is no means of physically acquiring iOS 7 in a forensically sound manner. At the beginning of 2014, Elcomsoft announced that its software can physically acquire user data from jailbroken devices only (Elcomsoft, n.d.).
MPE+ is proprietary software and, like all closed-source tools, has a drawback: the lack of documentation describing in detail what changes occur on the system partition during the acquisition process. Hence, it is difficult to assure that no footprint is left on the device (Luis Gomez-Miralles, 2012).
Some data were omitted from this paper for privacy reasons: private pictures and the wireless username.
MPE+ with the iLogical feature recovered all intentionally deleted media (pictures and videos), in addition to various numbers of SQLite databases and property list files. These results proved that closed-source software like MPE+ can provide reliable outcomes for law enforcement. Moreover, MPE+ does not need an iTunes backup to be present for the investigation because of its iLogical feature. Additionally, MPE+ does not require the backup encryption password to retrieve the data, although the results might be affected.
AccessData. (n.d.). Mobile Phone Examiner Plus. Retrieved March 10, 2014, from http://www.accessdata.com/products/digital-forensics/mobile-phone-examiner
Apple Inc. (n.d.). iPad2 Specification. Retrieved March 11, 2012, from https://www.apple.com/ipad-2/specs/
Business Wire. (2013, September 24). AccessData Announces Mobile Phone Examiner Plus™ (MPE+™) Support of iOS® 7 Devices. Retrieved March 10, 2014, from http://www.businesswire.com/news/home/20130924006403/en/AccessData-Announces-Mobile-Phone-Examiner-Plus%E2%84%A2-MPE%E2%84%A2#.Ux_vF1FdWc9
Elcomsoft. (n.d.). Elcomsoft iOS Forensic Toolkit. Retrieved March 12, 2014, from Corporate & Forensics Solutions: http://www.elcomsoft.com/eift.html?r1=pr&r2=ios6
Elmer-DeWitt, P. (2014, January 22). How many iPads did Apple sell last quarter? Retrieved March 01, 2014, from CNN Money: http://tech.fortune.cnn.com/2014/01/22/ipad-apple-q1-2014/
Hailey, S. (2002, April 04). The Tools "Proven In Court" Question. Retrieved March 02, 2014, from Cyber Security Institute: http://www.csisite.net/tpicq.htm
Luis Gomez-Miralles, J. A.-M. (2012, January). Versatile iPad forensic acquisition using the Apple Camera Connection Kit. Elsevier, 544-553.
N. Kala, R. T. (2013). A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices. Journal of Advances in Library and Information Science, 2 (2), 82-93.
Rodney, R. (2013, October 17). eForensicsMagazine-RichardRodneyArticle. Retrieved March 01, 2014, from Site Logic Inc.: http://www.sitelogicinc.com/docs/eForensicsMagazine-RichardRodneyArticle.pdf
Zdziarski, J. (2012, May 13). iOS Forensic Investigative Methods. Retrieved March 09, 2014, from http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf