WHAT YOU NEED TO KNOW
by David Shelton, Advanced Technology Investigations, LLC
Client’s of Advanced Technology Investigations, LLC throughout North Carolina turn to us when there is a possibility of evidence in the form of electronic data with cell phones, computers and other digital devices that hold communication and media. We bring special skills in technology to our Clients to ensure they have all the evidence possible from a team of experienced experts with proven results, giving our Client’s the truth they deserve.
This article is for for experienced Cell Phone Forensic examiners, as well as examiners just getting started with (CPF). Below is what you will learn from this article.
• What you should know about digital forensics on cell phones
• What to expect from a Forensic examination on an Apple iPhone
• Step by Step, conducting the examination
• Plug in tools to assist in interpreting the data
WHAT YOU SHOULD KNOW
• Digital Forensics with Cell Phones is challenging in that, there is no, one tool fits all.
• The Examiner has to have multiple tools, and have a good understanding of data that can be on a cell phone.
• The Examiner must learn a multitude of techniques to make different models of cell phones communicate with the specific workstation.
• Learning as much as possible with continuing training, and experience, will give the examiner the best chance to be successful in their attempts at this ever changing field.
One of the more popular cell phones to attempt a forensic examination on is the Apple iPhone. The iPhone is a smart phone made by Apple. The Apple iPhone can hold tremendous amounts of data. If successful at an acquisition, all the tedious and hard work is quite satisfying to the forensic examiner, in that, the examiner has overcome challenges with each iPhone model and different iOS versions examined, and has most likely used multiple tools to acquire all the available data the iPhone can produce.
WHAT YOU CAN EXPECT FROM AN iPHONE FORENSIC EXAMINATION
Before we began the step by step process we must identify the different types of acquisitions available for the iPhone model and the iOS version running on the particular iPhone. The experienced examiner will know, or will research if the phone to be examined is able to be examined Logically (Data that can be seen), or with a Physical examination (Data that cannot be seen, such as deleted data). There are different tools for each method the examiner can use. The chosen tool will depend on the tools available to the examiner, the circumstances of the case, and the data the examiner is looking for. Several Forensic tools can acquire a physical image of iPhone models previous to the iPhone 4 and below, such as the iphones 3, 3G, and 4. At the time of this paper, there are no forensic tools that will acquire a physical acquisition of the iPhone 4s or the iPhone 5. The examiner will however, still be able to recover a limited amount of deleted text messages located in the logical database file, as well as data that can be carved from application files. Knowing as much information about the case will help the examiner to pick the most appropriate available tools for the case.
There are quite a few challenges with acquiring the data from an iPhone. Several tools are needed to examine the different types of files the examiner successfully acquires. Some of the forensic software’s have several different tools built into the software and automated for the examiner already. There are other software’s that you must conduct separate task with the phone in order to access all the data the iPhone can hold. The Apple iPhone was introduced into the market in 2007. Its proprietary operating system is the iOS. One of the most known challenges of the iPhone is the constant upgrades and patches made with each release of the iOS firmware. As cell phones evolve, the forensic software tools must do the same to attempt to keep up with the newest technology.
There are teams of developers and hackers that constantly work to crack the iOS encryption so the device can be forensically examined. If you start researching iPhone forensics you can find a multitude of books written specifically on topics of the iOS operating systems and how it works, and how to develop apps for it.
PRESERVING THE DATA
The very first and most important step in any Digital Forensic examination is to protect the data from changing so to preserve the source data from changing. There are arguable points as how to accomplish this task. Do you simply turn the phone off or do you protect the device with a Faraday cage to keep the device from communicating with the wireless network? Knowing that a cell phone is a mobile device, there are many possibilities on how the device suddenly became an item of interest to be examined. The first responder at the scene may not be trained in Cell Phone Forensics, and may not have the necessary tools to perform a triage on the spot. Even though a first responder may not be trained in preserving digital evidence, most first responders know that documentation is very important at any incident they may encounter, thus the words document…document…document, must get burned into the first responders brain. Taking a picture of the cell phone, its screen, and any visible ports before deciding to cut the phone off or to faraday protect the phone is a reasonable and smart decision to make.
If the situation is that the first responder has access to a faraday cage, it is important to note that some models of iPhones have a metal exterior showing around the edges of the phone, and if you place a faraday article against the metal of the phone, instead of blocking the cellular signal, the result could be that you actually cause an antenna effect of the phone shell and boost the signal to the iPhone. It’s always good to have some way of isolating the phone from the actual faraday protectant, just in case this situation arises. If faraday protection isn’t an option, placing the iPhone in airplane mode will disconnect the phone from the network as well. It is important for the first responder to document and let the examiner know what state the iPhone will be arriving, so the examiner can reduce the chances that the data can be wiped from the user’s account at a later time by the User. These items conducted properly will allow the examiner to report the proper preservation of the data. The first responder and the examiner will be responsible in establishing a chain of custody to follow the cell phone from the time the cell phone is in possession, until the conclusion of the case.
Once in the lab the iPhone can be examined using a multitude of tools. The examiner needs to be aware of how a physical acquisition is obtained by understanding the iPhone iOS firmware tools which will assist in acquiring a bit by bit image of the target iPhone memory. Some tools will automatically execute commands to the phone while the phone is placed in DFU mode, in order to execute a temporary root which will allow for a bit by bit copy of the phone memory, then restore the iPhone back to its normal state without altering any data on the phone, such as process ran on products like Cellebrite and AccessData’s MPE+. Depending on the tools available, the examiner may have no other choice except to use multiple tools in order to acquire a physical image, then use a other tools to analyze the image. At times when Apple releases a new iOS and before the forensic software manufactures release their update to support the new iOS, the examiner may have no other choice other than to perform a jailbreak on the target iPhone in order to obtain a physical acquisition of a newly released update of the target iPhone. An experienced examiner that has been trained with the iOS developer tools and has a clear understanding of how different tools work with different iOS versions, can be well prepared for any challenges the examiner may face during the forensic examination of the iPhone.
To learn how Forensics can help your case, call for a FREE Consultation at: 336-298-1556