Apple iOS Forensic Primer

The operating system that Apple licenses to its users is iOS. It is resident on, and runs, their mobile devices (the iPod, iPhone and iPad). Legally, Apple specifically states that it retains ownership of iOS. There is a legal precedent being argued (by the US DOJ) that would hold Apple to its continued ownership interest in iOS. This means the company could potentially be subpoenaed to assist law enforcement in exploiting software on a target phone (which runs iOS) during the execution of a search warrant.

While authorities wait for the decision on this particular legal argument, iOS forensics is necessary whenever the Apple device in question has been used in a crime or is found to be evidence of one. While the DOJ argues the precedent that “a product’s continued ownership interest in a product after it is sold obliges the company to act as an agent of the state”, the administrator needs to be able to pull data off the device immediately in the course of an investigation. Even if an administrator is only trying to see whether a user is violating (or has violated) company policy, there is a need to access the data on the device.

A lot of data gets stored on iPhones; some people have more data on their iPhone than on their computers. If you browse the phone’s storage (typically with a phone disk tool) you will not be able to see the full file system, but if you could, it bears a strong resemblance to Mac OS X. Mac OS X is built on a core called “Darwin”, and the iPhone has the same directory structure that the Mac operating system has.

For example, the maximum number of allocation blocks per volume that the File Manager can access on a Mac OS system is 65,535. iOS is essentially a Mac OS system that has been tuned and tailored to run on the smaller mobile devices, which have different processors in them.

As we examine the directories and their subdirectories, we see what is available as we dig down inside the device. The “DCIM” directory holds the “100 Apple” directory, which shows the administrator where all of the pictures are. There is also a downloads directory (which holds all downloads), an iTunes directory (which holds all MP3 files), and so on. The significance is that all of these directories give you the ability to see user data on a particular system.

Another place to look for system information is a terminal window on the computer the device syncs with. The terminal gives an administrator a command-line interface for examining the device data that has been copied to that computer. Complete access is obtained by invoking “sudo”, the superuser command. You type:

$ sudo su            (the administrator becomes the superuser; the prompt changes to #)

# cd /Users/clyde    (change directory to the user’s home directory)

# pwd                (print the working directory)

/Users/clyde         (the shell’s answer: this is our current directory)

The terminal gives us the ability to examine the data as the superuser, which means complete access to the file system, including files the logged-in user could not otherwise read. Instead of looking at the phone itself with different tools, you can analyze the synced data through the command line.

# cd Library/                 (change directory to the user’s Library)
# cd "Application Support/"   (change directory to Application Support; the name contains a space, so it is quoted)

# ls                          (list the contents of the directory, looking for the MobileSync directory)

An administrator can examine and analyze the device’s MobileSync data in relation to the computer the device has been syncing with.

# cd MobileSync      (change directory to the MobileSync directory)

# ls                 (list the contents of the directory)

Backup               (the shell’s answer: the contents of the directory)

# cd Backup          (change directory to the Backup directory)

# ls                 (this lists all of the backups in the Backup directory, one per device)

This is significant because, in addition to examining the device data, I can pull up all of the backups and select one. There is a lot of data stored in the backups; these files are simply the backup information that has been stored on the computer’s hard drive. When a connected device (whether an iPad or an iPhone) has its data copied onto the computer, an administrator can analyze the data in the backup in addition to looking at the directory on the phone itself with a utility like “Phone Disk”. If you don’t have the phone but you do have the computer, you may have almost as good a set of information as if you had the phone, because the backup has to store everything needed to restore the phone, that is, everything that was previously on it.

If you have a user’s computer and you find the iPhone backups on it, you have the information that was stored on the phone. There are utilities that analyze these iPhone backups and extract information from them, giving an administrator the ability to examine all of the data captured in the scheduled backups.

When performing iOS forensics, looking at the phone’s data is not the only option, because an administrator sometimes cannot get at the data if the phone has a passcode. However, if you have access to the backup directory on the computer the phone syncs with, you may have a better chance of getting the data from that device, doing the forensic analysis of the phone while actually working on the computer where the backups are stored. This is what defeats iOS’s ability to thwart administrators and law enforcement from performing a forensic analysis.
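To show what the backup directory on the syncing computer yields, here is an added example (not code from the original article): a Python script that inventories each backup under ~/Library/Application Support/MobileSync/Backup/, reads the device name and iOS version from Info.plist, reports whether the backup is password-encrypted (a passcode on the phone does not stop the examiner, but an encrypted backup does need the backup password before any file in it is readable), and cross-checks every Manifest.db entry against its on-disk file. The iOS 10+ layout it assumes (the Info.plist keys, the IsEncrypted flag in Manifest.plist, the Files table in Manifest.db and the SHA-1 file naming) is an assumption of the example, not something the article states, and should be verified against a real backup; the sample backup is constructed inline so the script runs offline.

```python
"""Inventory iOS backups on the syncing Mac (added example, not from the article).

Assumed iOS 10+ backup layout, to be verified against your own sample:
  ~/Library/Application Support/MobileSync/Backup/<device UDID>/
      Info.plist      device metadata ("Device Name", "Product Version", ...)
      Manifest.plist  includes the "IsEncrypted" flag
      Manifest.db     SQLite; table Files(fileID, domain, relativePath, flags, file)
      <xx>/<fileID>   file contents, where fileID = SHA-1("<domain>-<relativePath>")
"""
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime
from pathlib import Path

DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def file_id(domain, relative_path):
    """Name under which a backed-up file is stored (assumed iOS 10+ scheme)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def inventory_backup(backup_dir):
    """Return device metadata, the encryption flag and the manifest's file list."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)

    # Open the manifest read-only so the examination does not modify the evidence.
    uri = Path(backup_dir, "Manifest.db").resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT fileID, domain, relativePath FROM Files").fetchall()
    finally:
        con.close()

    files = []
    for fid, domain, rel in rows:
        # A manifest name that does not hash correctly means the manifest or the
        # file store was altered after the backup was taken: stop and report it.
        if fid != file_id(domain, rel):
            raise ValueError(f"manifest entry {fid} does not match {domain}-{rel}")
        present = os.path.isfile(os.path.join(backup_dir, fid[:2], fid))
        files.append((domain, rel, present))

    return {
        "device_name": info.get("Device Name"),
        "product_version": info.get("Product Version"),
        "last_backup": info.get("Last Backup Date"),
        # An encrypted backup needs the backup password before any file is readable.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "files": sorted(files),
    }


def list_backups(root=DEFAULT_ROOT):
    """Map every backup directory under `root` (one per device UDID) to its inventory."""
    result = {}
    if os.path.isdir(root):
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            if os.path.isfile(os.path.join(path, "Manifest.db")):
                result[name] = inventory_backup(path)
    return result


def make_sample_backup(root, udid="00008030-CONSTRUCTED-UDID", encrypted=False):
    """Write a constructed, minimal backup so the example runs without a real device."""
    backup_dir = os.path.join(root, udid)
    os.makedirs(backup_dir, exist_ok=True)
    with open(os.path.join(backup_dir, "Info.plist"), "wb") as fh:
        plistlib.dump({"Device Name": "Clyde's iPhone", "Product Version": "12.4",
                       "Last Backup Date": datetime(2019, 8, 1, 12, 0, 0)}, fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    entries = [  # constructed (domain, relativePath, whether the blob is written to disk)
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", True),
        ("HomeDomain", "Library/SMS/sms.db", True),
        ("HomeDomain", "Library/Safari/History.db", False),  # listed but missing
    ]
    for domain, rel, present in entries:
        fid = file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
        if present:
            os.makedirs(os.path.join(backup_dir, fid[:2]), exist_ok=True)
            Path(backup_dir, fid[:2], fid).write_bytes(b"constructed placeholder")
    con.commit()
    con.close()
    return backup_dir


def demo():
    """Build the constructed backup in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_backup(root)
        return list_backups(root)


if __name__ == "__main__":
    for udid, inv in demo().items():
        print(udid, inv["device_name"], inv["product_version"],
              "encrypted" if inv["encrypted"] else "unencrypted")
        for domain, rel, present in inv["files"]:
            print("  ", "ok     " if present else "MISSING", domain, rel)
```

Run it as-is to see the constructed sample, or call list_backups() with no argument on a Mac to inventory the real backup directory. The manifest-to-hash check and the "MISSING" flag are the parts worth keeping in an examiner's toolkit: they tell you whether the backup copy you are working from is complete and unmodified before any conclusions are drawn from it.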

Source: Apple iOS Forensic Primer, http://www.sooperarticles.com/technology-articles/mobile-computing-articles/apple-ios-forensic-primer-1453263.html#ixzz40dsmaebc
