An Introduction To iOS Forensics - Part 1
ABSTRACT
With the increased use of mobile devices, cyber-crime involving them has multiplied, and forensic science has evolved so that its techniques and tools have become specific to particular platforms.
The use of scientific methods for the preservation, collection, restoration, identification, documentation and presentation of digital evidence is what we call computer forensics.
What you should know:
- Readers, to follow these articles you only need basic knowledge of the reasoning behind forensic techniques and analysis.
- Knowledge of iOS.
- Concepts of "Forensic Investigation".
- Information about the device on which you will apply the method.
What you will learn:
- Dear readers, you will increase your knowledge of preparation and of effective methods for applying forensics to mobile devices.
- The best-known tools for iOS devices.
- A standardized technique for avoiding errors.
- How to compare software so you know which is best for each case.
- The key concepts, explained in a simple manner.
- By the end of the reading, you will understand how iOS forensic analysis works.
INTRODUCTION
One of the fundamental principles of forensics is Locard's Exchange Principle. According to this principle, anyone or anything that enters a crime scene carries something of the place away and leaves something behind on departing. In the virtual world of computers, Locard's Exchange Principle still largely holds: wherever the attacker has been, he leaves traces. These traces can be extremely difficult or practically impossible to identify and follow, but they exist. In such cases the forensic analysis process can become extremely complex and time-consuming, requiring the development of new techniques for searching for evidence.
Any digital information able to determine that there was an intrusion, or that indicates a link between the attacker and the victim or between the intrusion and the attacker, can be considered evidence.
The investigator must be able to identify the evidence within the information previously collected.
DIGITAL EVIDENCE, INTRODUCTION
- Digital evidence is information in digital format that is capable of determining whether a computer system has suffered a violation, or that provides a connection to the victim or to the attacker.
- Evidence of this nature can be duplicated exactly: a bit-for-bit copy is indistinguishable from the original.
- With the right methods (for example, cryptographic hashes of the original and of each copy), you can verify whether it has been altered.
- It is highly volatile and may be modified during analysis if the proper precautions are not taken.
PRINCIPLE OF EXCHANGE OF "LOCARD"
Every person who passes through a crime scene leaves something of himself and takes something with him.
Similarly, any person who commits a digital crime leaves traces on the compromised system. The tracks can be difficult to follow, but they are still there.
STANDARD METHODS AND PROCEDURES
- Simplify the process of collecting, storing and analyzing evidence.
- Minimize panic and negative reactions when the examination is conducted under high stress, avoiding possible compromise of the evidence.
- Contribute to the validation of the collected evidence in a criminal prosecution.
- Require a planning phase for their correct implementation.
METHODOLOGY FOR THE TECHNICAL INVESTIGATION
- Collection of information.
- Recognition of the evidence.
- Restoration, documentation and preservation of the evidence found.
- Correlation of the evidence.
- Reconstruction of events.
- Definition of the policies to be followed and the actions to be taken during the examination.
- Preventive measures to avoid compromising the computer system.
- Monitoring to detect incidents when they occur.
- Choice of the most appropriate tools for data collection and evidence analysis.
TOP iOS FORENSICS TOOLS
There are many tools that help with forensic analysis of iOS devices; these are among the best known:
- AccessData MPE+, AccessData Forensic Toolkit, iXAM, iXAMiner, XRY, Neutrino, Lantern, iPhone Backup Analyzer, SecureView, SD Flash Doctor.
TOOLS FOR iOS FORENSICS
Readers, these tools improve the effectiveness of forensic computer examination. I will quote some of the best-known and most widely used analysis software, and the techniques for collecting digital artifacts.
Forensic Toolkit® (FTK®): "Recognized around the world as the standard in computer forensics software.
FTK is a court-accepted digital investigations platform that is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs”.
More information: http://www.accessdata.com/products/digital-forensics/ftk
“BlackLight is a multi-platform forensic analysis tool that allows examiners to quickly and intuitively analyze digital forensic media. BlackLight is capable of analyzing data from Mac OS X computers, iOS devices (iPhone, iPad, iPod Touch) and Windows computers. It is compatible with all leading logical and physical forensic image formats”. BlackBag Technologies
"Elcomsoft iOS Forensic Toolkit (Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS). Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. Elcomsoft iOS Forensic Toolkit allows eligible customers to acquire bit-to-bit images of devices' file systems, extract device secrets (passcodes, passwords, and encryption keys) and decrypt the file system image. Access to most information is provided instantly".
More information: http://www.elcomsoft.com/eift.html
Cellebrite: "The complete solution for Apple devices running any version of iOS! The Cellebrite UFED Series allows extraction of the relevant data for forensic decryption, technical research and analysis of current and deleted data from these devices.
iOS devices: iPhone 2G, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G, iPod Touch 5G, iPad Mini, iPad 1, iPad 2, iPad 3, iPad 4, others.
Different ways to perform data extraction:
Logical and file system extraction (for jailbroken devices) with the UFED Touch.
Physical and file system extraction (for locked devices) with UFED Physical Analyzer".
Oxygen Forensic® "is mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and tablets. Using advanced proprietary protocols permits Oxygen Forensic® Suite 2013 to extract much more data than is usually extracted by logical forensic tools, especially for smartphones".
MPE+ Mobile Forensics "Software supports 7000+ devices, including iOS®, Android™ and Blackberry® devices, as well as devices with Chinese chipsets.
Mobile Forensic Examiner PLUS® is AccessData's market-leading stand-alone mobile forensics software solution that delivers an intuitive interface, data visualization and smart device support in a single forensic interface. MPE+ supports even the most challenging mobile device profiles and features advanced carving, deleted data recovery, SQLite database browsing and filtering options. Furthermore, MPE+® images integrate seamlessly with Forensic Toolkit® (FTK®) computer forensics software, allowing you to correlate evidence from multiple mobile devices with evidence from multiple computers within a single interface".
ANALYSIS ON MOBILE DEVICES
- The analysis should be performed on a copy of the original data; the original must be properly protected. The copy should be bit-for-bit, so that deleted files and other residual information are preserved.
- The collected information and every copy of it should be certified with cryptographic hashes or signatures, so that any later change can be detected.
- Analyzing raw disk and memory data by hand is too slow. Tools for recovering files and dumping processes can streamline the analysis.
- A test environment may be prepared to assist in the analysis procedure.
The entire process should be documented.
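As an added example (not code from this article or from any of the tools it names), the script below applies the points above and the properties of digital evidence listed earlier: it makes a bit-for-bit working copy of an image, hashes the original before and after the copy, records a manifest that documents the acquisition, and re-verifies both files so that a single changed byte in the working copy is detected while the protected original still matches. The image file, the paths and the `acquire_copy`/`verify`/`demo` names are constructed for the example; the constructed image stands in for an acquisition produced by one of the tools above.

```python
"""Evidence integrity for a forensic image: bit-for-bit copy, hashing and
verification. Added example for this article, not code from any tool it
names. The "device image" below is constructed in memory; a real
acquisition would write the image to a write-protected evidence store."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never sit in RAM


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_copy(original: str, working_copy: str) -> dict:
    """Make a byte-exact working copy and record the hashes in a manifest.

    The original is hashed before and after the copy: an unchanged digest
    shows the acquisition did not alter the source. Analysis then runs on
    the working copy and the original is made read-only.
    """
    before = sha256_file(original)
    shutil.copyfile(original, working_copy)  # byte-for-byte copy of the data
    after = sha256_file(original)
    if before != after:
        raise RuntimeError("source changed during acquisition")
    copy_digest = sha256_file(working_copy)
    os.chmod(original, 0o444)  # the original is never written to again
    return {
        "original": original,
        "working_copy": working_copy,
        "size": os.path.getsize(original),
        "sha256": before,
        "copy_matches": copy_digest == before,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(manifest: dict) -> dict:
    """Re-hash both files and report whether each still matches the manifest."""
    return {
        "original_ok": sha256_file(manifest["original"]) == manifest["sha256"],
        "copy_ok": sha256_file(manifest["working_copy"]) == manifest["sha256"],
    }


def demo(tamper_copy: bool = False) -> dict:
    """Run acquisition and verification against a constructed image.

    With tamper_copy=True one byte of the working copy is flipped, which is
    enough for verify() to flag the copy while the original still matches.
    """
    workdir = tempfile.mkdtemp(prefix="ios-evidence-")
    original = os.path.join(workdir, "device.dd")
    working = os.path.join(workdir, "device-working.dd")
    manifest_path = os.path.join(workdir, "manifest.json")

    # Constructed "raw image": an SQLite magic header plus filler, not a real dump.
    with open(original, "wb") as f:
        f.write(b"SQLite format 3\x00" + os.urandom(4096))

    manifest = acquire_copy(original, working)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)  # documented alongside the evidence

    if tamper_copy:
        with open(working, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0x01]))  # simulate an accidental write during analysis

    result = verify(manifest)
    result["copy_matches_at_acquisition"] = manifest["copy_matches"]
    shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(tamper_copy=True))
```

The manifest is what goes into the examination record: it ties the digest, size and acquisition time to the file names, and every later step of the analysis can re-run `verify()` to show that the copy being examined is still the one that was acquired.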
CONCLUSION
Forensics on mobile devices is one of the aspects of information security that draws considerable attention from corporations, ordinary users and the scientific community. Despite the many available tools that greatly facilitate the examiner's work, the final conclusion still depends on the experience and integrity of the professional who conducted the investigation.
About the Author
This article has been written by Rafael Souza, who is a senior security researcher at Rhainfosec.