Getting Started with iOS Forensics
With passage of time, mobile cellular subscriptions have risen to a great extent. Mobile phones have become one of the personal and most crucial electronic devices that a user accesses now days. From simple communication (calling, texting) to clicking photos, these smart and small sized devices are used for internet browsing, saving documents and identifying location with GPS and much more. With evolution of these portable data carriers, have got potential to store variety of information in it.
Increasing commonness of mobile phones in daily lives has forced us to find evidence in order to investigate the user database over iOS devices. Mobile forensics is the branch of digital forensics that deals with extracting forensically sound evidences from mobile.
iOS (iPhone OS) Forensics
iOS is a mobile Operating System that is developed by Apple Inc. It is the OS that is a part of most of the applications developed by the company that includes iPhone, iPad, and iPod. It has the file system HSFX to store and manage the database. The key to successful iPhone forensics is analysis of data and converting it to useful evidence
There are two types of timestamps that an iPhone use. While using the tools for forensics purpose, the examiner has to ensure that the tools convert the timestamp properly. If there is access to the raw SQLite files, then the timestamps can be manually verified.
Unix Timestamp: The epoch time of Unix gets started from 1st January 1970. The Unix Timestamp is the number of seconds that offsets the epoch.
Mac Absolute Time: The Mac epoch time starts from 1ST January 2001. There is a difference of 978, 307, 200 seconds between the Mac and Unix epoch.
For forensics of iOS device the logical acquisition of data is require which could reveal the Phone secrets. The data stored in iPhone, iPad & iPod is in SQLite format. SQLite is a database engine of SQL (Structured Query Language) that is an open source. It is transactional in nature and does not require any set-up, installation, configuration files, or administration. This server less database management system is a popular DB format on various mobile platforms.
Like other smart phones in the market, iPhone also makes heavy use of SQLite for storing its database like calendar, messages, notes, phone information etc. Moreover, third party applications that are installed on iOS (For example: Whatsapp, Skype) also use SQLite database to store their data.
The SQLite database is stored in single disk file which may or may not have file extension. Usually, you will find the database saved with .db or sqlitedb file extension but this can vary also vary (according to the application that uses the SQLite).
The address book will contain all personal contact information of the user, except for those from the third party application. This will get saved into the Home Domain file that will be available following location:
'private/var/mobile/library/ addressbook /addressbook.sqlitedb'
When the addressbook.sqlitedb file is further explored in a SQLite browser, three tables will give suitable information to the examiner:
Received, Dialed, or Missed call details of iPhone gets saved into SQLite database along with the metadata like date, time, day, call duration, etc. This information gets saved into WirelessDomain file at:
In this file, details of only 100 calls will be stored (collaboratively received, dialed, and missed) and the older entries will be removed from the records. However, these records can still be recovered from the free SQLite space through manual hex examination.
In the call_history.db file, there will be a table named "call" that will have information about phone number of the other party, the duration for call (in seconds), the UNIX timestamp of when the conversation initiated, the mobile country code etc. This table will also has status flag that helps to identify the call type.
The multimedia messages that are sent from or to the phone along with relation information like date, time, number of the remote party etc. From iOS 5, the iMessage data gets saved into the SMS database only. iMessage is a proprietary service by Apple that allows sending text, multimedia messages, audios, videos from one iOS device to another. This database gets saved into the Home Domain at:
SMS Spotlight Cache
The SMS data of iOS is indexed in a database so that it can be quickly searched. This Spotlight is a search feature that is used for the entire device. The Spotlight Cache database gets saved into Home Domain at:
In Safari browser, the user is allowed to bookmark important websites on machine. This database will be saved into Home Domain at:
While the recently downloaded and cached data gets saved at:
The detailed information of photos stored in the photo album in iOS gets saved in SQLite database at:
'private/var/mobile/library/ addressbook /addressbook.sqlitedb'
The geolocation history of the device is saved in any of the following databases:
These database files are the part of Root Domain. The information about the cell towers that were close to device or the Wi-Fi networks that were available for connection will be saved in this files.
The email database of applications get saved into SQLite database in the Home Domain. The database is saved with no extension and is saved at:
Note: The attachments will be saved at Mail directory.
For viewing the data in SQLite databases, there are free applications available online. However, particularly for forensically examining the database (opening, data recovery, reporting etc.) applications like SQLite Forensics Explorer have been in the market for help.
A Word of Caution!
At the time of seizure from the crime scene, if the mobile phone is switch off, it should be put off into the faraday bag so that when it is switch-on, no changes are made into it. The reason why the iPhone or any other mobile phone should be saved into a faraday bag is it separates the phone from the network.
Mobile phones are made to send and receive the data through varies sources. For example: Bluetooth, Wi-Fi access points etc. In case the phone is in functional state, the criminal can try to make crucial data inaccessible through wipe out commands. So, if possible, disconnect the phone from any network by enabling the airplane mode and put it into a faraday bag.