iOS Forensic Analysis

Eva Mendis | October 30th, 2017 | Forensics

One of the biggest challenges Apple has faced since the launch of the iPhone is the large number of attackers who target it, and the growing number of criminal cases that involve an iPhone calls for sound techniques for iOS forensic analysis of a suspect's device. In this write-up we put forth the analysis we carried out on the iPhone's operating system, iOS. iOS devices have traditionally stored their data on HFS+ (Hierarchical File System Plus), in its case-sensitive HFSX variant; HFS+ is Apple's extension of the HFS (Hierarchical File System) it has used on the Mac since 1985, not a file system created for iOS. Devices updated to iOS 10.3 or later are converted to Apple's newer APFS, so the first step of an examination is to confirm which file system the image actually contains. The structures described below are those of HFS+.

Structure of Hierarchical File System

HFS+ addresses storage in two units, logical blocks and allocation blocks, so an examination of the file system starts with them.

  • Logical Blocks

Logical blocks are fixed 512-byte sectors. They are numbered from the first block of the volume to the last, and the numbering never changes.

  • Allocation Blocks

Allocation blocks are groups of consecutive logical blocks (for example, eight 512-byte logical blocks make one 4 KiB allocation block). HFS+ allocates space in these larger units, and grows files in groups of them called clumps, to reduce fragmentation and improve performance.

An HFS+ volume is laid out in the following structures:

  • Boot Blocks

The first 1024 bytes of the volume (logical blocks 0 and 1) are reserved as the boot blocks.

  • Volume Header

The 512-byte volume header starts at byte 1024, immediately after the boot blocks, and describes the whole volume: the signature ('H+', or 'HX' for the case-sensitive variant used on iOS), the allocation block size, the total and free block counts, the volume dates, and the location of the five special files below. A copy, the alternate volume header, is stored 1024 bytes before the end of the volume, which lets an examiner compare the two and detect a damaged or tampered primary header.

  • Allocation File

The allocation file is a bitmap with one bit per allocation block, marking which blocks are in use and which are free. It is an ordinary file on the volume, so its size can change, for example when the volume is resized.

  • Extents Overflow File

The extents overflow file records the extents (runs of contiguous allocation blocks) of a file that do not fit in the eight extents kept in its catalog record. The records are stored in a balanced tree (B-tree) keyed by file ID and starting block.

  • Catalog File

The catalog file describes every file and folder on the volume. It is a B-tree made up of header, map, index and leaf nodes, and each catalog record carries the item's metadata, including its creation, content-modification, attribute-modification, access and backup dates, which is why it is central to iOS forensic analysis.
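The checks described above, parsing the volume header at byte 1024 and comparing it with the alternate header near the end of the volume, as an added example that is not part of the original article. The field layout follows Apple's TN1150; the sample volume image is constructed in the block (an otherwise empty volume with only the two headers) and is not a real device dump.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout per Apple TN1150: 1024 reserved boot bytes, then a 512-byte volume header;
# an alternate copy sits 1024 bytes before the end of the volume.
BOOT_BLOCKS_SIZE = 1024
VOLUME_HEADER_SIZE = 512
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS dates count seconds from here

# Fixed part of HFSPlusVolumeHeader (112 bytes, big-endian).
FIXED_FMT = ">2sH17IQ8I"
FIXED_FIELDS = (
    "signature", "version", "attributes", "lastMountedVersion", "journalInfoBlock",
    "createDate", "modifyDate", "backupDate", "checkedDate", "fileCount", "folderCount",
    "blockSize", "totalBlocks", "freeBlocks", "nextAllocation", "rsrcClumpSize",
    "dataClumpSize", "nextCatalogID", "writeCount", "encodingsBitmap",
)
# Then five HFSPlusForkData records (80 bytes each): logicalSize, clumpSize, totalBlocks and
# eight (startBlock, blockCount) extents. Extents beyond these eight live in the extents overflow file.
FORK_FMT = ">QII16I"
FORK_NAMES = ("allocationFile", "extentsFile", "catalogFile", "attributesFile", "startupFile")


def hfs_date(seconds):
    """Convert an HFS+ date to ISO-8601 (createDate is local time per TN1150, the others UTC)."""
    return (HFS_EPOCH + timedelta(seconds=seconds)).isoformat()


def parse_volume_header(buf, offset):
    """Parse the 512-byte HFS+/HFSX volume header found at buf[offset]."""
    fixed = struct.unpack_from(FIXED_FMT, buf, offset)
    hdr = dict(zip(FIXED_FIELDS, fixed[:20]))
    hdr["finderInfo"] = fixed[20:]
    if hdr["signature"] not in (b"H+", b"HX"):
        raise ValueError(f"not an HFS+ volume header: {hdr['signature']!r}")
    pos = offset + struct.calcsize(FIXED_FMT)
    for name in FORK_NAMES:
        v = struct.unpack_from(FORK_FMT, buf, pos)
        hdr[name] = {
            "logicalSize": v[0], "clumpSize": v[1], "totalBlocks": v[2],
            # keep only extents with a non-zero block count
            "extents": [(v[3 + 2 * i], v[4 + 2 * i]) for i in range(8) if v[4 + 2 * i]],
        }
        pos += struct.calcsize(FORK_FMT)
    return hdr


def check_volume(image):
    """Parse both headers and run the sanity checks an examiner wants before trusting the volume."""
    primary = parse_volume_header(image, BOOT_BLOCKS_SIZE)
    alternate = parse_volume_header(image, len(image) - 1024)
    return {
        "signature": primary["signature"].decode("ascii"),
        "blockSize": primary["blockSize"],
        "totalBlocks": primary["totalBlocks"],
        "created": hfs_date(primary["createDate"]),
        "catalogExtents": primary["catalogFile"]["extents"],
        "alternateMatches": primary == alternate,          # tampered/damaged primary header?
        "sizeMatchesImage": primary["blockSize"] * primary["totalBlocks"] == len(image),  # truncated image?
    }


def build_sample_image(block_size=4096, total_blocks=64):
    """Constructed sample volume (headers only, no catalog contents) used to exercise the parser."""
    created = int((datetime(2017, 10, 30, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(
        FIXED_FMT, b"H+", 4,
        0x100,                      # attributes: kHFSVolumeUnmountedBit (cleanly unmounted)
        0x31302E30,                 # lastMountedVersion, arbitrary '10.0'
        0, created, created, 0, 0,  # journalInfoBlock, create/modify/backup/checked dates
        0, 0,                       # fileCount, folderCount
        block_size, total_blocks, total_blocks - 8, 8,
        block_size, block_size, 16, 1, 0, *([0] * 8))

    def fork(start, blocks):
        extents = [start, blocks] + [0] * 14
        return struct.pack(FORK_FMT, blocks * block_size, block_size, blocks, *extents)

    # allocation file at block 1, extents file at block 3, catalog at blocks 4-5, rest empty
    header = fixed + fork(1, 1) + fork(3, 1) + fork(4, 2) + fork(0, 0) + fork(0, 0)
    assert len(header) == VOLUME_HEADER_SIZE
    image = bytearray(block_size * total_blocks)
    image[BOOT_BLOCKS_SIZE:BOOT_BLOCKS_SIZE + VOLUME_HEADER_SIZE] = header
    image[-1024:-1024 + VOLUME_HEADER_SIZE] = header
    return bytes(image)


if __name__ == "__main__":
    print(check_volume(build_sample_image()))
```

On a real image the same two checks are worth running first: a primary header whose totals disagree with the alternate header or with the image length points at a truncated acquisition or at deliberate modification, and either invalidates conclusions drawn from the catalog.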

Partitions In iOS

There are two partitions on an iOS device:

  • System Partition

The system partition is mounted read-only and holds the operating system: system files, upgrade files and the stock applications, but no user data. During a firmware upgrade it is not patched but replaced: iTunes (or the over-the-air updater) writes the new system image over it. Its size varies between about 0.9 and 2.7 GB depending on the iOS version.

  • Data Partition

The data partition holds the user's data and is the most important partition from an iOS file system forensics point of view. It is where the applications installed from iTunes or the App Store and the user's profile and application data live, and it is mounted at /private/var.

Data stores examined in iOS forensic analysis

SQLite

SQLite is the most widely used database format in open-source applications and on phones, and Apple has embraced it for storing iOS data on the device as well. Native applications that keep their data in SQLite databases include Calendar, Messages, Notes, Address Book (Contacts) and Photos.

Property List

A property list (plist) is a structured data file that iOS uses to store settings and small records. Apple originally used the NeXTSTEP text format for these files; today they appear either as XML or, more commonly on the device itself, in Apple's binary format, whose files begin with the magic bytes bplist00. A forensic tool has to handle both, and binary plists are not readable in a plain text editor, so a plist that looks like garbage in a text dump has usually not been corrupted, only stored in binary form.
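Detecting the plist form from its leading bytes and parsing XML and binary files with the same code, as an added example that is not part of the original article. The sample plist is constructed inline in the shape of a list of location clients; its keys are assumptions for illustration and not the schema of any real iOS file. The standard library's plistlib reads both XML and binary plists but not the legacy NeXTSTEP text form, which the code reports rather than guesses at.

```python
import plistlib
from datetime import datetime


def detect_plist_format(data):
    """Classify a plist by its leading bytes without parsing it."""
    if data.startswith(b"bplist0"):
        return "binary"            # Apple binary plist, magic 'bplist00'
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    if head.startswith(b"{") or head.startswith(b"("):
        return "openstep"          # legacy NeXTSTEP/OpenStep text form
    return "unknown"


def load_plist(data):
    """Parse an XML or binary plist into Python objects; plistlib sniffs the format itself."""
    fmt = detect_plist_format(data)
    if fmt == "openstep":
        raise ValueError("OpenStep/NeXTSTEP text plists are not supported by plistlib")
    return fmt, plistlib.loads(data)


def flatten(obj, prefix=""):
    """Flatten nested dicts and arrays into (dotted.key, value) pairs for quick triage."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


# Constructed sample (assumed keys, not a real iOS schema). Plist dates are UTC and
# come back from plistlib as naive datetime objects.
SAMPLE = {
    "com.example.maps": {
        "Authorized": True,
        "LastActivity": datetime(2017, 10, 29, 8, 15, 0),
        "Executable": "/Applications/Maps.app/Maps",
    },
    "com.example.weather": {"Authorized": False, "Token": b"\x00\x01\x02"},
}


def demo():
    """Serialise the sample both ways, parse each back, and return the parsed objects."""
    xml_bytes = plistlib.dumps(SAMPLE)                            # default is FMT_XML
    bin_bytes = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)   # what iOS mostly stores
    results = {}
    for blob in (xml_bytes, bin_bytes):
        fmt, parsed = load_plist(blob)
        results[fmt] = parsed
    return results, dict(flatten(results["binary"]))


if __name__ == "__main__":
    parsed, flat = demo()
    for key, value in flat.items():
        print(f"{key} = {value!r}")
```

The flattened view is the form that is easiest to grep or to load into a timeline: every nested value becomes one line keyed by its path, with <data> fields kept as bytes and <date> fields as datetimes rather than strings.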

Analysis of iOS Logical Data

The iOS file system records modified, accessed, changed (metadata changed) and born (created) times, the MACB timestamps, which are crucial evidence in any case involving iOS forensic analysis. Placed on a timeline, these MACB times reveal the sequence of events an investigation needs.

The directory structure is the same on all iOS devices and is the hub of all the information. The layout resembles a UNIX file system, and the files are stored as text, XML, binary and SQLite database formats. The data of the default applications is stored under /private/var/mobile/Library. These default applications are:

    1. Address Book

The address book is the most important and central database in the iOS system. It is located under /private/var/mobile/Library/AddressBook.

There are primarily two databases in AddressBook:

      • AddressBook.sqlitedb: contains the contact records
      • AddressBookImages.sqlitedb: contains the contact images
    2. Caches

The caches directories hold cached data about the device, especially on the iPhone. The user-level cache is /private/var/mobile/Library/Caches, and the location daemon keeps its own cache under /private/var/root/Library/Caches/locationd. Some of the directories of importance are:

      • appleWebAppCache: stores the data required by web apps
      • locationd: holds the geolocation data of the iOS device, in the following files:

consolidated.db: contains the cell tower and Wi-Fi access point location data the device has collected (tables such as CellLocation and WifiLocation). Since iOS 4.3.3 Apple keeps this cache much smaller, excludes it from iTunes backups and clears it when Location Services are turned off, so the amount of history present depends heavily on the iOS version.

clients.plist: lists the applications and services that have been granted access to location data.

    3. Call History

The call history is stored in call_history.db under /private/var/wireless/Library/CallHistory (on iOS 8 and later it moved to CallHistory.storedata under /private/var/mobile/Library/CallHistoryDB). The call table keeps at most the last 100 calls, covering missed, incoming and outgoing calls, so older entries survive only as deleted records in the file's unused space. Its columns include:

    • ROWID: the record number of a call.
    • address: the number of the incoming or outgoing call.
    • date: the date and time of the call stored as a Unix timestamp (seconds since 1970-01-01 UTC), which any epoch converter turns into a readable date.
    • duration: the duration of the call in seconds.
    • flags: indicates whether the call was incoming, outgoing or missed.
    • country_code: the country code from which the call originated.
    4. Text Messages

Text messages are another useful source of information in the examination of an iOS device. They are stored in sms.db under /private/var/mobile/Library/SMS. Besides the current messages, the file can still hold deleted ones, because SQLite does not overwrite a deleted record until its page is reused or the database is vacuumed; a tool that opens the database read-only and carves its free space can recover them. The database stores the text, the phone number, the content and related attributes of each message. The message table includes the following columns:

  • ROWID: the record ID of the text message.
  • address: the contact to which the message was sent or from which it was received (newer schemas keep the number in a separate handle table, joined through handle_id).
  • date: the date on which the message was sent or received. In early iOS versions this is a Unix timestamp; later versions store seconds, and iOS 11 nanoseconds, since 2001-01-01 UTC (Mac absolute time), so check the epoch before converting.
  • text: the content of the message. It is blank for an MMS, whose attachment is stored separately.
  • flags: the type of message, Sent, Received or Unsent SMS (newer schemas replace this with is_from_me, is_sent and is_delivered columns).
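A worked example for the call history and text message sections above, added here and not part of the original article: it builds a sample call table and message table with the columns described, converts each table's own epoch (Unix seconds for calls, Mac absolute time for messages) into one UTC timeline, and then shows why deleted messages can still be recovered from sms.db. The rows are constructed, not taken from a device, and the flag values used for the sample (4 incoming, 5 outgoing; 2 received, 3 sent, 33 unsent; an incoming call of zero duration treated as missed) are assumptions for the sample only and should be verified against the iOS version under examination.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)           # call_history.db dates
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # newer sms.db dates

# Flag meanings assumed for the constructed sample (verify against the real schema/version).
CALL_FLAGS = {4: "incoming", 5: "outgoing"}
SMS_FLAGS = {2: "received", 3: "sent", 33: "unsent"}

SCHEMA = """
CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                   duration INTEGER, flags INTEGER, country_code TEXT);
CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                      text TEXT, flags INTEGER);
"""

# 2017-10-30 00:00:00 UTC is 1509321600 Unix seconds and 531014400 Mac absolute seconds.
DAY = 1509321600
MAC_DAY = 531014400
CALLS = [  # constructed sample rows
    (1, "+15551234567", DAY + 3600, 95, 4, "1"),
    (2, "+15557654321", DAY + 7200, 0, 4, "1"),     # incoming, zero duration: treated as missed
    (3, "+15551234567", DAY + 10800, 312, 5, "1"),
]
MESSAGES = [  # constructed sample rows
    (1, "+15551234567", MAC_DAY + 1800, "meet at 9?", 2),
    (2, "+15551234567", MAC_DAY + 5400, "on my way", 3),
    (3, "+15557654321", MAC_DAY + 9000, None, 3),   # NULL text: an MMS, body stored elsewhere
]


def to_utc(seconds, epoch):
    """Render a raw timestamp as UTC using the epoch of the table it came from."""
    return (epoch + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db(path):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO call VALUES (?,?,?,?,?,?)", CALLS)
    con.executemany("INSERT INTO message VALUES (?,?,?,?,?)", MESSAGES)
    con.commit()
    return con


def timeline(con):
    """Merge calls and messages into one UTC-ordered list of (time, kind, address, type, detail)."""
    rows = []
    for address, date, duration, flags in con.execute(
            "SELECT address, date, duration, flags FROM call"):
        kind = CALL_FLAGS.get(flags, f"flags={flags}")
        if kind == "incoming" and duration == 0:
            kind = "missed"
        rows.append((to_utc(date, UNIX_EPOCH), "call", address, kind, f"{duration}s"))
    for address, date, text, flags in con.execute(
            "SELECT address, date, text, flags FROM message"):
        rows.append((to_utc(date, MAC_ABSOLUTE_EPOCH), "sms", address,
                     SMS_FLAGS.get(flags, f"flags={flags}"),
                     text if text is not None else "<no text>"))
    return sorted(rows)


def freelist_after_delete(path, marker="CARVE-ME-0042"):
    """Insert and delete many messages; freed pages stay on the freelist until VACUUM rewrites the file."""
    con = sqlite3.connect(path)
    filler = marker + " " * 200
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?,?,?,?)",
                    [("+15550000000", MAC_DAY + i, filler, 2) for i in range(400)])
    con.commit()
    con.execute("DELETE FROM message WHERE text LIKE ?", (marker + "%",))
    con.commit()
    before = con.execute("PRAGMA freelist_count").fetchone()[0]
    with open(path, "rb") as fh:                # raw bytes, as a carver would see them
        marker_still_on_disk = marker.encode() in fh.read()
    con.execute("VACUUM")                        # what an examiner must NOT do to the evidence copy
    after = con.execute("PRAGMA freelist_count").fetchone()[0]
    con.close()
    return before, after, marker_still_on_disk


def demo():
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = build_sample_db(path)
    rows = timeline(con)
    con.close()
    before, after, on_disk = freelist_after_delete(path)
    return rows, before, after, on_disk


if __name__ == "__main__":
    rows, before, after, on_disk = demo()
    for row in rows:
        print(*row)
    print(f"freelist pages before VACUUM: {before}, after: {after}, deleted text still in file: {on_disk}")
```

Whether the deleted text is still readable in the raw file depends on the SQLite build (the secure_delete option zeroes freed content), which is why the block reports it rather than assuming it; the freelist count, however, drops to zero after VACUUM regardless, and with it any chance of carving those pages. Work on a hash-verified copy and open it read-only.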

iOS devices store an enormous amount of data of value to an iOS forensic analysis. Extracted in the right form and with careful measures, that evidence can show a suspect to be guilty or innocent.