iOS Forensic Analysis
One of the greatest challenges Apple has faced since the launch of the iPhone is the large community of attackers who target the device for unlawful activities. The rapid increase in criminal cases involving iPhones calls for up-to-date techniques for forensic analysis of a suspect's device. In this write-up we present the analysis we carried out on the iPhone operating system, iOS. To support the large storage needs of iOS, Apple introduced a file system designed specifically for this operating system: HFS (Hierarchical File System).
Structure of Hierarchical File System
During iOS forensic analysis, we first investigate the two kinds of HFS blocks: logical blocks and allocation blocks.
- Logical Blocks
Logical blocks use a 512-byte block scheme. They are numbered from the first to the last block on the volume, and this numbering remains static.
- Allocation Blocks
Allocation blocks are groups of logical blocks tied together into clumps to improve HFS performance.
The HFS volume structure examined in iOS file system forensics consists of the following:
- Boot Blocks
The first 1024 bytes of the volume (sectors 0 and 1) are the boot blocks.
- Volume Header
The 1024 bytes after the boot blocks hold the HFS volume header, which contains the information about the entire volume. The last 1024 bytes of the volume hold a backup copy of the volume header.
- Allocation File
The allocation file tracks which allocation blocks are currently in use by the system and which are free. The size of the allocation file can change.
- Extents Overflow File
This file tracks the allocation tables used by each file. This information is recorded in an ordered form as a balanced tree (B-tree).
- Catalog File
HFS uses the catalog file to describe the files and folders present on the volume. For iOS forensic analysis it maintains a hierarchy of nodes: header, index, leaf and map nodes. It also holds file metadata such as the created, modified and accessed dates.
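As an added example (not from the original write-up), the following Python script parses the leading fields of an HFS+ volume header at the offsets described above, reads the backup copy from the last 1024 bytes of the volume and cross-checks the two. The volume image it runs on is constructed in memory, and the dates and counts written into it are made-up values.

```python
"""Parse and cross-check the HFS+ volume header of a raw volume image (added example)."""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS dates are seconds since 1904-01-01 UTC
# Leading fields of the big-endian HFS+ volume header (Apple TN1150): signature, version,
# attributes, lastMountedVersion, journalInfoBlock, four dates, fileCount, folderCount,
# blockSize, totalBlocks, freeBlocks.  The rest of the 512-byte header is not needed here.
HEADER_FMT = ">2sH" + "I" * 12
FIELDS = ["signature", "version", "attributes", "last_mounted_version", "journal_info_block",
          "create_date", "modify_date", "backup_date", "checked_date", "file_count",
          "folder_count", "block_size", "total_blocks", "free_blocks"]
DATE_FIELDS = ("create_date", "modify_date", "backup_date", "checked_date")

def hfs_date(secs: int):
    """Convert an HFS timestamp to ISO 8601; a value of 0 means 'never set'."""
    return (HFS_EPOCH + timedelta(seconds=secs)).isoformat() if secs else None

def parse_volume_header(image: bytes, offset: int) -> dict:
    """Unpack the header at `offset` and reject anything without an HFS+/HFSX signature."""
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, image, offset)))
    if hdr["signature"] not in (b"H+", b"HX"):
        raise ValueError(f"no HFS+ signature at offset {offset}: {hdr['signature']!r}")
    for name in DATE_FIELDS:
        hdr[name] = hfs_date(hdr[name])
    return hdr

def analyze_volume(image: bytes) -> dict:
    """Read the primary header (after the 1024-byte boot blocks) and the backup in the last 1024 bytes."""
    primary = parse_volume_header(image, 1024)
    backup = parse_volume_header(image, len(image) - 1024)
    return {
        "primary": primary,
        "backup_matches": primary == backup,  # a mismatch points to tampering or a torn write
        "size_consistent": primary["block_size"] * primary["total_blocks"] == len(image),
    }

def build_sample_image(block_size: int = 4096, total_blocks: int = 64) -> bytes:
    """Constructed test volume: zeroed blocks with a minimal header written in both locations."""
    created = int((datetime(2014, 3, 9, 12, 0, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    header = struct.pack(HEADER_FMT, b"H+", 4, 0x100, 0x31302E30, 0, created, created, 0,
                         created, 12, 3, block_size, total_blocks, 40).ljust(512, b"\0")
    image = bytearray(block_size * total_blocks)
    image[1024:1024 + 512] = header      # primary header, right after the boot blocks
    image[-1024:-512] = header           # backup header, first 512 bytes of the last 1024
    return bytes(image)
```

On a real image the backup header is what lets you recover volume geometry when the primary has been damaged; here the two are compared and the reported block geometry is checked against the image size.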
Partitions In iOS
There are two partitions on an iOS device:
- System (Firmware) Partition
This partition is read-only, but firmware updates are applied to it. When an upgrade is performed, the partition is overwritten by a new partition from iTunes. Its size varies between 0.9 and 2.7 GB. It contains no user data, only upgrade files, system files and the basic applications.
- Data Partition
The data partition contains the user data and is the most important partition from an iOS file system forensics point of view. This is where all the iTunes applications and the user's profile data are stored.
Additional Databases in iOS Forensic Analysis
- SQLite
The SQLite file format is the most popular format for open source applications as well as phones. For this very reason, Apple has also embraced SQLite for storing iOS data on the phone. The native applications that use SQLite databases are Calendar, Messages, Notes, Address Book and Photos.
- Property List (plist)
A plist is a data file used to store data in the iOS operating system. Earlier, Apple used the binary or NeXTSTEP format for these files; presently the XML format is used for plist files.
Analysis of iOS Logical Data
The iOS operating system provides modified, accessed, changed and born (MACB) times, which prove to be crucial evidence in any case involving iOS forensic analysis. When placed on a timeline, these MACB times yield essential information for the investigation.
The iOS directory structure is common to all iOS devices and is the hub of all the information. The folder layout is similar to UNIX, and files are stored in text, XML, binary and SQLite database formats. The data of the default applications is stored in the private/var/mobile/Library folder. These default applications are:
- Address Book
The address book is the most important and central database in the iOS system. The location of this file is /private/var/mobile/Library/AddressBook.
There are primarily two databases in AddressBook:
- sqlitedb: Contains contact information
- sqlitedb: Contains contact images
- Caches
The caches directory of an iOS device holds information related to the device, especially the iPhone. The location of this directory is private/var/Library/Caches. Some of the directories of importance are:
  - appleWebAppCache: Stores the data required by web apps
  - Locationd: Holds the entire geolocation data of the iOS device. It consists of the following files:
    - Consolidated.db: Contains the cell tower and geolocation data
    - Clients.plist: Contains the list of applications and services that use the geolocation data, along with information on all the Wi-Fi hotspots the iOS device has come in contact with
- Call History
The location of this file is /private/var/Library/CallHistory. During iOS forensic analysis, the entire call history is found in the call_history.db file. A maximum of 100 calls is stored in this file, and it keeps a log of all missed, incoming and outgoing calls. This SQLite database records the following fields for each call:
- Rowid: The record number of the call.
- Address: The phone number of the incoming or outgoing call.
- Date: The date and time, stored as a UNIX timestamp, which can be converted with a timestamp converter.
- Duration: The duration of the call in seconds.
- Flags: Indicates whether the call was incoming, outgoing or missed.
- Country Code: The country code from which the call originated.
- SMS
Text messages are another useful source of information in the examination of an iOS device. They are stored in the sms.db file, located at /private/var/mobile/Library/SMS. This file contains both existing and deleted messages, including the phone numbers and the text content. The table includes the following fields:
- ROWID: The record ID of the text message.
- Address: The contact to which the message was sent or from which it was received.
- Date: The date on which the message was sent or received.
- Text: The content of the message; blank in the case of an MMS.
- Flags: The type of message: sent, received or unsent SMS.
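The call-history and SMS fields described above can be merged into a single chronological timeline, in the spirit of the MACB timeline mentioned earlier. The following Python example is added here and is not part of the original write-up: it builds constructed in-memory stand-ins for the call and message tables, converts the UNIX date fields, and merges both into one ordered list. The flag-to-type mappings are assumed for illustration and are not taken from the page.

```python
"""Unified call/SMS timeline from call_history.db- and sms.db-style tables (added example)."""
import sqlite3
from datetime import datetime, timezone

# Flag-to-type mappings are assumed for illustration; verify them for the iOS version examined.
CALL_FLAGS = {4: "incoming", 5: "outgoing", 1: "missed"}
SMS_FLAGS = {2: "received", 3: "sent", 33: "unsent"}

def unix_to_iso(ts: int) -> str:
    """UNIX epoch seconds (as stored in the date columns) to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two databases; columns follow the fields above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                           duration INTEGER, flags INTEGER, country_code TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                              text TEXT, flags INTEGER);
    """)
    conn.executemany("INSERT INTO call VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "+15551230001", 1394366400, 125, 4, "1"),   # incoming, 2014-03-09 12:00 UTC
        (2, "+15551230002", 1394370000, 0, 1, "1"),     # missed
        (3, "+15551230001", 1394373600, 42, 5, "1"),    # outgoing
    ])
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "+15551230001", 1394368200, "running late", 2),
        (2, "+15551230001", 1394368260, "ok, see you at 3", 3),
        (3, "+15551230002", 1394371000, "", 2),          # blank text: an MMS
    ])
    return conn

def build_timeline(conn: sqlite3.Connection) -> list:
    """Merge both tables into (iso_time, source, type, address, detail) tuples, oldest first."""
    events = []
    for addr, ts, dur, flags in conn.execute("SELECT address, date, duration, flags FROM call"):
        events.append((ts, unix_to_iso(ts), "call", CALL_FLAGS.get(flags, f"flags={flags}"),
                       addr, f"{dur}s"))
    for addr, ts, text, flags in conn.execute("SELECT address, date, text, flags FROM message"):
        events.append((ts, unix_to_iso(ts), "sms", SMS_FLAGS.get(flags, f"flags={flags}"),
                       addr, text or "<MMS: no text body>"))
    events.sort(key=lambda e: e[0])            # order by the raw UNIX timestamp
    return [e[1:] for e in events]
```

Unknown flag values are passed through as `flags=N` rather than guessed, so an unfamiliar value shows up in the timeline instead of being silently mislabelled.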
iOS devices store an enormous amount of data that is of importance in an iOS forensic analysis. When extracted correctly and with careful measures, this evidence can prove a suspect guilty or innocent.