iPhone Forensic Capture and Analysis Results

by Peter Coons, Senior Vice President, D4 LLC 

Recently Apple claimed that 80% of the Fortune 100 are currently assessing iPhones for corporate use (50% are assessing the iPad). Will the iPhone usurp BlackBerry as the smartphone leader in the corporate world? Apple products seem to be everywhere already (I saw the iPod Touch highlighted in a “Toys R Us” Black Friday advertisement). I don’t consider myself a Mac person, yet I own 5 iPods, an iPhone, an iPad and a MacBook. OK. Wow. Maybe I am a Mac person. Is there a 12 step program for that affliction?

Regardless of who the leader is today or tomorrow, it’s a fact that smartphones and tablets will continue to be used and may even replace the traditional desktop or laptop for everyday business computing needs. My iPad has replaced my traditional pencil and notepad. I use it for almost everything in my daily business activities. This is a potential problem, or boon, for attorneys and eDiscovery practitioners.

D4 recently invested in some wonderful new hardware that allows for the capture of iPhones, iPads, and 3000 other smartphones and tablets! I thought I would take an old iPhone we had lying around the office and give it a test run. Results are below.

Phone Stats: iPhone 3G, 8 GB; software version 3.1.2

Use: Used for personal and business purposes for about 12 months; heavy texting; pictures of family; heavy web browsing; multiple applications installed

Two Modes Tested (both modes are logical captures; neither captures data at the physical device level):

    Basic Capture (“BC”) – Includes captures of pictures, SMS (texts), call logs, videos, phone book, audio and music files

    File System Capture (“FS”) – Captures files stored on the iPhone file system – think Mac file system

Scenario 1: Basic Capture – No deletions performed.  Phone imaged as is.

Scenario 2: BC after manual deletion – I deleted all the pictures, call logs, SMS, videos, and contacts.  I did not delete music files.

Scenario 3: BC after system reset – I used the iTunes application in Windows to reset the device to factory settings.  When undertaking this action I was forced to upgrade the iPhone to version 4.1.2 OS.

Scenario 4: File System capture after manual deletion – I captured the file system after manually deleting pictures, call logs, SMS, videos, and contacts.  I did not delete music files.

Scenario 5: FS capture after system reset – I used the iTunes application in Windows to reset the device to factory settings.  When undertaking this action I was forced to upgrade the iPhone to version 4.1.2 OS.

Scenario 1 Findings:

Basic Capture – No deletions performed.  Phone imaged as is.

Item 1. Basic Capture (BC)

    Call Log:           22 incoming; 55 outgoing; 23 missed
    SMS:                4491
    Email:              NA
    Contacts:           NA
    Calendar:           NA
    Notes:              NA
    Pictures:           652
    Songs:              5
    Web History:        NA
    Bookmarks:          NA
    Cookies:            NA
    Kayak Travel:       NA
    Google Maps:        NA
    Passwords:          NA
    Plists:             NA
    Video:              1
    Phone Information:  YES
    Podcasts:           NA
    Network Info:       YES
    Bluetooth Info:     YES
    YouTube:            NA
    HTML:               NA
    GPS:                NA
    Google Mobile App:  NA
    Safari History:     NA

Capture reported on all items I expected.  Nothing shocking.

Scenario 2 Findings:

BC after manual deletion – I deleted all the pictures, call logs, SMS, videos, and contacts.  I did not delete music files.

Item 2. BC after manual delete

    Call Log:           0
    SMS:                52
    Email:              NA
    Contacts:           NA
    Calendar:           NA
    Notes:              NA
    Pictures:           10
    Songs:              5
    Web History:        NA
    Bookmarks:          NA
    Cookies:            NA
    Kayak Travel:       NA
    Google Maps:        NA
    Passwords:          NA
    Plists:             NA
    Video:              1
    Phone Information:  YES
    Podcasts:           NA
    Network Info:       YES
    Bluetooth Info:     YES
    YouTube:            NA
    HTML:               NA
    GPS:                NA
    Google Mobile App:  NA
    Safari History:     NA

The pictures that remained after the manual deletion were actually album art from the iPod app; I did not delete the music when I performed the manual deletions. I was surprised to find 52 text messages remaining. When the texting app was viewed on the iPhone none were viewable. From a forensics and electronic discovery standpoint this is interesting, as items can be recovered even after manual deletions. Other than the texts that were recovered, I was not shocked by the results.

Scenario 3 Findings:

BC after system reset – I used the iTunes application in Windows to reset the device to factory settings.  When undertaking this action I was forced to upgrade the iPhone to version 4.1.2 OS.

Item 3. BC after system reset

    Call Log:           0
    SMS:                0
    Email:              NA
    Contacts:           NA
    Calendar:           NA
    Notes:              NA
    Pictures:           0
    Songs:              0
    Web History:        NA
    Bookmarks:          NA
    Cookies:            NA
    Kayak Travel:       NA
    Google Maps:        NA
    Passwords:          NA
    Plists:             NA
    Video:              0
    Phone Information:  YES
    Podcasts:           NA
    Network Info:       YES
    Bluetooth Info:     YES
    YouTube:            NA
    HTML:               NA
    GPS:                NA
    Google Mobile App:  NA
    Safari History:     NA

The only information available was the phone information, which most likely comes from the SIM card. I am not surprised by the results, as a full system restore would purge the items purported to be captured by the Basic Capture.

Scenario 4 Findings:

File System capture after manual deletion – I captured the file system after manually deleting pictures, call logs, SMS, videos, and contacts.  I did not delete music files.

Item 4. File System dump after manual delete

    Call Log:           0
    SMS:                52
    Email:              0
    Contacts:           210; 26 deleted; 236 total
    Calendar:           YES
    Notes:              YES, in full
    Pictures:           264
    Songs:              20
    Web History:        YES
    Bookmarks:          YES
    Cookies:            YES
    Kayak Travel:       Evidence it was installed
    Google Maps:        YES; history
    Passwords:          None I could find
    Plists:             Many
    Video:              1
    Phone Information:  YES
    Podcasts:           None I could find
    Network Info:       YES
    Bluetooth Info:     YES
    YouTube:            YES
    HTML:               YES
    GPS:                YES; info from Maps app, previous searches and destinations
    Google Mobile App:  Search history
    Safari History:     Search history

Jackpot! Even after the manual deletion of what a typical user would be able to delete through the iPhone interface, I was able to recover a lot of great information: a cornucopia of forensic goodies including browsing history, deleted contacts, the same 52 text messages as in Scenario 2, Google Maps information, calendar entries, notes and much more!
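The 52 text messages that survived the manual deletion in Scenario 2, and the 26 deleted contacts that the file system capture turned up here, are exactly what you would expect if those records live in SQLite database files and the application deletes rows the ordinary way: SQLite unlinks a deleted row from its page but, unless secure_delete is on, leaves the row's bytes in place, so the app shows nothing while the raw file still carries the text. The script below is an added illustration written for this page, not the author's test or D4's capture tooling, and it touches no iPhone file. It builds a constructed messages table, deletes two rows, and then compares what a query returns (the Basic Capture view) with what a printable-string sweep of the raw file finds (the file system view), once with secure_delete off and once with it on. That the iPhone's message and contact stores were SQLite databases is this example's assumption, not something the article states.

```python
"""Why "deleted" records survive a logical deletion: a SQLite demonstration.

Added example, not part of the original article. The only assumption is
that the application keeps its records in an SQLite file and deletes with
an ordinary DELETE statement.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample conversation; none of this is real data.
SAMPLE_MESSAGES = [
    (1, "+15550100", "Picking up the kids at four, can you grab dinner"),
    (2, "+15550101", "Draft merger terms attached, keep this to the deal team"),
    (3, "+15550102", "Running late, start the call without me"),
    (4, "+15550103", "Thanks for the ride yesterday, much appreciated"),
]
DELETED_IDS = (2, 3)  # the rows the "user" deletes through the app's interface
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{12,}")  # crude string carving


def build_and_delete(path, secure_delete):
    """Create the store, insert the sample rows, then delete some of them the
    way an application would. secure_delete decides whether SQLite zeroes the
    freed cell bytes or merely unlinks them from the page."""
    conn = sqlite3.connect(path)
    # Pin the setting explicitly: some distributions compile SQLite with
    # secure_delete on by default, which would hide the effect shown here.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, text TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    placeholders = ",".join("?" * len(DELETED_IDS))
    conn.execute("DELETE FROM message WHERE id IN (%s)" % placeholders, DELETED_IDS)
    conn.commit()
    conn.close()


def live_messages(path):
    """What the messaging app, or a basic logical export, would show."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT text FROM message ORDER BY id").fetchall()
    conn.close()
    return [r[0] for r in rows]


def carve_strings(path):
    """What a file-system level examiner sees: printable runs in the raw
    file, including bytes SQLite freed but never overwrote."""
    with open(path, "rb") as f:
        blob = f.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def recovered_deleted_texts(path):
    """Deleted messages whose text still appears somewhere in the raw file."""
    carved = carve_strings(path)
    deleted = [text for rowid, _, text in SAMPLE_MESSAGES if rowid in DELETED_IDS]
    return [text for text in deleted if any(text in run for run in carved)]


def run_scenario(secure_delete):
    """Return (live texts, deleted texts still carvable) for one setting."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_and_delete(path, secure_delete)
        return live_messages(path), recovered_deleted_texts(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for flag in (False, True):
        live, leaked = run_scenario(flag)
        print("secure_delete=%-5s live=%d deleted-but-carvable=%d"
              % (flag, len(live), len(leaked)))
```

Run it directly and it prints the counts for both settings: with secure_delete off the two deleted messages are gone from the query but still sit in the file; with it on, SQLite zeroes the freed bytes at delete time and the sweep finds nothing. A VACUUM, which rebuilds the file from live rows only, has a similar effect and is the closest database-level analogue to the "blanked" result of a full restore. Neither addresses copies held elsewhere, such as backups on the computer used to manage the device, which the Conclusion rightly flags.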

Scenario 5 Findings:

FS capture after system reset – I used the iTunes application in Windows to reset the device to factory settings.  When undertaking this action I was forced to upgrade the iPhone to version 4.1.2 OS.

Item 5. FS dump after system reset

    Call Log:           0
    SMS:                0
    Email:              0
    Contacts:           0
    Calendar:           0
    Notes:              0
    Pictures:           0
    Songs:              0
    Web History:        0
    Bookmarks:          0
    Cookies:            0
    Kayak Travel:       0
    Google Maps:        0
    Passwords:          0
    Plists:             0
    Video:              0
    Phone Information:  YES
    Podcasts:           0
    Network Info:       0
    Bluetooth Info:     0
    YouTube:            0
    HTML:               0
    GPS:                0
    Google Mobile App:  0
    Safari History:     0

Blanked! I was somewhat surprised at what a good job the system restore did. The only information was the basic phone information (probably from the SIM).

Conclusion: Without a full system restore there is plenty of useful information to be had on the iPhone for forensic analysis and traditional eDiscovery. If you plan on selling your old iPhone, make sure you do a full system wipe through iTunes. That’s still no guarantee traces of data won’t be left behind, but it’s better than a manual deletion of texts, call logs, etc. In addition to the phone itself, a wealth of information would likely be available on the PC or Mac used to manage the iPhone. That’s a different article and test!

Dear Santa: I wish I was able to perform a full forensic physical capture to grab deleted space. With that type of capture I would expect to find deleted photos and other information even after a full system reset through iTunes. There are a few methods to accomplish this task, and that will be the next test.

Final Thoughts: Attorneys dealing with eDiscovery preservation issues must realize the importance of identifying evidence that may exist outside traditional e-mail boxes and server shares. The world is changing!

One Response to iPhone Forensic Capture and Analysis Results

  1. lschwartzreich says:

    Interesting post. Thanks for sharing it.

    How did you do the file system capture for the iPhone? Do you have special hardware/software for this? If so, what did you use? What do you recommend as an inexpensive way to do file system captures, e.g., on a 1x/week basis?

    Thanks for your time.
