A Framework for Digital Forensics in I-Devices: Jailed and Jail Broken Devices Iphone – a Fascinating Piece of Engineering Changed the Way of Telecommuters
Total Page:16
File Type:pdf, Size:1020Kb
1. Introduction A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices iPhone – a fascinating piece of engineering changed the way of telecommuters. iPad is yet another revelation. The rising popularity these devices have N. Kala made it prevalent more and more in criminal cases. Scientific Officer, There is an increasing need to develop a framework Computer Forensics Division, since there are lots of challenges in performing Forensic Sciences Department examination on such devices. Huge volume of data Chennai – 4 and personal information are stored on these devices and its portability had made the dominance of Apple R. Thilagaraj mobile devices. Individuals store more data on Professor and Head idevices than on their systems or laptops. These Department of Criminology, activities make the iPhone take the place of personal University of Madras, computers (PCs) (Hoog, 2011) and digital cameras. Chepauk, Chennai – 600 005. In addition to the standard capabilities that exist in the iPhone, endless applications are also available for Abstract download to assist with finances or organization, or Prevalence and functionality of mobile devices are simply for entertainment. Recognizing these increasing. idevices such as smart phones, iphones advances and capabilities, it is conceivable that these and iPads are now being increasingly referred for devices could be used to commit or assist in criminal digital investigations, since these are being used by activities. Therefore they must be considered as terrorists, miscreants and contraband across borders viable sources of digital evidence and forensically and are also frequently used in prison despite being sound procedures should be available to support a prohibited. Evidence retrieved from such devices is forensic analysis on the iphone. Digital forensicators instrumental in solving grievous crimes such as are required to recover data from these devices homicide or suicide. Sometimes data exfiltration also during an investigation that is crucial to criminal occurs in reputed organizations and corporate cases today and future. This paper presents a sectors using idevices. A formalized triage of methodology to extract evidentiary data of forensic acquisition process is the need of the hour. idevices significance from idevices. This paper describes are presenting several challenges to digital forensic data extraction from two types of idevices forensicators. This paper focuses on the artefacts of (i.e. iPhone and iPad). forensic significance that are left on the mobile devices such as Apple iPhones and iPad and a 2 iPhone (Smart Mobile Phones) framework has been suggested for acquisition of data from jailed and jailbroken devices The first iPhone was referred to as 2G and was Keywords capable of second generation cellular network edge. It also uses 802.11 technology, Bluetooth for idevices, iPhone, iPad, jailed, jailbroken, Remote accessories and hands free handset in September Wiping option, Evidentiary artefacts 2007. The main functions was just not cellular communication but web access, email, and PDA functions as well The Apple iPhone also connected to Electronic access iTunes and YouTube. Prior to AppStore, web applications were being created for iPhones under The journal is available at www.jalis.in varying categories such as calculate, games, entertainment, search tools, travel, weather, sports and productivity. The second generation iPhones referred to as 3G that switched to faster 3G network in the year 2008. The iPhone 4 was launched in 2010 with a newer and powerful iOS 4. A new application that allowed for video chat via WI-FI. Changing features of iOS which is the operating Journal of Advances in Library and Information Science system for the iPhone, iPod and iPad are tabulated ISSN: 2277-2219 Vol. 2. No.2. 2013. pp. 82-93 hereunder: 82 Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj Table 1: iOS and applications given in Appendix C. iOS data partition comes from the read write partition also known as data partition. Series Version Applications Logical acquisition of the file system can be acquired of OS from this device. SMS, Calendar, Photos, Camera, YouTube, Stocks, Maps, Notes, Mobile devices (mobile Phones/Smart Phones) can 1 iOS 1.0 Clock, Calculator, Settings, provide contextual clues about the owners, about the iTunes, Phone, Mail, safari, iPod person’s the owner knows and communicated with. AppStore( a market place for Investigators are provided with information about applications that could run on the owners close associates from the call logs(received, iPhone), Global Positioning dialled and missed); Short Message Service (SMS) System(GPS), Wi-Fi, airplane text contents and Multimedia Messages reveal mode, Scalable Vector personal communication that the owner never iOS 2 Graphics(SVG), Parental expected others to see. Images and videos reveal 2.0 controls and ability to save what was important to the owner. Audio recordings options from mail application, speak about owner’s personality. A thorough EXIF data – for images are inspection of mobile devices produces intelligence notable applications and that leads to a complete and correct analysis. advancement to iOS 2.0 Evidential points (Mislan, 2010) in the form of data YouTube, Granular Call history, found in mobile devices help construct complete ability to change My Number sketch of the suspect or the victim. field in the phone Settings, video capture with autofocus function 2.1 iPad to the camera (3GS), ability to use MobileMe to Find My iPhone Originally Apple computers wanted to release the feature from a setting on the iPad first and then the iPhone. Instead. iPhone was phone and within the Mobile Me released first and then iPad. It is a tablet device that account. This is an important runs on iOS 3.2 and completed the iDevice line. 3 iOS 3.0 feature that allows you to remote wiping and add a passcode, or 3. The Apple App Store place a message on the screen of the phone remotely, spot light Prior to iPhone 3G there were limited number of searching, Tethering, and Voice applications that were available to the iPhone: memos, voice control, encrypted Calender, Camera, Weather, Maps, Notes, Clock backups, hardware encryption, settings and in the Dock, Phone, mail, iPod. Apple ability to add devices from USB App Store, has actually become one of the greatest ports success of Apple iPhone using which the store has Background audio, Voice over become digital iTunes of the iPhone. Several Apps IP, Background location(GPS), were released in the iPhone SDK. Nearly 500 new Push Notification, Local applications cameup when the developers were called Notification, Task Completion, to create the applications for new 3G and iPhone OS. iBooks, game centre features, 2.0. iAd, Media, Enterprise features such as mail encryption, mobile Today there are more than 300,000 applications 4 iOS 4 device managementMultiple available from apple app store. User has to create an exchange accounts, SSL VPN account by applying through iTunes in order to Supports, core services such as purchase an applications directly on iPhone, iPod or networking, SQLite databases, iPad. This can be done online to the appstore and Core Location, Threads, OS X grab applications either free of cost or paid Kernel that includes, TCP/IP, applications. Sockets, Power Management, File System and Security There are two ways to get connected to appstore on iOs Version and the corresponding name is given in the phone or ipad. First ways is through connecting Appendix B and iOS partition directory structure is the device to the computer and connect to the 83 Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj appstore. Once it is connected the changes are analysis is used by most investigators. Level 3 Hex updated in the next sync. The second way is to add Dump a method that is adopted by the forensic an application to the phone is right from the phone community recently. Level 4 – Chip Off - a new itself. The limitation in this method is that some frontier - the process only just available. Finally, application larger than 20MB to be downloaded via Level 5 is rarely performed as it is extremely 3G and wi-fi connection is requested by the app. technical, very expensive and time consuming. Apps can be searched by name , category or popularity. 3.2 iTunes interaction Various functions are offered by iTunes to manage the files, applications or apps as they are called, software versions and the device. Synchronization can be done by the user and this process will create a sync and all apps, videos, audios, images and the like will be loaded depending upon the settings defined by users. iTunes can be configured to perform either an automatic sync every time it is connected or a Figure 1 iPhone Levelling (Source Sam Brothers) manual sync. Existing forensic tools can be classified under any 3.3 iPhone backup one of these levels suggested by Sam Brothers. Detailed information (Brothers, 2007) regarding the Backups can be created once the iPhone is connected levels, type of extraction and process are shown in to the system. Automated backups is initiated during table 2. a sync process; restore or update, depending upon the Table 2 : Types of extraction process Operating system which is running on the user’s system in specific location. A Manual extraction involves visual acquisition of the data 4. State of Art Forensic Procedures content on the phone directly by viewing it on the screen of With the emergence of diverse nature of the mobile Level Manual the device keypad.