1. Introduction A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices iPhone – a fascinating piece of engineering changed the way of telecommuters. iPad is yet another revelation. The rising popularity these devices have N. Kala made it prevalent more and more in criminal cases. Scientific Officer, There is an increasing need to develop a framework Computer Forensics Division, since there are lots of challenges in performing Forensic Sciences Department examination on such devices. Huge volume of data Chennai – 4 and personal information are stored on these devices and its portability had made the dominance of Apple R. Thilagaraj mobile devices. Individuals store more data on Professor and Head idevices than on their systems or laptops. These Department of Criminology, activities make the iPhone take the place of personal University of Madras, computers (PCs) (Hoog, 2011) and digital cameras. Chepauk, Chennai – 600 005. In addition to the standard capabilities that exist in the iPhone, endless applications are also available for Abstract download to assist with finances or organization, or Prevalence and functionality of mobile devices are simply for entertainment. Recognizing these increasing. idevices such as smart phones, iphones advances and capabilities, it is conceivable that these and iPads are now being increasingly referred for devices could be used to commit or assist in criminal digital investigations, since these are being used by activities. Therefore they must be considered as terrorists, miscreants and contraband across borders viable sources of digital evidence and forensically and are also frequently used in prison despite being sound procedures should be available to support a prohibited. Evidence retrieved from such devices is forensic analysis on the iphone. Digital forensicators instrumental in solving grievous crimes such as are required to recover data from these devices homicide or suicide. Sometimes data exfiltration also during an investigation that is crucial to criminal occurs in reputed organizations and corporate cases today and future. This paper presents a sectors using idevices. A formalized triage of methodology to extract evidentiary data of forensic acquisition process is the need of the hour. idevices significance from idevices. This paper describes are presenting several challenges to digital forensic data extraction from two types of idevices forensicators. This paper focuses on the artefacts of (i.e. iPhone and iPad). forensic significance that are left on the mobile devices such as Apple iPhones and iPad and a 2 iPhone (Smart Mobile Phones) framework has been suggested for acquisition of data from jailed and jailbroken devices The first iPhone was referred to as 2G and was Keywords capable of second generation cellular network edge. It also uses 802.11 technology, Bluetooth for idevices, iPhone, iPad, jailed, jailbroken, Remote accessories and hands free handset in September Wiping option, Evidentiary artefacts 2007. The main functions was just not cellular communication but web access, email, and PDA functions as well The Apple iPhone also connected to Electronic access iTunes and YouTube. Prior to AppStore, web applications were being created for iPhones under The journal is available at www.jalis.in varying categories such as calculate, games, entertainment, search tools, travel, weather, sports and productivity. The second generation iPhones referred to as 3G that switched to faster 3G network in the year 2008. The iPhone 4 was launched in 2010 with a newer and powerful iOS 4. A new application that allowed for video chat via WI-FI. Changing features of iOS which is the operating
Journal of Advances in Library and Information Science system for the iPhone, iPod and iPad are tabulated ISSN: 2277-2219 Vol. 2. No.2. 2013. pp. 82-93 hereunder: 82
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
Table 1: iOS and applications given in Appendix C. iOS data partition comes from the read write partition also known as data partition. Series Version Applications Logical acquisition of the file system can be acquired of OS from this device. SMS, Calendar, Photos, Camera, YouTube, Stocks, Maps, Notes, Mobile devices (mobile Phones/Smart Phones) can 1 iOS 1.0 Clock, Calculator, Settings, provide contextual clues about the owners, about the iTunes, Phone, Mail, safari, iPod person’s the owner knows and communicated with. AppStore( a market place for Investigators are provided with information about applications that could run on the owners close associates from the call logs(received, iPhone), Global Positioning dialled and missed); Short Message Service (SMS) System(GPS), Wi-Fi, airplane text contents and Multimedia Messages reveal mode, Scalable Vector personal communication that the owner never iOS 2 Graphics(SVG), Parental expected others to see. Images and videos reveal 2.0 controls and ability to save what was important to the owner. Audio recordings options from mail application, speak about owner’s personality. A thorough EXIF data – for images are inspection of mobile devices produces intelligence notable applications and that leads to a complete and correct analysis. advancement to iOS 2.0 Evidential points (Mislan, 2010) in the form of data YouTube, Granular Call history, found in mobile devices help construct complete ability to change My Number sketch of the suspect or the victim. field in the phone Settings, video capture with autofocus function 2.1 iPad to the camera (3GS), ability to use MobileMe to Find My iPhone Originally Apple computers wanted to release the feature from a setting on the iPad first and then the iPhone. Instead. iPhone was phone and within the Mobile Me released first and then iPad. It is a tablet device that account. This is an important runs on iOS 3.2 and completed the iDevice line. 3 iOS 3.0 feature that allows you to remote wiping and add a passcode, or 3. The Apple App Store place a message on the screen of the phone remotely, spot light Prior to iPhone 3G there were limited number of searching, Tethering, and Voice applications that were available to the iPhone: memos, voice control, encrypted Calender, Camera, Weather, Maps, Notes, Clock backups, hardware encryption, settings and in the Dock, Phone, mail, iPod. Apple ability to add devices from USB App Store, has actually become one of the greatest ports success of Apple iPhone using which the store has Background audio, Voice over become digital iTunes of the iPhone. Several Apps IP, Background location(GPS), were released in the iPhone SDK. Nearly 500 new Push Notification, Local applications cameup when the developers were called Notification, Task Completion, to create the applications for new 3G and iPhone OS. iBooks, game centre features, 2.0. iAd, Media, Enterprise features such as mail encryption, mobile Today there are more than 300,000 applications 4 iOS 4 device managementMultiple available from apple app store. User has to create an exchange accounts, SSL VPN account by applying through iTunes in order to Supports, core services such as purchase an applications directly on iPhone, iPod or networking, SQLite databases, iPad. This can be done online to the appstore and Core Location, Threads, OS X grab applications either free of cost or paid Kernel that includes, TCP/IP, applications. Sockets, Power Management, File System and Security There are two ways to get connected to appstore on iOs Version and the corresponding name is given in the phone or ipad. First ways is through connecting Appendix B and iOS partition directory structure is the device to the computer and connect to the 83
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
appstore. Once it is connected the changes are analysis is used by most investigators. Level 3 Hex updated in the next sync. The second way is to add Dump a method that is adopted by the forensic an application to the phone is right from the phone community recently. Level 4 – Chip Off - a new itself. The limitation in this method is that some frontier - the process only just available. Finally, application larger than 20MB to be downloaded via Level 5 is rarely performed as it is extremely 3G and wi-fi connection is requested by the app. technical, very expensive and time consuming. Apps can be searched by name , category or popularity.
3.2 iTunes interaction
Various functions are offered by iTunes to manage the files, applications or apps as they are called, software versions and the device. Synchronization can be done by the user and this process will create a sync and all apps, videos, audios, images and the like will be loaded depending upon the settings defined by users. iTunes can be configured to perform either an automatic sync every time it is connected or a Figure 1 iPhone Levelling (Source Sam Brothers) manual sync. Existing forensic tools can be classified under any 3.3 iPhone backup one of these levels suggested by Sam Brothers. Detailed information (Brothers, 2007) regarding the Backups can be created once the iPhone is connected levels, type of extraction and process are shown in to the system. Automated backups is initiated during table 2. a sync process; restore or update, depending upon the Table 2 : Types of extraction process Operating system which is running on the user’s system in specific location. A Manual extraction involves visual acquisition of the data 4. State of Art Forensic Procedures content on the phone directly by viewing it on the screen of With the emergence of diverse nature of the mobile Level Manual the device keypad. The devices, there are several approaches that can be used 1 Extraction information retrieved is to acquire the data from devices. A Key component manually documented through of any acquisition is that the procedure does not photography. At this level it is modify the source information. Different approaches not possible to recover can be used for acquisition and analysis of information that are deleted. information. In the case of idevices, unlike the Connectivity to the mobile conventional digital forensics the storage media device established through cannot be removed and imaged and finally analyzed. either a cable or through NIST has instituted the Computer Forensic Tool Level Logical Bluetooth to the forensic Testing Program. Many different tools are used 2 Extraction hardware and subsequently intentionally and are relied upon to provide electronic analysed in a forensic evidence for criminal cases. Considering various workstation. A command is types of mobile acquisition tools and the data that can initiated be recovered from, a classification system has been A hex dump also called suggested. Accordingly, this classification system “Physical Extraction”, provides a framework for forensic examiners. provides more information about the available data to the Classification system is represented in Pyramid Level Hex investigator. In this process the starting at the bottom and working upward, the 3 Dump methods and tools generally become more technical, device is connected to the invasive, time consuming, forensically sound and workstation via a cable. expensive (Brothers, 2007). Level 1. At the base is Occasionally this connection is the process of manual extraction. Level 2. Logical either through the device’s 84
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
data port, via Wi_Fi, or even file also has the potential to recover GPS coordinates JTAG (an internal test and cell tower locations and even deleted text and connection. Instead of multimedia messages. Metadata information can be initiating a command, an agent extracted for e.g. timestamp of photo taken on the (unsigned code) is copied to device. Various files can be pieced together in order the device memory which to produce additional results. However, the current enables to copy the users data tools does not support for all types of mobile phones onto the workstation. The models, non-standard mobile phones or even some resulting copied data is specific models of standard mobile phones. transferred, stored as a raw disk image. 4.1.4 Non Traditional Method In this level, acquisition of data from the device’s memory Various security settings are available on iDevices chip e.g. iPhone NAND Flash that allow the user to protect unauthorized access to memory. In which case the their devices and data. For instance, iPhone user has chip is physically removed option to set PIN on their device in order to prevent from the device and the data unauthorized access. PIN is a four digit number by stored on it is extracted by a default, a numeric code but by modifying the “Simple Level Chip-Off chip reader. With wide variety Passcode” setting to a variable length. Also by 4 of available chip types used, entering the incorrect Passcode more than specified the raw binary formats number of times (usually 10 times) the device can be examination is tough and time set to automatically erase all the contents. Secure consuming. Also, there is a erase is an option that is available on the idevices risk of causing physical (iPhone and iPad). It is possible “Reset All Settings” damage to the chip during the or “Erase All Content and Settings. Data security for extraction process. iPhone and iPad ensures that secure erase indeed This process involves truly wipes the device. Another security feature that manually viewing and is facilitated is the MobileMe membership. interpreting data that is MobileMe allows the user to remotely set a Passcode observed on the memory chip. in the event that a device is stolen. Additionally, it is This is done by analysing the possible to have hardware encryption through a physical gates on the chip. The feature “Data Protection”. This can be done using a gate status could be translate Passcode. Once Passcode is set, the device settings ‘0’s and ‘1’s to determine the will show “Data Protection enabled”. This enables Level Micro ASCII characters. This process encryption and activates added layer of security for 5 Read is time consuming and email messages and attachments. Encryption expensive and it requires compounds to complexity of forensic acquisition knowledge of all aspects of process. The iOS devices contain the hardware Flash memory and the file encryption from iPhone 4, iPhone 3, iPod Touch, and system. Currently there are no iPads (Apple Inc, 2010). Additionally, an optional commercial tools available to configuration is an automatic lock set after certain perform a micro read on an period of time. The best practice that should be Apple Device. followed while seizing an iOS device is if it is not locked, it is advisable to immediately set the auto- 4.1.3 Physical acquisition lock to “never”. This will enable the forensic examiner to require not to enter a Passcode to access In this process, bit by bit copy of the original file the device. The Passcode will not be an issue if the system is made. Most computer forensic tools have physical acquisition, however, in case of logical the facility to acquire information physically. It acquisition it is essential to set the autolock to involves more complicated process and sophisticated ‘never’. Individual application on idevices also has equipment. In this approach it is possible to obtain features to set passcodes so that unauthorized access the deleted information. Any type of data contained is restricted. on the device can be recovered using this method. Advanced examination of the resulting disk image 85
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
Some less common methods are available to extract disk image contents of the file data from idevices. This method involves a process system. Once the image is that will modify the firmware on the device to allow mounted, the directory for greater functionality. This ruling does not force files in the OS can be Apple to cover jailbroken devices under the viewed. manufacturer’s warranty; it simply means that the File carving is a process to individuals who may decide to modify their device in recover files signatures, this manner will not be criminally prosecuted. In file fragments. This way addition any software downloaded on the device must both active and deleted be legally acquired therefore pirated software is still files can be recovered. It illegal under this Act (Moren, 2010). Other methods is possible to recover in a jailbroken device from which extraction can be deleted files because the done is to connect to such devices using known carving of file involves a commands such as ‘ssh’ or ‘ftp’ using applications process that focuses on Stage such as MobileTerminal and OpenSSH. By this way File Carving the files content rather 4 the examiner can view the file system on the device, that its metadata. Linux and the directory structure is similar to performing a tools are available which physical acquisition not the exactly the same. Both will perform this action, individual files and entire file system can be copied and the tools can be run to a forensic workstation. via a command line against an iPhone, iPad or 4.1.5 Forensics using Linux Platform other iOS device image in order to recover valuable Linux platform provides extremely powerful tools to files. assist in forensic investigation. This process involves Tools are available that various stages such as creating a disk image, image can be run on a disk verification followed by mounting and unmounting a image and list out each disk image to view the file contents, file carving and and every file with the file creating a timeline of events. Various stages that are system, both allocated and involved are shown in table-3. Creating a unallocated. A time line of Stage timeline of events could then be 5 Table 3: Various stages events created that occurred on the device. This process is Stage Stage name Description typically run against a The ‘dd’ command hard drive, but can also be (acquisition utility) can be run on , iPad or other iOS used to image a device device image Stage Creating a disk that such as a jailbroken 1 image Specific keyword search iPhone or iPad (where utilities are available. root access is available for “Strings” command of the forensic examiner). Linux can be used to The forensic process extract printable involves acquisition of characters and recover image of device so that it individual files. does not modify the Stage Searching a Sometimes a hex editor original media. Either 6 disk image could be used to a specific Stage Image MD5 or SHA1 hash value area within an image.(e.g. 2 Verification may be generated. Linux the email address of commands can also be interest in a case can be used to determine either searched and subsequently of these values on an the background image or a file. information /content could Stage Mounting and The image must be be analyzed. 3 un mounting a mounted to view the 86
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
4.2 Recently developed Methods Table 4: Commercial Tools
Recent addition to mobile phone forensic tools is that S. No Tool name of Jonathan Zdziarski( – most popular tool that has 1 CelleBrite UFED been recently tested by the Computer Forensics Tool 2 iXAM Testing Program a joint program of the National 3 Oxygen Forensic Suite 2010 Institute of Justice and the Department of Homeland 4 XRY Security. The tool developed by Jonathan Zdziarski 5 Lantern offers the examiner command line automated tools 6 MackLoc Pick that can be used on Linux machine or Mac 7 Mobilyze workstation. Physical acquisition of iPhone or iPad 8 Zdziarski Technique with zdziarski method has been tested by National 9 Paraben Device Seizure Institute of Standards and Technology (NIST, 10 MobileSync Browser www.cftt.gov/mobile_devices.htm, 2010) 11 CellDEK
12 Encase Neutrino Release of iOS4 has compounded to the complexity of the forensics in idevices. Hardware encryption is 13 iPhone analyzer offered with iOS 4 on iPhone 4, 3GS, iPod Touch, 14 iPhone Extractor and all iPad models. This means even if a full disk image is possible, the data in the devices are still 4.4 Limitation encrypted. There are currently three methods to perform physical acquisition on an iPhone or iPad. Many of the tools do not support iOS 4 until recently. They are the Forensic Telecommunication Services In the case of Jailed idevice if a Passcode is enabled (FTS) iXAM software, zdziarski methods or through then it is difficult to bypass the Passcode or pattern a jailbroken device. This method requires lock. Only recently XRY from Micro Systemation downloading of “automated tools” from his website. have launched their product that will enable to read The tools are strictly command line utilities which even jailed devices. Even if some of the tools are can be used to acquire bit by bit copy of the user data providing facility to retrieve the information, they partition. A recovery agent has to be installed in the support only for specific model. file system partition of the device and a recovery script is used to make a raw disk image of the device. 5. Artefacts of forensic significance This can be copied to the forensic workstation through USB connection. Having copied the image, Backup analysis is beneficial when the device is the device model and firmware version the imaging whether unavailable or unable to be imaged for a process begins through the recovery or DFU Mode. specific reason. Common data is generally stored in Once the imaging is done, the internal data can be SQlite Databases and Property List files. These two analysed. Acquisition can also be done, remotely by are supported by synchronization protocol. Most of creating a wireless network and connecting to the the active data that still remains on the device can be iPhone and then imaging. retrieved. In the case of iPhones, by querying the Sqlite databases directrly, SMS, Call Logs, Contact Preparation phase requires the knowledge of model details can be recovered. Various directories are and firmware version. This is an important step found and in some of them sqlite data bases reside. because in this method, different automated tools are Directories and corresponding items of interest available for unique models and firmware version include CommCenter, Dhcpclient, db, Ea, folders, combination. The model number can generally be keychains.db, Log, Logs(General.log contains the OS seen at the back of the device. It is also essential that version and Serial No and the Lockdownd.log the appropriate iTunes be downloaded else, most conatins the lockdown deamon log), Managed commercial tools will show up and iTunes error. Preferences, Mobile contains the bulk of user data, MobileDevice, Preferences contains the System 4.3 Commercial Tools configuration, Root directory contains the GPS location information cache is available, Lockdown The list of commercial tools available is tabulated pairing certificates and preferences. The Run hereunder: directory contains the system log, tmp directory contains Manifes.plist:plist backup, and VM. When it 87
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
is plugged in the name of the device, capacity, packed’. In order to read this, Apple provides an easy software version, serial number and phone number to use OSX utility called ‘plutil’. It can be obtained (iPhones) are displayed. using ‘plutil – convert xml1
5.1 Apps This is an unencoded standard of Apple Property List file(XML text). This contains repository of Upon initial sync with itunes, an acrchive on the information about the phone. The following are the computer of all the user appls and data from the details found in this list phone are created. Files are updated in place with ICCID – Integrated Circuit Card ID – the every sync of the phone. This archive is used to hardware serial number of the SIM card recover the phone if needed. Archive is located at IMEI – International Mobile Equipment /Library/ApplicationSupport/MobileSync/Backup/
the handset. Phone Number 5.2 Property List Serial Number – iPhone’s Serial number
Apple Property lists are used. iPhones uses 3 main Product Type – information about what kind of phone (capacity 8GB 3GS or 8 GB 3G etc) ‘Standard’ plist. These are Product version – the OS revision number Info.plist, Data of last backup Manifest.plist iPhone preference Status.plist iPhone preferences plist(base 64 encoded embedded These are plain text XML documents. These can be plist) easily viewed but difficult to decipher. Within this Misc. Other stuff encoded/binary application specific substantial information about Base64 chunks data may be stored. When plistlb or python 2.5 is used this can be parsed and the device name, model, GUID etc The following screenshot illustrates the info.plist could be found. from a jailed iPhone showing the Users name, GUID, IMEI & ICCID number. ‘mdinfo’ is another location which is Apple ‘bplist’ files. This is a special kind of plist which is ‘binary 88
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
5.5 Sqlite Databases Plist: bookmarks, 19 Library/safari history Apple uses sqlite databases extensively across their Location of where 20 Library/SafeHarbor platforms and application ranges and it is known as app data is stored ‘CoreData’. It is a open source, file based database SMS and MMS 21 Library/SMS engine. illustrates the directory list that are available data in the backup and the corresponding artefact forensic .amr files: Voice 22 Library/Voicemail significance. messages Sqlite databases: gmail account info, 23 Library/Webkit Table-5: ARTEFACT FORENSIC cached email SIGNIFICANCE messages iPhone Camera 24 Media/DCIM Artefact of Photos S.No Directory Name forensic Additional photo significance 25 Media/PhotoData information and Plists: Property list 1 Mobile/Application thumbnails Sqlite Databases: Contacts and Libraries/Address Sqlite database contains information of addressbooks, 2 imagesSqlite Book application, cache,map, calendar events, gmail Databases: account info data base etc. Sqlite Database: 3 Library Cache MapTiles Simple relational database, supports most of SQL-92. Sqlite Database: 4 Library/Calendar Sqlite3 is OS x built into CLI to access SqLite Events database files. In the CLI, the ‘.schema’ command Sqlite Database: 5 Library/CallHistory shows the database and table schemas.In the case of CallLogs iPhones SMS records are stored in a database called Library/Carrier Carrier information ‘sms.db’ and it is found in location “HomeDomain- 6 Bundles Library/SMS/sms.db”. These are updated during a Library/Caches.app iTunes purchase sync in which case the deleted messages are 7 le.itunesstored information removed and new messages are inserted. However it Library/Configurati Plist: password does not contain MMS information. Simple data 8 onProfiles history structure for the SMS database is tabulated Plist: Internet hereunder: 9 Library/Cookies cookies Email account Table 6: Data structure of SMS database 10 Library/DataAccess information .dat file: Dynamic ROWID Integer 11 Library/Keyboard text Address Text 12 Library/Logs Log files Date Integer Text Text Logical Data, no 13 Library/Mail Flags Integer artefacts Replace Integer Plist:Bookmarks, 14 Library/Maps Svc_center Text directions, history Group_id Integer Library/Mobileinst Plist: Applications 15 Association_id Integer allation that use Locations Height Integer Sqlite Databse: UIFlags Integer 16 Library/Notes Notes content Version Integer artefacts Subject Text Plist: System and Country Text 17 Library/preferences user settings Headers Blob Library/RemoteNot Plist:apps that have Recipients Blob 18 ification push notification Read Integer 89
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
Address is either source or destination phone number suggested to choose extraction of artefacts of forensic in 11 digit intl.format(18885551212). significance from idevices (jailed or jailbroken). The Time is in UNIX epoch format(# of Seconds since scenarios were created for test purpose and the results 1/1/70 0:00UTC). obtained are discussed. Attempt was made to extract Flags field is used to indicate : evidence from both jailed and jailbroken iPhones as ‘2’ = Message received from ‘address’ well as jailed iPad. For this purpose a combination of ‘3’ = Message sent from handset to ‘address’ different applications and tools were used and the ‘33’ = Message send failure (SMS never sent) same are tabulated hereunder:
‘35’ = Message deleted ( but still appears as a row, - not contents) Table 7: Different applications tools
‘129’ = Message deleted (but still appears as a Application row- no contents though) Description tools ‘131 = unknone – no address iTunes To take Backup of Jailed iPhone ‘Text’ field is sometimes a plist – this typically iFunbox To take backup of Jailbroken indicates an MMS was received. MMS text/image iPhone information is stored separately in ‘mmdata’ files iPhone To extract the phone information outside of the SQlite db. extractor
5.6 Third Party application Sqlite browser To extract the Sqlite databases such as address books, friends.db etc Friends.db Skypelog To extract the skype log, chat analyser information Friends.db is another database that is located in Windows To read the calendar information ‘AppDomain-com.Facebook-Documents/friends.db’. calendar from the extracted database This database contains Facebook friends list and tiny Google maps To track geoloction using the lat bit of extra information (i.e) facebook UID long coordinates [www.facebook.com/profile.php?id=
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
and cable when it is connected to the computer. resulting in human readable text. It can also be However, the protocol restricts access or disabled. communication with the entire iPhone memory area and is limited to few files only. Precisely, iTunes 6.4 USB Tunnelling communicates with “jailed” or limited area of the memory, a backup is taken. However this backup is USB tunnelling maps opens Transmission Control not that effective to extract information from raw Protocol ‘tcp’ ports on idevices to pc allowing devices which is essential to physical image. A slight windows program on pc to communicate. Windows modification has to be done to the filesystem to gain program on pc and daemon on iOS need not be aware access into the raw device and get a true physical of the existence of Tunnelling, instead they can bitstream copy. communicate as if they are running on the same machine or a WiFi hotspot. Besides OpenSSH, 6.3 Jailbreaking iphone and iPad apps also have built in HTTP/FTP daemons that can be temporarily activated for A jailed (chrootjail – borrowed from Linux lexicon) exchange of files. iFunbox provides USB Tunnel for environment means that access to certain areas of connecting web browser and FTP client on the PC to memory are restricted. So iTunes accesses the these application. The most usual route to use putty idevices in a jailed environment. This prevents it to the iphone with openSSH installed. It is advisable from accessing the root level or administrative level. to change the root/mobile password after installing Some of the jailbreaks include the following: OpenSSH. Pwnage The first step is to backup the media by using copy Qwkpwn to PC. SMS details will be available in RedSn0w //var/mobile/Library/SMS Yellowsn0w Contact list information will be available in iLiberty //var/mobile/Library/AddressBook Purplera1n Step 3 Browse the Raw File System delete the folder iTunes_Control located in Blackra1n //var/mobile/media/iTunes_Control Greenpois0n
6.5 Geospatial location All these circumvented the security measures of the idevice by either replacing OS with engineered user Geospatial location data is a crucial information of created firmware or just patching the kernel and or forensic significance to identify a where the device bootrom, which allows the device to run unsigned was at a particular point of time. This helps in code. determining the probable location of the perpetrator
during the commission of crime. This artefact is Features such as file permissions, ownership and located in the maps application and is stored under group information, a console for SSH terminal, the folder /library/Maps. There are three property Enhanced AppFastIn(tm) tech for stability and stop lists, mounting, duplicated devices of iOS beta. If History.plist openSSH based feature is used, the ifunbox will promote for SSH password if it is not the default Directions.plist ‘alpine’. iFunbox will record the password and, Bookmark.plist encrypted in //var/mobile/Media/iFunbox_ssh_record.shadow for The query on history.plist will give the values for future use. latitude and longitude. When this information retrieved is placed onto google map the location If the device is using the default password ‘alpine’, information can be obtained and the probable iFunbox will automatically modify it to some strong direction leading to the crime scene can be password to protect idevices from attack of malware ascertained. For eg: the data of lat long and worms. It is also possible to manually change the Lattitude : 36.160000 password by ‘passwd’ command in the SSH terminal. Longitude :76.360000 Moreover, the iFunbox supports auto conversion 6.6 iPhone Extractor when a binary plist is copied from idevice to PC, 91
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
The iPhone Backup Extractor works on windows is in Mac absolute time. The time can be decoded by (XP, Vista, 7), Mac OS X and Linux with iphone, using tools such as decode and be interpreted in a iPad, iPhone 3G, iPhone 3GS, and Iphone backups format that is understandable. Addressbook from all versions of iTunes. It is capable of extracting information is once again stored in the Sqlite contacts, pictures, call histories, MMS, SMS, text database format and can be extracted an viewed using messages, video, voicemail, calendar entries, notes, sqlite database browser. app files, saved games, debug information and data that might be otherwise in accessible. It automatically 6.8 Calendar artefact converts the extracted database into CSV, VCard or ICAL formats, so they can be easily imported into Calendar Events marked by a suspect can be located excel, outlook or webmail. The following screen shot and retrieved from the idevices, which might be a illustrates the iPhone Extractor showing the Mobile clinching evidence in a case. The suspect might store Equipment ID information regarding whom he or she has to meet, where they should meet and what date and time? The screenshot below shows the meeting event information as retrieved from the backup of iPad.
6.9 Books Purchased
Certain books have been purchased online from appstore and certain books have been downloaded using a jailed iPad. The date when it was purchased and when it was downloaded can be ascertained by examining the artefact from the ibook database as read by sqlite browser. This artefact can aid in
finding whether a copyright book is actually It can convert consolidated data into a KML file for purchased or it has been downloaded. The date can use with Google Earth. It also has a feature to extract also be ascertained. It will be in the form of Mac the files from backups iTunes automatically makes absolute time. Tools such as Decode could be used to for iPhone, iPad or iPodTouch. This can be used for convert the date to a readable format. forensic recovery even if the device is not available, the data from iTunes Backup could be used to 6.10 Bookmarks artefact recover the data from idevices which might be a clue of forensic significance. KML is an open standard idevices could be used to browse the internet. If in officially names the OpenGIS (R) KML Encodeing case the user has bookmarked the web pages visited, Standard (OGC KML). It is maintained by Open then the details are stored in a database. This can be Geospatial Consortitum, Inc.(OGC). KMO files can extracted and viewed in a sqlite browser. The be created with google earth interface. KML is a file following screenshot illustrates the bookmark artefact format used to display geographic data in an Earth indicating the browsing habits of the suspect from a browser such as Google Earth, Google Maps, and jailbroken iPhone. Google Maps for mobile. KML uses a tag-based structure with nested elements and attributes and is 7. Conclusion based on the XML standard. Geospatial information if any in the idevices can be interpreted. Technological changes bring new challenges for
digital forensicators. Foremost concern of digital 6.7 Address Book artefact evidence is locating evidentiary artefacts. A
formalized approach is required in acquiring and Address book / contact information of the suspect analyzing the evidence from these new devices. In and accomplices could be retrieved from extracting this study methods of examination of various this database. The following screenshot illustrates artefacts of forensic significance are explored, a the addressbook database extracted from jailbroken frame work of digital forensic process is suggested iPhone. Using this the details such as when a for acquisition in the case of jailed and jailbroken particular contact was saved, when it was modified idevices (iPhone and iPad). In scenarios wherein etc could be ascertained. Here again the time format miscreants, terrorists, copyright violation, data 92
Journal of Advances in Library and Information Science, Vol.2,No.2. April-June, 2013, pp-82-93 A Framework for Digital Forensics in I-Devices: Jailed and Jail broken Devices/N.Kala and Prof.Kaliraj
leakage in corporate sector and other types of case depending upon the gravity of the offense, the proposed method could be used to retrieve evidentiary artefacts from idevices which poses a new challenge in digital forensic investigations.
Reference 1. Hoog, iPhone and iOS Forensics, Investigation, Analysis and Mobile security for Apple iPhone, iPad and iOS Devices, Ed. Robert Maxwell, Syngress publication, 2011.
2. Wired, iPhone timeline highlights the handset through the ages. Wired.com. Retrieved January 19, 2012, from http://www.wired.com/gadgetlab/2008/07/iphonetime line/
3. Brothers, S. (2007). iPhone tool classification. The Apple examiner. Retrieved January 15, 2012, from http://www.appleexaminer.com/iPhoneiPad/ToolClas sification/ToolCla ssification.html
4. Moren, D. (2010, July 26). Jailbreaking officially granted DMCA exemption. Macworld.Retrieved January 24, 2012, from http://www.macworld.com/article/152935/2010/07/ja ilbreak_exemption.html.jailbreak_exemption.html
5. Apple Inc. (2010). Mac OS X Lion Sneak Peek. Mac OS X Lion. Retrieved December 17, 2010, from www.apple.com/macosx/lion
6. NIJ http://www.nij.gov/pubs-sum/232383.htm Special Report 232383, Test Results for Mobile Phone Acquisition tool – Zdziarski’s Method.
7. XRY - MSAB Release notes (29.03.2012) , MSABLabs.com visited on 29.03.2012.
8. Sean Morissey, iOS Forensic Analysis for iPhone, iPad, iPod Touch, APress Publication, page 40, 2010
93