This chapter provides an overview of iOS devices such as iPhones and iPads, as well as of the operating system and file systems they run. Many forensic tools are used in forensic science, and these tools cover all activities of the forensic process. Digital forensic tools for data extraction fall into three categories: manual, logical, and physical. After completing this chapter, you will know about the various third-party tools used for iOS forensics, and you will be able to answer questions on three important topics: the difference between acquisition and backup, the effect of jailbreaking on an iOS device, and the comparison between third-party tools during the forensic analysis process.
In this chapter and its practical experiment, we will introduce an acquisition of an iPhone 6s, and the focus will be on it, as it runs the iOS system. We will use various forensic tools to take several copies of the iPhone 8, analyze the results and the data that can be obtained with these tools, and see whether it is possible to recover and extract the deleted files.
iOS Boot Process
iOS Architecture
iOS Security
iOS Data Extraction Techniques
Understanding Jailbreaking
Data Acquisition from iOS Devices
Data Acquisition from iOS Backups
iOS Forensic Tools
iOS Data Analysis and Recovery
Mobile Forensics Investigation Challenges on iOS
iOS Boot Process
Mobile phones have become so common that people conduct their banking and money-related operations on them, which has prompted some to hack phones to steal sensitive information. Forensic analysis is therefore one of the important skills that an IT employee must have to be able to investigate the crimes committed in Palestine, where there are laws to reduce, criminalize, and punish electronic crimes.
This chapter uses a real practical case study related to child pornography to introduce iOS forensics. Child pornography is regarded as a crime punishable under the law in Palestine and elsewhere in the world because it is an immoral act designed to sexually exploit children over the Internet, whereby criminals send and receive photos and videos of children. This is a criminal offense.
The Palestinian Cybercrime Law, established in 2018, is based on the Jordanian Cybercrime Law. It constitutes a line of defense and a deterrent to unlawful acts committed through the Internet using a computer, mobile phone, or any technological means, but there is a gap in the law, as its penalties and fines do not deter criminals. In this chapter, we present some laws related to the sexual exploitation of children and their punishment under the Cybercrime Law in Palestine [1], together with the related provisions of the Electronic Crimes Law in Palestine, and we present a case study, which some researchers will address, related to the sexual exploitation of children via mobile phone.
Before examining the iPhone, it is necessary to identify the correct hardware model and the firmware installed on the device. There are several ways to identify the hardware of a device; the recommended tool is libimobiledevice. The iPhone is a collection of modules, chips, and electronic components from various manufacturers. Because of the complexity of the iPhone, the list of hardware parts and internal components for each device is extensive.
iOS Architecture
In this practical case, we will start our investigation on iOS, known formally as the iPhone Operating System. We should also know that iOS is derived from Mac OS, which in turn is based on the UNIX operating system. In its early stage, iOS drove a famous application, the iPod, as digital storage and an application for playing music. Later, development accelerated with very common applications such as Mail and the browser known as Safari.
iOS is the operating system that runs on a variety of Apple devices as illustrated in Figure 2-1, the iPhone being one of the most popular. In 2007, Apple debuted the iPhone, which revolutionized the smartphone market. It had a huge touch screen as well as remarkable technical characteristics, at least at the time. The Cocoa Touch library is used to develop iOS applications in Objective-C. Objective-C is a C language extension, whereas Cocoa Touch is a collection of classes. While the syntaxes of C# and Java (used for Android and Windows Phone development) are similar, the Objective-C library offers a unique option. Object-oriented programming is supported by Objective-C, as the name indicates. The language and platform have steadily improved over time, with the advent of ARC (Automatic Reference Counting) being a particularly notable advance. As a result of the automated memory management, the amount of boilerplate code was decreased, and memory leaks were minimized in general. A Mac machine is required for iOS development. Xcode is the most often used program for developing iOS apps. It comes with a robust editor, an analytical tool, an iOS emulator, and the SDK (Gronli, Hansen, Ghinea, & Younas, 2014).
As the operating system developed by Apple, iOS constitutes the primary platform for Apple mobile devices (Gyorödi, Zmaranda, Georgian, & Gyorödi, 2017). This system controls all services and parts of Apple devices. The iOS operating system was launched for the first time in 2007 with the launch of the first iPhone device, where the name of the operating system was OS X; the name was changed to iOS in 2010 (Aleem, 2019). The iOS operating system architecture has four layers: the core OS, core services, media, and the Cocoa Touch layer (Yates, 2010).
The iPhone is a collection of modules, chips, and electronic components from different manufacturers. Due to the complexity of the iPhone, the list of hardware components is extensive, and each device should be researched for its internal components: for example, the iPhone 11 has an A13 Bionic processor; storage of 64 GB, 128 GB, or 256 GB; 4 GB of RAM; a 6.1-inch Liquid Retina liquid crystal display (LCD); and a dual-lens 12 MP rear camera array. As with the iPhone, not all versions of the iPad are supported for file system acquisition; Apple changes data storage locations between iOS versions, which affects iPad devices as well, so you must be aware of the different models, the released and currently installed iOS version, the storage capacity, and the network access vectors. Internal images for all iPhones can be found in the teardown section of https://www.ifixit.com/Device/iPhone.
Just like the iPhone, the iPad is also a collection of modules, chips, and electronic components from different manufacturers. The internal images for all iPads can be found in the teardown section of https://www.ifixit.com/Device/iPad.
The iOS operating system acts as an intermediary between the applications running on the screen and the hardware components of the device. The iPhone has two partitions, the iOS system partition and the iOS data partition (Höne, Kröger, Luttenberger, & Creutzburg, 2012). The contents of the iOS system partition, which is used for the operating system and read-only for the user, may not be evidentiary, but it may be necessary to examine it (Höne et al., 2012). The iOS data partition is used as a read/write for the user and the applications so the evidence can be acquired from this partition (Höne et al., 2012). iOS performs its roles through four layers (Aleem, 2019), as shown in Figure 2-1.
iOS Architecture Layers
1. Cocoa Touch Layer: The top layer of the iOS architecture, this layer consists of a set of basic frameworks for developing the visual interface and providing the basic infrastructure for applications on the iOS system such as touch, multitouch, input services and processes, and high-level tasks (Aleem, 2019).
2. Media Layer: This layer consists of basic multimedia frameworks such as audio, video, and graphics. It provides a supporting environment for programmers to create applications with a distinctive graphic appearance (Aleem, 2019).
3. Core Service Layer: This layer works to provide the basic services required for applications on the system, such as location services, communication services, and iCloud services (Rupesh, 2017).
4. Core OS Layer: This layer is located directly above the device’s hardware, and it deals with basic, low-level functions in the device, such as memory management, file system, communication, and networking (Aleem, 2019).
The iOS system enjoys strong protection, and as the system has developed, the company's protection has increased to the point that Apple periodically offers large rewards to anyone who can penetrate the system and find a loophole in it. If this indicates anything, it is the extent of Apple's confidence in its system and the level of protection built into it.
The HFS Plus and APFS File Systems
Assume that a law enforcement official legally seizes a certain number of suspicious smartphones during a criminal investigation, and that these smartphones must be analyzed for child pornography. The difficulty of identifying and verifying the existence of hidden child pornography on any particular phone keeps increasing as a result of the ever-growing number of smartphones and law enforcement files [1]. Some of the forensic equipment on the market is currently being researched. Although many human interventions and manual tasks are required, which limits the efficiency of crime scene evidence collection, the AccessData Forensic Toolkit and Guidance EnCase are primarily used for collecting information from storage devices. The most common tools for analyzing and detecting nude images are the Paraben Porn Detection Stick and the SDK (Software Analyzer) [2].
APFS is the state-of-the-art file system for iOS, macOS, tvOS, and watchOS. It is a 64-bit file system that supports over 9 quintillion files on a single volume. APFS is structured as a single container that may contain one or more volumes. Every structure of the APFS file system begins with a block header (BH). The BH starts with a checksum computed with Fletcher's checksum algorithm. The header also contains the copy-on-write version of the block, the block ID, and the block type.
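As an added example (not code from the original chapter), the following Python builds a constructed APFS-style block, parses the header fields named above using the obj_phys_t layout from Apple's APFS reference (checksum, object id, transaction id as the copy-on-write version, type, subtype), and verifies the Fletcher-64 checksum the way APFS does: the two checksum words are chosen so that the Fletcher sums over the whole block come out to zero. The sample field values and payload are constructed.

```python
import struct

BLOCK_SIZE = 4096
MOD = 0xFFFFFFFF  # APFS Fletcher-64: 32-bit words summed modulo 2**32 - 1


def fletcher_sums(words, sum1=0, sum2=0):
    """Running Fletcher sums over a sequence of 32-bit words."""
    for w in words:
        sum1 = (sum1 + w) % MOD
        sum2 = (sum2 + sum1) % MOD
    return sum1, sum2


def block_words(block, start=8):
    """The block as little-endian 32-bit words, skipping the 8-byte checksum field."""
    return struct.unpack_from("<%dI" % ((len(block) - start) // 4), block, start)


def apfs_checksum(block):
    """Checksum over bytes 8.. of the block, chosen so that folding the two checksum
    words into the running sums afterwards drives both sums to zero (APFS convention)."""
    s1, s2 = fletcher_sums(block_words(block))
    c1 = MOD - ((s1 + s2) % MOD)
    c2 = MOD - ((s1 + c1) % MOD)
    return (c2 << 32) | c1


def verify_block(block):
    """Recompute the sums over the body, fold in the stored checksum words; valid iff both are 0."""
    s1, s2 = fletcher_sums(block_words(block))
    c1, c2 = struct.unpack_from("<II", block, 0)   # low word first (little-endian uint64)
    s1, s2 = fletcher_sums((c1, c2), s1, s2)
    return s1 == 0 and s2 == 0


def parse_header(block):
    """obj_phys_t from the APFS reference: checksum, object id, transaction id (the
    copy-on-write version), type (low 16 bits; high 16 bits are flags) and subtype."""
    cksum, oid, xid, raw_type, subtype = struct.unpack_from("<QQQII", block, 0)
    return {"checksum": cksum, "oid": oid, "xid": xid,
            "type": raw_type & 0xFFFF, "flags": raw_type & 0xFFFF0000, "subtype": subtype}


def build_block(oid, xid, raw_type, subtype, payload=b""):
    """Constructed sample block with a valid header; the payload follows the 32-byte header."""
    block = bytearray(BLOCK_SIZE)
    struct.pack_into("<QQII", block, 8, oid, xid, raw_type, subtype)
    block[32:32 + len(payload)] = payload
    struct.pack_into("<Q", block, 0, apfs_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    blk = build_block(oid=1024, xid=7, raw_type=0x40000002, subtype=0x0B, payload=b"constructed")
    print(parse_header(blk), verify_block(blk))
    damaged = bytearray(blk)
    damaged[100] ^= 0x01            # one flipped bit in the body breaks verification
    print(verify_block(bytes(damaged)))
```

An all-zero block also verifies, so a forensic parser should additionally reject headers whose type field is zero or whose object id is out of the container's range.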
iOS Security
Apple iOS devices, like the iPhone, iPod, and iPad, have been designed with several layers of security. The low-level security layer consists of hardware features that safeguard against malicious attacks, and the high-level security layer protects OS features from unauthorized access and use. The features provided in the following image are considered the main iOS security features:
- Passcodes, Touch ID, and Face ID: iOS 9 introduced the option to use a six-digit simple passcode instead of the legacy four-digit option.
- Code signing: prevents users from downloading and installing unauthorized applications on the device.
- Sandboxing: limits post-code-execution exploitation by placing the application into a tightly restricted area.
- Encryption: on iOS devices (starting with the iPhone 4), the entire file system is encrypted with a file system key, which is computed from the device's unique hardware key. This key is stored in effaceable storage, which exists between the OS and hardware levels of the device. This is the reason that Joint Test Action Group (JTAG) and chip-off methods are not useful acquisition methods, as the entire data dump will be encrypted.
- Data protection: designed to protect data at rest and to make offline attacks difficult, using hardware encryption and a strong encryption key.
- Address Space Layout Randomization (ASLR): introduced with iOS 4.3. ASLR randomizes the location of application objects in memory, making it difficult to exploit memory corruption vulnerabilities.
- Privilege separation: iOS runs with the principle of least privilege (PoLP). It contains two user roles: root and mobile. The most important processes in the system run with root user privileges. All other applications to which the user has direct access, such as the browser and third-party applications, run with mobile user privileges.
- Stack-smashing protection: protects the device against buffer overflow attacks by placing a random and known value (called a stack canary) between a buffer and the control data on the stack.
- Data Execution Prevention (DEP): separates the portions of memory that hold executable code from those that hold data.
- Data wiping: erases all content and settings.
- Activation Lock.
iOS provides advanced security features, many of which are enabled by default; users don’t need to perform extensive configurations. The key security features are not configurable, so users cannot disable them by mistake. The security features that will be addressed in this study are the code signing and privilege separation features, which get affected by jailbreaking an iPhone.
Code signing: the process by which a compiled iOS application is sealed and users are assured that it is from a known source and has not been tampered with since it was last signed with a certificate issued by Apple. This would prevent Apple users from downloading and installing unauthorized applications on jailed iPhone devices.
Privilege separation: “iOS runs with the principle of least privilege (PoLP). It contains two user roles: root and mobile. The most important processes in the system run with root user privileges. All other applications to which the user has direct access, such as the browser and third-party applications, run with mobile user privileges”.
iOS Data Extraction Techniques
1. Manual Data Extraction: This method involves navigating the device as a normal user and taking screenshots of the evidence found. It is not a recommended acquisition method, since it involves a high risk of human error, which might affect the evidence state through accidental deletion of or changes to data. It is a very simple process and shows only what is visible on the device; in some cases it can be used only to validate the outcomes of the other methods.
2. Logical Data Extraction: Logical acquisition is the second-best recommended acquisition method. It involves copying what the user has access to on their mobile, which means that it is equivalent to an iTunes backup. This method requires the device to be unlocked. It provides readable data, unlike some encrypted parts of a physical image. Recovering data from unallocated space is limited to data recovery from unallocated SQLite records.
3. Physical Data Extraction: This is the best-recommended acquisition method. The copying process includes the device storage and the file system; it is done at the bit level, acquiring all data, including deleted data, with the ability to access unallocated space. Physical acquisition is not useful for the iPhone 5s and later, due to the Secure Enclave hardware feature in Apple devices, which provides an additional layer of security through its isolation from the main processor. This security mechanism keeps user data encrypted even if the OS is compromised, which is why physical acquisition is not useful for iOS devices since the iPhone 5s. File system acquisition is now used for iOS devices instead, and it requires a jailbroken device. Applying a jailbreaking technique changes the original data on the device, and jailbreaking is not a reversible change.
Data Acquisition from Backup Devices
Copying the whole contents of a file system to a backup medium is the easiest technique for securing a file system against disk failures or file corruption. The generated archive is called a full backup. If the file system is lost later due to a disk failure, it can be recreated from a full backup onto a new disk, and individual files that have been misplaced can be recovered as well. Full backups have two drawbacks: reading and writing the complete file system takes a long time, and keeping a copy of the file system takes up a lot of storage space on the backup media.
An incremental backup strategy replicates just those files that have been created or updated since the last backup, resulting in faster and smaller backups. Because only a tiny fraction of files change on any given day, incremental backups are smaller. A common strategy combines complete backups with regular incremental backups. In an incremental backup system, restoring a deleted file or an entire file system takes longer; recovery may entail examining a chain of backup files, starting with the most recent complete backup and applying the changes recorded in one or more incremental backups. A backup copies a device's contents, which include only the files currently loaded on the device and exclude deleted files. This procedure is known as logical acquisition (Chervenak, 1998). Most of these products have been operating independently, and no forensic tool provides more than a technical framework for detecting child pornography. Through careful education, log analysis, file names, and cell location analysis, the proposed design model offers a method for automatically collecting and processing images and films on smartphones to detect child pornography images quickly. This will reduce the amount of human intervention and handling of the materials collected and processed by law enforcement officers, as well as speed up investigations.
(1) Phone A: Unjailbroken iPhone 4S (iOS 8.4.1).
(2) Phone B: Jailbroken iPhone 5S (iOS 9.3.3).
Step A: Take a new photo with Phone A.
Step B: Send the photo from Phone A to Phone B via WhatsApp.
Step C: Delete the photo on Phone A after the photo has been received in WhatsApp on Phone B.
Step D: Save the photo sent from Phone A via WhatsApp to Phone B's album.
Acquiring a physical image of an Android device
Imaging the memory card
Create the disk image: dd image of memory
Recovered documents
Examination of memory
Data Acquisition from iOS Devices
- obtaining a device, RAM, or cloud forensically;
- examining the device's file system, deleted data, and unique locations;
- conducting communication, documents, and media searches;
- locating items that were removed on purpose;
- detecting implicit traces if artifacts are robustly eliminated;
- locating and decrypting encrypted data;
- thoroughly examining the SQLite database.
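The last item above, together with the note under Logical Data Extraction that unallocated-space recovery is limited to unallocated SQLite records, is illustrated by the following added example (not code from the original chapter or from any tool it compares). It walks the freeblock chain and the cell-content gap of every table leaf page in a constructed SQLite file, shows that a deleted row's file path survives there until VACUUM rewrites the file, and shows that SQLite's secure_delete pragma zeroes it at deletion time; the table name, column names and paths are constructed.

```python
import os
import sqlite3
import struct
import tempfile

TABLE_LEAF = 0x0D  # b-tree page type byte for a table leaf page


def page_size(db):
    # SQLite file header: big-endian page size at offset 16; the value 1 means 65536.
    size = struct.unpack_from(">H", db, 16)[0]
    return 65536 if size == 1 else size


def unallocated_regions(db):
    """Return (page_no, offset, data) for the unallocated space of every table leaf page:
    the gap between the cell-pointer array and the cell content area, and each freeblock
    (the space left by a deleted cell, minus the 4-byte freeblock header that overwrites it)."""
    psize = page_size(db)
    regions = []
    for pno in range(1, len(db) // psize + 1):
        base = (pno - 1) * psize
        hdr = base + (100 if pno == 1 else 0)  # page 1 starts with the 100-byte file header
        if db[hdr] != TABLE_LEAF:
            continue
        first_free, ncells, content = struct.unpack_from(">HHH", db, hdr + 1)
        content = content or 65536
        gap = hdr + 8 + 2 * ncells               # 8-byte leaf header, then 2 bytes per cell
        if base + content > gap:
            regions.append((pno, gap - base, bytes(db[gap:base + content])))
        off = first_free                          # freeblocks form a linked list of (next, size)
        while off:
            nxt, size = struct.unpack_from(">HH", db, base + off)
            regions.append((pno, off, bytes(db[base + off + 4:base + off + size])))
            off = nxt
    return regions


def make_sample_db(path, secure_delete):
    """Constructed sample: a media table with three rows, of which the middle one is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE media_items(id INTEGER PRIMARY KEY, local_path TEXT)")
    con.executemany("INSERT INTO media_items VALUES(?, ?)", [
        (1, "Media/IMG_0001.jpg"),
        (2, "Media/IMG_0042.jpg"),   # this row is deleted below
        (3, "Media/IMG_0003.jpg")])
    con.commit()
    con.execute("DELETE FROM media_items WHERE id = 2")
    con.commit()
    con.close()


def residue_hits(path, needle):
    """(page, offset) of every unallocated region that still contains the needle."""
    with open(path, "rb") as f:
        db = f.read()
    return [(pno, off) for pno, off, data in unallocated_regions(db) if needle in data]


def residue_before_and_after_vacuum(secure_delete=False, needle=b"IMG_0042.jpg"):
    """Hits for the deleted path before and after VACUUM rebuilds the file from live cells."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.sqlite")
        make_sample_db(path, secure_delete)
        before = residue_hits(path, needle)
        con = sqlite3.connect(path)
        con.execute("VACUUM")                     # copies only live cells: residue is gone
        con.close()
        after = residue_hits(path, needle)
    return before, after


if __name__ == "__main__":
    print("secure_delete OFF:", residue_before_and_after_vacuum(False))
    print("secure_delete ON: ", residue_before_and_after_vacuum(True))
```

The same walk applies to the WAL and rollback journal files beside an app database, which often hold older copies of pages that the main file has already overwritten.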
Specification for Seized iOS Phone
Field | Value | Field | Value |
---|---|---|---|
Brand | iPhone | Model No. | Apple iPhone 6s |
IMEI1 | 123123123222 | Color | White |
Jailbroken | No | SIM | Jawwal |
Storage | 32 GB | Phone lock | Yes (password: 00000) |
iOS Version | 11 | Battery Percentage | 72% |
Other Notes:
- The device was powered on.
- The suspect provided us the password with the search warrant, which is 00000.
- Height: 5.44 inches (138.3 mm)
- Width: 2.64 inches (67.1 mm)
- Depth: 0.28 inch (7.1 mm)
- Weight: 5.04 ounces (143 grams)
- Touch ID: Fingerprint sensor built into the Home button.
Jailbreaking
Jailbreaking simply means removing limitations imposed by Apple’s mobile OS through the use of software and hardware exploits; this will permit unsigned code to run and gain root access on the OS. The most common reason for jailbreaking is to expand the limited feature set imposed by Apple’s App Store and to install unapproved apps.
Jailbreak Tool According to the Device Model and iOS Version
Version | Release date | Tool |
---|---|---|
iOS 1.0 | June 29, 2007 | (no name) |
iOS 2.0 | July 11, 2008 | PwnageTool |
iOS 3.0 | June 17, 2009 | PwnageTool |
iOS 4.0 | June 21, 2010 | PwnageTool |
iOS 5.0 | October 12, 2011 | redsn0w |
iOS 6.0 | September 19, 2012 | redsn0w |
iOS 7.0 - 7.0.6 | September 18, 2013 | evasi0n7 |
iOS 7.1 - 7.1.2 | May 29, 2014 | Pangu |
iOS 8.0 - 8.1 | September 17, 2014 | Pangu8 |
iOS 8.1.1 - 8.4 | November 17, 2014 | TaiG, PP Jailbreak |
iOS 8.4.1 | August 13, 2015 | EtasonJB |
iOS 9.0 | September 16, 2015 | Pangu9 |
iOS 9.1 | October 21, 2015 | Pangu9 |
iOS 9.3.5 | August 25, 2016 | Phoenix |
iOS 10.0 - 10.1.1 | September 13, 2016 | Yalu |
iOS 11.0 - 11.1.2 | September 19, 2017 | LiberiOS, Electra1112 |
iOS 11.0 - 11.4.1 | July 7, 2018 | Electra1131 |
iOS 11.0 - 11.4.1 | October 14, 2018 | unc0ver |
iOS 12.0 - 12.2, 12.4 - 12.4.2 | September 17, 2019 | Chimera, unc0ver |
1. Download the appropriate iOS firmware image from Apple (called an IPSW).
2. Download the jailbreak software.
3. Connect the iDevice to the computer via USB.
4. Launch the jailbreak app on the computer.
5. On the computer, select the IPSW file.
6. Put the iDevice into Device Firmware Update (DFU) mode.
7. Wait.
8. Jailbroken iThings now have Cydia.
iOS Forensic Tools
Forensic Tools Comparison Related to iOS Work
Forensic Tool | Purpose/Use | Results |
---|---|---|
BEC | Logical acquisition and database opening | Acquisition succeeded, database file opened and examined |
Magnet Axiom | Logical acquisition and database opening | Succeeded |
Mobiledit Forensic Express | Logical acquisition | No valuable results |
iBackup Viewer | Data extraction from backup | Data have been extracted |
Elcomsoft Phone Viewer | Viewing backup artifacts | Artifacts were viewed |
DB Browser | Viewing and analyzing database files | Db files were viewed and analyzed |
iOS Data Analysis and Recovery Using Belkasoft Tool
Fourth, after analyzing the artifacts in Belkasoft for "Child-pn", which is the child pornographic image, the result obtained with this tool indicated that the image was not found.
iOS Data Analysis and Recovery Using Axiom Tool
Mobile Forensics Investigation Challenges on iOS Devices
1. Apple has always been regarded as a leader in the IT sector when it comes to applying more stringent encryption standards. Apple has addressed consumers' privacy concerns on both its macOS and iOS platforms, resulting in safe settings.
2. It is important to note from the outset that obtaining the unlock code for the phone is of great importance, as it is difficult or almost impossible to bypass this code, especially on devices with recent versions.
3. The encryption standard that Apple enforces becomes a barrier in forensic examination. Because Apple's secure erase function allows Mac users to overwrite a system's space once or numerous times, data recovery would be very difficult.
4. Another built-in feature of the Mac is FileVault, which gives users a safe and secure place to keep their data. FileVault can only be opened if the encryption is broken or if the password is obtained. Forensic investigators have no access to the data stored in FileVault unless it is deactivated.
5. Finally, users can back up their device data to Apple's iCloud platform. Every iCloud user is granted an account. They may use their Apple ID to sync, upload, and retrieve data from iCloud across all of their Apple products, such as the MacBook, iPhone, and iPad.
6. If a forensic investigator can get the Apple ID and password, they will have access to all information and data connected with all synced devices (Reddy, 2019).
Summary
Since the first-generation iPhone in June 2007, iPhone forensics has become more challenging with respect to file system acquisition methods: no method or tool is available to physically recover data from these devices unless they are jailbroken, while a logical acquisition can be obtained if the iPhone is unlocked.
Axiom and Belkasoft are two of the best and most powerful programs for the forensic analysis of mobile phones; both support mobile phones and computers, which is a good thing. Belkasoft can retrieve about 700 artifacts. It is easy to use, and it has an easy-to-use scripting module with which you can write your own scripts, but it is not free and the price may be high. As for Axiom, it can recover about 500 different artifacts and is also not free, but a trial version is available. Axiom consumes a lot of computer resources, and it is generally slow and does not respond quickly. In this case, we chose the Belkasoft program for speed, because we are at the airport and have only two hours, so we want a fairly fast program. What is important in our case study is that Belkasoft failed to retrieve the deleted images that were downloaded using WhatsApp, in contrast to Magnet Axiom, which successfully retrieved the child pornographic images. Magnet Axiom used a carving method to retrieve the images; this method also exists in Belkasoft but could not be applied for some reason.
In the end, the Axiom program showed its superiority over Belkasoft, although it was somewhat slow. It succeeded in recovering the deleted image, and it was able to recover the deleted image on the iOS system without jailbreaking.
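The carving method mentioned above (recovering files by their signatures from unallocated space rather than through the file system), as an added example that is not code from the original chapter or from Magnet Axiom or Belkasoft: a structure-aware JPEG carver that follows the marker segments and skips stuffed 0xFF00 bytes and restart markers inside scan data, so it finds the true end of each image instead of the first 0xFFD9 it sees, and it skips a truncated image. The blob and the images in it are constructed (structurally valid, not decodable).

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end(blob, start):
    """Walk the marker segments from the SOI at `start`; inside scan data skip stuffed 0xFF00
    bytes and RSTn markers; return the offset just past EOI, or None if the image is cut off."""
    i = start + 2
    while i + 4 <= len(blob):
        if blob[i] != 0xFF:
            return None                          # a marker is required here
        marker = blob[i + 1]
        if marker == 0xFF:                       # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:
            return i + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                               # standalone markers carry no length
            continue
        length = struct.unpack_from(">H", blob, i + 2)[0]
        if length < 2:
            return None
        if marker != 0xDA:                       # ordinary segment: jump over it
            i += 2 + length
            continue
        j = i + 2 + length                       # SOS: entropy-coded data follows
        while True:
            k = blob.find(b"\xff", j)
            if k < 0 or k + 1 >= len(blob):
                return None
            m = blob[k + 1]
            if m == 0xD9:
                return k + 2
            if m == 0xD8:
                return None                      # a new SOI before EOI: this image is truncated
            if m == 0x00 or m == 0xFF or 0xD0 <= m <= 0xD7:
                j = k + 1                        # stuffed byte, fill byte or restart marker
                continue
            i = k                                # another segment (e.g. a progressive scan)
            break
    return None


def carve_jpegs(blob):
    """Return (offset, data) for every structurally complete JPEG in the blob."""
    found, pos = [], 0
    while True:
        start = blob.find(SOI + b"\xff", pos)
        if start < 0:
            return found
        end = jpeg_end(blob, start)
        if end is None:
            pos = start + 2                      # false start or truncated image: keep scanning
        else:
            found.append((start, blob[start:end]))
            pos = end


def fake_jpeg(comment):
    """Constructed, structurally valid JPEG with APP0, COM, SOF0 and one SOS whose scan data
    contains a stuffed 0xFF00 pair and an RST0 marker before the EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\x78"
    return SOI + app0 + com + sof0 + sos + scan + EOI


def sample_blob():
    """Constructed unallocated-space image: two JPEGs amid zero fill, then a truncated one."""
    first, second = fake_jpeg(b"first"), fake_jpeg(b"second")
    blob = b"\x00" * 50 + first + b"\x00" * 30 + second + b"\xff\xd8\xff\xe0\x00\x05\x01"
    return blob, [(50, first), (50 + len(first) + 30, second)]
```

Carved output should be hashed and recorded with its source offset, since the same image may be recovered both from the file system and from unallocated space.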
Practical Lab 2.1
1. Download the libimobiledevice library to access iOS devices with the latest binaries from the following link: https://www.quamotion.mobi/.
2. Unzip the archive with x86 or x64 binaries, depending on your workstation's version.
3. Open the command prompt and change the directory to the one with the binaries (use the cd command for this).
References
- [1] L. Abu Arram and M. Moreb, "Cyber Security In Mobile Apps And User CIA," 2021 International Conference on Information Technology (ICIT), 2021, pp. 7–12, doi: 10.1109/ICIT52682.2021.9491657.
- [2] Gronli, T. M., Hansen, J., Ghinea, G., & Younas, M. (2014). Mobile Application Platform Heterogeneity: Android vs Windows Phone vs iOS vs Firefox OS. Proceedings - International Conference on Advanced Information Networking and Applications, AINA, 635–641. https://doi.org/10.1109/AINA.2014.78
- [3] Gyorödi, R., Zmaranda, D., Georgian, V., & Gyorödi, C. (2017). A Comparative Study between Applications Developed for Android and iOS. International Journal of Advanced Computer Science and Applications, 8(11). https://doi.org/10.14569/ijacsa.2017.081123
- [4] Höne, T., Kröger, K., Luttenberger, S., & Creutzburg, R. (2012). iPhone Examination with Modern Forensic Software Tools. Mobile Multimedia/Image Processing, Security, and Applications 2012, 8406(May), 84060R. https://doi.org/10.1117/12.921453
- [5] Reddy, N. (2019). Practical Cyber Forensics. https://doi.org/10.1007/978-1-4842-4460-9
- [6] Rupesh. (2017). iOS Layered Architecture. https://codeingwithios.blogspot.com/2017/09/ios-layered-architecture.html
- [7] Yates, M. (2010). Practical Investigations of Digital Forensics Tools for Mobile Devices. Proceedings of the 2010 Information Security Curriculum Development Annual Conference, InfoSecCD'10, 156–162. https://doi.org/10.1145/1940941.1940972