Deep Insight Into iOS Forensic Analysis

Mariah | November 9th, 2015 | Forensics

The emergence of Android has changed things completely; almost no one is without an Android device today. It has had a significant impact on Smartphone marketing and, along with that, has also changed the iOS forensic artifacts area. Smartphones change every day, and emailing, task lists and so on have become possible on these platforms. Web surfing, once done on PCs and laptops, now happens on small Smartphones and tablets: data can be transferred, the device can communicate with a mail server, and much more.

Apple's operating system, iOS, keeps records of emails, chats, browsing history and much more in an organised manner. This has made the platform relevant to forensics, so this session discusses iOS forensic analysis.

iOS Artifacts Forensic

iOS is the mobile operating system deployed by Apple Inc. It runs on devices such as iPhones, iPads and iPods. Successful forensics depends on keen observation of the data. On iOS devices, you will come across some of the things listed below.

  • Notes
  • Calendars
  • Photos
  • Keystrokes
  • iTunes
  • Map
  • Clock

During iOS forensic analysis you will find that applications such as Calendar, Notes, Text Messages and Photos use the SQLite database structure to store and organise their data.

The file system structure is common to all iOS devices. It corresponds to a UNIX layout, and files are stored in text format, which enables iOS artifacts forensics.

Applications store their data by default in:

private/var/mobile/Library

Photos

Location:

private/var/mobile/media/DCIM

All photos taken with the device are stored in this location as iOS forensic artifacts. The pictures carry timestamp metadata, and if a photo is found in the 100APPLE folder, it was taken from the device.

Apart from taking photos, the device can also take screenshots. These files are found in the DCIM/999Apple folder.

Keystrokes

While conducting iOS forensic analysis, keystrokes are found in:

/private/var/mobile/Library/Keyboard

Here you will find the words typed while using the device. Words typed in Safari, Messages, Notes, Facebook and so on are captured. This helps agents find words related to their cases.

Notes

The Notes are located in /private/var/mobile/Library/Notes.

Investigators can collect keywords and other evidence from here. The database consists of 9 tables, of which ZNote is the important one. In the ZNote table you will see ZTITLE, which holds the title of the note, along with CREATIONDATE and MODIFICATIONDATE. The ZCONTENT column contains the body of the note.

Call History

The call history file is the most important file an investigator will look for in iOS forensic analysis, since it reveals many clues and pieces of evidence. The call_history.db file contains the date of the call, its duration, the phone number and the reference ID of the contact. The flag field indicates whether a call was incoming or outgoing: 4 for incoming and 5 for outgoing.

Location: /private/var/Library/CallHistory
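As an added example (not from the original article), the following Python parser applies the flag convention above (4 = incoming, 5 = outgoing) to a constructed call_history.db look-alike. It opens the database read-only, hashes the file before and after reading to show the evidence was not altered, and summarises calls per number. The table and column names, the sample rows and the Unix-epoch date format are assumptions for illustration, not taken from a real device.

```python
import hashlib, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Direction flags as the article describes them: 4 = incoming, 5 = outgoing.
FLAG_NAMES = {4: "incoming", 5: "outgoing"}
# Constructed rows (address, epoch seconds, duration s, flags); the schema is an assumption.
SAMPLE_ROWS = [("+15550100", 1446796800, 65, 4),
               ("+15550100", 1446800400, 0, 5),
               ("+15550199", 1446804000, 912, 5)]

def build_sample_db(path):
    """Create a small call_history.db look-alike so the parser can run offline."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, duration INTEGER, flags INTEGER)")
    con.executemany("INSERT INTO call (address, date, duration, flags) "
                    "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()

def parse_call_history(path):
    """Open the database read-only (mode=ro), decode each call, and confirm the file is unchanged."""
    digest_before = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    rows = con.execute("SELECT ROWID, address, date, duration, flags "
                       "FROM call ORDER BY date").fetchall()
    con.close()
    if hashlib.sha256(Path(path).read_bytes()).hexdigest() != digest_before:
        raise RuntimeError("evidence file changed during analysis")
    return [{"rowid": rowid, "number": addr, "duration_s": dur,
             "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
             "direction": FLAG_NAMES.get(flags, f"unknown({flags})")}
            for rowid, addr, ts, dur, flags in rows]

def summarize_by_number(records):
    """Per number: count incoming/outgoing calls and total seconds connected."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["number"], {"incoming": 0, "outgoing": 0, "talk_s": 0})
        if r["direction"] in s:
            s[r["direction"]] += 1
        s["talk_s"] += r["duration_s"]
    return summary

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "call_history.db"
        build_sample_db(db)
        records = parse_call_history(db)
    return records, summarize_by_number(records)
```

Unknown flag values are reported as `unknown(n)` rather than guessed, so a record with an unexpected flag is visible in the output instead of being silently miscounted.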

Browser Cookies

Cookies give information on the websites visited. These iOS forensic artifacts help the investigator see which sites the suspect has visited.

Located at:

/private/var/mobile/Library

Text Messages

Located in:

/private/var/mobile

Apart from the web browser history, an agent can get good pieces of evidence from text messages and SMS as well.

iOS forensic analysis lets investigators collect information on SMS from:

/private/var/mobile/Library/SMS

The sms.db file present here gives details of current (existing) and old conversations, even if they have been deleted.

AddressBook

The address book stores the owner's details and is located in:

/private/var/mobile/Library/AddressBook

The data is stored in the AddressBook.sqlitedb file, and the ABPerson table in that database shows details such as first name, last name, job, birthday and nickname.

The AddressBook.sqlitedb file is a SQLite file that can be viewed using Sqlite Forensics Viewer.


To acquire and analyse iOS forensic artifacts from these databases, investigators depend on tools that can open the files. Many tools on the market help experts perform iOS forensic analysis. I hope this information has added to your knowledge and will be helpful in your investigations.