iOS Mobile Forensics – How do they do it – Series Part one.

Welcome to my very first article in the “iOS Forensics Series”.

In this series I will provide information on mobile forensics, starting from the three main categories (seizure, acquisition and examination) and going all the way to analysis.

In this part we cover seizure; future parts of this series will look deeper into the forensic work of acquisition and examination on iOS devices.

Audience and Expectations

The intended audience is diverse, ranging from forensic examiners to incident responders to corporate investigators, but it is my hope that this will also be helpful to law enforcement in rural areas with budget constraints.

The practices recommended in this series are designed to highlight key technical principles associated with the handling and examination of mobile devices. Readers are assumed to have a basic understanding of traditional digital forensic methodologies and capabilities involving stand-alone computers.

As a natural first step in digital forensics, the evidence must always be adequately preserved and processed so that it is admissible in a court of law.

The process: thanks to the SANS digital forensics community posters, the process-guide elements referenced here illustrate the workflow so that the results of your examination will hold up under scrutiny.

Link to the poster: Advanced Smartphone Forensics Poster (SANS)

Confiscation

Seizing mobile devices is covered by the same legal considerations as other digital evidence. Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files. In addition, powering the device off would risk activating the user lock, which the investigator or first responder would then face on the next power-up.

Nevertheless, leaving the phone on carries another risk: the device can still make a network/cellular connection (data retention request). This may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage (or a Faraday bag, starting from $30.00 to $58.00). Even so, there are two disadvantages to this method. First, it renders the device unusable, as its touch screen or keypad cannot be used. Second, a device’s search for a network connection will drain its battery more quickly. While devices and their batteries can often be recharged, again, the investigator risks that the phone’s user lock will have activated.

Therefore, network isolation is advisable, either by placing the device in Airplane Mode and disabling Wi-Fi and hotspots, or by cloning its SIM card (a technique which can also be useful when the device is missing its SIM card entirely).

Open source hardware and software exist to aid in reading SIM cards: the adafruit.com project SIM Reader kit – v1.0 (link) costs $17.00, and cross-platform software (Python scripts) is available for cloning SIM cards. I have used XRY for creating clone SIM cards in the past, but this is a commercial product.

To be continued…

Disclaimer

Tools are mentioned in this series to illustrate concepts and techniques, not to indicate that a particular tool is best suited to a particular purpose. Digital investigators must take responsibility to select and evaluate their tools. Any legal issues covered in this text are provided to improve understanding only and are not intended as legal advice. Seek competent legal advice to address specifics of a case and to ensure that nuances of the law are considered.

About Liban Mohamud

My name is Liban Mohamud. I hold an M.Sc. in Digital Investigations, Forensics and Computer Security from University College Dublin (UCD). I’m an Information Security Specialist and researcher with a passion for Mobile Security and Mobile Forensics, and I have over 15 years’ experience in the industry. @coolx28

One thought on “iOS Mobile Forensics – How do they do it – Series Part one.”

  1. Pingback: iOS Mobile Forensics – How do they do it – Series Part Two “SIM” Cards | agostini.tech
