iOS Forensic Analysis
One of the most dominant challenges that Apple has faced after the launch of the iPhone in the market, is the huge group of hackers that have targeted the iPhone for accomplishing unlawful activities. The advancement in the count of criminal offences at a feverish pace requires innovative technologies. To perform iOS forensic analysis on the iPhone of the suspect. In this write up we will put forth the analysis that we carried out on the operating system of the iPhone- iOS. So, in order to support the large storage need of iOS, Apple introduced a new file system designed specifically for this operating system- HFS (Hierarchical File System).
Structure of Hierarchical File System
During iOS forensic analysis, firstly we will perform an investigation on HFS blocks i.e. allocation block and logical block.
- Logical Blocks
The logical blocks are formatted with a 512-byte block scheme. They are numbered from the first to the last block present on the given volume and they remain static.
- Allocation Blocks
The allocation blocks are the groups of logical blocks that are link together in the form of clumps in order to increase the performance of HFS.
The iOS file system forensics consists of the following:
- Boot Blocks
The first 1024 bytes in sectors 0 and 1 are known as boot blocks.
- Volume Header
The next 1024 bytes after the boot blocks in the volume header of HFS, which contains the information of the entire volume. The last 1024 bytes of the volume is occupied by the backup of the volume header.
- Allocation File
It tracks the allocation blocks that are currently in use by the system and the ones that are free. However, the size of the allocation file can be changed.
- Extent Overflow File
This file tracks the allocation tables that are used by the file. And records this information in a proper order in the form of a balanced tree format.
- Catalog File
The HFS uses catalogue files in order to describe the files and folders present in the volume. All though, in iOS forensic analysis, it maintains the hierarchy of nodes like header, leaf, index, and map. In addition to this, it also contains the metadata of the files like created, modified and accessed dates.
Partitions In iOS
There are two partitions on an iOS device:
- System Partition
This partition is a read-only partition but firmware updates can be done on it. When an up gradation is performed, the partition gets overwritten by a new iTunes partition. The size of this partition varies between 0 .9 to 2.7 GB. This does not contain any user data but upgrades files, system files, and basic applications.
- Data Partition
The data partition contains the user data and is the most important partitions from an iOS file system forensics point of view. This is the place where the entire iTunes applications and the profile data of the user.
Additional Database of iOS forensic analysis
SQLite
SQLite file format is the most popular format for open source applications as well as phones. Due to this very fact, Apple has also embraced SQLite for storing iOS data in the phones. The native applications, which make use of SQLite database are Calendar, Messages, Notes, Address Book, and Photos.
Property List
The plist is a data file that is used to store data in the iOS operating system. Earlier, Apple deployed binary or NeXTSTEP format for these files. However, presently people use XLM format to designate plist files.
Analysis of iOS Logical Data
The ios operating system provides modified, accessed, changed and born times (MACB) that prove to be crucial evidence in any case involving iOS forensic analysis. These MACB times when used with a timeline, generate essential information for an investigation.
The structure of iOS directory is common for all the iOS devices and is a hub of the entire information. The folder structure is similar to the UNIX layout and the files are storedin text, XML, binary and SQLite database formats. The data of default applications is stored in private/var/mobile/Library folder. These default applications are:
-
- Address Book
The address book is the most important and central database in the iOS system. The location of this file is /private/var/mobile/Library/AddressBook.
There are primarily two databases in AddressBook:
-
-
- sqlitedb: Contains contact information
- sqlitedb: Contains contact images
- Caches
-
The caches directory of iOS device holds information related to the device, especially the iPhone. The location of this file is private/var/Library/Caches. Some of the directories of importance are:
-
-
- appleWebAppCache: Stores the data which is required by the web apps
- Locationd: It consists of the entire geolocation data of the iOS devices. This file consist of the following files:
-
Consolidated.db:
It contains the cell tower and the geolocation data
Clients.plist: Contains the list of applications and services that use the geolocation data along with the information of all the Wi-Fi spots the iOS device has come in contact.
-
- Call History
The location of this file is /private/var/Library/CallHistory. While conducting iOS forensic analysis the entire call history is stored in call_history.db file. It can store a maximum of 100 calls in this file. And maintains a log of all the missed, incoming and outgoing calls. This SQLite table consists of various tables as follows:
-
- Rowid: It is the record number of a call.
- Address: It is the number of incoming and outgoing calls.
- Date: Data and time value stored in UNIX format. And can convert with the help of the converter.
- Duration: Time duration of all the calls in seconds.
- Flags: Flags display whether it is an incoming, outgoing or missed call.
- Country Code: This displays the country code from where the call has originated.
- Text Messages
The text message is yet another useful piece of information that is helpful in the examination of the iOS device. This information is stored in sms.db file, which is stored at the location /private/var/mobile/Library/SMS. This file contains both deleted and existing messages. It contains the text, phone number of messages, the content of the text, etc. The content of the table includes:
- ROWID: It is the record ID of the text message.
- Address: Contact to which the message is sent or received from.
- Date: The date on which the message was sent or received.
- Text: The content of the message. It is blank in case it is an MMS.
- Flags: Describes the type of messages-Sent, Received, and Unsent SMS.
iOS devices store an enormous amount of data that serves to be of importance in an iOS forensic analysis. When extracted in the right form with careful measures, the evidence can prove the culprit guilty or innocent.