iPhone Forensics: Uncovering Digital Evidence
Presentation Transcript
iPhone Forensics Ruben Gonzalez
Agenda • I am the iPhone • iPhone Components • OS and System Architecture • Let’s Dive into iPhone Forensics • Evidence Left Behind • Forensic Software Tools Needed to do the Job • Dissecting One Forensic Tool • Basic Things to Understand • One Last Thing
Hello … I am the iPhone and I don’t need an introduction! 45 million units will be sold this year!
OS and System Architecture • ARM processor • Contrast with x86 • Hardware • Various sensors • Accelerometer • Proximity sensor • Multi-touch capable screen • Various radios • User interface frameworks • Leopard or Tiger (iPhone version) • Kernel (signed kernel) • Used to prevent tampering
Let’s Dive into iPhone Forensics • Facts about the iPhone (forensically speaking) • It is extremely difficult to permanently delete data from an iPhone • A secure wipe has been added in recent versions • The iTunes "restore" process formats the device • In actuality, even this leaves a majority of the old data intact, just not directly visible • A refurbished iPhone may contain the last owner’s information
Evidence Left Behind • Keyboard caches • usernames, passwords, search terms, and historical fragments of typed communication. • Even when deleted • Deleted images • Browsing cache and deleted browser objects • Exhaustive call history, beyond that displayed, is generally available
Evidence Left Behind (… cont) • Map tile images from the iPhone's Google Maps • Application direction lookups and GPS coordinates • Deleted voicemail recordings • Pairing records establishing trusted relationships
Forensic Software Tools Needed to do the Job • Commercial Tools • Device Seizure 2.0 (Paraben) • Aceso (Radio Tactics Ltd) • Sixth Legion (WOLF) • Open Source Tools • iLiberty (iPhone v1.x) • Pwnage (iPhone v2.x)
Dissecting One Forensic Tool • iLiberty • A basic Unix world • OpenSSH, a secure shell • The netcat tool, for sending data across a network • The md5 tool, for creating a cryptographic digest of the disk image • The dd disk copy/image tool • Is it really a forensic tool if you write to the HD? • Other tools may provide a similar solution
Basic Things to Understand • Apple File Communication Protocol (AFC) • Uses a framework (MobileDevice) to allow iTunes to write to the Media (jailed) partition • iTunes can read info from the device but not raw data • AFC is used to boot a RAM disk containing the forensic payload into the iPhone’s running memory • After rebooting, it installs UNIX tools (ssh, dd, etc.)
Basic Things to Understand • Where Things Are Written and Where You Can Write • Think UNIX • There is a System Partition (root) • 300 MB • Read only • Intended to remain in factory state • This is where the forensic tool will be installed • Media Partition • The rest of the disk • Mounted as /private/var • Contains all user information • Writing to it = Contamination
Basic Things to Understand • Avoid cross contamination • The iPhone will sync if not prevented • You must prevent this before connecting the phone to the desktop • As of today, there is no iPhone write blocker
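The dd-plus-md5 acquisition listed on the iLiberty slide, combined with the contamination rule from the partition slide, as an added shell example (not iLiberty's code and not the presenter's): the image is written only on the examiner's side, and the digest taken at acquisition time is later checked against the stored image. Assumptions: POSIX sh with dd and either GNU md5sum or BSD md5; the netcat transfer described on the page is replaced by a local file copy, and the "device" is a constructed sample file rather than an iPhone partition.

```shell
#!/bin/sh
# Added example: hash-verified acquisition modelled on the dd + md5 workflow
# the slides describe. Not iLiberty's own code. Assumes POSIX sh, dd, and
# md5sum (GNU) or md5 (BSD). The "device" below is a constructed sample file.
set -u

# Use whichever MD5 tool the host provides (the slide's "md5" is the BSD one).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Copy SRC (the evidence partition) to DEST (examiner's storage, never the
# device's media partition) and print the digest of SRC as read.
# conv=noerror keeps dd going past unreadable blocks instead of aborting.
acquire_image() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=4096 conv=noerror 2>/dev/null || return 1
    md5_of "$src"
}

# Compare the digest recorded at acquisition with a fresh digest of the image.
# Prints VERIFIED or MISMATCH and returns 0 or 1 accordingly.
verify_image() {
    expected="$1"; image="$2"
    actual=$(md5_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "VERIFIED $actual"
        return 0
    fi
    echo "MISMATCH expected=$expected actual=$actual"
    return 1
}

# Constructed sample: 256 lines of known content stand in for a partition.
make_sample_device() {
    out="$1"; i=0
    : > "$out"
    while [ "$i" -lt 256 ]; do
        printf 'sample media partition block %03d (constructed, not iPhone data)\n' "$i" >> "$out"
        i=$((i + 1))
    done
}
```

Re-running verify_image on an image that has been appended to or otherwise altered reports MISMATCH, which is the check an examiner records alongside the acquisition digest.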
[Slide image: iPhone with payload injected, showing the UNIX commands installed in the root directory]
One Last Thing • Because of Apple’s IP • Apple has made it difficult for developers to make forensic tools that work as well as their desktop counterparts • The aforementioned tools are not able to get a true physical HD image • iLiberty is the exception, but it is not considered forensic • Hacking the System Partition violates Apple’s IP • There is no way at this point in time to get a perfect image of the user partition • Things may change once the new iPhone is released in June • Not necessarily a change for the better