ios_forensics
  • Analysis of artifacts on iOS devices

In the following paragraphs I discuss the artifacts found on an iOS device and how to analyse them, whether they were generated by the user's interaction or by the device and its own features. Most of the extracted artifacts come in one of two formats: .plist files, which serve as configuration files, and SQLite database files.

First, let's look at where data is stored on an iOS device. Most of it lives under /private/var/mobile, and /User/ is a symlink pointing to that same directory. For example, /User/Applications resolves to the actual path /private/var/mobile/Applications.

  • /User/Applications/######-####-####-####-###########: the # characters stand for the hexadecimal digits of the UUID that names the directory.
  • <Application_Home>/AppName.app: the application bundle. This directory is not backed up.
  • <Application_Home>/Documents/: data files belonging to the application.
  • <Application_Home>/Library/: files specific to the application.
  • <Application_Home>/Library/Preferences/: the application's preference files.
  • <Application_Home>/Library/Caches/: support files the application needs; like the bundle, this directory is not backed up.
  • <Application_Home>/tmp/: the application's temporary files.

 

  • AddressBook inside /private/var/mobile/Library/AddressBook

Investigating the address book of an iOS device is a very important step for an examiner. Its importance is easy to summarize: once the address book has been acquired, all of the user's personal contacts are available for investigation.

The address book is an SQLite database file named AddressBook.sqlitedb that holds several tables. Two of them are of particular interest to the investigation.

The first is the table ABPerson. It contains fields such as first name, last name, organization, notes, birthday, job title, nickname, prefix and more. The index of this table is named ROWID.

The second is the table ABMultiValue. It holds important data about the stored contacts, such as their email addresses and phone numbers, in a column called "value"; each row is linked to the person's name and other data in ABPerson. The index of ABMultiValue is called record_id.

Note the relationship between ABPerson and ABMultiValue on one side and the other tables in the database on the other: it is one-to-many. Several tables link to ABPerson and ABMultiValue through ROWID and record_id respectively.
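The join described above, resolving each ABMultiValue row back to its ABPerson owner through record_id and ROWID, is shown here as an added example; it is not code from the original post or from any forensic tool. The schema is a constructed, minimal subset of AddressBook.sqlitedb, the sample rows are invented, and the property codes 3 (phone) and 4 (email) are an assumption taken from the AddressBook framework's property constants, so check them against the database you actually acquire.

```python
import sqlite3

# Property codes used in ABMultiValue.property. These follow the AddressBook
# framework's kABPersonPhoneProperty / kABPersonEmailProperty values and are
# an assumption of this example; verify them against the database in hand.
PROPERTY_PHONE = 3
PROPERTY_EMAIL = 4

# Constructed, minimal subset of the AddressBook.sqlitedb schema: ABPerson is
# keyed by ROWID, ABMultiValue stores each phone number or email in "value"
# and points back to its owner through record_id. Real databases carry far
# more columns and tables than this.
SCHEMA = """
CREATE TABLE ABPerson (
    ROWID INTEGER PRIMARY KEY,
    First TEXT, Last TEXT, Organization TEXT, Note TEXT,
    Birthday TEXT, JobTitle TEXT, Nickname TEXT, Prefix TEXT
);
CREATE TABLE ABMultiValue (
    UID INTEGER PRIMARY KEY,
    record_id INTEGER NOT NULL REFERENCES ABPerson(ROWID),
    property INTEGER,
    label INTEGER,
    value TEXT
);
"""

# Constructed sample rows (names and numbers are invented for this example).
SAMPLE_PERSONS = [
    (1, "Alice", "Example", "Example Corp", None, None, "Engineer", None, None),
    (2, "Bob", None, None, "met at conference", None, None, None, None),
    (3, None, None, "Acme Support", None, None, None, None, None),
]
SAMPLE_VALUES = [
    (10, 1, PROPERTY_PHONE, 1, "+1 555 0100"),
    (11, 1, PROPERTY_PHONE, 2, "+1 555 0101"),
    (12, 1, PROPERTY_EMAIL, 1, "alice@example.com"),
    (13, 2, PROPERTY_EMAIL, 1, "bob@example.net"),
    (14, 3, PROPERTY_PHONE, 1, "+1 555 0199"),
]


def build_sample_db():
    """Create an in-memory database holding the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO ABPerson VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_PERSONS)
    con.executemany("INSERT INTO ABMultiValue VALUES (?,?,?,?,?)", SAMPLE_VALUES)
    con.commit()
    return con


def open_addressbook(path):
    """Open an acquired AddressBook.sqlitedb read-only so the evidence is not altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def display_name(first, last, organization):
    """Fall back to the organization for contacts that have no personal name."""
    name = " ".join(part for part in (first, last) if part)
    return name or organization or "<unnamed>"


def list_contacts(con):
    """Resolve the one-to-many link ABPerson.ROWID -> ABMultiValue.record_id.

    Returns {ROWID: {"name", "organization", "phones", "emails", "other"}}.
    A LEFT JOIN keeps contacts that have no phone or email rows at all.
    """
    sql = """
        SELECT p.ROWID, p.First, p.Last, p.Organization, m.property, m.value
        FROM ABPerson AS p
        LEFT JOIN ABMultiValue AS m ON m.record_id = p.ROWID
        ORDER BY p.ROWID, m.UID
    """
    contacts = {}
    for rowid, first, last, org, prop, value in con.execute(sql):
        entry = contacts.setdefault(rowid, {
            "name": display_name(first, last, org),
            "organization": org,
            "phones": [], "emails": [], "other": [],
        })
        if value is None:        # contact without any multi-value rows
            continue
        if prop == PROPERTY_PHONE:
            entry["phones"].append(value)
        elif prop == PROPERTY_EMAIL:
            entry["emails"].append(value)
        else:
            entry["other"].append(value)
    return contacts


if __name__ == "__main__":
    for rowid, c in list_contacts(build_sample_db()).items():
        print(rowid, c["name"], c["phones"], c["emails"])
```

On a real acquisition, replace build_sample_db() with open_addressbook(path) so the database is opened with mode=ro; work on a copy of the file in any case, since SQLite may still create journal files beside it.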

  • Call history inside /private/var/Library/CallHistory

The database file call_history.db is of great importance to an examiner performing a forensic investigation of an iOS device: it stores the cellular calls that were made and received, which lets the examiner reconstruct them.

There are four main tables, all of interest to an examiner. One of them is the "call" table, which holds data such as the phone number, date, duration and reference ID of the contact for each call.

The phone number field holds the phone number recorded in the call history. The date field is stored as a Unix epoch timestamp, the number of seconds since 00:00:00 UTC on 1 January 1970, so it needs to be converted into a human-readable time. The duration field gives the length of the call with that phone number.

Another field is the id field. It holds the id that the phone uses for this number; linking it to the id in the address book reveals which contact name the number belongs to. If the number is not listed in the address book, the device has no id for it, and the id field holds the value -1 to indicate that no id is stored for this phone number.

Last, the call table has a flags field, which indicates whether the call with a given number was outgoing or incoming: the value 4 marks a received call and the value 5 marks an outbound call.
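Putting the three fields together (epoch date, id with -1 for unknown numbers, flags 4/5 for direction), here is an added example that decodes a call table; it is not code from the original post. The column names address, date, duration, flags and id are an assumption for this example, the schema is a constructed subset of the "call" table, the sample rows are invented, and the name map stands in for a lookup against ABPerson.ROWID done separately. It also handles the edge cases an examiner should not silently drop: a flags value other than 4 or 5, and an id that does not resolve to any contact.

```python
import sqlite3
from datetime import datetime, timezone

# Values as stated on the page.
FLAG_INCOMING = 4          # received call
FLAG_OUTGOING = 5          # outbound call
UNKNOWN_CONTACT = -1       # id stored when the number is not in the address book

# Constructed subset of the "call" table in call_history.db. The column names
# (address, date, duration, flags, id) are assumed for this example.
SCHEMA = """
CREATE TABLE call (
    ROWID INTEGER PRIMARY KEY,
    address TEXT,
    date INTEGER,
    duration INTEGER,
    flags INTEGER,
    id INTEGER
);
"""

# Constructed sample calls; timestamps are Unix epoch seconds.
SAMPLE_CALLS = [
    (1, "+15550100", 1000000000, 120, FLAG_OUTGOING, 1),
    (2, "+15550199", 1000003600, 0, FLAG_INCOMING, UNKNOWN_CONTACT),
    (3, "+15550100", 1000007200, 45, FLAG_INCOMING, 1),
    # unexpected flag value and an id absent from the name map
    (4, "+15550123", 1000010800, 10, 99, 7),
]

# Names keyed by ABPerson.ROWID, as if recovered separately from
# AddressBook.sqlitedb (constructed for this example).
SAMPLE_NAMES = {1: "Alice Example"}


def build_sample_db():
    """Create an in-memory call_history.db holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO call VALUES (?,?,?,?,?,?)", SAMPLE_CALLS)
    con.commit()
    return con


def epoch_to_utc(seconds):
    """Convert seconds since 1970-01-01 00:00:00 UTC into a readable UTC string."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def call_direction(flags):
    """Map the flags field to a direction; keep unknown values visible."""
    return {FLAG_INCOMING: "incoming", FLAG_OUTGOING: "outgoing"}.get(
        flags, f"unknown(flags={flags})")


def resolve_contact(contact_id, names):
    """Return the contact name for an address-book id, None for -1 / NULL."""
    if contact_id is None or contact_id == UNKNOWN_CONTACT:
        return None
    return names.get(contact_id, f"ABPerson ROWID {contact_id} (not resolved)")


def parse_call_history(con, names):
    """Decode every row of the call table into a timeline-friendly dict."""
    sql = "SELECT ROWID, address, date, duration, flags, id FROM call ORDER BY date"
    calls = []
    for rowid, address, date, duration, flags, contact_id in con.execute(sql):
        calls.append({
            "rowid": rowid,
            "number": address,
            "time": epoch_to_utc(date),
            "duration_s": duration,
            "direction": call_direction(flags),
            "contact": resolve_contact(contact_id, names),
        })
    return calls


if __name__ == "__main__":
    for call in parse_call_history(build_sample_db(), SAMPLE_NAMES):
        print(call["time"], call["direction"], call["number"],
              call["contact"] or "<not in address book>", f"{call['duration_s']}s")
```

Rows are ordered by the raw date value, so the output is already a timeline. The epoch conversion follows the format the page describes; if decoded dates come out implausible for the device, check which epoch the specific database version uses before trusting the timeline.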

References

http://resources.infosecinstitute.com/ios-forensics/
