• What are the operating modes of an iOS device?

When it comes to iOS forensics, it is important to understand and distinguish between the different operating modes an iOS device can be in.

An iOS device can be in one of three modes: Normal Mode, Recovery Mode, and DFU Mode. An examiner should know these modes, and how to put a device into each of them, when performing forensics on it, because the mode the device is in determines how efficiently data can be extracted.

  • What about the Normal Mode?

This is the default mode. When a user powers on an iPhone, it boots the operating system; that is what is referred to as Normal Mode. In this mode the user can perform every activity the iPhone offers and use all of its functionality as usual.

Three steps happen one after another when an iOS device boots into Normal Mode: first the Low-Level Bootloader (LLB) is loaded, then iBoot, and finally the iOS kernel, which runs and operates the device. Each of these boot stages is signed so that its integrity can be verified during boot, which is a major contributor to the security of iOS devices.

  • What about the Recovery Mode?

This mode is entered when something goes wrong during boot. Imagine switching on the iOS device in Normal Mode and an error is encountered: the Low-Level Bootloader, iBoot and the iOS kernel all have to be loaded and verified for the operating system to run, and that is not guaranteed to succeed every time. If loading or verifying any of these stages fails, the device ends up in Recovery Mode.

  • What about the DFU Mode?

DFU stands for Device Firmware Upgrade. This mode is responsible for performing iOS upgrades and is regarded as a low-level mode for diagnosis. It is worth noting that during boot-up, if the Boot ROM cannot load or verify what is needed to boot into Normal Mode, the iPhone shows a black screen.

  • How to perform acquisition using logical methods?

Logical acquisition is one of the most widely used methods for extracting data from iOS devices today, and many specialist tools on the market have been developed to perform logical acquisition of iOS data and files.

Allocated (active) files on an iOS device can be recovered and analyzed through the synchronization mechanism that is built into the iOS operating system. This allows important evidence to be extracted and analyzed easily with the logical acquisition technique, including SMS, call logs, calendar events, contacts, photos, web history and email accounts.

Some rules must be adhered to when using this extraction method. An examiner must be aware that slack space is not accessible through logical acquisition: if evidence is suspected to reside in slack space, logical acquisition cannot retrieve it, and physical acquisition is the method to turn to for that forensic purpose.

The phone also has to be connected to the computer or forensic workstation so that the device and its files can be accessed. Acquisition software is used at this stage, and the examiner then selects the files to review and process.

  • How to utilize iPhone Explorer to perform iOS logical acquisition?

Macroplant developed a useful application, iPhone Explorer, that helps an examiner export the data of interest: call history, SMS, photos, contacts and bookmarks can all be exported with it. Another advantage is that it runs on different operating systems, including Microsoft Windows and Mac OS.

For some of its features the application requires a backup to be created first, before the desired kind of data can be extracted. iPhone Explorer presents the data of each logical section as it is after modifications have been applied to it, and sometimes shows the file size as well.

Notably, a factory reset of the device does not affect the data extracted in this case. For example, after performing the "Reset All" option in the call history of an iOS device, calls will still appear when the call history logical section is extracted. The iOS platform itself is responsible for merely obscuring such data, even after the phone or the call history has been reset.

However, some of the data protection techniques used on iOS devices can prevent data such as call history, calendar, notes, contacts or messages from being shown. Still, if the data is extracted successfully, all of the evidence can be shown, since on a 3GS the files are reached in the clear.

  • How to relate to the evidence?

It is vital to note that a forensic investigation case can be built largely from the many SQLite and plist files on the device. Using both a timeline and the MACB (modified, accessed, changed, born date) times is essential for an examiner during the investigation. Recording timestamps on a timeline is also very important as a reference for the events under investigation throughout the forensic procedure.

Such timestamps are shown in CF Absolute Time format, meaning the value is the number of seconds since January 1st, 2001. The following spreadsheet formula can be used to make the timestamp readable: =CreatedTime/(60*60*24)+DATE(2001,1,1). Alternatively, other tools can be relied on to convert the timestamp into a more readable format, such as the online tool http://www.epochconverter.com/
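The conversion above, as an added Python example that is not part of the original article: it turns CF Absolute Time values read from SQLite tables into UTC datetimes (and the equivalent Unix epoch value an epoch converter would accept) and merges call and message rows into one timeline. The table and column names and the sample rows are constructed for this example, and it also goes beyond the text by handling timestamps that newer iOS versions store as nanoseconds since 2001 rather than seconds.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# CF Absolute Time counts seconds from 2001-01-01 00:00:00 UTC, the epoch named in the text.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the Unix epoch (1970-01-01) and the CF epoch: 11323 days * 86400.
UNIX_TO_CF_OFFSET = 978307200

def normalize_cf_seconds(value):
    """Return a CF Absolute Time value in seconds.
    Newer iOS builds store some timestamp columns as nanoseconds since 2001.
    The threshold is an assumption: 10**11 s lies beyond the year 5000, so a
    larger value is taken to be nanoseconds rather than seconds.
    """
    value = float(value)
    return value / 1e9 if value > 1e11 else value

def cf_absolute_to_datetime(cf_value):
    """Convert a CF Absolute Time value to a timezone-aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=normalize_cf_seconds(cf_value))

def cf_absolute_to_unix(cf_value):
    """Equivalent Unix epoch seconds, the value an epoch converter would take."""
    return normalize_cf_seconds(cf_value) + UNIX_TO_CF_OFFSET

def build_timeline(conn):
    """Merge call and message rows into one chronologically sorted list of
    (ISO timestamp, kind, address). Table and column names are constructed for
    this example; the real call-history and sms.db databases use their own schemas."""
    rows = []
    for kind, sql in (("call", "SELECT address, date FROM call_history"),
                      ("sms", "SELECT address, date FROM message")):
        for address, date in conn.execute(sql):
            rows.append((cf_absolute_to_datetime(date).isoformat(), kind, address))
    return sorted(rows)

def sample_database():
    """Constructed in-memory database standing in for extracted SQLite files."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE call_history (address TEXT, date REAL)")
    conn.execute("CREATE TABLE message (address TEXT, date INTEGER)")
    conn.execute("INSERT INTO call_history VALUES ('+15550100', 400000000.0)")
    # Message timestamp stored in nanoseconds, 100 seconds before the call above.
    conn.execute("INSERT INTO message VALUES ('+15550100', 399999900 * 1000000000)")
    return conn

if __name__ == "__main__":
    for stamp, kind, address in build_timeline(sample_database()):
        print(stamp, kind, address)
```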
