Logical Acquisition on an iOS device
What are the operating modes of an iOS device?
In iOS forensics it is important to understand and distinguish between the different operating modes in which an iOS device can run.
There are three such modes: Normal Mode, Recovery Mode, and DFU Mode. An examiner should know how to put a device into each of them while performing forensics on it, because the mode chosen determines how efficiently data can be extracted.
What about the Normal Mode?
This is the default mode. When an ordinary user powers on an iPhone, it boots the operating system; that is what is referred to as normal mode. In this mode the user can perform every activity they want on the iPhone and use all of its functionality as usual.
Three steps happen one after another when an iOS device boots into normal mode. First it loads the Low-Level Bootloader (LLB). Then LLB loads iBoot. Last, the iOS kernel starts and runs the device. Each of these boot stages is signed, and its signature is verified before control passes to the next stage, which preserves the integrity of the boot process and is a major contributor to the security of iOS devices.
What about the Recovery Mode?
This mode is entered when something goes wrong during boot. Imagine switching on the iOS device in normal mode and encountering an error. Remember that the Low-Level Bootloader, iBoot and the iOS kernel all have to load for the operating system to run correctly, and there is no guarantee that this always succeeds: loading or verifying any of these stages can fail, and the device then ends up in recovery mode.
What about the DFU Mode?
DFU stands for Device Firmware Upgrade mode. It is intended for performing iOS upgrades and is regarded as a low-level diagnostic mode. It is worth noting that during boot, if the Boot ROM cannot load or verify the stages needed to boot into normal mode, the iPhone shows a black screen.
How to perform acquisition using logical methods?
One of the most widely used methods for extracting data from iOS devices today is logical acquisition. Plenty of tools have been developed by specialists for performing consistent acquisition of iOS data and files.
Allocated, active files on the iOS device can be recovered and analyzed through the synchronization mechanism that already exists inside the iOS operating system. Evidence in vital files can therefore be extracted and analyzed efficiently with the logical acquisition technique, including SMS, call logs, calendar events, contacts, photos, web history and email accounts.
Some rules apply to this method of data extraction. An examiner must know that slack space is not accessible with this technique: if evidence is suspected to reside in a slack area, logical acquisition cannot recover it. The answer in that case is physical acquisition, which can recover such evidence for legal purposes.
The phone also has to be connected to the computer or forensic workstation so that the device and its files can be accessed. The acquisition software is run at this stage, and the examiner then selects the files for review and forensic processing.
How to utilize iPhone Explorer to perform logical iOS acquisition?
Macroplant developed an application, iPhone Explorer, that helps an examiner export the data of interest: call history, SMS, photos, contacts and bookmarks can all be exported with it. Another advantage is that it runs on different operating systems, including Microsoft Windows and Mac OS.
Some of its features require a backup to be created first before the desired kind of data can be extracted. iPhone Explorer presents the data of each logical section after the modifications applied to it, and sometimes displays the file size as well.
Interestingly, a factory reset of the device does not affect the data extracted this way. For example, if the "Reset All" option is used on the call history of an iOS device, the calls still appear when the call history logical section is extracted. It is the iOS platform itself that merely hides such data after the phone or the call history is reset.
However, some data protection techniques used on iOS devices can prevent such data (call history, calendar, notes, contacts or messages) from being shown. Still, when the extraction succeeds, the evidence can all be demonstrated, since on a 3GS the files are reached in the clear.
How to relate to the evidence?
It is vital to note that a forensic investigation case is built largely from a great many SQLite and plist files. Using both a timeline and MACB (modified, accessed, changed, born) times is essential for an examiner during the investigation. Recording timeline-based timestamps is also very important so that the investigated events can be referenced during judicial proceedings.
Such timestamps are stored in CF Absolute Time format, meaning the value is the number of seconds since January 1st, 2001. The following spreadsheet formula converts the timestamp into a readable date:
=CreatedTime/(60*60*24)+DATE(2001,1,1)
Other tools can also be used to make the timestamp readable, such as the online converter http://www.epochconverter.com/
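The conversion above, carried through in code as an added example (not part of the original article): the CF Absolute Time epoch is applied to values read from a constructed SQLite table, and the rows are ordered into a timeline. The table name, column names and sample values are hypothetical and do not reflect any real iOS schema; the Unix-epoch offset is included because epochconverter.com expects Unix seconds.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# CF Absolute Time counts seconds since 2001-01-01 00:00:00 UTC,
# the DATE(2001,1,1) term of the spreadsheet formula.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the Unix epoch (1970-01-01) and the CF epoch (2001-01-01).
UNIX_TO_CF_OFFSET = 978307200


def cf_absolute_to_utc(seconds: float) -> datetime:
    """Mirror =CreatedTime/(60*60*24)+DATE(2001,1,1) as a UTC datetime."""
    return CF_EPOCH + timedelta(seconds=seconds)


def cf_absolute_to_unix(seconds: float) -> float:
    """Same instant as Unix epoch seconds, for tools such as epochconverter.com."""
    return seconds + UNIX_TO_CF_OFFSET


# Constructed sample rows (address, duration in seconds, CF Absolute Time).
# Deliberately out of chronological order so the timeline step has work to do.
SAMPLE_ROWS = [
    ("+15551230001", 30, 63072060.0),   # 2003-01-01 00:01:00 UTC
    ("+15551230002", 0, 0.0),           # 2001-01-01 00:00:00 UTC
    ("+15551230003", 120, 31539600.0),  # 2002-01-01 01:00:00 UTC
]


def build_timeline(db_path: str = ":memory:") -> list:
    """Load the constructed call_history table (hypothetical schema) and
    return (utc_iso, address, duration) tuples sorted into a timeline."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS call_history "
                 "(address TEXT, duration INTEGER, created REAL)")
    conn.executemany("INSERT INTO call_history VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute("SELECT address, duration, created FROM call_history").fetchall()
    conn.close()
    timeline = [(cf_absolute_to_utc(created).isoformat(), address, duration)
                for address, duration, created in rows]
    # ISO-8601 strings with a fixed offset sort chronologically as plain text.
    return sorted(timeline)


if __name__ == "__main__":
    for when, address, duration in build_timeline():
        print(f"{when}  {address}  {duration}s")
```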