How to acquire iOS data using physical acquisition techniques?
A bit-by-bit image of a system's storage is the best case for anyone performing forensics on it, and that is what is meant by physical acquisition of iOS data. The next step of the procedure is to verify that the copy and the original are exactly the same, normally by comparing cryptographic hashes of both, so that no change, however slight, goes unnoticed.
While this technique can be performed soundly and reliably on computers such as laptops and desktops, it is far from straightforward on mobile devices such as iPhones. Because physical acquisition yields the most complete evidence, new methods for performing it reliably on iOS devices continue to be researched.
What makes the process hard on an iOS device? The storage is embedded, soldered to the logic board, so the examiner faces several challenges. To illustrate, the drive cannot be removed and connected directly to the workstation, as a hard disk would be.
In addition, techniques differ according to the hardware generation and the version of iOS running on the device. For instance, a working method for acquiring data from an iPhone 7 does not guarantee that it will work on an iPhone 5, and iOS 9 may have security mechanisms that are entirely different from those of iOS 10. Such changes prevent an examiner from accessing data with the same process on all iOS devices, which is what drives researchers to keep developing new physical acquisition techniques.
Some tools were developed by organizations in the Law Enforcement (LE) space and are dedicated to LE, such as the method developed by Zdziarski for iOS acquisition. It relies on the following methodology: the RAM disk that the device boots during recovery is replaced by a custom version capable of running a live recovery agent, which extracts the disk image.
On the other hand, some tools are not restricted to LE, such as Lantern and iXAM. These products also load a modified RAM disk to execute a recovery agent, which runs against the operating system volume and produces a physical image of it.
What happens when physical acquisition is performed? The memory of the phone is accessed and all data on it is extracted. There are two types of memory inside an iOS device: the volatile memory, RAM, and the non-volatile memory, NAND flash.
Extracting the contents of RAM is of great importance, because usernames, passwords, encryption keys and other essential artifacts can be found there. RAM holds the parts of the operating system and applications that are currently executing, and it is flushed when the device reboots.
The NAND flash (non-volatile memory) is also crucial since it retains data even across a reboot. System files and user data are stored in NAND flash, and physical acquisition produces a bit-by-bit copy of it.
How to use Lantern for physical acquisition?
Katana Forensics Inc. developed the Lantern forensics suite, a tool for iOS physical acquisition. It can take a physical image of most iOS devices and iOS versions for forensic purposes.
Lantern provides a GUI that lets an examiner review the essential pieces of evidence. It decodes plists and SQLite files and displays their contents in a readable form.
An additional application used alongside Lantern is Lantern Imager, which is specialized for imaging iOS devices. The imager decrypts the extracted image, brute-forces a simple passcode, and provides a SHA1 hash value of the image so that its integrity can be verified later.
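The hash the imager reports is only useful if it is actually checked. The following is an added example, not code from Lantern, iXAM or this article: it hashes an acquired image in chunks (so multi-gigabyte DMGs are never read into memory at once), computes several digests in a single pass for the case notes, and verifies the image against the SHA1 recorded at acquisition time. The image path, expected hash and the sample bytes are all constructed for the demo.

```python
"""Verify an acquired iOS image against the hash reported by the imager.

Added example, not code from Lantern, iXAM or the article. The image path,
the expected hash and the sample data below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # read multi-GB images in 4 MiB chunks, never whole

# Constructed stand-in for a DMG image; a real image would be gigabytes of raw NAND.
SAMPLE_IMAGE_DATA = b"\x00" * 1024 + b"constructed sample image" + b"\xff" * 1024


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, feeding every
    algorithm in one pass so the image is read from disk only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected_sha1):
    """True if the SHA1 of the image matches the value recorded by the imager.
    Hex digests are compared case-insensitively; compare_digest is used out of
    habit so a hash comparison never leaks timing information."""
    actual = hash_image(path, algorithms=("sha1",))["sha1"]
    return hmac.compare_digest(actual.lower(), expected_sha1.strip().lower())


def write_sample_image(data=SAMPLE_IMAGE_DATA):
    """Write constructed bytes to a temp file standing in for the acquired DMG."""
    fd, path = tempfile.mkstemp(suffix=".dmg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = write_sample_image()
    digests = hash_image(image)
    # Record every digest in the case notes at acquisition time ...
    for name, value in digests.items():
        print(f"{name}: {value}")
    # ... and re-verify against the recorded SHA1 before each analysis session.
    print("verified:", verify_image(image, digests["sha1"]))
    os.remove(image)
```

Re-running verify_image against the recorded hash before every analysis session, and again before the image is handed over, is what turns the imager's SHA1 into a usable chain-of-custody control.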
How to use iXAM for physical acquisition?
Pronounced ig'zam, iXAM was created for law enforcement investigations. It can recover data such as photographs, map locations, stored contacts, text messages and email, all from a physical image.
The physical copy is made at the byte level; its target can be the whole file system or an individual data set, as the examiner prefers.
What is the output of iXAM? A file in DMG format, which is a raw disk image of the iOS device. It is important to note that iXAM does not modify the NAND flash and applies no kernel patches; kernel patches are what a jailbreaking method involves.
How to relate to the evidence?
Forensic investigation cases are built largely from SQLite and plist files. A timeline and the MACB (modified, accessed, changed, born) timestamps are essential for an examiner during the investigation, and recording these timestamps on a timeline is also very important when the investigated events are referenced in legal proceedings.
Such timestamps are shown in CF Absolute Time format, meaning seconds since Jan 1st, 2001 (UTC). The following spreadsheet formula can be used to make the timestamp readable: =CreatedTime/(60*60*24)+DATE(2001,1,1). Alternatively, a Unix epoch converter such as the online tool http://www.epochconverter.com/ can be used, after adding 978307200 (the number of seconds between the 1970 and 2001 epochs) to the value.
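The same conversion, as an added example that is not part of the original article: a Python helper that turns CF Absolute Time values into UTC datetimes (and back), plus the equivalent SQL so the conversion can be done inside a query against a seized SQLite database. The ZEVENT table, its rows and the nanosecond heuristic are constructed assumptions for the demo, not taken from any specific iOS database.

```python
"""Convert CF Absolute Time timestamps found in iOS SQLite databases and plists.

Added example, not from the article. CF Absolute Time counts seconds since
2001-01-01 00:00:00 UTC; the nanosecond heuristic and the sample table are
assumptions/constructed data for the demo, not from any specific iOS database.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
CF_TO_UNIX_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (UTC)


def cf_absolute_to_datetime(value):
    """Turn a CF Absolute Time value into an aware UTC datetime.

    Heuristic (assumption): some newer iOS databases store this value in
    nanoseconds. A seconds value above 1e11 would be more than 3,000 years
    after 2001, so anything that large is treated as nanoseconds."""
    seconds = float(value)
    if abs(seconds) > 1e11:
        seconds /= 1e9
    return CF_EPOCH + timedelta(seconds=seconds)


def datetime_to_cf_absolute(dt):
    """Inverse conversion; naive datetimes are assumed to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return (dt - CF_EPOCH).total_seconds()


# Constructed rows mimicking a Core Data style table with a ZDATE column.
SAMPLE_ROWS = [
    (1, "note created", 500000000.0),
    (2, "note edited", 500003600.5),
    (3, "note synced (constructed nanosecond value)", 500007200 * 10**9),
]


def query_readable_dates(rows=SAMPLE_ROWS):
    """Load the sample rows into an in-memory SQLite db and return
    (id, label, readable_timestamp) using SQLite's own datetime(), i.e. the
    form an examiner would type directly against a seized database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZEVENT (Z_PK INTEGER PRIMARY KEY, ZLABEL TEXT, ZDATE REAL)"
    )
    conn.executemany("INSERT INTO ZEVENT VALUES (?, ?, ?)", rows)
    # Same arithmetic as the spreadsheet formula, in SQL: shift to the Unix
    # epoch and let SQLite render it. Nanosecond rows are scaled down first.
    sql = """
        SELECT Z_PK, ZLABEL,
               datetime(CASE WHEN ABS(ZDATE) > 1e11 THEN ZDATE / 1e9 ELSE ZDATE END
                        + ?, 'unixepoch') AS readable
        FROM ZEVENT ORDER BY Z_PK
    """
    result = conn.execute(sql, (CF_TO_UNIX_OFFSET,)).fetchall()
    conn.close()
    return result


if __name__ == "__main__":
    for pk, label, readable in query_readable_dates():
        print(pk, label, readable)
    print(cf_absolute_to_datetime(SAMPLE_ROWS[0][2]).isoformat())
```

Note that SQLite's datetime() drops fractional seconds, whereas the Python path keeps them; when sub-second ordering of events matters for the timeline, convert in Python or keep the raw ZDATE column alongside the rendered one.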