How to acquire iOS data using physical acquisition techniques?
Acquiring a bit-by-bit image of a system is the best case for anyone performing forensics on it; this is what physical acquisition originally meant. The next step of the procedure is to verify that the copy and the original data are exactly the same, with not even a single bit changed.
While this technique can be performed soundly on computers such as laptops and desktops, it cannot simply be done on mobile devices such as iPhones. Because physical acquisition yields the most complete acquisition, new techniques for performing it cleanly on iOS devices are continually being researched.
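The verification step described above, as an added example that is not part of the original article: the image and its source are hashed in chunks with Python's standard hashlib, and the acquisition is accepted only when every digest matches. The "images" here are constructed in memory so the script runs offline; in practice `hash_stream()` would be given `open(path, "rb")` for the source device and the image file.

```python
"""Verify that an acquired image matches its source bit for bit.

Added example, not from the original article. The sample images are
constructed byte strings; hash_stream() accepts any binary file-like object.
"""
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time so a large image never sits in RAM at once


def hash_stream(stream, algorithms=("sha1", "sha256")):
    """Return {algorithm: hexdigest} for the whole stream, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def images_match(original, copy, algorithms=("sha1", "sha256")):
    """True only if every requested digest is identical for both streams."""
    return hash_stream(original, algorithms) == hash_stream(copy, algorithms)


def verification_report(original_bytes, copy_bytes):
    """Digests an examiner would record alongside the image, plus the verdict,
    for two in-memory images (constructed test data, not a real acquisition)."""
    orig_digests = hash_stream(io.BytesIO(original_bytes))
    copy_digests = hash_stream(io.BytesIO(copy_bytes))
    return {
        "original": orig_digests,
        "copy": copy_digests,
        "match": orig_digests == copy_digests,
    }


if __name__ == "__main__":
    # Constructed sample "image": just over 2 MiB so more than one chunk is hashed.
    source_image = bytes(range(256)) * 8193
    good_copy = bytes(source_image)
    # Constructed bad copy: a single flipped bit deep inside the image.
    tampered = bytearray(source_image)
    tampered[12345] ^= 0x01

    print(verification_report(source_image, good_copy))       # match: True
    print(verification_report(source_image, bytes(tampered))) # match: False
```

Recording more than one digest (the page mentions SHA1; SHA-256 is added here) costs one extra pass over the chunk, not over the whole image, and lets the verification still be reproduced later if one algorithm falls out of favour.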
What makes the process hard on an iOS device? The storage of iOS devices is embedded in the first place, which presents several challenges to an examiner: for example, the drive cannot be removed and therefore cannot be connected directly to the examiner's workstation.
In addition, techniques differ according to the platform itself and the iOS version on the device. For instance, a method that works to acquire data from an iPhone 7 does not necessarily work on an iPhone 5. Likewise, iOS 9 can have security mechanisms entirely different from those of iOS 10. Such changes in security mechanisms deny an examiner the ability to access data with the same method on all iOS devices, which is why researchers keep looking for new techniques to perform physical acquisition on iOS devices.
Some tools have been developed by organizations in the Law Enforcement (LE) space, and some are dedicated to LE, such as the method developed by Zdziarski for obtaining an iOS acquisition. It relies on the following methodology: the software of the RAM disk is replaced by another version, which must be capable of running a live recovery agent to extract the disk image.
Other tools are not specific to LE, for example Lantern and iXAM. These products are likewise able to modify the RAM to execute a recovery agent, which then runs against the operating system volume to produce a physical image of it.
What actually happens when a physical acquisition is performed? The memory of the phone is accessed, and all data on the phone is extracted in this way. There are two types of memory inside an iOS device: the volatile memory, RAM, and the non-volatile memory, referred to here as ROM.
Extracting the data from RAM is of great importance because usernames, passwords, encryption keys and other important artifacts can be found there. RAM holds the parts of the operating system or applications that are loaded and executing, and it is flushed once the device reboots.
The NAND (non-volatile memory) is also important since it keeps its data even when the system reboots. System files and user data are stored in NAND flash, and physical acquisition produces a bit-by-bit copy of the NAND.
How to use Lantern for the purpose of physical acquisition?
Katana Forensics Inc. developed the Lantern forensics suite, a tool for iOS physical acquisition. It can essentially take a physical image of an iOS device for forensic purposes, and most iOS versions and devices can be extracted successfully into a physical image with this tool.
Lantern provides a GUI, which lets an examiner review the important pieces of evidence. Lantern can decode all of the plist and SQLite files and display them in a clear manner.
An additional application used alongside Lantern is Lantern Imager, which is specialized in imaging iOS devices. Through the imager, the extracted image is decrypted, a simple passcode is brute-forced, and a SHA1 hash value is provided.
How to use iXam for the purpose of physical acquisition?
Pronounced "ig-zam", iXam was created for law enforcement investigations. It can recover all data, such as a photograph, a specific map location, a stored contact, or a text message or email; all of these can be provided through a physical image taken by iXam.
The physical copy is made at the byte level; its target can be the whole file system or a particular data set of interest to the examiner.
What is the output of iXam? It outputs a file in the DMG format, which is a raw disk image file of the iOS device. Note that the NAND flash is not modified or edited by iXam, and no kernel patches are applied; kernel patches are applied when the method used is jailbreaking.
How to relate to the evidence?
Note that a forensic case can be built largely from SQLite and plist files. Using both a timeline and MACB (modified, accessed, changed, born date) times is essential for an examiner during the investigation. Recording timeline-based timestamps is also very important for referencing the investigated events throughout the forensic procedure.
Such timestamps are shown in CF Absolute Time format, meaning the value is the number of seconds since January 1st, 2001. The following spreadsheet formula can be used to make the timestamp readable: =CreatedTime/(60*60*24)+DATE(2001,1,1). Alternatively, other tools can convert the timestamp to a readable format, such as the online tool http://www.epochconverter.com/
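The CF Absolute Time conversion described above, as an added example that is not part of the original article: the functions below turn a seconds-since-2001 value into a UTC datetime, into a Unix epoch value (what epochconverter.com expects), and into the day count the spreadsheet formula adds to DATE(2001,1,1), and then decode a constructed set of rows into an ordered timeline. The sample rows and their labels are constructed, not taken from a real device; treating a zero value as "never populated" is a practitioner convention assumed here, not a statement from the page.

```python
"""Convert iOS CF Absolute Time values (seconds since 2001-01-01 UTC) to
readable timestamps. Added example, not from the original article; the
sample rows are constructed."""
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the Unix epoch (1970-01-01) and the CF epoch (2001-01-01).
CF_EPOCH_UNIX_OFFSET = 978307200


def cf_to_datetime(cf_seconds):
    """Return an aware UTC datetime for a CF Absolute Time value.

    Fractional seconds are preserved. None is returned for a NULL or zero
    value: a zero literally means 2001-01-01 00:00:00, which in practice is
    taken to mean the field was never populated (assumption, see lead-in).
    """
    if cf_seconds is None or float(cf_seconds) == 0:
        return None
    return CF_EPOCH + timedelta(seconds=float(cf_seconds))


def cf_to_unix(cf_seconds):
    """Shift a CF Absolute Time value onto the Unix epoch."""
    return float(cf_seconds) + CF_EPOCH_UNIX_OFFSET


def cf_to_spreadsheet_days(cf_seconds):
    """Mirror of the spreadsheet formula in the text: the day count that is
    added to DATE(2001,1,1)."""
    return float(cf_seconds) / (60 * 60 * 24)


def decode_rows(rows):
    """Decode (label, cf_time) rows, such as values pulled from a SQLite
    table, into ISO 8601 strings ordered oldest first for a timeline.
    Rows with no usable timestamp are kept but sorted to the end."""
    decoded = []
    for label, cf_time in rows:
        ts = cf_to_datetime(cf_time)
        decoded.append((label, ts.isoformat() if ts else None, cf_time))
    decoded.sort(key=lambda r: (r[1] is None, r[1] or ""))
    return decoded


# Constructed sample rows: label, CF Absolute Time as stored in a database.
SAMPLE_ROWS = [
    ("message sent", 400000000.0),
    ("contact created", 0),
    ("note modified", 86400.5),
]

if __name__ == "__main__":
    for label, iso, raw in decode_rows(SAMPLE_ROWS):
        print(f"{label:16} raw={raw!r:14} utc={iso}")
    print("unix:", cf_to_unix(400000000))          # 1378307200.0
    print("days:", cf_to_spreadsheet_days(86400))  # 1.0
```

All output is in UTC; converting to the device's local zone is a separate step and should be recorded as such, since the stored values themselves carry no zone information.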