ios_partition
  • What about partitions?

Partitions are the regions into which a device's storage is divided, each holding a different kind of data. On a desktop or laptop computer the user can normally decide how many partitions to create and how much storage to give each of them. On a mobile device there is far less freedom: the manufacturer decides how the storage is divided, so on iOS devices the partition layout is fixed by Apple.

An iOS device has two partitions: the firmware (system) partition and the data partition. The first holds the software that runs the device; the second holds the files and data created and used by the device's owner.

The firmware partition is mounted read-only, and writes to it happen only while an update is being installed. During an upgrade, iTunes overwrites the whole partition with a fresh copy of the system rather than patching it in place.

The firmware partition is usually between 0.9 and 2.7 GB in size, the exact figure depending on the capacity of the device's NAND flash. No user data is written to this partition, but it does hold important files: the system files, upgrade files and the built-in applications.

The data partition is the one that serves the device's user: all user data lives there. It is therefore the partition of most interest in an investigation, since that is where evidence is collected from. Both the user's own data and the applications installed through iTunes are found on this partition.

  • What about SQLite databases?

First, some background: SQLite is an open-source relational database engine that is widely used on mobile devices. It is implemented as a small C library that embeds directly in an application, and each database is a single self-contained file, which makes it easy to copy out of a device image.

SQLite follows the SQL-92 standard, although it does not implement every feature of it. Despite its small size, it supports a large share of the functionality of a full relational database.

SQLite databases are widely used by the iOS development community, and many iOS applications depend on them to organise their data. Examples include Calendar, Text Messages, Notes, Photos and Address Book, all of which store their data in SQLite databases. The three databases of most interest are the Call History, Address Book and SMS databases.

Now consider the matter from another important perspective, that of an examiner who needs to recover evidence from an iOS device. The examiner needs a reliable way to open and read SQLite databases without altering them. Based on practitioners' experience, one option is the SQLite browser hosted on Sourceforge.net.

The SQLite Database Browser hosted on Sourceforge.net can be relied on to view a SQLite database and collect evidence from it; any SQLite data store can be inspected this way. Another capable tool is RazorSQL, although it is commercial software that costs under $100. Firefox users also have a free option: the SQLite Manager add-on, which requires no purchase.

In addition to the tools above, a browser is available for download at the following link: http://sqlitebrowser.org/

The browser downloaded from that link installs on the examiner's machine and offers a clear, easy way to read and explore a SQLite database during an investigation.
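A graphical browser is convenient, but an examiner often needs the same steps scripted: open the database so that it cannot be modified, check that the file is intact, enumerate its tables from the sqlite_master catalogue, and dump the rows. The example below does that with Python's standard sqlite3 module. It is an added example, not code from the page or from any of the tools named above, and the "message" table it builds is a constructed, simplified imitation of an SMS-style table, not the real sms.db schema. It also decodes Cocoa/Core Data timestamps (seconds since 2001-01-01 UTC, the epoch many iOS databases use), which goes beyond what the text above covers.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Cocoa/Core Data timestamps count seconds from 2001-01-01 00:00:00 UTC,
# not from the Unix epoch; many iOS databases (sms.db among them) use this.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """Convert a Cocoa timestamp (seconds since 2001-01-01 UTC) to a datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_db(path):
    """Create a constructed, simplified SMS-style database (NOT the real sms.db schema)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE message ("
        "ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER, is_from_me INTEGER)"
    )
    con.executemany(
        "INSERT INTO message VALUES (?, ?, ?, ?)",
        [
            (1, "Meet at 10", 600000000, 0),   # constructed sample rows
            (2, "On my way", 600000300, 1),
        ],
    )
    con.commit()
    con.close()


def open_readonly(path):
    """Open the database through a file: URI with mode=ro so the evidence cannot be altered."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def list_tables(con):
    """Enumerate user tables from sqlite_master, the catalogue every SQLite file carries."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def dump_table(con, table):
    """Return every row of a table as a dict keyed by column name."""
    quoted = '"' + table.replace('"', '""') + '"'   # quote the identifier safely
    cur = con.execute("SELECT * FROM " + quoted)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def examine(path):
    """Check the file's integrity, then dump all tables, decoding integer 'date' columns."""
    con = open_readonly(path)
    try:
        status = con.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise RuntimeError("database failed integrity_check: " + status)
        report = {}
        for table in list_tables(con):
            rows = dump_table(con, table)
            for row in rows:
                if isinstance(row.get("date"), int):
                    row["date_utc"] = cocoa_to_utc(row["date"]).isoformat()
            report[table] = rows
        return report
    finally:
        con.close()


def writes_blocked(path):
    """True if SQLite refuses a modification attempted through the read-only connection."""
    con = open_readonly(path)
    try:
        con.execute("DELETE FROM message")
        return False
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return True
    finally:
        con.close()


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "sms.db")
    build_sample_db(db)
    for table, rows in examine(db).items():
        print(table)
        for row in rows:
            print("  ", row)
    print("writes blocked:", writes_blocked(db))
```

Two practical caveats when applying this to a real extraction: copy any `-wal` and `-shm` sidecar files together with the `.db`, because committed rows that have not yet been checkpointed live in the write-ahead log, and work on a copy of the image rather than the original so that the read-only connection is a second line of defence, not the only one.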

  • What about Plists?

Both iOS and Macintosh devices use Property List files, or plists. A plist is a data file, sometimes called a property file, that these operating systems rely on to store structured data such as settings and preferences.

The original format, inherited from NeXTSTEP, was a plain-text one. Mac OS X introduced an XML format, and a more compact binary format (bplist) followed; both were already in use when the iPhone appeared. The formats found on devices today are either XML or binary.

What kind of data can a plist file hold? Strings, dates, Boolean values, numbers (integers and reals) and binary data, grouped into arrays and dictionaries. Browsing history, bookmarks (favourites), configuration data and the like are all stored in plist files.

How are plist files opened? An XML plist can be opened with any standard text editor. A binary plist, however, needs a dedicated viewer or a tool that converts it first. One such tool is plutil, a command-line utility.

plutil converts a binary plist into a form that humans can read: the result is an XML property list, with the content wrapped in plist tags. plutil ships with Mac OS, and Apple's iTunes installs a copy on Microsoft Windows; on Linux, the plistutil tool from the libplist project performs the same conversion.
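The conversion plutil performs can also be done, and checked, in a few lines of Python with the standard plistlib module, which reads and writes both the XML and the binary format. The example below is an added illustration, not code from the page or from Apple's tools. It identifies the format from the file's leading bytes (a binary plist always starts with the magic `bplist00`), converts binary to XML the way `plutil -convert xml1` does, and round-trips a constructed settings dictionary through both formats to show that every value type the text lists survives intact; the key names in that dictionary are invented for the example.

```python
import plistlib
from datetime import datetime

BPLIST_MAGIC = b"bplist00"   # every binary plist begins with this 8-byte header


def detect_format(data):
    """Classify raw plist bytes as 'binary', 'xml' or 'unknown' from their leading bytes."""
    if data.startswith(BPLIST_MAGIC):
        return "binary"
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_any(data):
    """Parse either format; plistlib autodetects, but we reject unrecognised input first."""
    if detect_format(data) == "unknown":
        raise ValueError("not a recognised property list")
    return plistlib.loads(data)


def binary_to_xml(data):
    """Equivalent of `plutil -convert xml1`: plist bytes in, XML plist bytes out."""
    return plistlib.dumps(load_any(data), fmt=plistlib.FMT_XML, sort_keys=True)


def sample_settings():
    """Constructed example of the value types a plist can carry (not from a real device)."""
    return {
        "HomePage": "https://example.invalid/",      # string
        "LastVisit": datetime(2019, 3, 4, 5, 6, 7),   # date (plist dates are UTC)
        "JavaScriptEnabled": True,                    # boolean
        "VisitCount": 42,                             # integer
        "Zoom": 1.25,                                 # real
        "Token": b"\x00\x01\x02\xff",                 # binary data (<data>, base64 in XML)
        "Recent": ["a", "b"],                         # array
        "Nested": {"k": 1},                           # dictionary
    }


def roundtrip_check():
    """Serialise to binary, convert to XML, parse both, and confirm nothing was lost."""
    original = sample_settings()
    bplist = plistlib.dumps(original, fmt=plistlib.FMT_BINARY)
    xml = binary_to_xml(bplist)
    return (
        detect_format(bplist),
        detect_format(xml),
        load_any(xml) == original and load_any(bplist) == original,
    )


if __name__ == "__main__":
    bplist = plistlib.dumps(sample_settings(), fmt=plistlib.FMT_BINARY)
    print("binary header:", bplist[:8])
    print(binary_to_xml(bplist).decode())
    print("format, format, round-trip ok:", roundtrip_check())
```

On a Mac the same conversion at the shell is `plutil -convert xml1 -o out.plist in.plist`, and `plutil -p in.plist` prints a readable dump without writing a file; note that `-convert` without `-o` rewrites the input file in place, which is exactly what an examiner working on evidence must avoid.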
