iPhone Forensics

Chapter 1. Introduction to Computer Forensics

Forensic science dates back as early as the second century B.C., to Archimedes. Its most modern roots came from the mid to late 1800s, from a man named Henry Faulds. Faulds was a Scottish doctor, archaeologist, and missionary. Discovering fingerprints that had been left in ancient pottery, Faulds published a paper in 1880 suggesting that fingerprints could be used to uniquely identify criminals. This dovetailed the work of William J. Herschel, a British officer stationed in India, who had previously been using fingerprints and handprints as a means of identification on legal notes.

Modern day forensics can be described as the fusion of methodology and science, as it applies to the scientific process of documenting an event or an artifact. As it pertains to criminal and civil court cases, the science and methodology that is performed must adhere to rules of evidence and practices generally accepted within the given legal jurisdiction.

Computer forensics is a branch of forensic science involving the application of science and methodology to preserve, recover, and document electronic evidence. Instead of dealing with dead bodies, examiners in this field deal with dead hard drives. As it pertains to the iPhone, your challenge is even greater in that you will be examining an embedded device, which has been intentionally closed off and was not intended for recovery.

Making Your Search Legal

Before getting started, it’s important to emphasize the need for keeping your search legal. In a corporate environment, the company usually has no legal right to seize or examine a personal device belonging to the employee, but can usually examine devices belonging to the company. In corporate investigations, therefore, it’s important to verify ownership of the device before performing an examination. Your department should implement an inventory procedure to record the International Mobile Equipment Identity (IMEI) and serial numbers of all corporately owned mobile devices to guarantee ownership prior to examination. Otherwise, your evidence may be ruled inadmissible if criminal charges are filed, and you may even expose the company to a lawsuit.

Law enforcement officers should follow the appropriate steps to acquire a search warrant for the device and desktop machine. The search warrant should specify all electronic information stored on the device including but not limited to text messages, calendar events, photos and videos, caches, logs of recent activity, map and direction queries, map and satellite imagery, personal alarms, notes, music, email, web browsing activity, passwords and personal credentials, fragments of typed communication, voicemail, call history, contacts, information pertaining to relationships with other devices, and items of personal interest.

Rules of Evidence

In both civil and criminal cases, five general rules are used to weigh the value of evidence. These five rules are:

Admissible: Evidence must have been preserved and gathered in such a way that it can be used in court. Many different errors can be made that could cause a judge to rule a piece of evidence as inadmissible. These can include failure to obtain a proper warrant, breaking the chain of evidence, and mishandling or even destroying the evidence.
Authentic: The evidence must be relevant to the case, and the forensic examiner must be able to account for the origin of the evidence. For example, intercepting an email transmission is not enough to prove that the alleged sender was responsible for the message. A relationship must be established between the message and the computer it was sent from. It will also need to be established, beyond reasonable doubt, that there was a relationship between the computer, the message, and the person who sent the message.
Complete: When evidence is presented, it must tell the whole story. A clear and complete picture must be presented that can account for how the evidence came to be. If unchecked, incomplete evidence may go unnoticed, which can be even more dangerous than no evidence at all. As a recent example, consider the case of a man who was charged with possession of child pornography. The evidence presented showed that the images had been downloaded onto the man’s work computer, but it wasn’t until much later in the case that the defense revealed that the images had been downloaded by a virus on the machine, and not by the defendant. An innocent man was almost convicted and put in prison because the prosecution’s examiner did not present complete evidence—and a jury is not technically savvy enough to see this. With all of the different processes running on a computer, it’s critical to be able to tie a piece of evidence to its origins and tell the whole story.
Reliable: Any evidence collected must be reliable. This depends on the methodology and science used. The techniques used must be credible and generally accepted in the field. If the examiner made any errors or used questionable techniques, this could cast reasonable doubt on a case.
Understandable and believable: A forensic examiner must be able to explain, with clarity and conciseness, what processes he used and how the integrity of the evidence was preserved. If the examiner does not appear to understand his own work, a jury may reject it as well. The evidence must be easily explainable and believable.

Good Forensic Practices

As you practice the techniques in this book, keep the following in mind.

Preserve the Evidence

Never work on original copies of evidence. As soon as you recover evidence, create a read-only master copy and check it into a digital vault. All further processing should be performed on copies of the evidence. Since you’re dealing with digital evidence, and not old 8-tracks, the copies you make will be identical to the masters. Some tools, if not used properly, can make modifications to the data that’s being operated on.

In addition to this, never run any applications on the device until after you’ve recovered and checked in the evidence. Any time you use the device, something on the disk is likely to be changed. Perform only the tasks that are absolutely necessary, and keep your intrusion into the system minimal.

Document the Evidence

Whenever a master copy is made, use a cryptographic digest such as MD5 to ensure the evidence hasn’t been altered in any way. Digests should be stored separately from the data itself, so as to make it even more difficult to tamper with. Digests and proper documentation will help ensure that no cross-contamination has taken place.

In addition to this, document all of the methods you used to collect and extract the evidence. Detail your notes enough that another examiner could reproduce them. This isn’t a rule of thumb, but rather is required in many cases. Your work must be reproducible should another forensic examiner challenge your evidence. If your evidence cannot be reproduced, a judge may rule it inadmissible.

Document All Changes

Simply walking into a crime scene destroys evidence—footprints, blood, hairs, and even computer bits can get stomped on when processing the crime scene. It’s important to document your entire recovery process, and especially any intentional changes made. For example, if your forensic tool of choice sliced up the disk image to store it, this must be documented. You should document every time you reboot the device, sync it to a desktop case-evidence account, or use an application.

Establish an Investigation Checklist

Every investigation is different, but all should share the same basic recovery and examination practices. Put together a process and create a checklist to dictate how your examinations should be conducted. This will prevent you from forgetting any details, and will also ensure the rest of your team is conducting examinations in the same fashion, so that you can account for others on the stand.

Be Detailed

In addition to this, be detailed to the point of being verbose. It’s better to have too many notes than to not have enough. In the courtroom, the opposing attorney will try to discredit you or your evidence. Your case must be rock-solid, and if the attorney can cast doubt by asking you for details you don’t recall, you may lose the case. As was already mentioned, your notes must be detailed enough for someone else to reproduce them, but that should be a bare-minimum goal.

Technical Processes

This book covers the following key technical processes:

Physical handling: The physical handling of the device, prior to its examination. This includes dusting for prints and ensuring you have the right equipment to keep the device charged and connected. You’ll also want to remove the SIM card from the device or place the device in a Faraday cage. A Faraday cage is a shielded enclosure that blocks electrical fields, including cellular transmissions.
Establishing communication: Unlike a desktop machine, where the hard disk can be removed, mobile devices cannot generally be image-processed unless you have special equipment to perform chip dumps. As a result, the device must be “talked to” in order to recover evidence. Establishing communication with the device means setting up the proper physical and network connections to install a forensic toolkit and perform recovery.
Forensic recovery: The recovery process involves extracting the evidence from the device to create a master copy. This requires special integrity checks to ensure the data hasn’t changed between the iPhone and the desktop.
Electronic discovery: Electronic discovery is the process by which the evidence is processed and analyzed. During this stage, deleted files are recovered and the live filesystem is analyzed. The evidence discovered here will ultimately build an explanation of the evidence that will be delivered through an attorney.