This is the third blog post in a series of three about using IEF and Cellebrite to get more mobile evidence for your digital forensics investigations.
In my previous blog post in this series, I explained how to find more mobile evidence on Android devices using IEF and Cellebrite. Today, we’ll walk through the same steps for iOS.
Here’s the workflow we recommend:
With this in mind, here are step by step instructions on how to use IEF and Cellebrite together to acquire and analyze iOS devices including physical and logical acquisitions to get more mobile evidence.
Cellebrite is able to physically acquire iPhone 4 devices or older using the Physical Analyzer software installed on your examination machine. To begin the acquisition process, open the software and select “iOS Device Extraction” under the “Extract” folder.
A tutorial will begin that will walk you through the acquisition. Follow the detailed instructions noted on the screen to enter recovery mode, load the custom bootloader, and begin the extraction.
Once everything is loaded and prepared, the physical extraction will begin.
Once the extraction is complete, you will be given a .ufd file containing details about the device and search results. Instead of using a bunch of fragmented .bin files like Android physical extractions, Cellebrite creates one large .img file for iOS devices which can be loaded into IEF for analysis.
Similar to the Android acquisitions, Cellebrite has logical options for file system extractions (copying an entire file system) and file dumps (copying only relevant user data such as call logs, contacts SMS, pictures, etc.). As mentioned before, logical acquisition is the only option for obtaining an image from an iPhone 4s device or newer. Like Android logical acquisitions, Cellebrite uploads software to the mobile device in order to pull down the requested data.
For a file system extraction, all logical data is pulled down from the iOS device by Cellebrite and presented in several files noted below. In this example, I have logically imaged an iPhone 5. All of the contents are stored in zip files and depending on the size of the acquisition, you may notice several other zip archives ending in z01, z02, etc. These files are fragmented into 2GB chunks in order to support file size limitations of certain file systems such as FAT32. You will also find a .ufd file which contains acquisition details created by Cellebrite.
When conducting a file dump from an iOS device, Cellebrite will recover data pertaining to SMS, call logs, pictures, etc. The results will also include backed up data, as well as several html reports detailing the results of the recovered data. Pictured below are the results I obtained from performing a file dump on the same iPhone 5 used for the file system extraction.
At this point, we can take our images (in whatever form we chose) and input this data into IEF for a detailed analysis and recovery.
iOS Analysis with IEF
To begin your analysis, upload the newly created Cellebrite image into the IEF. If you created a physical dump, you will need to use the .img file created during the physical acquisition. If you created a logical image, add the first zip archive from the file system extraction or load in the relevant files from the file dump that you wish to examine.
Once IEF is open, select “Mobile” and choose “iOS” as the operating system. For a physical or file system extraction, select “Image” as your source. This will allow you to select either the .img file from a physical acquisition or the .zip archives from a file system extraction. For a file dump, you will instead choose “File Dump” and select the relevant folder. After your image is loaded, you can proceed to select which artifacts you wish to search for in iOS and enter any case details necessary. Finally, you can select the “Find Evidence” button in IEF and being your search.
Once your search is complete, you can analyze the data just like any other investigation with IEF. The artifacts will be extracted and categorized for the investigator and all the details will be sorted into columns for easy analysis and organization.
Find More Mobile Evidence When You Use IEF & Cellebrite’s UFED
Forensic investigators must be prepared to acquire images from a range of mobile devices; then analyze them to find both native and thridy party app data. The more effective your workflow and tool set is at all stages of an investigation, the more chance you have of finding more mobile evidence.
We challenge you to use your acquisition tool of choice (like Cellebrite’s UFED) with IEF, and see what you get!
As always, please let me know if you have any questions, suggestions or comments. I can be reached by email at firstname.lastname@example.org.
Forensics Consultant, Magnet Forensics