Lance posted a great article on iOS forensics last week detailing common steps and details of an examination of an iOS device, and how IEF can be used once you have that physical image or file system dump.
Today I’d like to present some examples of the deleted data IEF Advanced is able to recover from iOS physical images. This is one of our key strengths on mobile (and PC/Mac) images and I think you’ll be excited about some of the artifacts we’re able to recover that you may have been missing using other mobile forensic tools.
But first, some background. The following data is from an iPhone 3G that was factory reset. A cursory look at the phone would yield no results and it would seem as though this is a fresh phone with no data on it, but as you’ll see below, there are lots of goodies to be found.
First up are Kik Messenger chat messages. As you can see from the screenshot above, there was a wealth of Kik Messenger chat still available on the device to be recovered (929 messages). We also know that this message (and in fact, all 929 of those Kik chat messages) is in unallocated clusters at physical sector 862938. I opened the image file in a hex editor and went to that offset (sector 862938 * 512 bytes per sector = byte offset 441,824,256) and you can see the raw data for the highlighted message below.
Next, let’s take a look at some deleted SMS:
Again, the artifact is from unallocated space on the mobile device. Depending on the type of SMS/iMessage artifact, more or less data is available to be recovered (in this case, a sent date/time, the message, and the partner ID/phone number are available).
Moving along to some email:
Thousands of emails found on this image, with a sanitized sample shown above. Just to be clear (no matter what Lance might try to tell you) this is not my phone.
As you can see above, these are plaintext emails with full header information. This can provide valuable IP address data, just like what you might find in emails from a PC/Mac image.
Next up, a quick look at some recovered voicemails:
To play a recovered voicemail (AMR data) within IEF, click on a record and then click the Play button at the top left of the bottom right pane. This allows you to quickly review the recovered recordings without having to export them first.
Finally, here’s some recovered Safari web browser history:
Again, I’d like to re-iterate that this is not my iPhone. 🙂
To recap, all the artifacts that were shown above were recovered by IEF Advanced from the unallocated space of an iPhone which had been “factory reset”.
I’ve always been eager to find deleted data in my examinations and we all know that feeling of being handed a “wiped” or reset device and asked to find that smoking gun. This can mean a lot of tedious, time consuming manual searching, sometimes not knowing what exactly to look for and running the risk of missing critical evidence.
With IEF Advanced (and IEF in general), we hope to help you out in those situations by either finding that smoking gun for you, or providing a starting point that helps you focus your investigation, whether the device has been reset or not. To request a free 30-day trial of IEF, please click here.
As always, we welcome your feedback and comments; if there are ways we can improve or new artifacts/functionality you want us to take a look at, please let us know.
Thanks for your support!
Jad and the Magnet team