iPhone Forensics: Part 3

iPhone Forensics

Catherine Stamm

The Senator Patrick Leahy Center for Digital Investigation

After a few days, I created three contacts and then deleted two of them. Next I attempted to set up a VPN. It took some time, as the iPhone had a lot of trouble connecting to the server. Eventually it worked and I was able to browse the web using IPSec. I validated that I was in fact connected to the server by using the iPhone to Google what my IP address was before and after turning on the VPN. They both were different which allowed me to continue with my research.

The next day I began taking pictures with the iPhone. I took four pictures and turned on the location for two of them. I then deleted two of the pictures and downloaded the application Record Video, since the iPhone 3G doesn’t have that capability. I enabled the application to use my location while taking a video and then deleted the video after emailing it to myself.

Later, I used Google Maps to search for Dunkin Donuts, 175 Lakeside Avenue, and Champlain College. I added Dunkin Donuts and Champlain’s Bookstore to my bookmarks, and then deleted Dunkin Donuts.

After that I created a lock on the iPhone with the passcode 0428. I turned the option on to erase all data on the iPhone after having 10 failed passcode attempts. Before purposely entering the wrong code 10 times, I analyzed the iPhone with Oxygen to see what kind of data I would find and to also see if Oxygen would still work if there was a passcode on the phone (Device Seizure did not). I could go into a lot of detail about what I found, but for the sake of this blog, I will leave that for my final report.

I found consistency throughout all the data. Whether I was looking at data coming from an application, the web browser, the SIM card, or elsewhere, I did not find nearly as much evidence as I had expected. Most of the evidence found was evidence that was still on the iPhone. The majority of the things that had been deleted were not found by Oxygen. I looked through every single plist and database file, as well as every folder provided to me by Oxygen, and found nothing substantial. The only deleted information I could find was the two deleted contacts, the two deleted pictures, and, under the suspendstate.plist file, information regarding deleted internet history.

While I was a bit disappointed by the lack of deleted data I found, I was able to see the usernames and passwords of some of the accounts created on the iPhone in the keychain-backup.plist file. There I was also able to see what network the iPhone connected to when using Wi-Fi. Within the dynamic-text.dat file, I was able to view some of the words typed in with the keyboard, although it did not provide me with all of them.

After analyzing all of the data I found, I purposely entered the wrong passcode into the iPhone ten times so that it would delete everything. This took about 2 hours because it would lock itself and I would have to wait a while before being able to enter a passcode again. Once I entered it in wrong ten times, the phone restarted and deleted all data. I then examined it with Oxygen to see if I could find anything at all. The iPhone was completely clean and there was nothing indicating there had ever been data on it. Once again, I think if I were able to do a physical acquisition instead of a logical one some data would have been retrieved.

The final part of this project was to jailbreak the iPhone. I did so successfully, and then generated some history and put data on the phone just so I could have something to look for. I analyzed it with Oxygen and realized it was extremely difficult to find anything. Since jailbreaking the phone, a lot of folders that weren’t originally there were all of a sudden available. I don’t know much about jailbreaking software, but I think most, if not all, of these new files came from the software itself.

For now, this project is complete, but if I or anyone else comes up with other aspects of the iPhone to research, I am very open to doing so. A lot can be done on this topic, and with the tools given to me I think this project turned out to be more successful than I originally thought. I’ve learned a lot about an operating system I was not very familiar with, and I got hands-on experience with a new forensic tool.

For the full detailed report on this project, please check back at LCDI’s homepage, www.LCDI.champlain.edu. If you have any comments, questions and/or suggestions, email LCDI at LCDI@champlain.edu with “iPhone Forensics” in the subject.