Spyware detection methodologies on iOS

giuseppem
Member
 

Spyware detection methodologies on iOS

Post Posted: Jun 29, 17 02:43

Good evening!

As per the subject, I would like to know which is the best/right way to detect spyware on an iOS system.
I'm analyzing an iPhone on behalf of the Public Prosecutor. The goal is to determine if spyware has been installed, because the victim has reported being controlled by her former boyfriend. She reported that he was aware of her SMS and chats and always knew where she was.
I have already performed a file system acquisition of the device, and I also ran a virus scan on this image with the antimalware embedded in UFED Physical Analyzer (nothing detected). I also looked one by one at the list of installed applications. Obviously, this is not enough. I emphasize that the cell phone is the victim's and not the suspect's.


Which way can I proceed further?  
 
  

Igor_Michailov
Senior Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 29, 17 03:03

Is the iPhone jailbroken?
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 
 
  

giuseppem
Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 29, 17 12:48

- Igor_Michailov
Is the iPhone jailbroken?


No, from what I have seen it is not jailbroken.
 
  

RolfGutmann
Senior Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 29, 17 14:10

As iOS itself is heavily safeguarded (e.g. every app is sandboxed), I would focus on finding a removed spy app. An app can be installed under a second Apple ID and, after that account is logged out, it is difficult to find this app.

Do you have the timeline out of the iCloud app backup?
 
  

giuseppem
Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 30, 17 13:12

- RolfGutmann
I would focus on finding a removed spy App.

OK. But if the spy app is removed, how can it spy on the phone?

- RolfGutmann
Do have the timeline out of iCloud App backup?

I have performed the advanced logical extraction method with UFED. Where can I find the timeline of the iCloud backup?
 
  

SamBrown
Senior Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 30, 17 13:38

I get these cases from time to time and am never really sure what to do with them.
On Android I can at least create a physical dump of (most) phones and run a malware search with PA. But I never actually found anything this way except some false positives.

On a jailbroken iPhone everything is possible, but I think less than 1% of the iOS devices I get are jailbroken.

On a non-jailbroken iPhone I would argue that it is almost impossible that there is any spyware installed, as software can only come from the Apple App Store. The only exception is if there is some additional software installed via a developer certificate, but then the sandbox concept is still active, so an app can't access another app's data.
If you look at the Flexispy or mSpy homepage, they state that the iPhone must be jailbroken and be on iOS 9.
So I would argue that if you have an iOS device which is running the (a) current iOS version, which cannot currently be jailbroken, then it is almost impossible that you could install spyware on it.

As far as I know, it is also not possible to remove a jailbreak without restoring the iPhone, so it is not possible to jailbreak, install the spyware and then quietly un-jailbreak and leave the spyware running on the phone.

Maybe the attacker knows the iCloud credentials and is able to download the backups. So I would always advise the client to use the latest software version, change their passwords and enable 2-factor authentication.


Of course, the above is only valid for "normal" cases like an ex-partner being suspected of spying. If it is a very, very, very high-profile case, I guess everything is possible, see en.wikipedia.org/wiki/...(spyware). I guess only a handful of devices were infected with Pegasus, since it is very expensive if zero-day exploits are burned.
 
  
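The checks RolfGutmann and SamBrown describe (an app installed under a second Apple ID, an app installed via a developer certificate rather than the App Store, and whether the device is jailbroken) can be scripted over an extracted file-system image; the Python below is an added example, not code from this thread, from UFED or from any of the posters. It assumes the usual iOS container layout under private/var/containers/Bundle/Application/<UUID>/, that App Store installs carry an iTunesMetadata.plist whose com.apple.iTunesStore.downloadInfo/accountInfo/AppleID names the downloading account, that non-store installs carry embedded.mobileprovision inside the .app, and it runs on a constructed sample tree rather than a real acquisition.

```python
import os, plistlib, tempfile

# Paths whose presence on a file-system image commonly indicates a jailbreak (illustrative, not exhaustive).
JAILBREAK_PATHS = ["Applications/Cydia.app", "private/var/lib/apt", "usr/sbin/sshd"]
APP_DIR = "private/var/containers/Bundle/Application"   # assumed iOS container layout

def triage_app_bundles(root, owner_apple_id):
    """Classify every installed app bundle under an extracted file-system image."""
    findings = []
    app_root = os.path.join(root, APP_DIR)
    for uuid in sorted(os.listdir(app_root)) if os.path.isdir(app_root) else []:
        container = os.path.join(app_root, uuid)
        for name in (n for n in os.listdir(container) if n.endswith(".app")):
            rec = {"bundle": name[:-4], "source": "unknown", "apple_id": None, "flags": []}
            meta_path = os.path.join(container, "iTunesMetadata.plist")   # App Store receipt (assumed location)
            prov_path = os.path.join(container, name, "embedded.mobileprovision")
            if os.path.exists(meta_path):
                with open(meta_path, "rb") as f:
                    meta = plistlib.load(f)
                acct = meta.get("com.apple.iTunesStore.downloadInfo", {}).get("accountInfo", {})
                rec["source"], rec["apple_id"] = "app-store", acct.get("AppleID") or meta.get("appleId")
                if rec["apple_id"] and rec["apple_id"].lower() != owner_apple_id.lower():
                    rec["flags"].append("downloaded-by-other-apple-id")   # the "second Apple ID" case
            elif os.path.exists(prov_path):
                rec["source"] = "developer-or-enterprise-signed"           # installed outside the App Store
                rec["flags"].append("not-from-app-store")
            findings.append(rec)
    return findings

def jailbreak_indicators(root):
    return [p for p in JAILBREAK_PATHS if os.path.exists(os.path.join(root, p))]

def build_sample_acquisition():
    """Constructed mini image in a temp dir; stands in for a real file-system extraction."""
    root = tempfile.mkdtemp()
    def add(uuid, name, apple_id=None, provisioned=False):
        container = os.path.join(root, APP_DIR, uuid)
        os.makedirs(os.path.join(container, name + ".app"))
        if apple_id:
            meta = {"com.apple.iTunesStore.downloadInfo": {"accountInfo": {"AppleID": apple_id}}}
            with open(os.path.join(container, "iTunesMetadata.plist"), "wb") as f:
                plistlib.dump(meta, f)
        if provisioned:
            open(os.path.join(container, name + ".app", "embedded.mobileprovision"), "wb").close()
    add("1111-AAAA", "Messenger", apple_id="victim@example.com")   # owner's own purchase
    add("2222-BBBB", "Tracker", apple_id="other@example.com")      # bought under a second Apple ID
    add("3333-CCCC", "Sideloaded", provisioned=True)               # developer/enterprise signed
    return root
```

Run `triage_app_bundles(build_sample_acquisition(), "victim@example.com")` to see the three records; on a real image point `root` at the extracted file system and pass the owner's Apple ID.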

droopy
Senior Member
 

Re: Spyware detection methodologies on iOS

Post Posted: Jun 30, 17 19:00

Check if the iCloud password is compromised.
 