Hi,
I was wondering if anyone else has looked into some of the files they are pulling off these devices, or are you limiting your investigations to the usual handset data?
I have been looking through some extractions recently and found a fair few files of interest.
Namely, .plist and .dat files containing YouTube history, browser history, the dynamic text database and user dictionary, and other files generated by installed apps.
We have had some success linking IM accounts stored on a device to a computer from the same case.
And that only applies to standard non-jailbroken devices. Get a jailbroken one (or jailbreak it yourself) and the possibilities are endless! Get access to all the database files and lovely deleted content!
So what little gems have you found in iPhone/iTouch reads?
Our approach to iPhone investigations is now pretty much the same as computer investigation. The main difference is the acquisition process, which, unless specifically requested, is a logical recovery (XRY, UFED, Oxygen etc.). Following that, the recovered files are investigated via traditional methods (i.e. EnCase).
Lots of great data in plain text within sql, plist, db and xml files (amongst others).
Doug
WiFi connections history (with dates/times)
/private/var/Preferences/SystemConfiguration/com.apple.network.identification.plist
Known WiFi networks list
/private/var/Preferences/SystemConfiguration/com.apple.wifi.plist
IMSI/ICCID data
/private/var/mobile/Library/Preferences/com.apple.commcenter.plist
Installed applications list
/private/var/mobile/Library/Preferences/com.apple.springboard.plist
Last displayed map
/private/var/mobile/Library/Maps/Directions.plist
alex101
Just wanted to inform that Oxygen Forensic Suite automatically decodes and shows binary iPhone .plist files as readable text.
SQLite .db browser is on the way.
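As an added illustration of the binary .plist decoding mentioned above (example code written for this thread, not part of Oxygen Forensic Suite or any other tool named here), the script below builds a small binary plist shaped like a known-networks list, decodes it with Python's standard plistlib, renders it as readable text, and pulls out SSIDs with their join timestamps in chronological order. The sample content and the key names SSID_STR and lastJoined are constructed assumptions for the example, not a documented layout of com.apple.wifi.plist.

```python
import datetime as dt
import json
import plistlib

# Constructed sample: a binary plist shaped like a known-networks list
# (SSID plus last-joined timestamp). Key names are assumptions for this
# example, not the real com.apple.wifi.plist schema.
SAMPLE_NETWORKS = {
    "List of known networks": [
        {"SSID_STR": "CoffeeShop", "lastJoined": dt.datetime(2010, 3, 15, 18, 2, 7)},
        {"SSID_STR": "HomeNet", "lastJoined": dt.datetime(2010, 3, 14, 9, 26, 53)},
    ]
}
SAMPLE_BPLIST = plistlib.dumps(SAMPLE_NETWORKS, fmt=plistlib.FMT_BINARY)


def is_binary_plist(data: bytes) -> bool:
    """Binary plists start with the 8-byte magic 'bplist00'; XML plists
    start with an XML declaration. Useful for triage before decoding."""
    return data[:8] == b"bplist00"


def decode_plist(data: bytes):
    """Decode binary or XML plist bytes into Python objects.
    plistlib detects the format itself, so the same call serves both."""
    return plistlib.loads(data)


def to_readable_text(obj) -> str:
    """Render decoded plist data as indented JSON. Dates and raw bytes
    (both common in Apple plists) are stringified so json can emit them."""
    def _default(o):
        if isinstance(o, dt.datetime):
            return o.isoformat()
        if isinstance(o, bytes):
            return o.hex()
        return str(o)
    return json.dumps(obj, indent=2, default=_default, sort_keys=True)


def known_networks(plist_obj) -> list:
    """Return (ssid, last_joined) pairs sorted by time, so the join
    history reads chronologically regardless of on-disk order."""
    entries = plist_obj.get("List of known networks", [])
    pairs = [(e.get("SSID_STR"), e.get("lastJoined")) for e in entries]
    return sorted(pairs, key=lambda p: p[1])


if __name__ == "__main__":
    print("binary plist:", is_binary_plist(SAMPLE_BPLIST))
    decoded = decode_plist(SAMPLE_BPLIST)
    print(to_readable_text(decoded))
    for ssid, when in known_networks(decoded):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {ssid}")
```

To run it against a real extraction, read the file's bytes and pass them to decode_plist; plistlib handles both the binary and XML flavours, so no separate conversion step is needed.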
Thank you, I am aware of Oxygen's decoding abilities and do use them occasionally. However, due to the vast quantity of software available for this device (even more so on jailbroken devices) a lot of other data can be identified via tools such as EnCase, FTK etc.
Has anyone had any luck recovering deleted images from the image backup files?
The ones I have looked at only seem to contain live images, is that the same for anyone else?
Thank you Oxygen_Software, I was aware of those files apart from the 'Last SIM' one. Always handy to learn things like that!
The more that we all look into these files just goes to show that this really is a computer that has the facility to make use of the mobile networks.
This post has shown me that other companies do treat iPhone examinations as computer examinations and I see this to be the on-going trend for most smart phones. The days of something being just a phone are very much behind us!
Doug, this is where your conclusions and my conclusions about mobile telephones part company.
The computer plays no part in having a facility to make use of the mobile networks merely because computation is used in the background to perform perfunctory duties set for it.
With respect to mobile telephone examination, if you are saying you untether or load agents on the defendant's hard disc drive in order to enable it to communicate with forensic software you are using for the purpose of extracting data then that process makes computer forensic examination more akin to examining mobile phones and not the other way around.
I would disagree with this as well. I do agree that cell phones (or smart phones as I tend to think of them) are not simply phones, but cell phone/PDA forensics is, I think, quite a distinct beast from computer forensic examinations, even live computer examinations.
Put another way, we don't treat iPhone examinations as computer examinations although there are issues common to both. The knowledge and skill required to do a legally accepted smart phone examination is quite specialized, as is that required for computer forensic examinations, and one can't assume that expertise in one qualifies as expertise in all.
With respect to digital forensics, I think iPhones have more in common with forensic computing than mobile phone handset examinations. I think one could argue for both sides equally well, but having secured forensic images of iPhones and examined the data therein using EnCase, I found that there was nothing that my examination could evidence that a standard mobile phone examination would have produced.
The main difference between the two standpoints does however encapsulate the fundamental difference between forensic computing and mobile phone forensics.
Treating an iPhone as a computer requires that you acquire a forensic image of the device and examine the forensic image. This preserves the evidence and this process can be repeated exactly without changing anything on the areas of the device that a User had access to.
Treating an iPhone as a standard mobile phone and performing a standard examination, will usually mean extracting a logical copy of folders and files on the device. In most cases this will alter data or file attributes in the areas that a User had access to and this is best avoided if possible.
Finally, the evidential possibilities for recovery of deleted data, system file data and slack space data are made much easier by examining a forensic image of an iPhone and these opportunities will be missed if we treat iPhones as phones and not as computers.
Sorry, I missed the point of the original post!
I recently examined an iPod Touch using EnCase; a Google Mail SQLite database file was identified that contained email messages of invaluable significance to the investigation.
Another interesting email artifact on the iPhone appears in the form of a file called the EnvelopeIndex.dat file, again this is an SQLite database file containing tables with email data.
Deleted jpg files in the unallocated areas of the iPhone contain snapshots of the Home screen, very useful in some circumstances.
Neddy
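The SQLite email databases mentioned above (EnvelopeIndex.dat and the Google Mail store) and the earlier point that a logical extraction can alter data the user had access to both come down to the same working rule: examine a copy without writing to it, and prove that you did not. As an added example written for this thread, not code from any poster or tool named here, the script below builds a constructed stand-in for an email envelope index, hashes it, opens it through a read-only SQLite URI, lists its tables and rows (including a row carrying a deleted flag), shows that a write attempt is refused, and re-hashes the file to confirm it is unchanged. The table name messages, its columns, and the row contents are assumptions for the example and not the real EnvelopeIndex.dat schema.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path


def sha256_of(path: str) -> str:
    """Hash the whole file in chunks; taken before and after examination
    so the examiner can show the working copy was not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path: str) -> None:
    """Constructed stand-in for an email envelope index. Table, columns
    and rows are assumptions for this example, not the real schema."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE messages(
            ROWID INTEGER PRIMARY KEY,
            sender TEXT, subject TEXT, date_received INTEGER, deleted INTEGER);
        INSERT INTO messages VALUES
          (1, 'alice@example.test', 'Meeting',     1268558813, 0),
          (2, 'bob@example.test',   'Re: Meeting', 1268645213, 1);
    """)
    con.commit()
    con.close()


def open_read_only(path: str) -> sqlite3.Connection:
    """Open via a URI with mode=ro so no statement can write to the file;
    immutable=1 also stops SQLite creating -journal/-wal side files."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def list_tables(con: sqlite3.Connection) -> list:
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def dump_messages(con: sqlite3.Connection) -> list:
    """Every row, flagged-deleted ones included: rows marked deleted by
    the application are still present in the table until vacuumed."""
    return con.execute(
        "SELECT ROWID, sender, subject, deleted FROM messages ORDER BY ROWID"
    ).fetchall()


def examine(path: str) -> dict:
    """Read-only examination bracketed by hashes; returns what was found
    plus whether a write was refused and whether the file is unchanged."""
    before = sha256_of(path)
    con = open_read_only(path)
    try:
        tables = list_tables(con)
        msgs = dump_messages(con)
        try:
            con.execute("DELETE FROM messages")  # must fail on a mode=ro connection
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
    finally:
        con.close()
    after = sha256_of(path)
    return {"tables": tables, "messages": msgs,
            "write_blocked": write_blocked, "unchanged": before == after}


def run_demo() -> dict:
    """Build the constructed database in a temp dir, examine it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "EnvelopeIndex.dat")  # name only mirrors the thread
        build_sample_db(db)
        return examine(db)


if __name__ == "__main__":
    result = run_demo()
    print("tables:", result["tables"])
    for rowid, sender, subject, deleted in result["messages"]:
        print(f"{rowid:>3}  {sender:<22} {subject:<12} deleted={deleted}")
    print("write refused:", result["write_blocked"], "| file unchanged:", result["unchanged"])
```

On a real case the hash values belong in the notes alongside the extraction hash, and the same read-only URI keeps a viewer from quietly creating journal files next to the evidence copy.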