iPhone investigation with Lantern

Hello friends,

I used the software Lantern (of Katana ; http//katanaforensics.com/use-our-tools/) for forensic search on an iPhone.
I give you feedback about.

First, the essentials
Lantern extracts easily all it's not erased, without jailbreacking the iPhone.
Its price is reasonable 499 $, and 399 $ for law and police services.
It runs only on Mac Intel OS X 10.6 (exactly on 10.6.4).

To run Lanter, you need
I used the 1.0.7.0 version, the latest one at the moment.
It needs a Mac with OS X 10.6.4, with 2GB RAM (this is minimum, but really sufficient ; I had 2 GB and Lantern ran quickly).
It's compulsory to have this OS version. In fact, Katana has other versions for older OS versions, but I felt a strong uncertainty about a good working of these versions.
If you have not the 10.6.4, all remains possible if you have at least 10.5 (Leopard) and if your Mac is a Intell Mac (no upgrade possible for a PowerPC Mac).
The upgrade from Leopard (10.5) to Snow Leopard (10.6) costs 29 $. If your Mac runs 10.4 (Tiger), the upgrade is impossible.
If you have 10.6.x (x=1,2,3), don't worry the upgrade to 10.6.4 is free.

Using Lantern
You will receive from Katana 3 codes Agency name, serial number, licence code, with which you will register Lantern.
The iPhone has to be charged and connected to the Mac via USB. The SIM card is not needed at all (so, it is better to keep it off). The iPhone, connected via USB, is immediatly recognized by the Mac.
However, the connected iPhone is, by the fact, automatically switched on. But Lantern does not write nothing in the iPhone.
It is now possible to start Lantern, to create the "New case", and to run the Acquire. Acquiring data is fast. After it, you can disconnect the iPhone.
Now, you can run Report which produces a complete report, in various format (PDF, Word 97, XLS, …). This report is heavy enough, not because it is too wordy, but because of a good presentation (for instance, 3 SMS on a page).
So, for more concise, it is better to use the icon vertical list at the left Calls, Voice Mails, Contacts, Messages (SMS), Notes, Calendar, Internet (Bookmarks and History), Media (music), Photos, Dictionary (it did not see the interest of it), Maps (very usefull if the iPhone was used as GPS ; I did not test this, because (it's a pity) my iPhone did not use GPS), Voice Memo. I will treat later about the first icon (Info).
Clicking on one of these, we obtain the informations and we can click on Export to export to a file. This file will be a sheet of NeoOffice (the Mac Open Office), unique possible format. But, with a doble click on the exported file, it is opened by NeoOffice and you can save it as an XLS file (if you work, as I, with Windows). So, the presentation is with colomns and lines of array.
It's allways possible to continue later the investigation, without the iPhone. For this, you click on Open case (the case file is named case.lcf).
Lantern recovers allmost all which is not erased.
However, there is a big deficiency it does not treat emails. Probably it's true that the iPhone's users use webmail (without mail client). But a mail client software exists on iPhone "mail app". If this one is used, there is nothing to recover the emails.
There is another small deficiency Lantern does not show the cookies (they are not in the report and not reported by the icon Internet). But it's possible to get its by another way (see below).

Advanced investigations
With Info icon, we get
- informations about the iPhone its name (put by the user), the IMEI, the serial number, the MAC adresses of Bluetooth and WiFi, and the "Unique Devide ID" (40 hexa digits)
- access to the acquired row data, via 4 buttons Artifact Root Directory, Library Directory (which is a sub-directory of the previous one ; it's the more interesting), Photo Directory (no more informations that these of the Photos icon), and 3rd Party App Directory.
The Library Directory has 17 sub-directories. Some of these (as AddressBook, CallHistory, for instance) do not bring more information that the corresponding icons.
The directories which did not give me informations are Caches (I had hope with these, but nothing), ConfigurationProfiles (nothing), Mail (nothing, but perhaps it's because my user did not use "Mail App" ; I don't know), ManagedPreferences, MobileInstallation, Preferences, RemoteNotification, Webclips.
Now, the directories which bring new informations
Cookies Directory, where is the cookies.plist file. Usually, the .plist files are configuration files used by developers. Here, it's text files (in html) which is easy to open with the text editor of the Mac and copy in NeoOffice to treat its. The Cookies.plist file contains all the cookies.
In the Keyboard Directory, there is a xx_XX-dynamic-text.dat file (for instance, for a French keyboard, the file was fr_FR-dynamic-text.dat) which records the characters from the keyboard (as a keylogger). As the .plist, you can open it with a text editor. It is not in html, only portions of text, separated by #, readable.
The History.plist file, in the Safari directory, brings no more than the Internet icon. But, with the SuspendStat.plist of the same directory, I got some additional Internet history informations not recovered by the Internet icon.
In the SMS directories, there are, as well as the Draft and Parts directories, 2 .db files. The sms-legacy.db seems not interesting. The sms.db is the SMS database. We can open it with a database browser (as SQLite Database Browser). The table "message" contains all the SMS. I would know if a deleted sms remains or not in the database, with a flag for deleted, but I did not find the information (and I could not test). If you know about this, I would be very interested.
Below the directory Parts, in the 2 levels of sub-directories of this one (which names are 2 hexa digits), I found others photos not brought by the Photos icon.
I did not exploit the 3rd Party App Directory which sub-directories have long names of hexa digits.

Lantern versus MobilEdit!
For the iPhone, MobilEdit! does not recover information about Internet history and nor about GPS. It treats the iPhone as a simple telephone.
So, Lanter is better, but it is specialized (only for iPhone, iPad and iPod) and it runs only on Mac Intel OS X 10.6 (10.6.4).

Help and support
The help is very succinct, but sufficient for basic investigation.
On the other hand, there is absolutly no help for advanced investigations.
The support seems not well organized. I was in contact with Mr Sean Morrissey (Managing Director) who is very kind. I ask him (at the begining of my use) who I have to contact for support, if needed. He did not answer. So, I reported to him for my questions.
He answered, but never bringing satisfactory answer to an accurate question. I found by myself all I wrote above about advanced investigations, without help about.

Best regards.