Colleagues,
I am hoping for some feedback and opinions on Physical versus Logical collection of smartphone ESI.
As a matter of background, I work in civil discovery in the U.S. and do not work in criminal cases, although the cases I support in my Pro Bono practice for the Domestic Violence court seem to be crossing over into criminal matters.
When I perform a physical image of a workstation hard drive, which collects and preserves unallocated clusters and file slack space, I am able to perform a "full" forensic analysis of the imaged evidence.
For example, I am able to mount the physical forensic image file as a virtual drive, restore VSC (volume shadow copies) for analysis, and carve unallocated and slack space for deleted information.
With a logical forensic image of a workstation, I am not able to mount the forensic image file as a virtual drive.
If I only perform a logical forensic image of folders and files on a workstation, although I can prove that the forensic copies are true and exact copies of the original evidence through hash value calculation, the level of forensic analysis I can perform is limited compared to the level of forensic analysis I can perform had I created a physical image of the drive.
I theorize, but have not confirmed, that if I use a tool such as FTK Imager to create a logical image of just folders and files from a workstation, then, because I have not collected the Windows Registry, if I later extract files from archives (ZIPs, TARs, etc.), some metadata related to the files I am now extracting from archives that is contained within the uncollected Windows Registry will be lost and thus replaced with today's creation date, for example.
In short, I explain to my clients that if they wish me to perform a full forensic analysis of workstation ESI, they will need to allow me to perform a physical forensic image.
So here are my questions in regard to smartphone ESI:
1) For criminal matters, does LE always, where permitted by tools to do so, "Root" or Jailbreak smartphones so that a physical image can be made?
In my civil practice, I historically have not "Rooted" nor "Jailbroken" my clients' smartphones for several reasons; the client typically wants the phone back to continue using it and if I "Root" or "Jailbreak" their phone, I could cause major licensing issues and also make their phones inherently less secure. Imagine a scenario in which one were to Jailbreak 100 corporate owned iPhones that leads to Apple suing the corporation.
2) Do other civil practitioners offer their clients the option to "sacrifice" their phone to the "Rooting/Jailbreaking" process so that a physical image can be made? Civil litigants find discovery ridiculously expensive already, so I have hesitated to offer this option as it would force my clients to buy a new phone in addition to all of the other litigation expenses they are facing.
3) What specific level or examples of forensic analysis of smartphones is eliminated when only a logical collection can be made?
For example, my Compelson Mobiledit Forensic software can expose SQLite databases (KIK, Skype, etc.) on non-jailbroken iPhones so that I can export those SQLite databases for analysis in other tools.
** This is a very specific question, but do SQLite databases extracted from non-jailbroken iPhones contain less "forensic" evidence than SQLite databases extracted from jailbroken iPhones? Meaning, in order to truly carve SQLite databases, must they be collected from a physical image of a phone?
Is there potentially information stored in a phone's protected storage that SQLite databases stored in unprotected storage reference such that only exporting a SQLite database from a logical collection will be missing this linked information?
4) Is there a comprehensive list of which communication applications store some information within a non-rooted/non-jailbroken phone's protected storage that can only be accessed via rooting and jailbreaking?
My understanding is that Apple's iMessage data, for example, is stored in an "SMS.db" file in a location that can be accessed through a logical collection, whereas other communication applications may choose to store their data totally or partially within protected storage.
** Is it the case that more "unallocated/slack" data could be collected related to the "SMS.db" file via a physical image of an iPhone?
Basically, what I am trying to determine is if I should offer my civil litigation clients an option to "sacrifice" their phone by allowing me to Root/Jailbreak their devices so that a more thorough analysis can be performed?
I would also like some guidance from our community here if there are specific examples of analysis that cannot be performed with only a logical phone collection (like the examples I gave for workstation images above), so that I can alert not only my clients, but the opponent's attorney and the court that results from my reports are limited by the fact that a logical image was made.
Thanks in advance and I hope my questions made sense.
I thought it had already been established in the US that rooting or jailbreaking phones was legal?
That aside, as a general rule I won't do it to any phones due to problems that can occur when the procedure fails.
Where the software/tool allows a physical dump I will always do that as a preference for the collection of unallocated data. Where physical is not possible then I revert to logical.
In both cases I use UFED for the phone dump and analysis, then also throw Xways and IEF at it for further analysis.
I'll try to give some quick examples which emphasize the differences…
- Having only a logical extraction you can hardly "say" in what way your acquired data is limited. If you do an Android backup, for example, of a collection of unknown/new apps, how would you determine what kind of data the app stores on the device and what part of that data is processed via backup? Without ever being able to see the "complete" folder via root there is little you can tell.
So that (at least for me) is always a bit frustrating, because you rely on what the "BackupProcess" or "ForensicAgent" etc. has given to you.
I remember having an iPhone 5s that (without jailbreak) would only do an iTunes backup and no complete dump of the file system. The WhatsApp folder I got contained the chat database and some media files, which is fine at first, but as I looked into the WhatsApp folder after jailbreak I found thousands of cache images which (of course, and only these files) contained relevant data.
Additionally I was able to process the WhatsApp log files which contained even more information about the corresponding chat partners and some timestamps. All this information was no longer stored inside the database itself. Having only the logical extraction, I would have had no clue about the existence of these cache files.
- Carving… Having an Android physical dump you're able to carve files in unallocated areas and even fragments of SQLite databases or images (for example a full dump of the internal SD partition). Concerning SQLite databases, you are limited to the database itself (free pages etc.), but maybe the data from write-ahead logs or journal files isn't copied by your agent/backup… how would you even know?
In my opinion logical dumps are fine for a quick overview, and if they contain what you're looking for no one will probably question the results…
But as soon as you're trying to say what's not on the device… it's gonna be a hard time to speak about something you didn't have a chance to look at.
THANKS!!! for your detailed answer - exactly what I was asking.
My understanding is that iOS stores email in encrypted storage (as an MBOX file) on iPhones and thus it is inaccessible to a person performing a logical extraction directly from the iPhone 4S and up.
I have been informed that this otherwise protected email content can be accessed however from a mobile backup.
My question to you, Zergling, is in an iOS mobile backup, are the same folders of data encrypted that are encrypted on a live iPhone and thus inaccessible without a jailbreak?
Is it possible or even necessary to "jailbreak" a mobile backup?
My understanding is that an iTunes password can be used to encrypt an entire mobile backup, but I am wondering if a mobile backup that is not protected with an iTunes password still contains subfolders of encrypted content. I would guess that individual files such as those storing keys/passwords would be encrypted within a mobile backup.
I understand I could test all of the scenarios myself, but if you would be willing to share more of your expertise, I would be very grateful.
Regards,
Larry
Hey,
Well, the backup process of a mobile device is often different from, let's say, a "copy & paste" backup of a desktop PC.
Let me explain it this way:
The iTunes backup gives you a selection of files that are within the file system of the device. AFAIK these files themselves contain the same data as the originals on the device.
The backup process may encrypt these files, and the "folder structure" is not a 1:1 copy of the data structure of each file that is on the device; sometimes it only contains a part of that structure.
It's not quite a "dump" of the file system but a collection of files spread across the disk… I hope I can clarify the point I am trying to make here? :)
Example:
iPhone 5 file system - sms.db (as presented by UFED Physical Analyzer)
path = private/var/mobile/Library/SMS/sms.db
this folder might also contain sms.db-wal (write-ahead-log file)
In the backup it is only shown as
/Library/SMS/sms.db
and does not contain any .db-wal file.
So there is no jailbreaking the backup itself, because it doesn't contain this file in the first place.
Jailbreaking the phone on the other hand would allow a different approach to getting the files, like connecting via SSH shell as "root" and copying everything…
Similar to the Windows "Documents" library… instead of looking at what's inside this library, just copy the whole disk.
On Android its a similar story…
Especially for newer devices (like Android 5.0) the Android backup is quite picky when it comes to "what files are copied and which are not". You're not even close to getting a "real file dump" from the /data/data/ folder that contains a lot of application/user data.
So getting root (or any kind of physical dump or file system dump) is the way to go here (IMHO).
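An added example, not code from either poster, that demonstrates both points Zergling raises: the write-ahead log/journal data that an agent or backup may not copy, and the sms.db versus sms.db-wal pairing in the iTunes backup. The script builds a constructed chat-style database (table and row contents are made up), commits its newest rows only to the -wal file, then compares what an examiner sees from a copy of sms.db alone against a copy that also carries sms.db-wal, and reads the header's freelist page count that a physical-image carve would look into. Directory and file names are assumptions.

```python
import os
import shutil
import sqlite3
import struct
import tempfile

def build_sample_db(path):
    """Constructed chat database whose newest commits exist only in the -wal file (keep the writer open)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO message(body) VALUES (?)", [("hi",), ("meet at 9",), ("ok",)])
    con.execute("CREATE TABLE scratch (filler TEXT)")  # filler table, dropped below so that
    con.executemany("INSERT INTO scratch VALUES (?)", [("x" * 100,)] * 200)  # its pages land on the freelist
    con.commit()
    con.execute("DROP TABLE scratch")        # still rollback-journal mode: the header in the main file is updated
    con.execute("PRAGMA journal_mode=WAL")   # from here on committed pages go to <db>-wal only
    con.executemany("INSERT INTO message(body) VALUES (?)", [("see you",), ("bye",)])
    con.commit()
    return con

def header_info(path):
    """Parse the 100-byte SQLite header of the main database file."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    assert hdr[:16] == b"SQLite format 3\x00", "not an SQLite database"
    return {
        "wal_mode": hdr[18] == 2 and hdr[19] == 2,           # format bytes: 1 = rollback journal, 2 = WAL
        "freelist_pages": struct.unpack(">I", hdr[36:40])[0],  # unused pages that may still hold old records
    }

def visible_rows(path):
    """Row count a tool sees when it opens the exported file plus whatever -wal sits beside it."""
    con = sqlite3.connect(path)
    n = con.execute("SELECT count(*) FROM message").fetchone()[0]
    con.close()
    return n

def compare_exports():
    """Export sms.db without its -wal (as the backup described above does) and with it, then compare."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live.db")
    writer = build_sample_db(live)
    for name in ("db_only", "db_and_wal"):
        os.makedirs(os.path.join(work, name))
        shutil.copy(live, os.path.join(work, name, "sms.db"))
    shutil.copy(live + "-wal", os.path.join(work, "db_and_wal", "sms.db-wal"))
    writer.close()
    return {"db_only": visible_rows(os.path.join(work, "db_only", "sms.db")),
            "db_and_wal": visible_rows(os.path.join(work, "db_and_wal", "sms.db")),
            "header": header_info(os.path.join(work, "db_only", "sms.db"))}
```

The db_only copy reports three messages while the db_and_wal copy reports five, and the header of the copy still flags WAL mode and a non-zero freelist, which is the kind of gap a report based on a logical export should disclose.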