Forensic Extraction Of Data From Mobile Apple Devices

This article examines the fundamentals of a forensic examination covering Apple mobile devices. A step-by-step guide describing the process of forensic data extraction and analysis exemplified by Apple mobile devices (iPhone) will be given below. This article will also familiarize its readers with such special-purpose software used in digital forensics as Belkasoft Acquisition Tool and Belkasoft Evidence Center. It will also show how to utilize them to examine devices of this type.Analysis of mobile devices is of great importance when it comes to incident investigations since a lot of information about the owner of a device and other sensitive data is stored on them. Apple’s mobile devices, such as iPhones and iPads, make up roughly 15% of the mobile device market. That is why forensic laboratories have to deal with them quite often. Correspondingly, this piece will examine the following two key points related to forensic analysis of such devices: i.e. extracting data from the Apple mobile devices together with forensic analysis of such data.

Mobile Data Extraction Types

There are four main types of data extraction in the field of mobile forensics:

1.Logical extraction which handles only certain types of data such as contacts, calls, SMS, etc. Normally, such extraction is performed by installing special software on a mobile device. However, this method is not applicable here because of some features of data organization and security rules covering the Apple devices.

2.Creating a backup copy implies the extraction of logical data that is stored on a device’s memory and which can be extracted according to the security regulations. This is the most widespread data extraction method regarding Apple devices.

Get The Latest DFIR News!

Top DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

3.File system extraction. With this method, one can extract all the logical data from a device. It is applicable to all the Apple devices after jailbreak and makes it possible to extract the maximum amount of data from such devices. At the same time, not every Apple device can be jailbroken. For example, it is not possible when it comes to Apple devices with the latest iOS version.

4.Creating a physical dump. As for this method, one can extract not only logical but also deleted data. Unfortunately, this method can be used only with iPhone 4 and earlier models now.

iPhone Data Retrieval

In this article, it is an iPhone’s data that exemplifies the process of Apple data extraction for the creation and analysis of a forensic copy (the process is identical when it comes to iPads).

Let us use the free Belkasoft Acquisition Tool utility program. It is worth mentioning that it is impossible to extract data from a blocked Apple device. To confirm this statement, we can recall the following notorious story: the US Government, represented by the Department of Justice, requested Apple to unlock a terrorist’s device. Another article will tell which forensic methods can be used to unblock such devices. As of now, it is time to launch Belkasoft Acquisition Tool.

Then click on ‘Mobile Device’ on the screen.

Click to read full text at https://belkasoft.com/forensic_extraction_of_data_from_mobile_apple_devices

Leave a Comment

Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run. 

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems. 

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run.

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems.

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_i0zd7HtluzY

A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems

Forensic Focus 21st June 2022 5:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...