Learning iOS Forensics

Reviewed by Scar de Courcier, Forensic Focus

Learning iOS Forensics is a practical textbook that aims to help digital forensics examiners of all levels to get to grips with the procedures involved in forensically analysing iOS devices.

The book opens with a preface, which describes how the various sections are set out and delineates the recommended audience. It explains that the book can either be read sequentially or used as a reference work in ongoing investigations. My own experience of reading the book would back this up – I read it from cover to cover and found it to be an excellent resource for iOS forensics, both as someone who has not yet come across an iOS device in an investigation, and as someone who is interested in digital forensics as a discipline.Although those new to iOS forensics should have no trouble understanding the book, it is aimed at a technical audience and therefore a certain level of knowledge is required. An understanding of file system organisation is useful, for example, as the book moves relatively quickly from an overview of current iOS devices into methods of forensically analysing them.

The initial few pages are taken up with an attempt to define digital forensics on the whole, and what constitutes ‘digital evidence’ in particular – which, as the authors point out, is no mean feat.

For the purposes of the book, the definition of digital forensics set out in Chapter One is as follows:

“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitation for furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

In turn, ‘digital evidence’ is defined as:

“Digital data that supports or refutes a hypothesis about digital events or the state of digital data.”

Following the definitions of terms, there is a brief discussion of how to identify, collect and preserve evidence at crime scenes, which will be particularly useful for anyone who is just starting out in their career as a forensic analyst.

One useful element which crops up throughout the book is the use of bullet pointed lists when documenting how a given situation should be approached. The first instance of this appears when discussing points for consideration when in the presence of mobile devices to be collected. The lists are laid out in such a way that they are both easy to find on the page and straightforward to read through – it would be simple to find a key piece of information, or to briefly skim-read a list to ensure that all points had been covered in an investigation.

Throughout the book there are also boxes featuring case studies of real investigations. These help to illustrate the points being made and to demonstrate the reasoning behind some of the instructions. Partly because of this, I believe the book would be a good introduction for university students who are studying digital forensics but who have little or no experience in the field – it is always useful to be able to understand how the techniques one is learning can be applied in the real world.

Chapter One also contains a template for an evidence chain of custody tracking form; another element that would be useful for investigators who are new to the field.

The self-test questionnaires at the end of each chapter are another particularly useful feature of Learning iOS Forensics. With short multiple-choice questions recapping the themes discussed in the preceding pages, the quizzes help to refresh the memory and serve as a way to gauge a student’s understanding of each section.

Chapter Two provides an overview of current iOS devices, incuding iPhones, iPads and iPad Touch devices. Details of software versions, strings of identification, memory capacity and authentication systems are included, which serves as a useful overview for anyone who needs a snapshot of the device they have seized and its capabilities. This is followed by a brief guide to iDevice identification – once again with an accompanying bullet-pointed list – which should help an investigator to easily work out which iOS device they have come across in the course of an investigation.

Attention is then given to the file system structure of iOS devices, including tables which delineate the field names for each file under each file heading (for example, those contained within the ‘volume header’ and ‘catalog’ files), their size and a brief description of their use.

A particularly useful portion in Chapter Three discusses how to calculate the UDID (unique device identifier) for the various iPhone versions. Screenshots are also prvided of where to find and how to identify the serial number, wifi address and bluetooth identifier of the devices. Once again, this is followed up with real-life examples to demonstrate how the process is to be followed.

The book then moves on to discuss acquisition of an iDevice, starting from the very basics – setting the device to Airplane mode, turning off auto-lock, and uncovering any passcode that may have been set. If this is not possible, the final part of Chapter Three deals with acquisition of devices using iTunes backup.

An extensive case study is then provided, demonstrating how the steps should be followed and how some commonly used forensic software suites can aid in iOS device acquisition.

For cases where a logical acquisition cannot be performed, steps for performing a physical acquisition of iOS devices are then set out. Once again, this includes a breakdown of how to break through a device’s passcode, followed by a case study using forensic software to uncover digital data from the device.

Jailbreaking is the next subject of discussion, with a description of how jailbreaking works and a recommendation for where to find the latest jailbreaking tools for iOS devices.

Chapter Three is then brought to a close with two useful flowcharts, which show the processes an examiner should go through when searching and seizing a device, and then when extracting data from it.

Chapter Four gives an overview of how data are stored on iOS devices, followed by a discussion of timestamps and plist files. A rundown of iOS configuration files is also given, along with a guide to the information contained within each of them.

The chapter goes on to describe each application common to every iOS device – email, calendar, contacts, and so on – along with links to blog posts where further information and updates can be obtained. Once again, this makes the book a great resource for either students or digital forensic examiners – it provides an excellent starting point for any level of technical examination, and also gives information about further reading where possible, meaning it is appropriate for a wide-ranging audience within the digital forensics field.

Following the discussion of native applications, the book then goes on to provide instructions concerning the acquisition of evidence from some of the most commonly installed third-party apps, including WhatsApp, Facebook and Google Drive. Deleted data is the subsequent topic of conversation, with recommendations of further reading on the topic and a discussion of how Apple’s policy updates for recent models have complicated matters when analysing iOS devices.

Extracting data from iTunes backup was briefly touched upon earlier in the book, but the fifth chapter is devoted entirely to this technique, and will no doubt be useful in cases when an investigator has access to a person’s computer or laptop but where the phone is encrypted or otherwise unavailable for analysis. This chapter gives an overview of which items are stored encrypted and which are unencrypted, as well as an overview of the iTunes backup structure and the standard backup files which can be found therein.

iCloud is another possible point of entry when analysing iOS devices, and Chapter Six looks at how to acquire data from this service. iCloud is enabled on almost all devices as the user has to turn it off manually if they do not want their data to be backed up. This can provide a wealth of useful information to the digital forensic examiner.

The majority of this chapter is taken up with case studies of how various items were extracted from different iCloud backups, which provides both an overview of the methods used and some excellent examples of the types of evidence that can be collected.

Although malware tends to be less common on iOS devices than on other counterparts, it is still an area of consideration, particularly with devices that have been jailbroken. Chapter Seven discusses this in detail and talks the reader through various tools that can be used to identify and analyse malware on a device.

The book draws to a close with a final self-test questionnaire and a list of references for further reading.

One of the particularly useful elements of the book was that the authors recommended not only the most commonly used commercial tools, but also open-source and free software which is available for anyone to use. With this in mind, the book can be recommended to a wider audience, including individual practitioners and people working for smaller forensics labs that may not have the budget for the larger forensic solutions.

The commercial software solutions themselves are presented in an unbiased manner and a range of the are used throughout the book, alongside explanations of what each item is referring to in the accompanying screenshots. This means that even if you or your company do not use the specific type of software being demonstrated in a given chapter, it should be easy to work out the corresponding items in your own solution.

Overall, Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo is a highly useful book for digital forensic exmainers of all levels, and recomemnded reading for students and professionals.

Learning iOS Forensics is written by Mattia Epifani and Pasquale Stirparo and is available for purchase via Packt Publishing.

A 50% discount on the 'Learning iOS Forensics' eBook is available for Forensic Focus readers. Click this link and enter the code LEARNIOSF50 to access the offer before October 24th 2015.

Leave a Comment