Friday 22 June 2012

iPhone forensics: Beware expert witness!


iPhone forensics is not easy as it sounds!

It is not like computer forensics whereby you could apply all sorts of techniques to process it. It is a matured field and there are thousands of references you could get from the Internet. No problem at all.

But for iPhone forensics, it is different. The process is not straightforward as you might have thought. The iOS has security features, complicated mobile phone system and the technical information is difficult to obtain.

Developing a software/tool will double your effort aka ‘headache’ because it is massive. It could be done but need proper planning.

To start with, you must have knowledge on the hardware components that make up the iPhone. Then you need to understand the software components that work together to get the iPhone operational.

This is a daunting task but iPhone Dev Team and Zdziarski have done it even though some may question whether it is forensically sound or not. 

I concur with Carrier that open source tools are better because anyone can review its source code. Just like Foremost by Kornblum et al. 

How did they do it and get all the resources mentioned above?

Most likely with sheer determination, connections, working in a team, hacking skills, equipments and etc, you could do it. Also, you may need some LUCK! Don’t dream of doing it alone with only Internet access. God bless you!

However, for basic iPhone forensics, there are two main things that you need to be familiar with,
  1. Imaging – physical or logical acquisition of data.
  2. Extraction – export of relevant data, e.g. videos and pictures.
Imaging an iPhone is easy when you have an expensive tool but without it is really a painstaking job.

But, can you clearly explain how did the commercial tool conduct the imaging and extraction of all files?

Most probably it would only be brief description and not detail enough because you are not the tool developer.

Then, how are you going to do well as an EXPERT WITNESS?

Bear in mind that the lawyers are not the ones that you met ten years ago! Some of them are tech savvy with technical qualifications and certifications. Or they could consult the other experts to go against you in the court of law (a lot of hackers/digital forensics analysts are becoming technopreneurs these days).

Imaging process of an iPhone is complicated. Just visualize it like having a separate special bootable system to access the iPhone user partition and bit-to-bit copying it.

Let’s say that you have done the imaging, then comes the file system analysis part and user data extraction. File system, container, format and timestamp expertise is essential for you (I will cover this in my next blog). It is not easy and it takes time to understand the iPhone file system. The system is huge and complicated. When the file system is corrupted, you need to resort to file CARVING.

As an EXPERT WITNESS, you are expected to explain the entire process. You can’t afford to rely on the commercial tool report alone. You should know how the tool did its work or the least you must do is to convincingly articulate the imaging and extraction concept.

I must say that tool dependent EXPERT WITNESS is going to have a tough time because you cannot 100% trust your tool. Why, because you won’t get the same results between the two tools [1]. Let me give you some examples.

I’ve used a commercial tool to get the physical image of an iPhone. The same tool retrieved some files e.g. pictures and a total of 657 jpegs were extracted. 


But, when I used a specialized carving tool on the same image, I got more jpeg files, i.e. 1242 altogether and almost double than the commercial tool did. 

What happen here? This is very interesting!


I’m not trying to assert that commercial tools aren’t good enough but merely to find the reason behind this awkward finding (I will cover this in my next blog).

It must be noted that the burden of proof (digital evidence) lies on the EXPERT WITNESS. It will not be an easy ‘journey’.

Usually, in iPhone or mobile phones forensics you need a few tools [1] to process it. There is no one dedicated tool that could do everything.

I would like to remind you again that the ability to understand the whole technology and forensic process (the principle of don’t ever change a single bit) is compulsory. If too complex, the least that you must do is to master the file system, container, format (example below), timestamp and carving.


Whatever it is, I pity the honorable judges for them to understand all these intricacies.

[1] G. Grispos, T. Storer and W. B. Glisson. “A comparison of forensics evidence recovery techniques for a windows mobile smart phone.” The Journal of Digital Investigation, pp. 23-36, 2011.

P.S. Additional info on iPhone and iPhone forensics.





iPhone Forensics Book

Mobile Phone Based Cases

Smart Phone Forensics: Strip 'em all!