
iPhone Forensics

Here's what you need to know

By   Trent Leavitt

January 23, 2018

Do you need your iPhone examined?

This page is an introduction to iPhone forensics. The practice of computer forensics breaks down into three parts.

  1. Hardware. Hardware is the backbone of what we do. Without computers and specialized equipment such as cables, write blockers and forensic duplicators, we would not have much of a job to do.
  2. Software. Software makes everything possible. Some software is designed to handle broad amounts of data; other software is designed for one specific task.
  3. Knowledge. Knowledge of computer forensic principles and practices, along with knowing how to operate both the hardware and the software, rounds out the trifecta of computer forensics.

iPhone forensics is no different. It requires, at times, specific hardware, as well as software and knowledge, in order to successfully extract and interpret data from an iPhone.

What follows is a general overview of what can and cannot be done on iPhones. We receive phone calls daily from people who want to know what can be recovered from a particular iPhone.

On June 8, 2009, Apple introduced the iPhone 3GS, followed in 2010 by the iPhone 4. From a cellphone forensic standpoint, these were great phones to work on. Both allowed for what the industry calls a physical extraction: a bit-for-bit copy of the device's storage, including the unallocated space where deleted data lingers, rather than just the files the operating system currently lists. In practice this meant we could grab all of the available data, whether it had been deleted or not.

Note: it is not possible to recover everything that has been deleted. Once an item is deleted, the space it occupied becomes available for new data to overwrite. Deleted data can only be recovered if it has not already been overwritten.

With that in mind, the iPhone 3GS and 4 are great candidates for physical extractions. Deleted photos, videos, text messages, call logs and contacts can typically be recovered. The basic rule of thumb on the 3GS and 4 is this: if it has been deleted, it can be recovered as long as it has not been overwritten.

iPhone 4S, 5 and 6

On October 14, 2011, the iPhone 4S was released. To the general consumer, the best feature was the increased battery life of the iPhone.

A major point of differentiation is that the iPhone 4S is a dual-antenna equipped “world phone” that supports both GSM and CDMA networks—UMTS/HSDPA/HSUPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz), and CDMA EV-DO Rev. A (800, 1900 MHz)—and the “antenna automatically switches between send and receive.” It supports 802.11b/g/n and Bluetooth 4.0, too. HSDPA is up to a theoretical maximum of 14.4 Mbps.

It's easy to look up the differences between the 4 and the 4S. The biggest difference between the two phones that you won’t typically read about is what iPhone encryption means for data recovery. The encryption developed by Apple is second to none; at the time of this writing, nobody has publicly broken it, and the boot ROM exploit that made physical extraction possible on the 3GS and 4 has no public equivalent for the 4S's A5 processor, so there is no way to image the raw flash and decrypt what is found there. Every file on the device is encrypted with its own key, and that key is stored with the file's metadata. When the file is deleted, the key goes with it, so whatever ciphertext is left behind in unallocated storage cannot be decrypted. What does this mean to you? Once a file has been deleted, it is gone for all practical purposes. It’s not coming back. So within the forensics world, deleted photos and videos are deleted. Did you notice that I left out an item or two of particular importance? Text messages and certain app data?

What? How can this be? You might be thinking, “Hey, this guy just told me that once an item is deleted on an iPhone 4S or later, it is gone and not coming back.” You are correct, I did say that, but fortunately Apple stores the data for a large number of its apps and programs in SQLite databases.

SQLite is not as powerful as other DBMSs, such as MySQL or SQL Server, as it does not include all of their features. Its strength lies mostly in these factors:

  • It’s lightweight, yet robust.
  • It contains an embedded SQL engine, so almost all of your SQL knowledge can be applied.
  • It works as part of the app itself and doesn’t require extra active services (a key ingredient).
  • It’s very reliable.
  • It’s fast.
  • It’s fully supported by Apple, as it’s used in both iOS and macOS.
  • It has continuous support from developers around the world, and new features are always being added.

I am not a SQLite database expert, but here is what I know. For lack of a better term, the SQLite database acts as a force field against iOS encryption upon deletion in many circumstances. The reason is that deleting a text message does not delete a file. The database file itself stays live, with its encryption key intact, and the deleted row is simply marked as free space inside that file. The operating system will never show the message again, but in many circumstances its bytes still sit in the database until SQLite reuses that space or the database is rebuilt. Because of that, you are able to “carve” the data out in a readable format. I did not say a perfect format, but a readable format. In a perfect situation, you find the phone number, the time stamp and the message itself. In a not-so-perfect world, one record might yield the phone number and the time but no message, and another the message with no time, because part of the deleted record has already been overwritten. I think you get the idea.
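The carving described above, as an added example rather than the author's tool or code: a Python script that builds a toy message table, deletes one row, then walks the raw database file's free space (each page's freeblock chain and the unallocated gap between the cell pointer array and the cell content area) and pulls printable strings out of it. It also shows the two ways the "overwritten" caveat from the note above plays out in SQLite: the secure_delete setting zeroes a row as it is deleted, and a VACUUM rebuilds the file without the freed space. The table layout, column names and messages are constructed for the example and are not the real iOS message store schema.

```python
"""Carving deleted rows out of free space inside a SQLite database file.

Added example, not the article author's tooling. The table layout and the
messages below are constructed for illustration and are not the real iOS
sms.db schema.
"""
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample rows; the second one is the message we will delete.
SAMPLE_ROWS = [
    ("+15555550101", 1516700000, "see you at the usual place tonight"),
    ("+15555550102", 1516700100, "DELETED_MSG: the wire went through this morning"),
    ("+15555550103", 1516700200, "running late, order without me"),
    ("+15555550104", 1516700300, "call me when you land"),
]


def build_db(path, secure_delete=False):
    """Create a toy message table, then delete the second row.

    secure_delete is off by default in most SQLite builds; when it is on,
    SQLite zeroes a cell's bytes as it frees them, so nothing is left to carve.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("PRAGMA journal_mode=DELETE")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, "
                "date INTEGER, text TEXT)")
    con.executemany("INSERT INTO message (handle, date, text) VALUES (?, ?, ?)",
                    SAMPLE_ROWS)
    con.commit()
    # Cells are allocated from the end of a page downward, so the newest row
    # sits at the start of the cell content area and deleting it would only
    # move that pointer. Deleting an older row leaves an explicit freeblock,
    # which is the usual case on a database that has seen some churn.
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    con.close()


def free_space_regions(data):
    """Yield (page_no, kind, raw_bytes) for each free region of each b-tree page.

    Deleted cells end up in one of two places on a page: the freeblock chain
    (page header bytes 1-2 point at the first block; each block starts with a
    2-byte next pointer and a 2-byte size) or the unallocated gap between the
    cell pointer array and the start of the cell content area.
    """
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                # the file format encodes 65536 as 1
        page_size = 65536
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0  # page 1 carries the 100-byte file header
        flag = page[hdr]
        if flag not in (0x02, 0x05, 0x0A, 0x0D):
            continue                  # freelist, overflow or other non-b-tree page
        hdr_len = 12 if flag in (0x02, 0x05) else 8
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        if content_start == 0:
            content_start = 65536
        ptr_end = hdr + hdr_len + 2 * ncells
        if content_start > ptr_end:
            yield pno, "unallocated", page[ptr_end:content_start]
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= page_size:
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            if size < 4 or off + size > page_size:
                break                 # corrupt chain: stop rather than loop
            # The 4-byte freeblock header has overwritten the start of the old
            # cell (its length, rowid and first record-header bytes), which is
            # one reason carved records often come back missing fields.
            yield pno, "freeblock", page[off + 4:off + size]
            off = nxt


def carve_strings(path, min_len=6):
    """Return (page_no, kind, string) for printable ASCII runs found in free space."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with open(path, "rb") as f:
        data = f.read()
    return [(pno, kind, m.group().decode("ascii"))
            for pno, kind, blob in free_space_regions(data)
            for m in pattern.finditer(blob)]


def live_texts(path):
    """What the database itself will still hand back through SQL."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def demo(secure_delete=False, vacuum=False):
    """Build the toy store, optionally VACUUM it, then compare SQL with carving."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_db(path, secure_delete=secure_delete)
        if vacuum:
            con = sqlite3.connect(path)
            con.execute("VACUUM")     # rebuilds the file; freed cells are not copied
            con.close()
        carved = carve_strings(path)
        return {
            "live": live_texts(path),
            "carved_texts": [s for _, _, s in carved],
            "deleted_recovered": any("DELETED_MSG" in s for _, _, s in carved),
        }


if __name__ == "__main__":
    for label, kw in (("default", {}), ("secure_delete", {"secure_delete": True}),
                      ("after VACUUM", {"vacuum": True})):
        r = demo(**kw)
        print(label, "live rows:", len(r["live"]), "deleted row carved:", r["deleted_recovered"])
```

In the default run, SQL returns three messages while the carver finds the deleted text and its phone number in the freeblock on the table's page; with secure_delete on, or after a VACUUM, the same carver finds nothing, which is exactly the "already overwritten" situation. A real message store is larger and often runs in WAL mode, so the -wal and -journal files beside the database deserve the same treatment; this walker only reads the main file.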

This also applies to other apps used on the iPhone. SQLite databases are very popular across many types of apps, so a vast amount of data can be recovered from them. We have researched dozens of apps in banking, social media, texting, dating, photo sharing and more. Each app gives up data, but what it gives up varies from app to app.

To discuss your case or potential case involving an iPhone, iPod, or iPad, talk with one of our expert examiners. Fill out the form to the right or give us a call.