Smartphone Forensics: Part 2
The iPhone is widely used today. Numerous survey results indicate, not surprisingly, that the iPhone has now grown to 50 percent of the smartphone market. Market-leading technology spawns supporting technology, and the iPhone is no exception. While doing research for this blog entry I found that over ten forensics tools for the iPhone exist. However, despite the availability of numerous iPhone forensics tools (some of which are free), I cannot honestly say which one I would use if I had to perform a forensics analysis of an iPhone at this minute, because all of these tools have at least some significant limitations.
The essence of conducting forensics investigations in computing systems is making bit-by-bit copies of original data without changing anything in the to-be-analyzed system, including any data that reside on the hard drive and in memory. In conventional computing systems, the technology and procedures for accomplishing these goals are well established; the same is not true for iPhones or any other type of smartphone, however. In conventional systems (but not smartphones) hard drives can easily be physically detached from the rest of the computer hardware, helping ensure that other parts of a system such as memory are not changed. The only exceptions in iPhones and other smartphones are removable SIM cards and memory cards. Furthermore, in conventional systems it is usually possible to boot into a special read-only mode that allows forensics analysis to occur without the risk of changing anything. But because iPhones and other smartphones do not have complete operating systems, they almost always lack this ability. Additionally, integrity checking, by obtaining and comparing hash values before and after copying data for forensics purposes, is another major hurdle in iPhones and smartphones, but not in conventional computing systems. Again, the lack of a complete operating system in these phones is the problem.
Another very significant obstacle to forensics analysis applies only to iPhones, not other types of smartphones. To install some applications on an iPhone it is necessary to “jailbreak” the phone. When an iPhone is installed, it stays in a “factory state” that is intended to be changed only as the result of Apple upgrades. Jailbreaking means overwriting the phone’s firmware to install application bundles and/or unlock baseband firmware that keeps the iPhone from doing things such as connecting to another service provider’s 3G network. Jailbreaking may not sound like such a big deal, but it is in at least three respects, namely that it:
1. Voids the iPhone service warranty.
2. Produces numerous changes in the iPhone that may cause the best of iPhone forensics efforts to be thrown out in a court of law.
3. Can expose the iPhone to a wider range of attacks.
Andrew Hoog wrote a very nice white paper (see viaforensics.com/wpinstall/wp-content/…/03/iPhone-Forensics-2009.pdf) in which he as objectively as possible compared major iPhone forensics tools on a number of differentially weighted criteria, including:
1. Installation (which covered the installation, activation and update process)
2. Data acquisition
4. Accuracy and completeness of data that were obtained. Data include call logs, SMS messages, contacts, email messages, calendar information, notes, pictures, songs, Web history, bookmarks, cookies, applications, Google maps, voicemail, passwords, configuration files, phone information, video, podcasts, details, VPN configuration, Bluetooth information, GPS information, file hashes, HTML files, and Office documents.
Perhaps not surprisingly, no tool obtained anywhere near a perfect score. What I found eye-opening, however, was the types of data that iPhone forensics tools failed to capture—in some cases, forensics tools missed five or more types of data. It is thus hard to believe that forensics investigations using most of these tools would be very complete.
The tool that scored the highest was not a single tool, but was instead a method called the “Zdziarski method,” one that utilizes several tools and methods, as follows:
1. Use the Pwnage Tool to build a custom firmware package (to be modified later) and to prepare the boot ROM to accept special unsigned images.
2. Use the xpwntool to build a Stage 1 custom firmware package to update the NOR (kernel cache) while not erasing any live user data.
3. Use the xpwntool to build a Stage 2 custom firmware package to install a special forensic recovery toolkit that creates a forensics image using the dd command and computes an MD5 hash value for the contents of the user partition.
4. Run iTunes and install the Stage 1 firmware package, then the Stage 2 firmware package by putting the iPhone in DFU (Device Firmware Update) mode.
Some of the many advantages of using the Zdziarski method include:
1. This method creates a bit-by-bit copy of the content of the user partition.
2. Data integrity can be verified through computing MD5 hashes.
3. No “jailbreaking” or any similar method that can compromise the integrity of the iPhone itself is used, with the exception of a few changes in the system partition. The data in the user partition, which are of major interest in most forensics investigations, are unchanged.
4. All of the types of data (call logs, SMS messages, and so on) used as criteria in Hoog’s comparison of the different forensics tools are captured.
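The core of steps 3 and 4 above, and of advantages 1 and 2, is a bit-for-bit dd image of the user partition whose MD5 hash is compared before and after copying. The script below is an added example, not part of the Zdziarski toolkit or of the original post: it uses a constructed 1 MiB file as a stand-in for the phone's user partition (all paths are assumptions), images it with dd, and accepts the image only when the source hash is unchanged by the copy and the image hash matches it.

```shell
#!/bin/sh
# Added example: bit-for-bit imaging with dd plus MD5 integrity verification.
# A constructed random file stands in for the iPhone user partition; no real
# device is touched. Paths under $WORK are assumptions for this demo.
set -e

WORK="${TMPDIR:-/tmp}/iphone_img_demo.$$"
mkdir -p "$WORK"
SOURCE="$WORK/user_partition.bin"   # stand-in for the user partition
IMAGE="$WORK/user_partition.dd"     # forensic image written by dd

# Constructed sample "partition" (1 MiB, block-aligned so conv=sync adds no padding).
dd if=/dev/urandom of="$SOURCE" bs=1024 count=1024 2>/dev/null

# md5_of FILE -> hex digest on stdout; uses GNU md5sum or BSD/macOS md5.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"
  fi
}

# image_and_verify SRC DST -> 0 only if hashing SRC before and after the copy
# gives the same digest (source untouched) AND the image carries that digest.
# conv=noerror,sync is the usual forensic invocation: keep going past read
# errors and pad bad blocks so offsets in the image stay aligned with SRC.
image_and_verify() {
  before=$(md5_of "$1")
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
  after=$(md5_of "$1")
  image=$(md5_of "$2")
  [ "$before" = "$after" ] && [ "$after" = "$image" ]
}

if image_and_verify "$SOURCE" "$IMAGE"; then
  echo "image verified, MD5 $(md5_of "$IMAGE")"
else
  echo "integrity check FAILED for $IMAGE" >&2
fi
# $WORK is left in place so the image can be inspected; remove it when done.
```

Record the printed digest with the image: any later change to the image, even a single byte, produces a different MD5 and exposes the tampering.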
Is the Zdziarski method too good to be true? The answer, unfortunately, is no. The major downside associated with this method is that it is very difficult to use, and even the most technically knowledgeable person can easily make a tiny mistake that leaves him or her stuck or forced to start over.
The good news is that iPhone forensics tools are just in their infancy. The iPhone itself is, after all, not all that old. These tools will become better and better in time. Until this happens, it is imperative to do what Hoog did by testing available tools to determine which is most suitable from the standpoint of both forensics proficiency and usability.