iPhone Forensics – What Lawyers Should Know

While the common procedure to forensically process a laptop or desktop involves an image of its data repositories (meaning the disk or disks where the information handled by the device, including its OS, is stored), this is not the case when the device is a smartphone. Although in this post we address only iPhones, the same limitation is common with Android smartphones, which will be discussed in a future post.

For most new iPhone models and newer iOS versions, the content of the iPhone can only be accessed using the interfaces offered by iOS (the operating system for iPhones) or through Apple APIs. The reason is that content in an iOS device is encrypted, and the decryption key is unique for each device and embedded in its hardware. Thus, even if the physical memory were extracted, the decryption key would still be required.

The most common way to extract iPhone information is by using Apple APIs, either directly or, more commonly, using iTunes as a kind of intermediary. The issue is that only information that is normally included in iTunes backups is extracted, and the data for many apps is not included. Normally, Apple or the developer decides what should or should not be included within an iTunes backup.

Readily Recoverable Content from iPhones

Any information that is normally included in an iTunes backup is readily available for forensic extraction. There are several tools that do this job in a forensically sound manner, like Cellebrite, Oxygen Forensics, Elcomsoft and others. There are also many lower-cost tools that extract the same information, although not in a forensically sound manner. Of course, the passcode of the device is needed in most cases.

Normally, what can be extracted includes: media on the device (pictures, audio/music, videos), SMS and MMS messages and attachments, call logs, and calendar information. Other user data, such as WhatsApp and health data, can sometimes be extracted when the corresponding app is included in the iTunes backup. All of this may be limited if the user had previously set a password-protected iTunes backup, in which case the password would be needed to parse the information (if it is not available, the backup could be decrypted using specialized decryption software, but there is no assurance of success).
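As an added illustration (not code from the original post or from any of the tools named above), the sketch below shows how an examiner could check a backup folder for the two limits described here: whether the backup is password protected, and whether a given app appears in it at all. It assumes the backup contains a `Manifest.plist` with the keys `IsEncrypted`, `WasPasscodeSet` and `Applications`; the function names, the `com.example.*` bundle IDs and the sample manifest are constructed for the example.

```python
import plistlib
import tempfile
from pathlib import Path


def triage_backup(backup_dir, apps_of_interest=()):
    """Summarise a backup folder from Manifest.plist only (no file contents read)."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # accepts both XML and binary plists

    # Assumed key names; a missing key is reported as False / empty, not as an error.
    apps = set(manifest.get("Applications", {}))
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "passcode_was_set": bool(manifest.get("WasPasscodeSet", False)),
        "apps_listed": sorted(apps),
        "apps_of_interest_missing": sorted(set(apps_of_interest) - apps),
    }


def write_sample_backup(directory, encrypted):
    """Create a constructed Manifest.plist so the example runs offline."""
    sample = {
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Applications": {"net.whatsapp.WhatsApp": {}, "com.example.notes": {}},
    }
    with (Path(directory) / "Manifest.plist").open("wb") as fh:
        plistlib.dump(sample, fh, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_backup(tmp, encrypted=True)
        report = triage_backup(tmp, ["net.whatsapp.WhatsApp", "com.example.chat"])
        if report["encrypted"]:
            print("Backup is password protected: the backup password is needed to parse it.")
        print("Apps listed:", report["apps_listed"])
        print("Not in this backup:", report["apps_of_interest_missing"])
```

An app being listed in the manifest only shows that the backup has an entry for it; whether usable data was included still depends on what Apple or the developer chose to back up.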
