iPhone forensic analysis

There are many challenges facing the computer forensic investigator when acquiring data from iPhones and the iOS operating system. Many different tools are required to access all the data that can be found on an iPhone. Essentially, iOS is a proprietary, encrypted operating system, and the constant patches and upgrades mean that forensic tools struggle to keep pace.

The first challenge is to protect the data. Should the examiner simply switch the device off, or create Faraday protection so that it cannot communicate with any wireless network? Putting the iPhone into airplane mode is often one of the best ways to preserve the evidence. The most common way of acquiring data from an iOS device is through the iTunes backup. When the iOS device is not available, this is the only option. iTunes performs an automated backup during the sync process, and it is this backup that will provide the most useful information for the forensic examiner.
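As an added example (not from the original article), the Python below indexes the file catalogue of an unencrypted iTunes backup and flags catalogue rows that are internally inconsistent. It assumes the iOS 10 and later backup layout, which the article does not describe: a SQLite `Manifest.db` with a `Files` table, and each file stored under the SHA-1 of `domain-relativePath`. The rows are constructed sample data, and the real table's extra metadata column is omitted.

```python
import hashlib
import sqlite3

# Constructed sample rows (domain, relativePath, flags); flags 1 = file, 2 = directory.
SAMPLE_ROWS = [
    ("HomeDomain", "Library/SMS/sms.db", 1),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", 1),
    ("HomeDomain", "Library/Notes", 2),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 1),
]

def file_id(domain, relative_path):
    """Name of a file inside the backup: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

def build_sample_manifest(tamper=False):
    """In-memory stand-in for Manifest.db holding the Files columns used below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
               "relativePath TEXT, flags INTEGER)")
    for domain, path, flags in SAMPLE_ROWS:
        db.execute("INSERT INTO Files VALUES (?, ?, ?, ?)",
                   (file_id(domain, path), domain, path, flags))
    if tamper:
        # Simulate a row whose path was altered after the fileID was written.
        db.execute("UPDATE Files SET relativePath = 'Library/SMS/other.db' "
                   "WHERE relativePath = 'Library/SMS/sms.db'")
    return db

def index_backup(db):
    """Return (entries, mismatches): regular files with their location in the
    backup folder, and rows whose fileID does not hash from domain and path."""
    entries, mismatches = [], []
    rows = db.execute(
        "SELECT fileID, domain, relativePath, flags FROM Files "
        "ORDER BY domain, relativePath")
    for fid, domain, path, flags in rows:
        if fid != file_id(domain, path):
            mismatches.append((fid, domain, path))
        elif flags == 1:
            entries.append({"domain": domain, "path": path,
                            "stored_as": f"{fid[:2]}/{fid}"})
    return entries, mismatches

if __name__ == "__main__":
    entries, bad = index_backup(build_sample_manifest())
    for e in entries:
        print(f"{e['domain']}:{e['path']} -> {e['stored_as']}")
    print("mismatched rows:", len(bad))
```

Run it against a working copy of the backup rather than the original, so that the acquired evidence is never opened for writing.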

Multi-platform forensic software can be used to interrogate the actual iPhone. When executed alongside the iTunes backup, the evidence can be assumed to be forensically ‘sound’. Logical methods of acquisition include the synchronisation utility built into the iOS operating system, allowing the forensic analyst to gather information on usage. The downside is that this method does not report on slack space.

iOS devices store an enormous amount of user activity data, often more than the user is aware of. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on an iOS device's storage media, many with time-stamped data.
