iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices

by Andrew Hoog, Katie Strzempka



As sales and usage of iPhones increase, so does the demand on organizations that conduct examinations on this device. iPhone and iOS Forensics takes an in-depth look at methods and processes that analyze the iPhone/iPod in an official legal manner. All of the methods and procedures outlined in the book can be taken into any courtroom. This book details the iPhone with information data sets that are new and evolving, with official hardware knowledge from Apple itself to help aid investigators.

  • Learn techniques to forensically acquire the iPhone, iPad and other iOS devices
  • Entire chapter focused on Data and Application Security that can assist not only forensic investigators, but also application developers and IT security managers
  • In-depth analysis of many of the common applications (both default and downloaded), including where specific data is found within the file system

Editorial Reviews

From the Publisher
"...a must-have book for those who are professionally engaged in the practice of digital forensics. The book has a wealth of information, and one would not want to be cross-examined as an expert witness without having read this book first."—The Journal of Digital Forensics, Security and Law, Vol. 8, No. 4, 2013

Product Details

Elsevier Science
Publication date:
Sold by: Barnes & Noble
File size: 7 MB

Read an Excerpt

iPhone and iOS Forensics

Investigation, Analysis and Mobile Security for Apple iPhone, iPad, and iOS Devices
By Andrew Hoog, Katie Strzempka


Copyright © 2011 Elsevier, Inc.
All rights reserved.

ISBN: 978-1-59749-660-5

Chapter One



• iPhone Models

• Forensic Examination Approaches


Mobile devices have come a long way over the past few years. For a while, cell phones were simply used for making phone calls. As they continued to mature, the capability to send and receive text messages, create calendar events, and save contacts became readily available. Fast forward to the present day, and mobile devices are now being used extensively and serve many purposes. Around 4.6 billion individuals owned cell phones as of early 2010, and the number was expected to reach 5 billion by the end of the year (CBS, 2010). With this increase in popularity came an enormous demand for mobile forensics.

The iPhone was first released to consumers in June 2007. Ever since the first release, the device has increasingly gained in popularity, partly due to its advanced functionality and usability. With the iPhone, individuals now have the capability to check e-mail, take photos, browse the Internet, and do much more. These activities make the iPhone take the place of personal computers (PCs) and digital cameras. In addition to the standard capabilities that exist in the iPhone, endless applications are also available for download to assist with finances or organization, or simply for entertainment.

In the late 1980s, the Newton platform was Apple's main focus. This platform was a personal data assistant (PDA), which never really took off. The project ultimately failed in 1998. One year prior to that, Steve Jobs became the CEO of the company. Before the idea of the iPhone was actually formulated, Jobs decided to have Apple start focusing on the idea of touch-screen development rather than PDAs and tablet PCs. Believing that cellular devices were going to become very popular, the company began developing a mobile device that could display pictures and videos and would ultimately have the capability to sync with iTunes. In November 2006, a patent was granted for the Apple iPhone, and in January 2007 Jobs announced the release of the iPhone at MacWorld (Wired, 2008).


Apple's strategy over the past few years has shifted away from traditional computing. New and innovative ideas have been developed, disrupting the existing business model. In the music and video genre, several different applications and devices have been developed including the Apple TV, iTunes, and various iPod devices. The mobile category includes the iPhone, while the class of delivery channel items includes both iTunes for synchronization and downloads and the App Store. Finally, the development of the iPad (and previously the Newton device) falls within the Tablet category.

Many of these newer devices have been consolidated onto the iOS platform, with the exception of the Macintosh workstations, which are running OS X. There has been some debate in the past on whether Mac OS X will transform to iOS or perhaps a platform more similar to iOS. Mac OS X Lion is to be released in the summer of 2011. This operating system is said to have qualities similar to those of the iOS devices, with the exception of a touch-screen feature. A Mac App Store was released in January of 2011, which enables Mac users to purchase software straight from their computer, similar to the way applications can be purchased through the iTunes App Store (Apple Inc., 2010).

As of 2009, the iPhone had taken third place in smart phone sales worldwide, which constituted 4.4% of the market share (McGlaun, 2010). During the first quarter of 2010 alone, 8.75 million were sold, which was more than half the number for the same period in 2009. Just prior to the release of the iPhone 4, over 50 million iPhones had been sold, and statistics from Q4 2010 show that Apple controlled 25% of the smart phone market in the United States (Slashdot, 2011). With the extreme popularity of the iPhone and the increasing number of devices sold, this mobile device has become one of the main focal points of many forensic investigations.

Development community

Apart from sales, the iPhone has an active hacking community, which has yielded research and tools that support forensic investigations. Some of these tools and techniques were originally used to assist with forensic imaging and are currently used for testing in order to better understand the device. Cydia is a popular application used for these purposes. It allows users with a modified phone to download and run iPhone or iPad applications that are not available in the App Store. More specifically, applications can be found here that may allow an examiner to better understand the iPhone file system and other data contents, such as Mobile Terminal. Jailbreaking, or modifying an Apple device, is not suggested, as it is not a forensically sound method; however, having the capability to remotely connect to a test device for educational purposes can be an invaluable learning experience for an examiner.

Another technique that is commonly used on the iPhone is referred to as "unlocking." From 2007 to early 2011, AT&T was the only provider that offered service for the iPhone in the United States. In order to function properly, an AT&T SIM (subscriber identity module) card had to be placed into the device to identify itself on the carrier's network. In February 2011, the iPhone 4 became available through another carrier, Verizon. With the device being so exclusive and only available under these two carriers, many iPhone users search for other options. Unlocking an iPhone is a method that allows the device to be used on alternative networks, and various Apple tutorial sites, such as iClarified, provide steps on how to do this. The process typically involves installing an application, running it, and replacing the AT&T SIM card with that of a different carrier. As Verizon is on the CDMA (code division multiple access) network rather than GSM (global system for mobile communications), its version of the iPhone does not come with a SIM card. For this reason, unlocking the iPhone 4 from Verizon's network is impossible using the current methods. Having said that, the Apple user community will undoubtedly develop an alternative method in the future.

The Apple developer site is another resource that can benefit developers, examiners, or individuals interested in the iOS or OS X environments. Once a registered Apple developer, an individual can download Xcode and the iOS software development kit (SDK) to assist in application development. Included in this development suite are an Xcode integrated development environment (IDE), iOS simulator, and additional tools required for iPhone, iPad, and iPod touch application development.

Once the Xcode and iOS SDK are downloaded, the installer must be run in order to use the tools. Once installed, the tools and files shown in Figure 1.1 can be found in the following path: /Developer/Platforms/iPhoneSimulator.platform

One of the most useful tools within this package is the iOS simulator (as shown in Figure 1.2). This program allows the investigator to select an Apple device and version and use the simulator to test this particular model. For this example, the iPhone running firmware version 4.2 was selected. Among the other options were versions 3.2 (for the iPad) and 4.0.2 and 4.1 (for the iPhone). The software is memory intensive, so one can expect the testing to be a little slow. The simulator starts up with just a few general apps, including Photos, Settings, Game Center, Contacts, and Safari. The user is able to go into these apps, use them as though they were on a real device, and even perform additional functions including Toggle In-Call Status Bar, Simulate a Memory Warning, Simulate a Hardware Keyboard, and Lock the device. Lacking from the simulator are some of the more common apps, such as SMS, Calendar, Camera, and Notes, as well as the App Store for downloading additional applications.

The main purpose of the simulator is to be used by application developers in conjunction with Xcode. When Xcode is used to develop an iPhone or iPad application, the code can be tested and run using the simulator on various firmware versions. Testing on the simulator will ensure that the application is performing the way it is expected to.


The original iPhone 2G was released in the United States in June 2007. Simultaneously, iTunes version 7.3 was also released, which would support synchronization with this device. Subsequent models were released in the following years: the 3G in July 2008, 3G(s) in June 2009, and the iPhone 4 in June 2010.

Each device arrives with its own firmware version, which can be found by navigating to Settings > General > About > Version. The purpose of the firmware is to enable certain features, fix bugs or security holes, and assist with the general functioning of the device. Apple will occasionally release new firmware upgrades to resolve some of these issues.

Table 1.1 displays the model number and the initial iOS versions for each device.

In order to identify the device model with the phone powered off, there are a few different things to consider. The first to look for is the model number etched at the back of the casing. Also, the original iPhone had a metal casing, whereas the 3G and 3G(s) had a plastic casing. The 3G(s) has the writings at the back etched in silver to differentiate it from the 3G, which has only the Apple logo in silver. Finally, the iPhone 4 has a unique square design. The corners are less rounded, making it easier to differentiate between the earlier versions. Apple's knowledge base articles can be helpful for this purpose. Details on identifying iPhone models can be found at the following link: http://support.apple.com/kb/HT3939

Table 1.2 shows the specifications and features of each of the models, depending on the storage size (Costello, n.d.).

There were three main differences that separated the 3G from the original iPhone device. One of these features is the addition of the CDMA cellular protocols. W-CDMA is the air interface standard for 3G networks. The intent of adding this protocol was for increased connection speed as well as more efficient support for a greater number of users. The second feature to differentiate the 3G from the 2G is the integrated global positioning system (GPS), which is also found in the 3G(s) and iPhone 4. Finally, the amount of NAND Flash memory increased by a factor of 2 (Semiconductor Insights, n.d.).

iPhone hardware

The iPhone, like most complex electronic devices, is a collection of modules, chips, and other electronic components from many manufacturers. Due to the complex and varied features of the iPhone, the list of hardware is extensive. Table 1.3 consists of a list of many of the components of an iPhone 3G(s), including the manufacturer and model or part number.

The Samsung CPU is a RISC (reduced instruction set computer) processor that runs the core iPhone processes and works in conjunction with the PowerVR co-processor for graphics acceleration. The CPU is underclocked to 412 MHz (from a possible 667 MHz), presumably to extend battery life. Many of the internal components vary depending on the iPhone model. Semiconductor Insights is a significant resource in understanding the inner workings of many different types of devices. Their device library includes many mobile devices, including the iPhone. A report is completed for each device, which includes a description of the product, details on how to disassemble and reassemble the device, teardown photos, hardware components, and much more (Semiconductor Insights, n.d.).

The baseband is another essential component on the iPhone. The baseband manages all the functions that require an antenna, notably all cellular services. Unlocking the device was mentioned earlier. During this process, the baseband is the part of the device that is hacked in order to allow the iPhone to connect to a different cellular network. There are different baseband versions, which is why the unlocking process must constantly be modified. When a new device comes out, such as the iPhone 4, it will arrive with a different baseband version. The baseband version can be found under Settings > General > About > Modem Firmware, as shown in Figure 1.3.

The baseband processor has its own RAM and firmware in NOR Flash, separate from the core resources. It functions as a resource to the main CPU. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.

The images displayed on the next page, courtesy of Semiconductor Insights, were taken after an iPhone 3G(s) was manually dismantled: Figure 1.4 is an image of the top of the device and Figure 1.5 is of the bottom.


Excerpted from iPhone and iOS Forensics by Andrew Hoog, Katie Strzempka. Copyright © 2011 by Elsevier, Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Meet the Author

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training about the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs and lectures and trains both corporations and law enforcement agencies. As the foremost expert in Android Forensics, he leads expert level training courses, speaks frequently at conferences and is writing a book on Android forensics.
Katie Strzempka is a Technology Consultant with viaForensics, a computer and mobile forensics firm. She performs forensic investigations, security audits and research, and has trained investigators around the world in mobile forensics. Katie is also a co-author for a white paper on iPhone Forensics, an analysis of the various iPhone Forensics commercial tools.

Ms. Strzempka received her Master’s degree from Purdue University in Cyber Forensics and has a B.S. in Computer and Information Technology. Prior to working for viaForensics, Katie worked for 3 years in Information Security for a Fortune 500 company, handling firewall administration and assisting with internal and external network connectivity.
