iOS Forensics


Apple is a successful company, to say the least. In 2015 alone, they saw profits of $53 billion. In fact, if Apple were a country, it would be the 55th richest country in the world. Much of this success can be traced to their immensely popular line of smartphones, tablets, and music devices: the iPhone, iPad, and iPod Touch, respectively. Each of these devices runs an operating system known as iOS, which is essentially Apple’s mobile version of its flagship operating system, Mac OS X. While the two operating systems are comparable, iOS has a gesture-based touch screen interface and manages files differently than OS X. Given the popularity of these devices, it should come as no surprise that iOS forensics work is routinely required. Apple’s focus on security and robust encryption can often make it difficult to perform forensics work on these devices. Regardless of these difficulties, Gillware Digital Forensics is able to perform forensics on a number of iOS device models, and we continue to expand our capabilities over time.


The Necessity of iOS Forensics

As some of the most popular mobile devices on the planet, Apple’s line of iOS products is used by millions of people all over the world. These devices come equipped with calling, texting, email, high resolution cameras, voice recording, GPS data, and over a million other applications that can be downloaded. With these capabilities, it becomes apparent just how useful they can be in an inquiry. With access to the data on a suspect or victim’s phone, you can often find out who they talked to and when, where they were or where they were going, which applications they used and a whole host of other potential evidence.

With the help of skilled forensics examiners, any iOS forensics case can potentially yield fruitful results with the right tools, knowledge, and expertise. The robust security of iOS devices can often make it difficult to access these devices, but evidence can still be found from other associated data sources if a forensic investigator knows where to look. Digital forensics experts can also help in court to explain these technologies and the ramifications of any evidence found.


iOS Overview

iOS devices encompass numerous models released over the past nine years, beginning in 2007. The first iPhone was released in 2007, followed shortly after by the first iPod Touch, with the first generation iPad not arriving until 2010. With so many different models released over a decently long period of time, there’s a great deal of variety between these devices. Since all of them are from Apple, there is nowhere near the variety seen in Android devices, but there are significant differences nonetheless.

Similar to most smartphones, iOS devices store data on NAND flash memory chips within the device. However, unlike many other mobile devices, iOS devices don’t have a removable battery or slots for external storage. All user data is stored in the NAND and an HFS+ file system is used. This closed-off design is consistent with the rest of Apple’s products, favoring design over user customizability.

One common trend seen with iOS devices is that generally, security has become more robust as you move towards newer models. Forensics work is easier to perform on older model devices using the A4 chip and below, at least as it pertains to locked phones without passcodes. This includes all devices released before the iPhone 4s.

iOS devices also have free methods for backing up data, such as iTunes and iCloud. The latter provides up to 5 GB of free storage for each device and offers the feature known as “Find My iPhone,” a service that examiners obviously want to be wary of when working on an iOS device. It’s extremely important that these devices be isolated from any remote access, as this service can also be used to remotely erase data. Conversely, these services can also be useful to examiners, since backups on associated computers can provide legacy information and data from a previously backed up phone.


What Services Does Gillware Digital Forensics Offer for iOS Forensics?

With a new iPhone every year, new iPod Touch and iPad models every few years, and new versions of iOS all the time, there’s always more iOS forensics research to be done by examiners. Whether that’s obtaining the newest models to tinker with or creating new forensics techniques for older models, each year our capabilities grow.

[Figure: Internals of an iPhone 5s]

Our President, Cindy Murphy, brings many years of digital forensics experience to the team. Together with her experience with law enforcement and as a member of the Madison Police Department, this gives her a wealth of information and experience to draw from in conducting iOS forensics cases.

In addition to her expertise, our own data recovery engineers have over a decade of experience doing complex physical and logical recoveries on a variety of devices, including iOS devices. We are also able to utilize tools such as Cellebrite as well as proprietary recovery and forensics tools to aid us in our iOS forensics work. As mentioned before, success in these cases varies and is contingent upon a number of factors, as we saw with the San Bernardino FBI-Apple case in early 2016. Even now, though, there are new methods to bypass issues such as the iPhone password lockout that didn’t exist earlier this year. Technology moves quickly and digital forensics experts are doing everything in their power to keep up.

iOS Malware

One change in recent years in the digital forensics world is the arrival and proliferation of mobile malware. As secure as the iOS platform is, it is not immune from malware. Recent iOS malware includes late 2015’s XcodeGhost, a modified version of Apple’s programming framework known as Xcode that mines user data on applications it has infected. Another more recent example is the AceDeceiver Trojan, which infects iOS devices that are connected to Windows-based PCs. AceDeceiver is also somewhat unique because iOS devices do not have to be jailbroken in order to be infected by the malware.


One advantage that iOS devices have over Android devices is that in order to install spyware on them, iOS devices must be jailbroken. “Jailbreaking” a device means using software exploits within the device’s operating system in order to remove certain restrictions on the device. This can be useful in many ways, but also adversely affects the security of the device. Spyware is typically used to track the device activities of the owner and is commonly seen in cases of overbearing (or even malicious) employers, abusive partners, and similar undesirable situations. If you need to know if an iPhone has been jailbroken, we can help.

Recovering Data from Broken iOS Devices

Plenty of broken devices have come through Gillware’s lab throughout its history. Whether it’s fire, water, or in one case, even acid, Gillware has recovered data from devices so damaged that they were unrecognizable from their original state. Our forensic data recovery experts use advanced data recovery techniques and proprietary equipment to attempt to create a forensic image of the internal NAND flash memory chips in the hope that data may be recovered for analysis. Deciphering the data and piecing it together in a way that makes sense can often be the greatest challenge with these cases, but our engineers have the necessary experience to figure out these problems when data is recovered.

Expert Testimony

Gillware’s digital forensics experts are also able to provide expert testimony services in a court of law, whether that is to evaluate an opposing expert’s findings or to testify about the findings of your own forensics case. One of the most critical aspects of a forensics case that ends up in court is being able to clearly communicate the findings and provide an accurate analysis of the data to the court. If technical confusion is allowed to happen, there is a chance that reasonable doubt will enter the case where it would otherwise not occur. To ensure your case has the best chance of being understood and communicated clearly in a court of law, use Gillware Digital Forensics.


Use Gillware Digital Forensics for Your iOS Forensics Case

With our world-class digital forensics experts and the right tools to handle difficult cases, use Gillware Digital Forensics for all your iOS forensics needs. To get started, follow the link below to request an initial consultation with Gillware Digital Forensics.