Chapter 20
EVALUATING DIGITAL FORENSIC OPTIONS FOR THE APPLE iPAD
Andrew Hay, Dennis Krill, Benjamin Kuhar and Gilbert Peterson
Abstract The iPod Touch, iPhone and iPad from Apple are among the most popular mobile computing platforms in use today. These devices are of forensic interest because of their high adoption rate and potential for containing digital evidence. The uniformity in their design and underlying operating system (iOS) also allows forensic tools and methods to be shared across product types. This paper analyzes the tools and methods available for conducting forensic examinations of the Apple iPad. These include commercial software products, updated methodologies based on existing jailbreaking processes and the analysis of the device backup contents provided by iTunes. While many of the available commercial tools offer promise, the results of our analysis indicate that the most comprehensive examination of the iPad requires jailbreaking to perform forensic duplication and manual analysis of its media content.
Keywords: Apple iPad, forensic examinations, iOS logical file system analysis
1. Introduction
Launched in April 2010, the iPad [2] joined the iPhone and iPod Touch to become the latest mobile device to adopt Apple’s iOS operating system [13]. With three million devices sold in the first 80 days since its launch [2] and 250,000 third party applications available on the platform [13], the iPad is a major addition to the crowded mobile computing market. The iPad supports multiple networking protocols and GPS, and provides up to 64 GB of storage [4]. As such, it represents a fusion of technology, which is of interest to digital evidence examiners for many of the same reasons as traditional computing hardware and mobile phones.
In contrast with the relatively open security models embraced by OS X and the iPods that preceded it, iPhone OS (the predecessor to iOS) is a closed operating environment without a traditional file system and
G. Peterson and S. Shenoi (Eds.): Advances in Digital Forensics VII, IFIP AICT 361, pp. 257–273, 2011.
© IFIP International Federation for Information Processing 2011
device disk mode. The version of iOS launched with the iPad additionally supports security features such as application sandboxing, mandatory code signing and 256-bit AES hardware-based data encryption [3]. These features prevent many of the traditional digital forensic media duplication and analysis processes from being employed effectively on the iPad.
The iPhone OS has also largely invalidated the existing strategies available for iPod forensics [16, 22], a problem addressed by Zdziarski in the case of iPhone forensics [25]. Zdziarski’s process requires an iPhone to be hacked in a process known as “jailbreaking.” Before the development of this process, several commercial forensic tools were developed. Hoog and Gaffaney [11] present a survey of the principal tools, and Mislan [19] discusses iOS analysis in the context of general mobile device forensics. However, existing tools and methods do not yet support iOS versions 3.x and above, nor do they cover the manual extraction and analysis of the iTunes backup file from a computer system paired with an iPad. Both these research gaps are addressed in this paper.
This paper makes four contributions to the field of mobile device forensics. The first is a survey of commercial software tools marketed for the forensic analysis of iPads, which have yet to be formally reviewed by NIST [20]. The second is a variation of Zdziarski’s method [25] for manually imaging iPad media using jailbreaking techniques. The third is the enumeration of the forensically relevant content available on an iPad and the specification of the locations of target files in the file system. The fourth contribution is an analysis of the reviewed tools and methods along with a technique for recovering evidence from the device backup file generated by iTunes. Note that our analysis does not include any of the optional security measures that may be enabled on an iPad, such as remote wiping, passcode locking and iTunes backup encryption. Zdziarski [25] has addressed the issue of passcode locking for iPhone OS 2.x, but iTunes backup encryption remains a major obstacle for many of the tools and techniques discussed in this paper.
2. Commercial Software Tools
Three untested commercial tools with iPad compatibility are currently being marketed: Lantern [14], Mobilyze [5] and Oxygen Forensics Suite 2010 [21]. Our analysis focuses on the evidence extracted using these tools and the suitability of these tools when there is an expectation of forensic soundness. Note that the analysis is limited to the free trial versions of the marketed products, whose capabilities may differ from the fully licensed versions.
Lantern (version 1.0.6.0 demo; now 1.0.9 with iOS 4.2.1 support) provides an easy-to-use interface for reviewing a limited subset of iPad data. The extraction of information is quick – it took less than seven minutes for an iPad configured with minimal media content. Multiple processing errors were listed in the error log after extraction, but no explicit warnings were raised to notify the user that something had gone wrong.
Lantern [14] extracts evidence into two categories: media and everything else. The product does not support the manual browsing of extracted data, most of which is hidden in a single file with a proprietary format. All media is stored and hashed individually; everything else is maintained in the archive file, whose hash value is displayed on the main Lantern screen. Files are hashed using MD5, but there is no facility for verifying that the exported evidence matches the archive because of a format conversion during exportation. A usability bug was identified with respect to Lantern’s export data feature: the output file is written without an extension, although the file is in the CSV format and can be manually opened as such.
Mobilyze (version 1.1), which is now part of the BlackLight Forensic Suite, provides graphical information in an intuitive and organized fashion, but it only permits the viewing of a limited selection of iPad data. Device acquisition took 27 minutes – the process copies the majority of files in the iPad’s user partition and includes all the media resources. The copied files are individually hashed with MD5 and the values stored in a separate log. The files are archived in a non-proprietary package that can be browsed manually using the OS X file browser or the built-in Mobilyze browser. Mobilyze also offers built-in viewers for SQLite and Property List files, for which no graphical module is available.
One of the major advantages of Mobilyze is the flexible and intuitive evidence tagging and reporting facility. All the items of interest in the graphical modules can be tagged, and individual data files may be examined using the application file browser. Tagged items are formatted in rich HTML when exported as a report, with the data files clearly displaying the associated file path and hash value.
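Both tools hash the copied files with MD5: Mobilyze writes the values to a separate log, while the Lantern demo offers no way to verify exported evidence against its hashes. The script below is an added example, not code from the paper or from either product; it builds a per-file MD5 manifest for an acquisition directory and re-verifies it later, reporting modified, missing and unlisted files. All directory names and file contents in it are constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def md5_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large media files are not read whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its MD5 digest."""
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and report what no longer agrees with the manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unlisted": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed acquisition tree: hash it, alter it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("Media/DCIM", "Library"):      # constructed layout
            (root / d).mkdir(parents=True)
        photo = root / "Media" / "DCIM" / "IMG_0001.JPG"   # constructed name
        contacts = root / "Library" / "contacts.db"        # constructed name
        photo.write_bytes(b"\xff\xd8 not a real jpeg")
        contacts.write_bytes(b"SQLite format 3\x00")
        manifest = build_manifest(root)
        # Simulate post-acquisition changes an examiner needs to detect.
        photo.write_bytes(b"\xff\xd8 altered after hashing")
        contacts.unlink()
        (root / "Library" / "extra.plist").write_bytes(b"<plist/>")
        return verify_manifest(root, manifest)
```

Feeding `build_manifest` a real acquisition directory once, saving the result, and running `verify_manifest` before each report gives the verification step that the text notes Lantern lacks.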
Oxygen Forensics Suite 2010 (version 2.8.1) reportedly supports evidence acquisition and analysis for more than 1,650 mobile devices. The Oxygen Connection Wizard requires the installation of OxyAgent on many target devices before acquisition can take place. Device acquisition took seventeen minutes; the process individually hashes all the files. The Oxygen Connection Wizard provides an extraction option for a full reading of the iPad file structure, but this option yields files from the user partition and does not capture any system resources. The company has released several updates since our analysis. However, while the release notes include several references to Apple, they do not specifically mention the iPad or the latest Apple iOS.
3. Manual Search Methodology
The iPad file system is “jailed” by firmware restrictions that prevent users from accessing it directly. The device itself has no disk mode to facilitate the viewing and copying of media content. Apple’s philosophy is that all interactions with the device should occur through the iTunes portal. Similarly, third party applications are restricted to executing in a sandbox to prevent subversion of the iOS environment.
Three methods exist for manually recovering digital evidence from an iPad, and several tools are available for performing an analysis. Apple may assist law enforcement examinations with disk-mode unlocking of the device, essentially enabling the iPad to function as a regular external USB drive. The other two methods are jailbreaking the iPad and analyzing the iTunes backup file.
3.1 Jailbreaking and Imaging
One means of gaining root access to the iPad file system is to jailbreak its firmware. With such access, the examiner can install third party packages to image and transfer the device data to a computer via SSH. Zdziarski [25] has described the jailbreaking process for the iPhone OS v2.x. Updates are available for law enforcement [26], but further information is only available via an access-controlled site [12]. Unfortunately, the jailbreaking and package installation strategies that are publicly described are not effective for the iOS software on an iPad, although the imaging and transfer steps remain largely unchanged.
For iOS version 3.2, the user space jailbreaks, Spirit [23] and JailbreakMe [6], provide access and automatically install the Cydia package manager [10] to support the installation of additional software. Cydia is decidedly forensically-unfriendly – it installs several files in the user partition, and while its code is open source, the same cannot be said for its jailbreaking technique. Current (publicly available) jailbreaks for the iPad do not permit an examiner to access the device by installing a forensically-friendly jailbreaking tool that write-protects the user partition. Additionally, while the Spirit jailbreak can be performed without user manipulation, both methods require interaction with the iPad user interface to install the OpenSSH and netcat packages required for imaging and transfer.
Two jailbreaks can be applied to devices running iOS 4.2.1: PwnageTool 4.1.3 [7] and redsn0w 0.96b6 [7]. PwnageTool does not currently