iPhone models
The iPhone is among the most popular mobile phones on the market. Apple released the first generation iPhone in June 2007. Ever since the first release, the iPhone has gained a lot of popularity due to its advanced functionality and usability. The introduction of the iPhone has redefined the entire world of mobile computing. Consumers started looking for faster and more efficient phones. Various iPhone models exist now with different features and storage capabilities to serve the consumer requirements. The following table lists all iPhone models with their initial iOS versions:
The iPhones released since the first edition of Practical Mobile Forensics, the iPhones 6, 6 Plus, 6S, and 6S Plus, remain difficult when dealing with physical forensic acquisition methods. Just like the devices released since the iPhone 5, there is no method or tool available to physically recover data from these devices, unless they are jailbroken. However, the file system and a logical acquisition can be obtained if the iPhone is unlocked. Acquisition methods for data extraction are available and will be discussed in Chapter 4, Data Acquisition from iOS Devices, and Chapter 5, Data Acquisition from iOS Backups.
Identifying the correct hardware model
Before examining an iPhone, it is necessary to identify the correct hardware model and the firmware version installed on the device. Knowing the iPhone details helps you to understand the criticalities and possibilities of obtaining evidence from the iPhone. For example, in many cases, the device passcode is required in order to obtain the file system or logical image. Even if the device is supported physically, the passcode is needed to decrypt artifacts such as e-mail and passwords. Depending on the iOS version, device model, and passcode complexity, it may be possible to obtain the device passcode using a brute force attack.
There are various ways to identify the hardware of a device. The easiest is to observe the Model No. displayed on the back of the device. The following image shows the model number etched on the back of the casing. Apple's knowledge base articles can be helpful for this purpose. Details on identifying iPhone models can be found at http://support.apple.com/kb/HT3939.
The firmware version of an iPhone can be found by accessing the Settings option and then navigating to General | About | Version, as shown in the following screenshot. The purpose of the firmware is to enable certain features and assist with the general functioning of the device.
Alternatively, the ideviceinfo command-line tool available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version. The library allows you to communicate with an iPhone even if the device is locked by a passcode. The software library was developed by Nikias Bassen (pimskeks), and it was compiled for Mac OS X by Ben Clayton (benvium).
To obtain the iPhone model and its iOS version information on Mac OS X 10.10.4, follow these steps:
- Open the terminal application.
- From the command line, run the following command to download the libimobiledevice library:
  $ git clone https://github.com/benvium/libimobiledevice-macosx.git ~/Desktop/libimobiledevice-macosx/
  The command creates the libimobiledevice-macosx directory on the user's desktop and places the libimobiledevice command-line tools onto it.
- Navigate to the libimobiledevice-macosx directory, as follows:
  $ cd ~/Desktop/libimobiledevice-macosx/
- Create and edit the .bash_profile file using the nano command, as follows:
  $ nano ~/.bash_profile
- Add the following two lines to the .bash_profile file, as follows:
  export DYLD_LIBRARY_PATH=~/Desktop/libimobiledevice-macosx/:$DYLD_LIBRARY_PATH
  PATH=${PATH}:~/Desktop/libimobiledevice-macosx/
- Press Ctrl + X, type the letter y, and hit Enter to save the file.
- Return to the terminal and run the following command:
  $ source ~/.bash_profile
- Connect the iPhone to the Mac workstation using a USB cable and run the ideviceinfo command with the -s option:
  $ ./ideviceinfo -s
The output of the ideviceinfo command displays the iPhone identifier, internal name, and the iOS version, as shown here:
Free tools, such as iExplorer and others, will provide access to similar iOS device information on a Windows PC, as shown in the following screenshot. Both Mac and Windows methods for recovering iPhone device information will work on the iPad devices as well. Here, iExplorer is being used to obtain device information from the iPhone:
Every release of the iPhone comes with improved or newly added features. As previously stated in this chapter, knowing the iPhone details helps you understand the criticalities and possibilities of obtaining evidence from the iPhone. The examiner must know the model of the device to ensure that their tools and methodologies support that iPhone. They must determine the internal storage size of the iPhone to ensure that the evidence container is large enough for the entire forensic image. Most tools will not alert the examiner that there is not enough disk space on the evidence drive until space has run out. This will waste time and force the examiner to acquire the device a second time. Finally, the network capabilities of the device must be noted, so the examiner properly isolates the device to prevent remote access or wiping during examination. This will be discussed further in Chapter 4, Data Acquisition from iOS Devices.
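The following script is an added example, not part of the original text or of libimobiledevice. It turns the "Key: Value" output of ideviceinfo into a single line for the examination notes and checks that the evidence drive can hold a full image before acquisition starts. The function names are hypothetical, the sample output is constructed, and TotalDiskCapacity is assumed to have been collected from the com.apple.disk_usage domain.

```shell
#!/bin/sh
# Added example: summarise ideviceinfo output and check evidence-drive space.

# Constructed sample, not captured from a real device. TotalDiskCapacity is
# assumed to have been collected from the com.apple.disk_usage domain.
SAMPLE_INFO='DeviceName: Evidence-01
HardwareModel: N61AP
ProductType: iPhone7,2
ProductVersion: 8.4
TotalDiskCapacity: 16000000000'

# get_field KEY: read "Key: Value" lines on stdin, print the value for KEY.
get_field() {
    awk -v k="$1" -F': ' '$1 == k { sub(/^[^:]*: /, ""); print; exit }'
}

# model_name IDENTIFIER: map a ProductType to its marketing name.
model_name() {
    case "$1" in
        iPhone7,2) echo "iPhone 6" ;;
        iPhone7,1) echo "iPhone 6 Plus" ;;
        iPhone8,1) echo "iPhone 6S" ;;
        iPhone8,2) echo "iPhone 6S Plus" ;;
        *)         echo "unknown ($1)" ;;
    esac
}

# free_kb DIR: free space, in 1024-byte blocks, on the volume holding DIR.
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# space_ok NEED_BYTES FREE_KB: succeed only if a full image would fit.
# A missing value on either side is treated as "not enough space".
space_ok() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    need_kb=$(( ($1 + 1023) / 1024 ))
    [ "$need_kb" -le "$2" ]
}

# summarise INFO_TEXT EVIDENCE_DIR: one line for the examination notes.
summarise() {
    ptype=$(printf '%s\n' "$1" | get_field ProductType)
    hw=$(printf '%s\n' "$1" | get_field HardwareModel)
    ver=$(printf '%s\n' "$1" | get_field ProductVersion)
    cap=$(printf '%s\n' "$1" | get_field TotalDiskCapacity)
    verdict="INSUFFICIENT SPACE on $2"
    if space_ok "$cap" "$(free_kb "$2")"; then verdict="space OK on $2"; fi
    printf '%s | %s | iOS %s | %s bytes | %s\n' \
        "$(model_name "$ptype")" "$hw" "$ver" "$cap" "$verdict"
}
summarise "$SAMPLE_INFO" .
```

On a live workstation, pass the captured ideviceinfo output and the mount point of the evidence volume in place of the sample and the current directory.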
The following table shows the specifications and features of legacy and current iPhone models:
The later iPhone releases and features are shown in the following table:
One of the major changes in the iPhone 5, iPhone 5C, and iPhone 5S is the Lightning connector, which is used to charge and synchronize the device with the computer. Devices prior to the iPhone 5 use a 30-pin USB dock connector, whereas the newer iPhones use an eight-pin Lightning connector.
The most recent iPhone releases and features are shown in the following table:
Again, some familiarity with iPhone device hardware will aid the examiner in determining how to handle the device during a forensic investigation. Certain models enforce full disk encryption, while older models do not. Encrypted devices require additional steps during acquisition if access is even possible. The examiner must be prepared for all hurdles they may be required to clear during the acquisition and analytical stages of the investigation. In addition, knowing the capabilities that the iPhone has and its initial and current OS versions makes a difference in the data you will be able to recover from the device. Apple is not consistent with data storage locations across iOS versions. Thus, the examiner must know the original version installed when the phone was first in use to ensure that the forensic tools do not overlook data that could aid in the investigation. Topics such as iOS upgrades will be discussed in Chapter 6, iOS Data Analysis and Recovery.