
Apple iPhone Forensics: An Update from the Trenches


Since the first-generation iPhone was released in 2007, thirteen years have passed and more than twenty iPhone models have shipped. Each model brings better hardware alongside the new features introduced in every major iOS release. Digital forensic capabilities have grown in step, and examiners can now recover and analyze more data than ever before, data that may prove vital to your case during litigation. These gains allow new types of data to be extracted and recovered, including communications and other important user-generated data.

Deleted Data

One of the most common types of forensic analysis performed on Apple iPhones is the recovery of deleted data. It is often possible to recover significant amounts of deleted information, including internet history, search queries, and communications with their attachments (iMessages, text messages, and third-party chat applications). Most of this data lives in SQLite database files, and when a record is deleted from one, SQLite generally only marks its space as free: the old bytes linger in free pages, in unallocated space inside a page, or in the database's journal or write-ahead log until that space is reused or the database is rebuilt. Recovery therefore depends on what has happened to the database since the deletion. New information arriving on the phone can overwrite the remnants, and overwritten data is unrecoverable. Attorneys should be wary if an expert guarantees the recovery of any specific deleted information the attorney is seeking.
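To make the SQLite point concrete, here is an added example (not code from the original article or its authors) that builds a small chat-style database, deletes one row, and then checks whether the deleted text can still be found in the raw file bytes, which is essentially what forensic tools do when they carve SQLite free space. The table, rows and message text are constructed for the demonstration; the secure_delete pragma and VACUUM are SQLite's own features, used here to show what makes the remnant disappear.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for a chat table such as iMessage's.
SAMPLE_ROWS = [
    (1, "alice", "running late, start without me"),
    (2, "bob", "meet me at the warehouse at midnight"),
    (3, "alice", "ok see you there"),
]
DELETED_ID = 2
NEEDLE = SAMPLE_ROWS[1][2].encode()  # the deleted text we try to get back


def build_db(path):
    """Create the chat database on disk with the constructed rows."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def delete_row(path, row_id, secure_delete=False):
    """Delete one row. By default SQLite only marks the cell free and leaves
    its bytes in place; with secure_delete=ON it zeroes them instead."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("DELETE FROM message WHERE id = ?", (row_id,))
    con.commit()
    con.close()


def vacuum(path):
    """Rebuild the file from live rows only; freeblocks and free pages are gone."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def live_bodies(path):
    """What the application (and a logical extraction) sees."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM message ORDER BY id")]
    con.close()
    return rows


def raw_contains(path, needle):
    """What an examiner sees: scan the file bytes, ignoring the live schema."""
    with open(path, "rb") as f:
        return needle in f.read()


def run_scenario(secure_delete=False, do_vacuum=False):
    """Return (visible_to_sql, recoverable_from_raw_bytes) after deleting the row."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path)
        delete_row(path, DELETED_ID, secure_delete=secure_delete)
        if do_vacuum:
            vacuum(path)
        return (NEEDLE.decode() in live_bodies(path), raw_contains(path, NEEDLE))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain delete:        ", run_scenario())                    # (False, True)
    print("delete, then VACUUM: ", run_scenario(do_vacuum=True))      # (False, False)
    print("secure_delete=ON:    ", run_scenario(secure_delete=True))  # (False, False)
```

The first scenario is the recoverable case: the row is gone from every query, yet its text still sits in the page's freed space. The other two are the unrecoverable cases the paragraph warns about, one where the database was rebuilt and one where the application asked SQLite to wipe freed cells. Real apps add a further variable, the write-ahead log, so an examiner also preserves any -wal and -shm files next to a database rather than only the main file.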

Because Apple encrypts every file on the iPhone with its own key (Data Protection), a deleted image or video cannot be carved back out of free space the way it can on an unencrypted drive: once the file's key is discarded, whatever bytes remain are unreadable. Note that photos and videos deleted through the Photos app first sit in the Recently Deleted album for up to 30 days and are fully recoverable during that window. After that, deleted images and videos may still exist within a previous backup of the device, so be sure to ask users about those. iPhone backups can exist within Apple's iCloud service or as a locally created backup stored on a computer. In addition, thumbnails of deleted images may be recoverable from the device.

Location Data

Phones rely upon location data to improve functionality and the user experience: GPS coordinates for travel directions, health information such as how far you walked, and location data that is collected and used for targeted advertising. Location data can also be stored inside photographs taken with the device, as one of many Exchangeable image file format (EXIF) metadata values embedded in the photo. On iPhones, location is recorded in photos by default, provided the Camera app has been allowed to use Location Services. Other EXIF metadata of interest includes the creation date and time and the make and model of the device that took the photo. One caveat: many messaging apps and social media platforms strip this metadata from the copies they deliver, so the original file from the device or its backup is the one to examine.
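As an added example (not code from the original article or its authors), the following parser reads the EXIF block of a JPEG and pulls out the make, model, timestamp and GPS coordinates, converting the degrees/minutes/seconds rationals to signed decimal degrees the way a forensic tool would. The JPEG it parses is constructed inside the block: a bare SOI/APP1/EOI shell with no image data, and the make, model, date and coordinates in it are made-up sample values, not real evidence. The tag numbers and field types are the EXIF/TIFF ones; the parser treats the file as untrusted input and skips entries whose offsets run past the end of the block.

```python
import struct

# EXIF/TIFF field types used here: type code -> (struct format per element, element size)
TYPES = {2: ("s", 1), 3: ("H", 2), 4: ("I", 4), 5: ("II", 8)}  # ASCII, SHORT, LONG, RATIONAL
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def encode_ifd(entries, ifd_offset):
    """Serialize one little-endian IFD located at ifd_offset within the TIFF block.
    entries: (tag, type, count, raw_bytes); values longer than 4 bytes are stored
    after the IFD and referenced by offset, as the TIFF layout requires."""
    entries = sorted(entries)
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    out, data = struct.pack("<H", len(entries)), b""
    for tag, ftype, count, raw in entries:
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")               # small values live inline
        else:
            field = struct.pack("<I", data_offset + len(data))
            data += raw
        out += struct.pack("<HHI", tag, ftype, count) + field
    return out + struct.pack("<I", 0) + data          # 0 = no next IFD


def build_sample_jpeg():
    """Constructed input: a JPEG shell (SOI, APP1 Exif, EOI) with no pixels,
    carrying made-up sample values for make, model, date and GPS position."""
    ascii_ = lambda s: (2, len(s) + 1, s.encode() + b"\0")
    rationals = lambda dms: (5, 3, b"".join(struct.pack("<II", n, d) for n, d in dms))
    ifd0 = [(0x010F,) + ascii_("Apple"), (0x0110,) + ascii_("iPhone 11 Pro"),
            (0x0132,) + ascii_("2020:03:14 15:09:26")]
    # GPSInfo points at the GPS sub-IFD, placed right after IFD0 and its data.
    gps_offset = 8 + 2 + 12 * (len(ifd0) + 1) + 4 + sum(len(e[3]) for e in ifd0 if len(e[3]) > 4)
    ifd0.append((0x8825, 4, 1, struct.pack("<I", gps_offset)))
    gps = [(0x0001,) + ascii_("N"), (0x0002,) + rationals([(38, 1), (53, 1), (5172, 100)]),
           (0x0003,) + ascii_("W"), (0x0004,) + rationals([(77, 1), (2, 1), (1140, 100)])]
    tiff = b"II*\0" + struct.pack("<I", 8) + encode_ifd(ifd0, 8) + encode_ifd(gps, gps_offset)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_ifd(tiff, off, order, names):
    """Decode one IFD into {name: value}; entries that are malformed or of a type
    we do not handle are skipped rather than guessed at."""
    out = {}
    if off + 2 > len(tiff):
        return out
    (n,) = struct.unpack(order + "H", tiff[off:off + 2])
    for i in range(n):
        e = off + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, ftype, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        if ftype not in TYPES:
            continue
        code, size = TYPES[ftype]
        nbytes = size * count
        start = e + 8 if nbytes <= 4 else struct.unpack(order + "I", tiff[e + 8:e + 12])[0]
        raw = tiff[start:start + nbytes]
        if len(raw) != nbytes:
            continue                                  # offset points outside the block
        if ftype == 2:
            value = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        else:
            nums = struct.unpack(order + code * count, raw)
            if ftype == 5:                            # RATIONAL: numerator/denominator pairs
                value = tuple(a / b if b else float("nan") for a, b in zip(nums[::2], nums[1::2]))
            else:
                value = nums[0] if count == 1 else nums
        out[names.get(tag, "tag_0x%04x" % tag)] = value
    return out


def parse_exif(jpeg):
    """Walk the JPEG segments to the Exif APP1 block, then decode IFD0 and the GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        return {}
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI / start of scan: no more metadata
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            if len(tiff) < 8:
                return {}
            order = "<" if tiff[:2] == b"II" else ">"
            (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
            tags = read_ifd(tiff, ifd0_off, order, IFD0_TAGS)
            if isinstance(tags.get("GPSInfo"), int):
                tags.update(read_ifd(tiff, tags["GPSInfo"], order, GPS_TAGS))
            return tags
        pos += 2 + seglen
    return {}


def gps_decimal(tags):
    """Signed decimal degrees from the DMS rationals, or None if any piece is missing."""
    keys = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if any(k not in tags for k in keys) or len(tags["GPSLatitude"]) != 3 or len(tags["GPSLongitude"]) != 3:
        return None
    def dms(parts, ref):
        d, m, s = parts
        return -(d + m / 60 + s / 3600) if ref in ("S", "W") else d + m / 60 + s / 3600
    return dms(tags["GPSLatitude"], tags["GPSLatitudeRef"]), dms(tags["GPSLongitude"], tags["GPSLongitudeRef"])


if __name__ == "__main__":
    tags = parse_exif(build_sample_jpeg())
    print(tags)
    print("position:", gps_decimal(tags))             # (38.8977, -77.0365)
```

Run against a real photo, the same parse_exif call returns many more tags (the parser labels unknown ones by number); the point of the sample is the GPS IFD hop and the sign convention, since a coordinate that loses its N/S or E/W reference is off by a hemisphere.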

Communication Data

Another popular type of forensic analysis is examining recovered communication history, both active and deleted content. Messages from third-party applications may not be stored locally on the device but only on the provider's server. Such messages cannot be recovered from a forensic image of the device, though they may be obtainable through the "live" application itself or from the provider. Consulting a digital forensics expert early is your best bet if messages from a third-party application are of the utmost concern, so that the expert can determine the best course of action to preserve and obtain them.

New Capabilities

Recently a new exploit surfaced that allows even more data to be collected and extracted from iPhones. This game-changing exploit, named "checkm8" (pronounced "checkmate"), is a potential evidence goldmine for forensic examiners everywhere. checkm8 targets a flaw in the BootROM, the read-only code that runs first when the phone is powered on, in the chips used from the iPhone 4S through the iPhone X (A5 through A11). Because the BootROM cannot be rewritten, Apple cannot fix the flaw with an iOS update; it is fixed only in newer hardware. Exploiting it at start-up lets alternative software load before iOS does (the checkra1n jailbreak is built on it), giving the examiner access to areas of the file system that the typical iOS acquisition process does not reach. The exploit does not, however, break the device's encryption: the user's passcode is still required to decrypt most user data, and the exploit must be re-run on every boot.

The science and capabilities of Apple iPhone examinations are changing as rapidly as the devices themselves. Consult a forensic expert who specializes in mobile device forensics before any steps are taken to extract content from a phone, so that best practices are followed when handling potential evidence that may be vital to the case.

Michael Maschke
Chief Executive Officer at Sensei Enterprises, Inc.
Michael Maschke is the Chief Executive Officer at Sensei Enterprises, Inc. Mr. Maschke holds a degree in Telecommunications from James Madison University. Mr. Maschke is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker (CEH), an AccessData Certified Examiner (ACE), and a Certified Information Systems Security Professional (CISSP).

He is an associate member of the American Bar Association and has spoken at the American Bar Association’s TECHSHOW conference on the subject of cybersecurity. He is currently an active member of the ABA’s Law Practice Division: Technology Core Group and is on the Fairfax Law Foundation Board of Directors. Mr. Maschke is a 2019 Fastcase 50 award recipient.

He is also a co-author of Information Security for Lawyers and Law Firms, a book published by the ABA in 2006, and of The 2008-2020 Solo and Small Firm Legal Technology Guides (American Bar Association, 2008 – 2020).
Brandon Barnes
Digital Forensics Examiner at Sensei Enterprises, Inc.
Brandon Barnes is a Digital Forensics Examiner at Sensei Enterprises, Inc. and specializes in electronic evidence analysis, data recovery, and forensic reporting. Brandon is an EnCase Certified Examiner (EnCE). He is from Pennsylvania, where he received his Bachelor of Science in Digital Forensics from Bloomsburg University.
