Since the first-generation iPhone model released in 2007, thirteen years have passed with more than twenty different style iPhones being released. With each model comes better hardware specs alongside newer features contained within every major iOS update. Digital forensic capabilities have grown over time and examiners are able to recover and analyze more data than ever before that may prove vital to your case during litigation. The increase in capability allows for new types of data to be extracted and recovered, including communications and other important user generated data.
One of the most common types of forensic analysis performed on Apple iPhones is the recovery of deleted data. It is often possible to recover significant amounts of deleted information, including internet history, search queries, along with communications and attachments (iMessages, text messages, and third-party chat applications.) When information is deleted from an Apple iPhone device, data is stored within the free space of the device or the structure of a database file (mainly SQLite format) and can potentially be overwritten with new information coming onto the phone. Unfortunately, overwritten data is unrecoverable. Attorneys should be wary if an expert guarantees the recovery of any specific deleted information the attorney is seeking.
Since Apple’s implementation of the encrypted file system on its iPhones, when images and videos are deleted they are immediately removed from the device and cannot be recovered. However, deleted images and videos may exist within a previous backup of the device, so be sure to ask users about those. iPhone backups can exist within Apple’s iCloud Service or as a locally created backup stored on a computer system. In addition, thumbnail views of the deleted images may be recoverable from the device.
Phones rely upon location data to improve overall user functionality and experience. Examples of this include using GPS coordinates for travel directions, health information – such as how far you walked, and location data that is collected and used for targeted advertisements. Location data can be stored within photographs taken from the device, just one of many Exchange image file format (“EXIF”) metadata values stored within a photograph. On iPhones, location data is stored by default within photos taken with the device. There may also be additional metadata of interest such as the creation date, time, and the model of the original device the photo was taken with.
Another popular type of forensic analysis is examining the recovered communication history, including active and deleted content. Messages from third party applications may not be stored locally on the device but rather a server. Messages contained within these applications cannot be recovered during a forensic examination of an image, but possibly through the “live” application itself. Consulting with a digital forensics expert will be your best bet if messages from a third-party application are of the utmost concern. This will allow your expert to determine the best course of action to preserve and obtain the third-party communications.
Recently, a new Apple iPhone exploit has surfaced allowing even more data to be collected and extracted from iPhones. This game changing exploit has been named “checkm8” (pronounced: ‘checkmate’) and is a potential evidence goldmine for forensic examiners everywhere. This bootrom jailbreak allows for alternative software to load at device start up when the phone is powered on, providing the examiner access to additional areas of the file system not previously available through the typical acquisition process of an iOS device.
The forensic science and capabilities of Apple iPhone examinations are rapidly changing, just like the technology and software of the devices. It is best to consult with a forensic expert who specializes in mobile device forensics before any steps are taken to extract content from the device to ensure best practices are followed when dealing with potential evidence that may be vital to the case.