Mobile devices: iPhone risks and Forensic Tool capability

Knight, Benjamin Andrew
Cusack, Brian
Degree name
Master of Forensic Information Technology
Auckland University of Technology

The research evaluates the capability of software-based tools that extract data stored on an Apple iPhone. A literature review is performed covering material on: mobile devices, iPhone, hard disks, networking connectivity, usage environments, data integrity, evidence volatility, data extraction methods and operating systems. Literature shows that iPhone data extraction is complex due to hardware and software limitations. Understanding the capability of the tool used to retrieve data is important in ensuring a sound investigation. Based on the literature, a research methodology is defined. A descriptive approach is selected. The research process is split into three phases: test iPhone capability, evaluate extraction tools and compare extraction tools. At each phase, data is collected, processed and analysed. At the first phase, a “catalog” of known data stored on the iPhone is collected. At the second phase, an audit “journal” of procedure and an “extraction log” of extracted data are collected. At the last phase, a sample set of weighted scenarios is used to analyse tool capability. Research findings indicate 12,963 files were extracted from an iPhone and classified in the catalog. Operating system limitations restrict user access to the iPhone file system. A method of opening access, known as jailbreaking, can be used to bypass such restrictions. Of the files in the catalog, the highest result obtained by an extraction tool is 797 from Oxygen Forensics Suite 2010 and the lowest result is 178 from Device Seizure. Scenario analysis indicates Oxygen Forensics Suite 2010 works better in case scenarios, whereas non-forensic tools have more limitations. Discussion of findings indicates that SQLite and Property List files are common sources of data storage on the iPhone. Analysis of the iPhone operating system shows that Apple has put multiple controls in place to limit access to the stored data. There is potential for further research into extraction tool capability.

Forensics, iPhone, Computer forensics, Digital forensics, Tool capability, Mobile devices