BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE

Similar documents
Case Study: Smart Phone Deleted Data Recovery

Successful ediscovery in a Bring Your Own Device Environment

Mobile Devices in Electronic Discovery

ACQUISITION AND ANALYSIS OF IOS DEVICES MATTIA EPIFANI SANS FORENSICS PRAGUE PRAGUE, 10 OCTOBER 2013

Harry Fike Frostburg State University Office of Information Technology Technical Services

Case Study: Mobile Device Forensics in Texting and Driving Cases

Backing up your digital image collection provides it with essential protection.

NHSmail mobile configuration guide Apple iphone

Answers to these questions will determine which mobile device types and operating systems can be allowed to access enterprise data.

Managing Mobility. 10 top tips for Enterprise Mobility Management

iphone in Business How-To Setup Guide for Users

A White Paper from AccessData Group. The Future of Mobile E-Discovery

A White Paper from AccessData Group. The Future of Mobile E-Discovery

How To Protect Your Business Information From Being Stolen From A Cell Phone Or Tablet Device

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Apple Deployment Programs Apple ID for Students: Parent Guide

How To Protect The Agency From Hackers On A Cell Phone Or Tablet Device

How To Protect Your Mobile Devices From Security Threats

APPLE & BUSINESS. ios ENTERPRISE SECURITY ENTERPRISE NEEDS CONFIGURATION PROFILES

Dacorum U3A Apple Mac Users Group Agenda TUESDAY 7th July 2015 Time Machine Backups for your MAC & ipad?

Mobile Operating Systems & Security

E-commerce: Competing the Advantages of a Mobile Enterprise

Mobile Device Management (MDM) Policies

iphone in Business Mobile Device Management

Cisco Mobile Collaboration Management Service

ios How to Back Up from icloud

BYOD and Its Impact on IT. Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment

Mobile Security: Controlling Growing Threats with Mobile Device Management

PMDP is simple to set up, start using, and maintain

Systems Manager Cloud-Based Enterprise Mobility Management

Absolute Manage MDM. John Wu Systems Engineer

A Brief Insight on IOS deployment in Education System- need for 3 rd Platform implementation in Schools

umobilecam Setup Guide All-in-One Mobile Surveillance for Android, ios, Mac, Windows Webcam, IP camera (version 1.0)

Systems Manager Cloud Based Mobile Device Management

IBM Endpoint Manager for Mobile Devices

BYOD Policy Implementation Guide. February 2016 March 2016

Bring Your Own Device (BYOD) Mobile Device Management (MDM) Joshua Jacobs, Sawyers & Jacobs LLC jjacobs@sawyersjacobs.com. Presented by Joshua Jacobs

Asset Management In A Consumerized World

Information Systems. Connecting Smartphones to NTU s System

ShareSync Get Started Guide

EOH Cloud Mobile Device Management. EOH Cloud Services - EOH Cloud Mobile Device Management

ipad in Business Mobile Device Management

Security and Privacy Considerations for BYOD

An Overview of Samsung KNOX Active Directory and Group Policy Features

Students Mobile Messaging Registration & Configuration

Exchange ActiveSync Configurations for GroupWise

Mobile Devices Using Without Losing

Mobile Tablet Devices

Cortado Corporate Server

Symantec Mobile Management 7.1

Smart Ideas for Smartphone Security

Guideline on Safe BYOD Management

Cell Phone Operating Systems

Mobile Device Management AirWatch Enrolment ios Devices (ipad, iphone, ipod) Documentation - End User

Frequently Asked Questions & Answers: Bring Your Own Device (BYOD) Policy

Mobile Device Management (MDM) Policies. Best Practices Guide.

Deploying iphone and ipad Mobile Device Management

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

Mobile Iron User Guide

How to wipe personal data and from a lost or stolen mobile device

ShareSync Get Started Guide

Certified Digital Forensics Examiner

Symantec Mobile Management 7.2

Symantec Mobile Management 7.2

itunes: About ios backups

Why you need. McAfee. Multi Acess PARTNER SERVICES

iphone in Business Security Overview

There are two new acronyms affecting most businesses today. And, like all change, these can have both positive and negative impacts on your business.

Five Steps to Android Readiness

CDW PARTNER REVIEW GUIDE MOBILE DEVICE MANAGEMENT

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Access Tropical Cloud Desktop from Any Device

10 Hidden IT Risks That Might Threaten Your Business

Apple Configurator MDM Site - Review

Wrapping Your Arms Around Mobile Security in the Enterprise Nathan King, Senior Manager, IT Security Systems United Airlines

What We Do: Simplify Enterprise Mobility

User Manual for Version Mobile Device Management (MDM) User Manual

The Incident Response Playbook for Android and ios

What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes

Quick Start Guide. Version R9. English

An innovative option for fast ipad and iphone development

iphone in Business How-To Setup Guide for Users

2011 International Field Directors & Technologies Conference

Symantec Mobile Management 7.1

Quickstart Guide Vodafone Mobile Wi-Fi R216-Z

Back it up. Get it back. Simple.Secure.Affordable.

How To Manage A Mobile Device Management (Mdm) Solution

Athena Mobile Device Management from Symantec

Choosing an MDM Platform

Daylite Server Admin Guide (Dec 09, 2011)

Sophos Mobile Control User guide for Apple ios. Product version: 2 Document date: December 2011

ONE Mail Direct for Mobile Devices

CERTIFIED DIGITAL FORENSICS EXAMINER

Backing Up Your Files. External Hard Drives

EXECUTIVE SUMMARY Cloud Backup for Endpoint Devices

An introduction to Hosted SQL database applications

Apple ios 8 Security

10 steps to better secure your Mac laptop from physical data theft

Transcription:

BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE by Richard A. Rodney As the use of ios devices continues to proliferate in the business space, they present some unique challenges when data must be collected from them. Bring Your Own Device (or BYOD) policies in many organizations have further altered the landscape that computer forensic professionals must navigate. What you will learn: The procedure to follow for performing a forensic collection of an apple ios device such as ipod, iphone or ipad. What you should know prior to performing a collection of an ios device. Some important items you can collect from an ios device. Methods of blocking mobile wireless signals. What you should know: Familiarity with mobile operating systems. Familiarity with Apple devices and ios versions. Familiarity with the concept of encryption. Of the many new challenges facing computer forensic and ediscovery professionals, the proliferation of mobile devices, specifically Apple ios devices, presents professionals with new questions as to how they should manage collections for these devices. The explosion of permissive Bring-Your-Own-Device ( BYOD ) policies in businesses, coupled with the rapid acceptance of non-windows based (i.e. Apple) products in the business space, has in short order changed the landscape for digital evidence detection, collection and use forever. Businesses must adapt to new technologies while mastering (and regulating) their own use of them. Lawyers, computer/mobile forensic technicians and ediscovery practitioners must also adapt to new technologies, particularly to the increasingly accepted mobile/cloud/byod based business environment, and develop new strategies and methods for ensuring that digital evidence is thoroughly, efficiently and defensibly collected and preserved. Apple/iOS devices are now present in the network architecture (at least through BYOD) of most every major business in the country, and this article focuses on considerations and best practices for collecting data from these devices once they ve been identified and access to them has been secured. APPLE/iOS Apple ios devices in the form of the ipod, iphone and ipad present some unique challenges for the early stages of managing, preserving and collecting 18

BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE electronic files. There are two primary questions to answer when collecting data from any of these devices: One, what is the precise model version of the device? Two, what is the precise operating system ( OS ) running on the device, including the update history of the OS running on the device? There are sometimes subtle and, often times, not so subtle differences between generations of ios devices and the year they are released. Apple has had a semi-annual release schedule for many of its devices for a few years now. This means for example, that iphone 3 and 3GS devices produced in the same year are different and may require different processes and software to reliably collect from them. Just as with the different model versions, different OS versions present their own different challenges and solutions. Each version of ios was designed to update and improve the user experience, but not all users perform all updates. There are various reasons for this but regardless, you have to be aware of the current version of ios on the device you are about to collect from. Apple/IOS devices feature various Pass code/pass lock encryption elements that must be disabled to ensure an uninterrupted and successful collection. If devices are encrypted and users have not provided security access, there are a variety of processes that can be used to gain root user access (also known as jailbreaking) to achieve and maintain access to data on the device. Figure 1. iphone 5 Figure 2. ipad3 As mobile forensics and ediscovery are becoming more common place, it is a good idea to recognize the roots of the discipline. As with most computer forensics tactics, mobile forensics was born of law enforcement and the intelligence communities varied needs to access content on mobile devices. From there these disciplines have been adopted in the corporate and legal worlds for a variety of needs from human resources matters to theft of intellectual property. One of the tried and true methods is screen capture. Plug the mobile device into a projector, and do a print of the contents of each screen. This is an effective if somewhat painstaking and methodical process. This method was more useful for early semi smartphones and other cellular phones that had no access to the cloud and could store very little active data. With most smartphones such as the iphone and tablets such as the ipad, being as or more powerful than computers from 5 to 10 years ago, it is not an understatement to refer to most mobile devices as mobile desktops. The project-a-phone method is not practical for most smartphones and absolutely not for any tablets. To that end there have been several tools to come on the market to address collecting and analyzing mobile devices. Without any implied preference, examples are: Cellebrite s UFED device, Accessdata s Mobile Phone Examiner plus (MPE +), BlackBag Technologies Blacklight and Paraben s Device Seizure. There are many other tools but these are the ones I know through my own vetting process. They all can be utilized effectively for collection and analysis of ios devices. Before we get into a step by step of what to do, as any mobile forensic professional will acknowledge, seizure of a device is only as good as your ability to keep its contents unchanged. Mobile devices can www.eforensicsmag.com 19

be updated wirelessly via mobile data service or WiFi, so turn the antenna off. In fact, disable all wireless services as soon as reasonable before collecting. Airplane mode is a good choice to stop all communications to the mobile device. Another method I have learned is wrapping the mobile device in aluminum foil. This method is one I like to refer to as a poor man s faraday box. A faraday box, or faraday bag or room, utilizes material that effectively blocks all incoming and outgoing wireless signals for a device. Why would you want to do so? Simply put if the mobile carrier sends out an update to the operating system or an Information Technology technician pushes a firmware or software update to the device mid collection, this can effectively change the files on the mobile device up to and including wiping existing files. This would render the purpose of your collection fruitless. COLLECTING FROM AN ios DEVICE Now we ve wrapped our brains around a few procedures and tools, let s discuss a standard workflow for collecting from an ios device. First step, put the device airplane mode or find other means to block mobile data and WiFi signals from reaching the device. I also recommend disabling the pass code device locking feature as soon as you can. Second step, you will want to ensure the mobile device is charged. Collect the power cables, if you can or have one handy, then Charge it up! Third step, while the device is being acquired, perform some social engineering. Find out what the passwords are for the device, version of ios, model of device (iphone 4 or 4s, ipad 2 or 3, etc), year it was released for sale, did the user create an encrypted ITunes backup? Fourth step, choose the appropriate tool for the collection. Consider what will be done with the files after they are collected. Will analysis be performed for the purposes of establishing when and where the phone was used? Will ediscovery and data normalization be performed along in order to add specific user create content for a legal review with documents from other sources? The reality is that all the tools mentioned will work well. There may arise a scenario where more postcollection work is required to fit one scenario versus another. Always go in to the process with as much information as can be known or acquired. While there are a few different approaches and variations to the process of collecting, what has been presented is basic, repeatable and adaptable. With any computer forensic collection remain agile. Since we are focusing on ios here, let s hone in on some core concepts mentioned earlier to make an effective collection. The simplest question that can hamper a collection by going unanswered is: What is the passcode to unlock the device? There are few devices that can confound access more so than an ios device that is locked. Even to Jailbreak an ios device, it must be unlocked first. One of the many exploits to collect from an ios device is to jailbreak the device. If the device cannot be accessed, jailbreaking will not be impossible but certainly difficult. Next, consider the device itself and remember that different versions of ios devices in specific generations and within years of production have different make-ups. Each can use different processors, have different ios versions and the user may or may not have upgraded. Another thing to consider: Is physical or logical access to the device needed? Physical access is everything that has ever been stored or deleted on the device. Logical access is only to those items currently considered live on the device. For example, ipad 3 currently can only be acquired via logical access by the leading tools (including Blackbag s Blacklight which is an apple centric collection and analysis tool). But all developers are working to solve this problem, which will allow them to get ready to start all over for ipad 4. Regardless, consider what is needed and what may need to be considered acceptable for access. 20

BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE Figure 3. Encryption KEY COLLECTION CONSIDERATIONS Another consideration that was mentioned earlier is whether or not the device is encrypted or has an encrypted itunes backup. I can tell you from personal experience, this situation can drive you mad. I once performed a forensic collection of several mobile devices of which one subject had an iphone and another device. The person from whom I needed to collect the esi on their iphone was cooperative but had forget they had set an encrypted itunes backup for their iphone. A fact that they did not inform me of because they did not recall they had done it. After several failed attempts to collect the device it occurred to me ask if they had an encrypted itunes back up. The user recalled that they did but could not remember their password and was reasonably certain they had set it up on their home computer which was a mac. The user agreed to try to access their device and unlock the encryption on their office computer which they had synched to. After several attempts he recalled the password and we were able to access the iphone. The tool I used was able to collect the esi from has phone, where previously it sat in a state of collection for roughly 8 to 10 hours on four different attempts to collect. I can only imagine what these situations must be like for law enforcement or collections from less cooperative subjects; thankfully, so far I only have to imagine! Something else to consider is the amount of storage the particular ios device is capable of. Remember earlier, I referred to some mobile devices as mobile desktops? Well most people given the chance will save everything they can locally. So a 64GB ios device is great for the end user, not so much for the collector. Apple ios devices are considered dense storage devices, or another way to view them is as a portable hard disk drive with a user interface. At their core, they are storage devices and as such many things can be saved to them like thousands of pictures, music files, movie files and documents. The storage capacity of the device will determine how long the collection will take. Under the best of circumstances the time to collect or harvest is nebulous. But having some idea up front if you are dealing with a large storage capable device or not is extremely useful in planning the collection. So, you have collected: What s next? This goes back to the question: What is your end-game? Basic and standard information will be available depending on the mobile carrier such as where the phone or tablet was last used. numbers called. WiFi networks connected to. www.eforensicsmag.com 21

With this information known, you can get granular and look at important electronic evidence artifacts. Many are standard but some are apple/ios only items like sqlite tables. Do you need to know what emails / text messages were sent and when? Do you need to know the location and time stamp of a stored picture or picture taken with camera? Is it important to know what applications were downloaded and used? All that you need to know is there and available to varying degrees. If the user only set their email to store the last 100 emails then that is all that is available. The point is once you have harvested the files from the phone, you can lay out a very accurate map of the travels and activities of the phone user or disprove actions that they are assumed to have taken. Choose the right tool for your analysis and subsequent ediscovery processing and review. Keep in mind that while ios is very organized, there are a lot of files that may be considered responsive to your analysis via standard keyword or live search. As most ediscovery and review platforms are Microsoft based, you want to consider this as well for your overall strategy. One thing I would advise, when practical, is to analyze and export your responsive esi using a Mac computer. This is not always necessary and, in fact, it is a good idea to have multiple analysis tools, but there are some files that are just better viewed and more accessible in a Mac environment. IN SUMMARY Collecting from an ios device is difficult but not impossible. There are specific facts you need to know about the device and its manufacture, and variations in the methods that must be used depending on those facts. The keys for successful collection of data from Apple/IOS devices is the same as it is for any collection: Know the device; know the user, know the purpose of the collection, know the data that is being targeted and know how to use (and have access to) the right tools to defensibly collect it. ABOUT THE AUTHOR Richard Rodney serves as the Chief Technology Officer for SiteLogic Technologies with its headquarters in New York City. Richard has over 20 years in Litigation Support, ESI technologies and Computer Forensics. Richard manages the Electronic Services and Project Management group for SiteLogic and serves as the chief architect of technology related services with a concentration on consulting, forensic collections and analysis, and processing. Richard is a certified forensic and mobile forensic examiner having achieved both the ACE and AME certifications from Accessdata s training group. Richard received his initial computer forensics training from instructors with the International Society of Forensic Computer Examiners CCE bootcamp program. Richard has also been trained by instructors at Blackbag Technologies to perform collections and analysis of Apple devices using their tools. Richard is a devoted father of a daughter, who also enjoys reading, fitness activities, and movies. Richard also enjoys learning about and using new technology. Richard is long time supporter of the New York Football Giants team in the NFL, the New York Yankees in MLB and the New York Knicks in the NBA. Richard is a graduate of Lincoln University and Brooklyn Technical High School. 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information