Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Nowadays logical acquisition is the most common type of data extraction from iOS devices during digital forensic investigations. There are a great number of commercial forensic tools capable of doing it. But we would like to show you how to use open source tool for such extraction. There is a cross-platform protocol library called libmobiledevice which can help a digital forensic examiner to communicate with an iOS device and extract data from it via the backup procedure. What is more, the library can unpack the backup to allow the examiner to browse its contents with his or her favorite file manager.
Let’s see how to use libmobiledevice for iOS forensics.
Of course, the first step is downloading the tool. If you use Mac or Linux workstation you can use GitHub. If you prefer Windows – here are the pre-compiled binaries.
Also, you can use Santoku Linux with libmobiledevice pre-installed.
For this example we’ll use the Windows version.
So, unpack the downloaded archive, open cmd.exe and change directory (use cd) to the one you got after unpacking, in our case it’s imobiledevice-1.2.0-r3.
Let’s start from idevice_id.exe and get the Unique Device Identifier (UDID) of the iOS device (don’t forget to plug it to your forensic workstation):
idevice_id.exe -l
We use -l flag to get all the iOS devices connected to our workstation, but in our case it’s just one device, so the output is: a1151e2a3e3a3919d115da3a61fbb8c995a18963.
Now we can use the device UDID and ideviceinfo.exe to extract a lot of important information about the device:
ideviceinfo.exe -u a1151e2a3e3a3919d115da3a61fbb8c995a18963
Here are the most important parts of the output from the digital forensic point of view:
…
BluetoothAddress: 8c:00:6d:88:66:93
DeviceName: Oleg’s iPhone
EthernetAddress: 8c:00:6d:88:66:95 FirmwareVersion: iBoot-1940.10.58
InternationalMobileEquipmentIdentity: 013664008370650 InternationalMobileSubscriberIdentity: 250994202332589 MLBSerialNumber: DQ534252G73F294A ModelNumber: MD128
PhoneNumber: +7 (9**) ***-**-** ProductType: iPhone3,2 ProductVersion: 7.1.2
SerialNumber: DX3LLQWWDP0N
TimeZone: Europe/Moscow
WiFiAddress: 8c:00:6d:88:66:94
We got a lot of valuable information about the iOS-device, and it’s high time to perform the acquisition. From ideviceinfo.exe output we know that our iPhone is running iOS 7.1.2, so to acquire it we should use idevicebackup2.exe (idevicebackup.exe is used for devices running up to and including iOS 3):
idevicebackup2.exe backup C:\Users\Olly\Desktop\iPhone_logical
After the backup operation is completed we get a directory named after te device UDID, in our case a1151e2a3e3a3919d115da3a61fbb8c995a18963, with the backup files:
These files can be examined with your favorite digital forensic suite – we usually use Belkasoft Evidence Center for it.
If you prefer manual examinations, idevicebackup2.exe can help you to unpack the extracted backup:
idevicebackup2.exe unback C:\Users\Olly\Desktop\iPhone_logical
Now we have another directory – _unback_ – with directory structure browsable with any file manager:
As you can see, libmobiledevice library is quite powerful tool for iOS forensics, especially if you prefer using Linux forensic workstation. Its ability to unpack iOS devices backups is also a very important feature for the examiners who prefer performing brief manual analysis of extracted data.
About the authors:
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
Speak to a Specialist Now
Get Help Now