Data Collection Methods Explained
iOS devices
When it comes to modern forensics, no device is as data rich as the smartphone. The gold standard for smartphones is the iPhone, which as of 2022 has over 50% of US market share.
iPhones run the iOS operating system. Other Apple devices run operating systems based on iOS (iPadOS, watchOS, tvOS, visionOS). While the resulting collected data for these devices is similar, imaging approaches vary and will not be covered in this article.
Before we dive in, please note that all the following approaches are consent-based acquisitions, wherein you have the device owner’s permission to access the device. We will not be covering the use of tools that will brute force or bypass locked devices.
Logical Acquisition
This is better known as an iTunes Backup. It results in a logical export of data from iOS which ONLY contains data that Apple and app developers allow you to see.
Logical acquisitions typically include:
Messaging apps (iMessage, SMS, WhatsApp, Facebook Messenger, WeChat, Viber, Skype, etc.)
Call logs
Apple Notes
Photos
Apple Wallet
Wireless connections
Apple Health data
Passwords
Apple Maps search history
Calendars
Application data
Think of this as user driven data, to which the user (generally) has direct access. This data tends to be very communications focused and covers much of the day-to-day activity of an iPhone.
Encrypted vs Non-encrypted Backups
Some of the above data can only be accessed from an encrypted backup. This is done by setting a backup password on the iOS device. When collecting an iOS device that is not backup encrypted, technicians will often set a temporary backup password, then remove it when they are done.
Imaging without a backup password will result in missing data such as: health data, call logs, website history, and passwords.
Important safety tip! Once a backup password has been set on a device, ALL subsequent backups will be encrypted. Don’t lose that password!
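A quick check a technician can run on a finished backup folder before releasing the device, shown as an added example that is not part of the original article. It assumes the standard iTunes/Finder backup layout, in which Manifest.plist carries an IsEncrypted flag and a Lockdown dictionary with ProductVersion; the sample manifests and the helper names are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Categories this article lists as missing from a non-encrypted backup.
MISSING_WITHOUT_PASSWORD = ["health data", "call logs", "website history", "passwords"]


def check_backup(backup_dir):
    """Read Manifest.plist from a backup folder and summarise its encryption state."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # handles both XML and binary plists
    encrypted = bool(manifest.get("IsEncrypted", False))
    lockdown = manifest.get("Lockdown", {})
    return {
        "encrypted": encrypted,
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "expected_gaps": [] if encrypted else list(MISSING_WITHOUT_PASSWORD),
    }


def make_sample_backup(root, name, encrypted):
    """Write a constructed, minimal Manifest.plist so the check runs offline."""
    folder = Path(root) / name
    folder.mkdir()
    sample = {"IsEncrypted": encrypted, "Lockdown": {"ProductVersion": "16.6"}}
    with (folder / "Manifest.plist").open("wb") as fh:
        plistlib.dump(sample, fh)
    return folder


def demo():
    """Run the check against one plain and one encrypted constructed backup."""
    with tempfile.TemporaryDirectory() as root:
        plain = make_sample_backup(root, "sample-plain", encrypted=False)
        locked = make_sample_backup(root, "sample-encrypted", encrypted=True)
        return check_backup(plain), check_backup(locked)


if __name__ == "__main__":
    for result in demo():
        state = "encrypted" if result["encrypted"] else "NOT encrypted"
        print(f"iOS {result['ios_version']}: backup is {state}")
        for gap in result["expected_gaps"]:
            print(f"  expect missing: {gap}")
```

Point check_backup at the real backup folder to confirm the temporary backup password took effect before the collection is closed out.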
Full File System
A full file system image captures deeper operating system information from an iOS device. To acquire a full file system image of an iOS device, the device will need to be jailbroken.
Full file system images typically include:
Apple Mail
Safari browsing history
Device Lock Status
Battery Usage
Bluetooth Connections
Audio Status
Application Usage Statistics
and MANY more operating system artifacts
Think of this as operating system data (excepting mail and web browsing data), of which the user isn’t generally aware. This data tends to be far more granular, including device behavior and location information.
Jailbreaking
To jailbreak an iPhone, you will need to identify:
your iPhone model: https://support.apple.com/en-us/108044
which version of iOS you are running: https://support.apple.com/en-us/109065
compatible jailbreaks: https://canijailbreak.com/
Jailbreaks tend to lag a full version behind the current release of iOS. As of today, the current version of iOS is 18.0; the most recently jailbroken version of iOS is 16.6.
Important safety tip! Jailbreaking an iOS device will void its warranty, and potentially make permanent changes to the operating system. We have the ability to jailbreak these iPhones – but only after your client fully understands the ramifications of this action.
iCloud
It’s also VERY important to touch upon iCloud, Apple’s cloud storage service. iCloud support is built into iOS, and allows for the storage of files, keychain information, and even full backups in the cloud.
If a user has been backing up to iCloud, it is possible to get an advanced logical image without physical access to the phone (iCloud credentials and 2-factor authentication permission, if enabled, required). This is particularly useful for lost or broken devices!
Important safety tip! Photos viewed on a device may not be physically on the device – they may be in iCloud. Only collecting the physical device will miss these images.