Channel: Magnet Forensics

IEF Artifact Updates Have Become a More Frequent Thing!


To stay on top of the rapidly evolving app landscape (and ensure IEF users continue to find as much digital evidence as possible in their investigations), the Magnet Forensics team has started to release more frequent artifact updates, adding to the list of hundreds of artifacts that IEF supports on computers, smartphones and tablets.

New this month, we’ve released support for a number of native iOS applications including Owner Information, Saved Wi-Fi Profiles, Saved Bluetooth Devices, Spotlight Searches, Word Dictionary, Installed Applications, Calendar Events, Deleted Notes, and Contacts. This new update is available now to customers who have added the mobile artifacts module to their license. If your IEF license is installed on a computer connected to the Internet, you should receive a notification indicating that a new version is available for download. Alternatively, customers can access artifact updates via our Customer Portal.

Now, let’s take a look at the artifacts that were added to IEF in this update:

Owner Information

IEF will now pull the owner details from a user’s iPhone, including device name and phone number. This can be valuable when you have several devices to analyze and can assist investigators in determining which device is associated with which phone number in their cases.

Saved Wi-Fi Profiles

iOS devices store all the saved Wi-Fi profiles in the plist format. Investigators are able to recover the SSID, security settings, last joined timestamp, and last auto joined timestamp, among other things. This can help determine where a suspect might have been since this data is stored indefinitely until the profile is deleted or the phone is wiped.
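As an added example (not Magnet Forensics' code, and not a description of how IEF works internally), the following parses a saved Wi-Fi profile plist and orders the networks by most recent join. The key names (`List of known networks`, `SSID_STR`, `SecurityMode`, `lastJoined`, `lastAutoJoined`) are assumptions based on the commonly documented layout of `com.apple.wifi.plist` on older iOS versions, and the sample data is constructed.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample. Key names are assumptions (older com.apple.wifi.plist layout).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>List of known networks</key>
<array>
  <dict>
    <key>SSID_STR</key><string>CoffeeShop-Guest</string>
    <key>SecurityMode</key><string>Open</string>
    <key>lastJoined</key><date>2014-03-02T15:04:05Z</date>
  </dict>
  <dict>
    <key>SSID_STR</key><string>HomeNet</string>
    <key>SecurityMode</key><string>WPA2 Personal</string>
    <key>lastJoined</key><date>2014-01-10T08:00:00Z</date>
    <key>lastAutoJoined</key><date>2014-03-05T22:30:00Z</date>
  </dict>
  <dict>
    <key>SSID_STR</key><string>NeverJoined</string>
    <key>SecurityMode</key><string>WEP</string>
  </dict>
</array>
</dict></plist>"""

def _utc(value):
    """plistlib returns naive datetimes that are in UTC; make that explicit."""
    if not isinstance(value, datetime):
        return None
    return value.replace(tzinfo=timezone.utc) if value.tzinfo is None else value

def parse_wifi_profiles(raw):
    """Return saved networks, most recently joined first (XML or binary plist)."""
    root = plistlib.loads(raw)
    profiles = []
    for net in root.get("List of known networks", []):
        joined, auto = _utc(net.get("lastJoined")), _utc(net.get("lastAutoJoined"))
        seen = [t for t in (joined, auto) if t]
        profiles.append({"ssid": net.get("SSID_STR", "<unknown>"),
                         "security": net.get("SecurityMode", "<unknown>"),
                         "last_joined": joined, "last_auto_joined": auto,
                         "last_seen": max(seen) if seen else None})
    # Profiles without any timestamp sort to the end rather than being dropped.
    floor = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(profiles, key=lambda p: p["last_seen"] or floor, reverse=True)

if __name__ == "__main__":
    for p in parse_wifi_profiles(SAMPLE_PLIST):
        print(p["ssid"], p["security"], p["last_seen"])
```

A profile with no timestamps is still evidence that the network was saved at some point, which is why it is kept in the output.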

Saved Bluetooth Devices

Bluetooth profiles are also saved in a plist file and provide investigators with a list of any saved Bluetooth devices that were connected to a mobile phone. IEF will recover the MAC address, device name, classes, and a timestamp for when it was last seen. These profiles can be useful if an investigator is looking for evidence found on other connected devices, such as another computer or car.

Spotlight Searches

iOS Spotlight is an indexed search of a user’s mobile device. iOS stores this index in a SQLite database, which can be valuable in analyzing a user’s searches and other potential evidence stored on the device. Part of Spotlight’s process is to index a user’s SMS messages, so investigators trying to recover deleted SMS might find valuable evidence in this index. IEF will recover the message, summary, and partner, which may include a contact or phone number associated with the message.

Word Dictionary

Apple stores two dictionaries for iOS users. The first one is the shortcut dictionary, which stores a list of shortcuts for frequently used words in a plist. The shortcut dictionary stores any custom shortcuts that the user has created on the device.

Similarly, the word dictionary will list any custom words that the user has added to the default dictionary in iOS. While there are no timestamps associated with this list, the entries are created in chronological order and can often reveal message contents that might not have been recovered otherwise.

Both of these artifacts can provide excellent insight into terms a suspect may frequently use, including any slang or uncommon words.

Installed Apps

IEF will also list the installed apps on any iOS device, providing investigators with a good overview of what is installed on the user’s device. IEF will report the package name, display name, platform, category, as well as both the internal and display versions of the application. While often the same, the versions can differ if the app developers choose to version their apps differently for public release.

Calendar Events

iOS calendar events can contain a lot of valuable data for investigators. IEF will recover all the necessary calendar details, which are stored in a SQLite database, from an iPhone. Relevant fields include event summary, description, location, calendar category, start and end times, and time zone.

Deleted Notes

We have now added support for iOS Notes that have been deleted from the SQLite database. IEF will now carve Notes from iOS devices including the title, summary, and body.

Contacts

Finally, we have added support for iOS contacts. IEF will recover address book contacts for iOS users, including any details that might be included in their contact profile such as names, phone numbers, email, address, organization, department, title, DOB, creation and modified timestamps, and more. This will help investigators correlate call logs and other details with other potential suspects or victims.

The Magnet Forensics team looks forward to continuing to provide our customers with timely updates to artifacts, so they can continue to maximize the evidence recovered in their investigations.

Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Here are some other things you might be interested in:

  1. If you are an IEF user who is doing mobile investigations, and haven’t tried our mobile module, you can get a free trial here. If you are completely new to IEF, you can request your free trial here.
  2. Download our free whitepaper on recovering critical mobile evidence from WhatsApp, Kik Messenger and BBM.
  3. Attend a live, online demo of IEF’s mobile module: Register Now

Jamie McQuaid
Forensics Consultant, Magnet Forensics

 

