Forensics on iOS device

S W
Is there a way to do proactive forensics on an iOS device to look for malware? Specifically, I want to look into the phone's OS for settings that enable the antennas to be on when I have airplane mode enabled or that call out to the Internet to share info that should be kept private.

Are there tools (hardware and/or software) to look under the covers on iOS like this?  (And before you mention it, I am already discussing using the hardware hack from MIT that shows when the antennas are activated live.  I'm waiting on the dev that captures the data as it is sent.)

Thanks.
Exec Consultant
Distinguished Expert 2018
Commented:
Probably a few areas to check on further.
For the call out, look into /preferences/SystemConfiguration/com.apple.network.identification.plist.
This property list contains the IP addresses used and assigned to the iOS device when communicating on both the cellular WAN and Wi-Fi.
iOS devices also cache location information in the form of cellular and Wi-Fi usage to assist its many users with better performance. However, many automated tools do not parse or analyze this file along with many other location and settings files. An investigator armed with the ability to manually harvest these types of artifacts
Safari cookies can be an important piece of evidence when identifying web browsing from the device.
iOS applications store their persistent cookies in the cookies.binarycookies file. To read this file, the examiner would need to use a tool like iPhone Extractor or open the file in a HEX editor. The file is composed of a header followed by one or more pages. Each page is comprised of one or more cookies.
The call history of an iOS device that can place cellular calls is contained in call_history.db. This SQLite database has 4 tables. The call table in this database contains the phone number, date, duration and reference ID of the contact.
https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

One useful tool is Elcomsoft iOS Forensic Toolkit - https://www.elcomsoft.com/eift.html
See one use case to extract from iCloud of the traces
Apple can optionally sync many types of data across devices sharing the same Apple ID. Our tools can pull synced data such as phone calls, contacts, Safari tabs, browsing history and favorites from Apple iCloud. Extracting synced data is indispensable for mobile forensics as it can give access to up to date information that only arrived seconds ago – unlike cloud backups that are daily at best.


Our latest discovery concerns synced Safari history. While researching this sync, we discovered that deleting a browsing history record makes that record disappear from synced devices; however, the record still remains available (but invisible) in iCloud. We kept researching, and discovered that such deleted records can be kept in iCloud for more than a year. We updated Elcomsoft Phone Breaker to give it the ability to extract such deleted records from the cloud.
https://blog.elcomsoft.com/2017/02/elcomsoft-extracts-deleted-safari-browsing-history-from-icloud/
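The answer above says cookies.binarycookies is a header followed by pages, each holding one or more cookies, and that without a dedicated tool you are left with a hex editor. The following is an added example, not code from the page, the answerer, or any of the tools named here. It implements a small parser for that layout in Python so the artifact can be reviewed offline (which domains the device holds cookies for, which are marked Secure/HttpOnly, when they expire). The byte layout used (big-endian page table, little-endian page and cookie records, 56-byte cookie header, Mac-epoch timestamps) follows public reverse-engineering write-ups of the format and is an assumption; the sample file is constructed inline by `build_binarycookies`, which exists only to produce test input. All function names are the example's own.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Cookie timestamps are seconds since the Mac absolute epoch, 2001-01-01 UTC (assumed).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
FLAG_SECURE = 1      # assumed flag bits from public write-ups of the format
FLAG_HTTPONLY = 4
COOKIE_HDR = 56      # fixed header bytes before the null-terminated strings


def parse_binarycookies(data: bytes) -> list:
    """Parse raw cookies.binarycookies bytes into a list of cookie dicts."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file (bad magic)")
    num_pages = struct.unpack(">I", data[4:8])[0]
    page_sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos = 8 + 4 * num_pages
    cookies = []
    for size in page_sizes:           # pages are laid out back to back; trailing bytes ignored
        cookies.extend(_parse_page(data[pos:pos + size]))
        pos += size
    return cookies


def _parse_page(page: bytes) -> list:
    if page[:4] != b"\x00\x00\x01\x00":
        raise ValueError("bad page header")
    num_cookies = struct.unpack("<I", page[4:8])[0]
    offsets = struct.unpack("<%dI" % num_cookies, page[8:8 + 4 * num_cookies])
    return [_parse_cookie(page, off) for off in offsets]


def _parse_cookie(page: bytes, off: int) -> dict:
    # size, unknown, flags, unknown, then four string offsets relative to the cookie start
    size, _u1, flags, _u2, url_off, name_off, path_off, val_off = struct.unpack("<8I", page[off:off + 32])
    expiry, created = struct.unpack("<2d", page[off + 40:off + 56])   # two little-endian doubles
    rec = page[off:off + size]

    def cstr(o: int) -> str:           # null-terminated UTF-8 string at offset o
        return rec[o:rec.index(b"\x00", o)].decode("utf-8")

    return {
        "domain": cstr(url_off), "name": cstr(name_off), "path": cstr(path_off), "value": cstr(val_off),
        "secure": bool(flags & FLAG_SECURE), "httponly": bool(flags & FLAG_HTTPONLY),
        "expires": MAC_EPOCH + timedelta(seconds=expiry),
        "created": MAC_EPOCH + timedelta(seconds=created),
    }


def domain_summary(data: bytes) -> dict:
    """Count cookies per domain: a quick view of which sites the device has persisted state for."""
    return dict(Counter(c["domain"] for c in parse_binarycookies(data)))


def build_binarycookies(cookies: list) -> bytes:
    """Serialize cookie dicts into the same layout. Used here only to construct sample input."""
    blobs = []
    for c in cookies:
        strings, offs = b"", {}
        for key in ("domain", "name", "path", "value"):
            offs[key] = COOKIE_HDR + len(strings)
            strings += c[key].encode("utf-8") + b"\x00"
        flags = (FLAG_SECURE if c["secure"] else 0) | (FLAG_HTTPONLY if c["httponly"] else 0)
        head = struct.pack("<8I", COOKIE_HDR + len(strings), 0, flags, 0,
                           offs["domain"], offs["name"], offs["path"], offs["value"])
        head += b"\x00" * 8                                  # end-of-cookie marker
        head += struct.pack("<2d", (c["expires"] - MAC_EPOCH).total_seconds(),
                            (c["created"] - MAC_EPOCH).total_seconds())
        blobs.append(head + strings)
    n = len(blobs)
    cur, offsets = 4 + 4 + 4 * n + 4, []                    # page header + offset table + footer
    for b in blobs:
        offsets.append(cur)
        cur += len(b)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", n) + struct.pack("<%dI" % n, *offsets)
            + b"\x00" * 4 + b"".join(blobs))
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page + b"\x00" * 8


# Constructed sample: one session cookie and one long-lived tracking cookie (not real data).
SAMPLE_COOKIES = [
    {"domain": ".example.com", "name": "session", "path": "/", "value": "abc123",
     "secure": True, "httponly": True,
     "created": datetime(2024, 1, 1, tzinfo=timezone.utc),
     "expires": datetime(2025, 1, 1, tzinfo=timezone.utc)},
    {"domain": "tracker.example.net", "name": "uid", "path": "/", "value": "7f3e",
     "secure": False, "httponly": False,
     "created": datetime(2024, 1, 2, tzinfo=timezone.utc),
     "expires": datetime(2034, 1, 2, tzinfo=timezone.utc)},
]
SAMPLE_FILE = build_binarycookies(SAMPLE_COOKIES)

if __name__ == "__main__":
    for c in parse_binarycookies(SAMPLE_FILE):
        print(c["domain"], c["name"], "secure" if c["secure"] else "-",
              "httponly" if c["httponly"] else "-", c["expires"].date())
    print(domain_summary(SAMPLE_FILE))
```

On a real extraction, pass the file bytes to `parse_binarycookies` (`open(path, "rb").read()`); the expiry dates alone often separate short-lived session state from long-lived identifiers like the second sample cookie, which is the kind of "shares info that should be kept private" artifact the question is after.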
