Forensics on IOS device

Is there a way to do proactive forensics on an iOS device to look for malware? Specifically, I want to look into the phone's o.s. for settings that enable the antennas to be on when I have airplane mode enabled or that call out to the Internet to share info that should be kept private.

Are there tools (hardware and/or software) to look under the covers on iOS like this? (And before you mention it, I am already discussing using the hardware hack from MIT that shows when the antennas are activated live. I'm waiting on the dev that captures the data as it is sent.)

Thanks.

Probably for a few area to check on further

the call out is to look into the /preferences/SystemConfiguration/com.apple.network.identification.plist.
This property list contains the IP addresses used and assigned to the iOS device when communicating on both the cellular WAN and Wi-Fi.

iOS devices also cache location information in the form of cellular and Wi-Fi usage to assist it’s many users with better performance. However, many automated tools do not parse or analyze this file along with many other location and settings files. An investigator armed with the ability to manually harvest these types of artifacts

Safari cookies can be an important piece of evidence when identifying web browsing from the device.

iOS applications store their persistent cookies in the cookies.binarycookies file. To read this file, the examiner would need to use a tool like iPhone Extractor or open the file in a HEX editor. The file is composed of a header followed by one or more pages. Each page is comprised of one or more cookies

The call history of an iOS device that can place cellular calls is contained in call_history.db. This SQLite database has 4 tables. The call table in this database contains the phone number, date, duration and reference ID of the contact.

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

One useful tool is Elcomsoft iOS Forensic Toolkit - https://www.elcomsoft.com/eift.html
See one use case to extract from iCloud of the traces

Apple can optionally sync many types of data across devices sharing the same Apple ID. Our tools can pull synced data such as phone calls, contacts, Safari tabs, browsing history and favorites from Apple iCloud. Extracting synced data is indispensable for mobile forensics as it can give access to up to date information that only arrived seconds ago – unlike cloud backups that are daily at best.

Our latest discovery concerns synced Safari history. While researching this sync, we discovered that deleting a browsing history record makes that record disappear from synced devices; however, the record still remains available (but invisible) in iCloud. We kept researching, and discovered that such deleted records can be kept in iCloud for more than a year. We updated Elcomsoft Phone Breaker to give it the ability to extract such deleted records from the cloud.

https://blog.elcomsoft.com/2017/02/elcomsoft-extracts-deleted-safari-browsing-history-from-icloud/

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LVL 69

btanExec ConsultantCommented: 2017-03-23

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

Forensics on IOS device

Who is Participating?