Forensics on IOS device

Is there a way to do proactive forensics on an iOS device to look for malware?  Specifically, I want to look into the phone's o.s. for settings that enable the antennas to be on when I have airplane mode enabled or that call out to the Internet to share info that should be kept private.

Are there tools (hardware and/or software) to look under the covers on iOS like this?  (And before you mention it, I am already discussing using the hardware hack from MIT that shows when the antennas are activated live.  I'm waiting on the dev that captures the data as it is sent.)

Thanks.
S WAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Probably for a few area to check on further
the call out is to look into the /preferences/SystemConfiguration/com.apple.network.identification.plist.
This property list contains the IP addresses used and assigned to the iOS device when communicating on both the cellular WAN and Wi-Fi.
iOS devices also cache location information in the form of cellular and Wi-Fi usage to assist it’s many users with better performance. However, many automated tools do not parse or analyze this file along with many other location and settings files. An investigator armed with the ability to manually harvest these types of artifacts
Safari cookies can be an important piece of evidence when identifying web browsing from the device.
iOS applications store their persistent cookies in the cookies.binarycookies file. To read this file, the examiner would need to use a tool like iPhone Extractor or open the file in a HEX editor. The file is composed of a header followed by one or more pages. Each page is comprised of one or more cookies
The call history of an iOS device that can place cellular calls is contained in call_history.db. This SQLite database has 4 tables. The call table in this database contains the phone number, date, duration and reference ID of the contact.
https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

One useful tool is Elcomsoft iOS Forensic Toolkit - https://www.elcomsoft.com/eift.html
See one use case to extract from iCloud of the traces
Apple can optionally sync many types of data across devices sharing the same Apple ID. Our tools can pull synced data such as phone calls, contacts, Safari tabs, browsing history and favorites from Apple iCloud. Extracting synced data is indispensable for mobile forensics as it can give access to up to date information that only arrived seconds ago – unlike cloud backups that are daily at best.


Our latest discovery concerns synced Safari history. While researching this sync, we discovered that deleting a browsing history record makes that record disappear from synced devices; however, the record still remains available (but invisible) in iCloud. We kept researching, and discovered that such deleted records can be kept in iCloud for more than a year. We updated Elcomsoft Phone Breaker to give it the ability to extract such deleted records from the cloud.
https://blog.elcomsoft.com/2017/02/elcomsoft-extracts-deleted-safari-browsing-history-from-icloud/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
iOS

From novice to tech pro — start learning today.