Design and Implementation of Forensic System through Cloud Computing - take iPhone for example
Keng Jung Hsu
Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan
[email protected]
Chung Huang Yang
Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan
Abstract
Because of its unique hardware and storage structure, the Apple iPhone has attracted considerable attention from forensic examiners. However, the current forensic software designed specifically for the iPhone is expensive and complex to operate, and its analysis process usually relies on logical acquisition and on restoring and analysing the phone's backup files, which takes a long time and collects only limited information.
This study proposes a cloud-based forensic analysis system that uses the powerful computing capability of cloud servers to shorten the time of forensic analysis and produce the forensic report. We use physical acquisition to collect digital evidence, then use the cloud forensics platform for data analysis and for recovery of deleted data, thereby implementing forensic software on the cloud.
1. Introduction
The convenience of smart phones has brought an enormous change to human lives. Among them, the iPhone, launched by Apple in 2007, is of cutting-edge significance: its unique iOS operating system, with an easy-to-operate interface and diverse applications, triggered a buying rush and continues to dominate the market share [10].
ComScore surveyed the American market in February 2013 and found that the market share of iPhone is 38.9%, higher than Samsung's 21.3% and HTC's 9.3% [5]. Gartner's statistics of April 2013 show that the shipment of mobile phones in the United States is five times that of PCs, and predict that it will grow to nearly 8 times [7]. Technological evolution has brought humans great convenience, but it has caused problems as well: criminals also use the communication functions of phones to contact each other, make arrangements and carry out their plans. Therefore, the information stored in mobile phones, such as the phone log, text messages, social media and GPS positioning information, has evidentiary value in cases. However, iPhone storage keeps growing [1], from 4GB on the first iPhone to 64GB on the iPhone 5, and this has become a challenge for the preservation, acquisition, and examination and analysis of digital evidence in the forensics process.
Although processing speed has vastly increased, average computers still need a large amount of time to process the growing volume of digital evidence. To solve the problems listed above, this research proposes a cloud computing forensics platform based on the procedures of mobile phone forensics and the definition of cloud computing. The aim is to improve the efficiency and integrity of the preservation, extraction and forensic analysis of digital evidence on the iPhone through the powerful processing ability and fast disk system of cloud servers, and to let the cloud forensics platform perform physical extraction on iPhones without jailbreaking, recover erased data and reveal the information stored inside the phone.
2. Related Work
The research conducts physical extraction on iPhones, runs data analysis on the cloud and produces forensics reports; this section reviews the literature on the relevant terms and definitions.
2.1. Cloud Computing
According to the National Institute of Standards and Technology, cloud computing consists of three service models [11].
1. Software as a service (SaaS):
Users can connect to the program ports of cloud servers through medium programs, like web browsers, and have direct access to the services cloud provides.
2. Platform as a service (PaaS):
3. Infrastructure as a service (IaaS):
Users have direct access to infrastructure, like processors, storage, network and servers. The cloud forensics platform of the research is based on SaaS and PaaS.
2.2. Mobile Phone Forensic
According to the NIST standards, the forensics procedure for mobile phones includes four steps [17]:
1. Preservation: maintaining the original state of the suspect's digital devices is crucial, because the devices contain all kinds of details pertaining to the case. If we can't keep the original state of the digital evidence, its ability to testify is compromised.
2. Acquisition: acquire the digital data stored in the case-related digital equipment or media as evidence, by extracting an image or by other means. This research uses physical extraction of an image.
3. Examination and analysis: the collected digital evidence may contain a great amount of concealed and erased data. Examination means processing the data; analysis means digitalizing or integrating the highly relevant evidence from the collected evidence to clarify the case.
4. Reporting: integrate and summarize the results of preservation, acquisition, and examination and analysis, and present them as highly readable forensic reports with text, graphics and photos.
2.3. Data Acquisition
iPhone has five levels of data extraction [12].
Fig. 1. 5 Level of iPhone Data Acquisition
1. Manual extraction: extract the data from the device manually, for example by using the applications built into the iOS system to read the data directly.
2. Logical analysis: use applications other than the iOS default apps, or third-party tools, to extract data from the iPhone.
3. Hex Dump (Physical Extraction): conduct a bit-to-bit extraction in binary and build a completely identical copy of the image.
4. Chip-off: when the device cannot be powered on normally, remove the memory chip from the device and run data extraction in a virtual environment.
5. Micro read: similar to chip-off; used when the device is damaged. Data are read directly from the physical gates: a gate sequence such as Open, Closed, Open, Open, Closed, Open, Open, Open, Open is transcribed to the bit string 010010000.
This research runs digital evidence acquisition in physical extraction.
2.4. iOS
iOS is the operating system of the iPhone, iPod touch, and iPad. iOS manages the hardware resources of the device and provides the technology needed to run applications. iOS has a layered structure divided into four layers: the Core OS layer, the Core Services layer, the Media layer and the Cocoa Touch layer [8].
Fig. 2. iOS framework
2.5. iOS File System
The file system of iOS is HFS+ [13]. There are two partitions on an iPhone: the system partition and the user partition [9]. iOS stores data in two formats: binary plist files, which are mostly used to store settings, and SQLite databases, which are used to store personal information [4]. Since the iPhone 4, under the default setting, HFS+ adds the Data Protection encryption system to secure the iPhone [3].
2.6. iOS boot chain and DFU mode
The flow chart of the normal boot chain of the iPhone is on the left of Fig. 3. When the iPhone is turned on, it immediately runs code from the Boot ROM. The Boot ROM contains the Apple Root CA public key, with which it verifies the LLB; the LLB then verifies and runs iBoot, which starts the iOS kernel. This chain of signature verification prevents the iPhone from being tampered with and ensures that only a kernel authorized by Apple can run [2].
When upgrading iOS or when there are problems, DFU mode can be used to upgrade or downgrade the version [16]. In DFU mode the device loads iBSS, activates iBEC and enters recovery mode [6]. At this stage a patch can be used to bypass the official certification and run a custom kernel. The DFU activation process is on the right of Fig. 3. This research uses DFU mode to upload the forensics ram disk to the iPhone to conduct forensics.
[Fig. 3 flowchart. Normal boot: iPhone power on → load BootROM (read-only memory) → load LLB (Low-Level Bootloader), verified with the Apple Root CA public key → pass: iBoot → execute iOS kernel. Not pass: DFU Mode (Device Firmware Upgrade) → iBSS (patched out of signature checks) → iBEC → execute custom RamDisk.]
Fig. 3. The Boot Chain of iOS Normal boot mode and DFU mode
2.7. Autopsy Forensic Browser
Autopsy Forensic Browser is a digital forensics analysis tool with an HTML-based graphical interface [14]; its underlying layer is The Sleuth Kit. Through the intuitive interface of Autopsy Forensic Browser, similar to the Windows file manager, users have direct access to file contents through a web browser and can analyze the current major file systems, such as Windows NTFS and FAT, UFS1/2, Linux Ext2/3, HFS of Mac OS and HFS+ of iOS. The latest version is 2.24 on Unix-like systems and 3.04 on Windows. The research uses version 2.24 to run the examination and analysis of forensic data and to produce reports.
3. System Architecture
In digital forensics, the handling of evidence includes preservation, extraction, examination and analysis, and reporting [17].
Current forensics software is installed on a PC, and examination and analysis commonly take a large amount of time and cost. Cloud computing, with its powerful hardware, has better processing ability than a PC, and most cloud disk systems are highly available: they can make several copies of the digital evidence quickly, so that the single acquired copy of the evidence is not at risk of being compromised, and so meet the requirement of high integrity of digital evidence.
This research devises a prototype cloud forensics platform to solve the problems listed above. The system is divided into two parts: the first is extraction, which uses the familiar Windows 7 as the platform to run physical acquisition on the iPhone; the other is the cloud forensics platform server, which integrates Autopsy Forensic Browser with the self-developed cloud forensics platform to run examination and analysis and reporting. The flow chart of the cloud forensics platform procedure is shown in Fig. 4.
Fig. 4. The workflow of Cloud Forensic Platform
4. System development and implementation
4.1. Cloud Forensic Client
Tab.1. The embryonic form of Cloud Forensic Platform Developer Environment

| | Cloud Forensic Client | Cloud Forensic Platform |
| OS | Windows 7 64 bit | Windows 2008 Server R2 64 bit |
| Hardware | CPU: Intel G860; RAM: 4GB DDR3; DISK: SATAIII 7200rpm | CPU: Intel Xeon X5650 2.67GHz * 2; RAM: 16GB DDR3 ECC; DISK: SAS 10000 rpm * 4, RAID 5 |
| Develop Tools | Visual Studio .Net 2012, Python SDK, iOS SDK | Visual Studio .Net 2012, Python SDK, iOS SDK |
| Develop Language | C#.NET, Python | C#.NET, ASP.NET, Python |
| Tested Target | iPhone 4 16GB, iOS 5.1.1 | Autopsy, cloud forensic platform developed by Self |
Cloud Forensic Client:
The Cloud Forensic Client developed by the research on Windows 7 is shown in Fig. 5. When the forensics program is running, it automatically activates the usbmux protocol and uses it to speed up the extraction of the physical acquisition image. The major functions of the forensics program are described as follows:
Fig. 5. Cloud Forensic Client
Execute ram disk:
At this stage, the forensics ram disk is uploaded to the system partition of the iPhone and physical extraction of the image is run; the iPhone goes into DFU mode for this. After the forensics ram disk is loaded, the word "ok" appears, as in Fig. 6.
Unlock passcode:
At this stage, we unlock the passcode of the iPhone and output the UDID of the phone and the unlocked passcode, as shown on the left of Fig. 7.
Fig. 7. Unlock Passcode, physical dump and upload to cloud
Physical extraction of image (Physical Dump):
At this stage, we use the forensics ram disk to run physical extraction of the user partition of the iPhone. When the extraction is finished, the screen looks like the center of Fig. 7.
Uploading digital evidence to cloud forensic platform:
At this stage, we enter our account and password to connect to the cloud forensic platform and upload the physically extracted image, as shown on the right of Fig. 7.
4.2. Cloud Forensic Platform
Running the decryption of digital evidence:
Data Protection uses the hardware encryption accelerator of the iPhone to keep data and apps under authorization and security monitoring [15]. The research decrypts the physical extraction image through the decryption procedure on the cloud, as shown in Fig. 10.
Fig. 10. Decryption Digital Evidence Process
Fig. 11. The Photo Readability before Decryption and after Decryption
Conducting the examination and analysis of digital evidence:
Conduct automatic examination and analysis on the decrypted digital evidence, extract the needed data from the iPhone, reveal the concealed or erased files, and digitalize them to identify the data that are highly relevant to the case, as shown in Fig. 12.
Fig. 12. Examination and Analysis through Cloud Forensic Platform
The production of digital evidence report:
The report produced by the forensics platform is shown in Tab. 2.
Tab.2. Related files and Path of Forensic report
| Data content | File name and path |
| Contact | AddressBook.sqlitedb |
| Call History | call_history.db |
| SMS | sms.db |
| Note | Note.db |
| Calendar | Calendar.sqlitedb |
| Safari | Bookmarks.db |
| Email | /private/var/mobile/Library/Mail |
| Photo | /private/var/mobile/Media/DCIM |
| Recording Media | /private/var/mobile/Media/Recordings |
| LINE History | talk.sqlite |
| WhatsApp History | ChatStorage.sqlite |
Under the default setting, the iPhone records the user's GPS location regardless of whether the user has installed any GPS-related app; it is a compulsory function of the system. In this research we can reveal the GPS traces hidden in the iPhone to check the movements of the suspect. We can also reveal erased SMS messages on the cloud forensics platform.
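The report step above has two parts a practitioner will want to see in code: an integrity inventory of the artifact files listed in Tab. 2 (so a copy on the cloud platform can be checked against the original acquisition), and recovery of an SMS row that was deleted but whose bytes still sit inside sms.db. The example below is added here and is not the paper's or the platform's code. It constructs a stand-in for the user partition in a temporary directory, with a simplified sms.db schema (not Apple's real schema), constructed sample messages, a fake photo and a constructed binary plist of settings; the directory names under Library/ are assumptions, since Tab. 2 gives only the database file names. It also shows the failure mode of this recovery: when SQLite's secure_delete is ON, deleted cells are zeroed and carving finds nothing.

```python
"""Added example: artifact hashing and deleted-SMS carving on a constructed
stand-in for an iPhone user partition. Not code from the paper."""
import hashlib
import os
import plistlib
import sqlite3
import tempfile

# Paths relative to the user partition (/private/var/mobile). The database
# directories are an assumption of this example; Tab.2 gives file names only.
ARTIFACTS = {
    "SMS": "Library/SMS/sms.db",
    "Photo": "Media/DCIM",
    "Settings": "Library/Preferences/example.plist",  # hypothetical plist name
}
SAMPLE_MESSAGES = [  # constructed rows; simplified schema, not Apple's
    (1, "+15550100", "meet at the pier at nine"),
    (2, "+15550101", "bring the documents"),
    (3, "+15550102", "lunch tomorrow?"),
]
DELETED_ROWID = 2


def make_image(root, secure_delete=False):
    """Populate `root` with the constructed user-partition tree."""
    db_path = os.path.join(root, ARTIFACTS["SMS"])
    os.makedirs(os.path.dirname(db_path))
    con = sqlite3.connect(db_path)
    # SQLite zeroes deleted cells only when secure_delete is ON; with it OFF
    # the old record bytes stay in the page, which is what makes carving work.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE message(ROWID INTEGER PRIMARY KEY, address TEXT, text TEXT)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID = ?", (DELETED_ROWID,))
    con.commit()
    con.close()
    photo = os.path.join(root, ARTIFACTS["Photo"], "100APPLE", "IMG_0001.JPG")
    os.makedirs(os.path.dirname(photo))
    with open(photo, "wb") as f:
        f.write(b"\xff\xd8\xff\xe0constructed jpeg body")  # fake JPEG bytes
    plist = os.path.join(root, ARTIFACTS["Settings"])
    os.makedirs(os.path.dirname(plist))
    with open(plist, "wb") as f:  # settings are stored as a binary plist on iOS
        plistlib.dump({"LocationServicesEnabled": True}, f, fmt=plistlib.FMT_BINARY)
    return root


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """SHA-256 of every artifact file: equal digests on the cloud copy and the
    original acquisition mean the evidence bytes were preserved unchanged."""
    digests = {}
    for rel in ARTIFACTS.values():
        full = os.path.join(root, rel)
        files = [full] if os.path.isfile(full) else [
            os.path.join(d, n) for d, _, names in os.walk(full) for n in names]
        for p in files:
            digests[os.path.relpath(p, root)] = sha256_file(p)
    return digests


def live_sms(db_path):
    con = sqlite3.connect(db_path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY ROWID")]
    con.close()
    return rows


def carve_deleted_sms(db_path, candidates):
    """Texts found in the raw file bytes (freeblocks, unallocated page space)
    but absent from the live table: deleted yet still recoverable."""
    with open(db_path, "rb") as f:
        raw = f.read()
    live = set(live_sms(db_path))
    return [t for t in candidates if t not in live and t.encode("utf-8") in raw]


def read_settings(plist_path):
    with open(plist_path, "rb") as f:
        return plistlib.load(f)


def build_report(secure_delete=False):
    root = make_image(tempfile.mkdtemp(prefix="iphone_img_"), secure_delete)
    db_path = os.path.join(root, ARTIFACTS["SMS"])
    return {
        "hashes": inventory(root),
        "settings": read_settings(os.path.join(root, ARTIFACTS["Settings"])),
        "live_sms": live_sms(db_path),
        "recovered_sms": carve_deleted_sms(db_path, [m[2] for m in SAMPLE_MESSAGES]),
    }


if __name__ == "__main__":
    report = build_report()
    for rel, digest in sorted(report["hashes"].items()):
        print(digest[:16], rel)
    print("live SMS:", report["live_sms"])
    print("recovered (deleted) SMS:", report["recovered_sms"])
    print("with secure_delete=ON:", build_report(secure_delete=True)["recovered_sms"])
```

The carving here uses known candidate strings, which keeps the example short; a real platform scans freeblocks and freelist pages for record structures instead. The secure_delete=ON run is the check worth keeping: it shows that recovery depends on the database engine's deletion behaviour, not on the examiner's tooling.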
5. Conclusion
This research uses the powerful processing ability of the cloud to conduct the preservation, extraction, examination and analysis, and reporting of digital evidence, saving examination and analysis time with the self-developed cloud forensics platform prototype. The file system of the cloud server uses a high-speed disk system and has a highly available backup mechanism, so copying digital evidence is faster than on a normal PC. The research compares copying speed; the test subject is the digital evidence image of a 15 GB iPhone. The test results are shown in Tab. 3.
Tab.3. Compare Clone Evidence File Speed between PC and Cloud Forensic Platform

| Elapsed time | PC | Cloud Forensic Platform |
| Test 1 | 6 min | 11 sec |
| Test 2 | 7 min | 12 sec |
| Test 3 | 6 min | 11 sec |
| Result | slow | very fast |
We can't view the actual contents of the extracted digital evidence files without decrypting them. The research compares a PC with the cloud server on the time needed for decryption; the results are on the left of Tab. 4. The decrypted files must then go through examination and analysis to extract useful information, so we also compare the time needed for examination and analysis; the results are on the right of Tab. 4. In both tests the subject is the physically extracted image of a 15 GB iPhone.
Tab. 4. Compare Decryption and Analysis Speed between PC and Cloud Forensic Platform

Decryption Speed:
| Test times | PC | Cloud Forensic Platform |
| Test 1 | 30 min | 20 min |
| Test 2 | 32 min | 21 min |
| Test 3 | 31 min | 20 min |
| Result | slower | fast |

Evidence Analysis Speed:
| Test times | PC | Cloud Forensic Platform |
| Test 1 | 31 min | 10 min |
| Test 2 | 30 min | 8 min |
| Test 3 | 33 min | 11 min |
| Result | slower | fast |
6. References
[1] Apple, Apple Press Info, 2013 (available online at http://www.apple.com/pr/products/iphone/iphone.html).
[2] Apple, "iOS Security," Oct 2012 (available online at http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf).
[3] Hoog & K. Strzempka, iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices, Syngress, Waltham, 2011.
[4] B. Iqbal, A. Iqbal & H. A. Obaidli, "A novel method of iDevice (iPhone, iPad, iPod) forensics without jailbreaking," in Innovations in Information Technology (IIT), 2012 International Conference on, IEEE, 2012, pp. 238-243.
[5] ComScore, "U.S. Smartphone Subscriber Market Share 2013," February 2013 (available online at http://www.comscore.com/Insights/Press_Releases/2013/4/comScore_Reports_February_2013_U.S._Smartphone_Subscriber_Market_Share).
[6] C. Halbronn & J. Sigwald, iPhone Security Model & Vulnerabilities, HITB KL, 2010 (available online at http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbkl-iphone.pdf).
[7] Gartner, Gartner Says Worldwide PC, Tablet and Mobile Phone Combined Shipments to Reach 2.4 Billion Units in 2013, April 2013 (available online at http://www.gartner.com/newsroom/id/2408515).
[8] iOS Developer Library, iOS Technologies, 2012 (available online at http://developer.apple.com/library/ios/#documentation/miscellaneous/conceptual/iphoneostechoverview/Introduction/Introduction.html).
[9] M. Bader & I. Baggili, "iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup Utility," Small Scale Digital Device Forensics Journal, 4 (1), September 2010.
[10] M. Rogers, "It's for you!: an iPhone development primer for the busy college professor," Journal of Computing Sciences in Colleges, 25 (1), pp. 94-101, October 2009.
[11] P. Mell & T. Grance, The NIST Definition of Cloud Computing, NIST, 2011.
[12] S. Brothers, "iPhone Tool Classification," 2007 (available online at http://www.appleexaminer.com/iPhoneiPad/ToolClassification/ToolClassification.html).
[13] S. Morrissey, iOS Forensic Analysis: for iPhone, iPad, and iPod touch, Apress, New York, 2010.
[14] The Sleuth Kit, Autopsy, 2010 (available online at http://www.sleuthkit.org/autopsy/desc3.php).
[15] J. Zdziarski, Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It, O'Reilly Media, California, 2012.
[16] J. Zdziarski, iPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets, O'Reilly Media, California, 2008.