Identifying the correct hardware model

Before examining an iPhone, identify the exact hardware model and the firmware (iOS) version installed on it. These two facts determine what evidence can be obtained and how. For example, in many cases the device passcode is required to obtain a filesystem or logical image, and even when physical acquisition is supported for the model, the passcode is still needed to decrypt passcode-protected artifacts such as emails and saved passwords. Depending on the iOS version, device model, and passcode complexity, it may be possible to recover the passcode by brute force; newer models enforce escalating delays between attempts in hardware, which limits what is practical.

There are various ways to identify the hardware of a device. The easiest is to read the model number (the "A" number) printed on the back of the device on older models, or shown under Settings | General | About on newer ones, and look it up in Apple's knowledge base. Details on identifying iPhone models can be found at https://support.apple.com/en-in/HT201296.

The firmware version of an iPhone can be found by opening Settings and navigating to General | About | Version, as shown in the following screenshot. Note both the version number and the build number in parentheses: the build identifies the exact release, which matters when checking tool support. The firmware enables the device's features and governs its general functioning:

The iPhone About screen, displaying firmware version 11.0.2 (15A421)

Alternatively, the ideviceinfo command-line tool from the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version. The library talks to the device's lockdown service over USB, and that service answers a limited set of queries (product type, iOS version, build, UDID) even when the device is locked by a passcode and has never trusted the examination workstation. A full record, and any access to the filesystem or backup services, requires the host to be trusted, which in turn requires the device to be unlocked. The easiest way to get the library is through Homebrew, a free and open source package manager for Apple's macOS.

To obtain the iPhone model and its iOS version information on macOS 10.12.6, follow these steps:

  1. Open the Terminal application.
  2. From the command line, run the following command to download and install Homebrew. This is the Ruby-based installer the book used at the time; Homebrew has since retired it in favor of a Bash installer, /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)", which is the command to use on a current system:
$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" < /dev/null 2> /dev/null
  3. Once it's installed, you are ready to install the libimobiledevice library:
$ brew install libimobiledevice
  4. Connect the iPhone to your Mac workstation using a USB cable and run the ideviceinfo command with the -s option. The -s (simple) option avoids automatic pairing, so it works on a locked device but returns only the keys lockdown exposes without trust:
$ ideviceinfo -s

The output of the ideviceinfo command displays the device identifier (UniqueDeviceID), the internal product type and hardware model (for example, ProductType and HardwareModel), and the iOS version and build (ProductVersion and BuildVersion), as shown here:

Output from libimobiledevice displaying firmware version 11.0.2 (15A421)

Free tools, such as iExplorer and others, will provide access to similar iOS device information on a Windows PC, as shown in the following screenshot. Both Mac and Windows methods for recovering iPhone device information will work on iPad devices as well. Here, iExplorer is being used to obtain device information from the iPhone:

iExplorer displaying iPhone identifiers

Every release of the iPhone comes with improved or newly-added features. As previously stated in this chapter, knowing the iPhone's details helps you understand the criticalities and possibilities of obtaining evidence from the iPhone. The examiner must know the model of the device to ensure that their tools and methodologies support that iPhone. They must determine the internal storage size of the iPhone to ensure that the evidence container is large enough for the entire forensic image. Most tools will not alert the examiner that there is not enough disk space on the evidence drive until space has run out. This will waste time and force the examiner to acquire the device a second time. Finally, the network capabilities of the device must be noted, so the examiner can properly isolate the device to prevent remote access or wiping during examination. This will be discussed further in Chapter 3, Data Acquisition from iOS Devices.
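The following script is an added example, not code from the book or from the libimobiledevice project. It ties together the ideviceinfo procedure above and the pre-acquisition storage check described in the previous paragraph: it parses the "Key: Value" lines that ideviceinfo -s prints, maps the ProductType identifier to a marketing name, and refuses to proceed when the evidence volume cannot hold a full image. The ideviceinfo output embedded in the script is constructed (the UDID is a placeholder), the model table is a small subset that should be checked against Apple's HT201296 article, and the 10% headroom figure is an assumption. The capacity figure fed to the space check would come from ideviceinfo -q com.apple.disk_usage (key TotalDiskCapacity), which requires a trusted host, or from the model specification tables below.

```shell
#!/bin/sh
# Added example (not from the book or libimobiledevice): parse `ideviceinfo -s`
# output, name the model, and check evidence-drive capacity before acquiring.
# SAMPLE_INFO is constructed test data; the UDID is a placeholder.

SAMPLE_INFO='BuildVersion: 15A421
DeviceClass: iPhone
DeviceName: iPhone
HardwareModel: D10AP
ProductType: iPhone9,1
ProductVersion: 11.0.2
UniqueDeviceID: 0000000000000000000000000000000000000000'

# info_key KEY -- read ideviceinfo output on stdin, print the value of KEY.
# Top-level keys are printed as "Key: Value"; only the first match is used.
info_key() {
    awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# model_name PRODUCTTYPE -- subset lookup for the identifiers of this era.
# Apple's HT201296 article is the authoritative list; extend as needed.
model_name() {
    case "$1" in
        iPhone5,1|iPhone5,2)   echo "iPhone 5" ;;
        iPhone5,3|iPhone5,4)   echo "iPhone 5c" ;;
        iPhone6,1|iPhone6,2)   echo "iPhone 5s" ;;
        iPhone7,1)             echo "iPhone 6 Plus" ;;
        iPhone7,2)             echo "iPhone 6" ;;
        iPhone8,1)             echo "iPhone 6s" ;;
        iPhone8,2)             echo "iPhone 6s Plus" ;;
        iPhone8,4)             echo "iPhone SE" ;;
        iPhone9,1|iPhone9,3)   echo "iPhone 7" ;;
        iPhone9,2|iPhone9,4)   echo "iPhone 7 Plus" ;;
        iPhone10,1|iPhone10,4) echo "iPhone 8" ;;
        iPhone10,2|iPhone10,5) echo "iPhone 8 Plus" ;;
        iPhone10,3|iPhone10,6) echo "iPhone X" ;;
        *)                     echo "unknown ($1)" ;;
    esac
}

# device_summary -- stdin: ideviceinfo output. Prints one line:
# "<marketing name> <ProductType> iOS <ProductVersion> (<BuildVersion>)"
device_summary() {
    info=$(cat)
    pt=$(printf '%s\n' "$info" | info_key ProductType)
    ver=$(printf '%s\n' "$info" | info_key ProductVersion)
    build=$(printf '%s\n' "$info" | info_key BuildVersion)
    printf '%s %s iOS %s (%s)\n' "$(model_name "$pt")" "$pt" "$ver" "$build"
}

# check_evidence_space CAPACITY_BYTES FREE_BYTES -- returns 0 when the
# evidence volume can hold a full image plus 10% headroom (assumed margin),
# 1 otherwise. Run it before acquisition: most tools only fail once the
# drive is actually full, which forces a second acquisition.
check_evidence_space() {
    needed=$(( $1 + $1 / 10 ))
    if [ "$2" -ge "$needed" ]; then
        echo "ok: need $needed bytes, have $2"
        return 0
    fi
    echo "INSUFFICIENT: need $needed bytes, have $2" >&2
    return 1
}

# Stand-alone run: query a connected device with --live when ideviceinfo is
# installed; otherwise use the constructed sample above.
if [ "${1:-}" = "--live" ] && command -v ideviceinfo >/dev/null 2>&1; then
    ideviceinfo -s | device_summary
else
    printf '%s\n' "$SAMPLE_INFO" | device_summary
fi

# Example: a 128 GB device against 100 GB free on the evidence volume
# fails the check and prints a warning.
check_evidence_space 128000000000 100000000000 || true
```

Feed the free-space figure from the evidence volume (for example, the available-bytes column of df for that mount point) as the second argument, and treat a non-zero return as a hard stop rather than a warning in an acquisition script.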

The following table shows the specifications and features of legacy iPhone models:

Specifications of legacy iPhone models

The later iPhone releases and features are shown in the following table:


One of the major changes in the iPhone 5, iPhone 5C, and iPhone 5S is the Lightning connector, which is used to charge and synchronize the device with the computer. Devices prior to the iPhone 5 use a 30-pin USB dock connector, whereas the newer iPhones use an 8-pin Lightning connector.

The most recent iPhone releases and features are shown in the following tables:


The iPhone models released after the second edition of the book are shown in the following table:

Again, some familiarity with iPhone device hardware will aid the examiner in determining how to handle the device during a forensic investigation. Models from the iPhone 3GS onward encrypt their storage in hardware, and from iOS 4 Data Protection ties file keys to the user's passcode; the original iPhone and iPhone 3G have no such encryption. Encrypted devices require additional steps during acquisition, if access is possible at all. The examiner must be prepared for all hurdles they may be required to clear during the acquisition and analytical stages of the investigation. In addition, knowing the capabilities of the iPhone, and both the iOS version it shipped with and the version currently installed, makes a difference to the data you will be able to recover from the device. Apple is not consistent with data storage locations across iOS versions, and an upgraded device can carry artifacts in the locations used by earlier releases. Thus, the examiner must know the original version installed when the phone was first in use to ensure that the forensic tools do not overlook data that could aid in the investigation. Topics such as iOS upgrades will be discussed in Chapter 5, iOS Data Analysis and Recovery.