
Research On Digital Forensic With IOS Devices

Posted on: 2014-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: Q Su
GTID: 2248330392461039
Subject: Computer application technology
Abstract/Summary:
iOS device forensics is widely used in the administration of justice, and the need for it is rising. Evidence discovered on smartphones may have a direct impact on the final verdict of a case. This paper focuses on iOS device forensics. The study covers extraction of the raw data image directly from the low-level NAND flash memory chips of iOS devices. Data recovery using the raw data image, and the extraction, parsing and authenticity identification of key documents, are also covered. Furthermore, experiments carried out on iOS devices under medium-low and heavy loads yield useful results on some key factors that affect data recovery results.

The main content of this paper is as follows:

First, by analyzing and comparing hardware and software data imaging techniques, we select the better approach, software data imaging, to extract the underlying NAND raw data. The difficulties encountered while implementing this module are as follows. First, a kernel patch is required so that the system is compatible with all existing iOS 3.x, 4.x, and 5.x operating systems. Second, a customized ramdisk is required when booting the device in order to bypass permission control, so that the system is compatible with both jailbroken and non-jailbroken devices at the same time.

Then, with the help of the extracted NAND raw data image, we wrote an iOS data recovery module to undelete potential evidence that has been deleted. Considering the important fact that NAND/NOR flash is read and written through the Flash Translation Layer (FTL), a handful of deleted data can be found. By digging into the low-level image, we noticed that a significant amount of data that the operating system layer considers thoroughly deleted still exists in the physical layer. The expired physical pages provide a valuable data source for data recovery. With reference to some similarities with data undeletion on solid state drives (SSDs), an algorithm implementing data recovery on iOS devices is designed. As a result, the final outcome of data recovery using low-level NAND images shows a significant improvement over the traditional approach, which uses file-system-layer images.

Finally, through analysis of the research data on data recovery rates with iOS devices, we come to certain useful conclusions. Repeated medium-low load and heavy load data recovery experiments confirm that the FTL of iOS devices adopts a slightly lazier garbage collection strategy than the average SSD. For the first time, our currently available experimental results clearly indicate that iOS devices do not adopt any of the proactive garbage collection strategies, such as TRIM or ITGC, that are widely adopted in new models of SSDs. The heavy load experiments measure that iOS devices only trigger the garbage collection mechanism to erase outdated blocks when the overall number of available blank pages falls below 6% of the total capacity (which equals 1 GB on an iPhone 4 16 GB GSM). This conclusion has a significant impact on forensic work.
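Why pages deleted at the file-system layer stay carvable from a raw NAND image until a lazy, threshold-triggered garbage collector erases them, shown as a toy model. This is an added example, not the thesis's recovery algorithm or the iOS FTL itself; the class and function names and the 16-block by 8-page geometry are constructed assumptions, and only the 6% free-page threshold comes from the abstract.

```python
class ToyFTL:
    def __init__(self, blocks=16, pages_per_block=8, gc_threshold=0.06):
        self.ppb = pages_per_block
        self.pages = [None] * (blocks * pages_per_block)  # physical page contents
        self.state = ["free"] * len(self.pages)           # free / valid / stale
        self.l2p = {}                                      # logical -> physical map
        self.gc_threshold = gc_threshold                   # 6% figure from the abstract

    def _program(self, lpn, data):
        ppn = self.state.index("free")                     # out-of-place write
        self.pages[ppn], self.state[ppn] = (lpn, data), "valid"
        self.l2p[lpn] = ppn

    def delete(self, lpn):
        ppn = self.l2p.pop(lpn, None)
        if ppn is not None:
            self.state[ppn] = "stale"                      # unmapped, bytes still in NAND

    def write(self, lpn, data):
        self.delete(lpn)                                   # an old copy becomes stale
        self._program(lpn, data)
        # Lazy strategy: collect only when free pages drop below the threshold.
        if self.state.count("free") / len(self.state) < self.gc_threshold:
            self.collect()

    def collect(self):
        for b in range(0, len(self.pages), self.ppb):
            idx = range(b, b + self.ppb)
            if all(self.state[i] != "stale" for i in idx):
                continue
            live = [self.pages[i] for i in idx if self.state[i] == "valid"]
            for i in idx:                                  # block erase destroys stale data
                self.pages[i], self.state[i] = None, "free"
            for lpn, data in live:                         # relocate surviving pages
                self._program(lpn, data)

    def carve_stale(self):
        # What a raw physical image still holds but a logical image cannot see.
        return [p for p, s in zip(self.pages, self.state) if s == "stale"]

def recoverable_after(extra_writes):
    """Write 40 records, delete 10, add load, count deleted records still carvable."""
    ftl = ToyFTL()
    for lpn in range(40):                                  # constructed sample data
        ftl.write(lpn, f"record-{lpn}")
    for lpn in range(10):
        ftl.delete(lpn)
    for n in range(extra_writes):
        ftl.write(1000 + n, "filler")
    return len(ftl.carve_stale())
```

With this geometry the ten deleted records survive any load up to 80 further page writes and vanish on the 81st, when free pages fall to 7 of 128 (below 6%).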
Keywords/Search Tags: iPhone, iOS Data Recovery, Low level NAND Imaging, Digital Forensic