Monday, March 25, 2013

iPhone Forensics: iPhone and iPad Forensics in a BYOD Enterprise Environment / Mac, iPad, and iPhone Forensics and eDiscovery Experts | BlackBag Technologies

Posted on February 23, 2012 by BlackBag Training Team There have been 1 comment(s)

The personal use of iPhone and iPad devices among consumers has become quite widespread. But, until now, deployment of these devices in the enterprise environment has generally occurred less frequently. However, according to a ZDNet report (King 2011) published in October of last year, due to the popularity of Apple’s iPad 2 and iPhone 4 devices, this is rapidly changing, especially among entities within the Financial Services sector. Some public and private sector organizations are purchasing mobile devices for use within the organization; however, others are adopting “Bring Your Own Device” (BYOD) policies and practices.


While BYOD strategies are both convenient for individual workers and potentially more cost effective than corporate-sponsored widespread mobile device deployment, BYOD practices present concerns and challenges to management, IT and human resources professionals, and individuals themselves. Because BYOD iPhones and iPads contain both personal and corporate data, several security issues such as WiFi security, device authentication, malware protection, and data access control, as well as digital forensics, eDiscovery, privacy, and regulation compliance issues must be addressed.


To mitigate some of these risks and concerns, business entities are implementing various “Mobile Device Management” techniques, policies, and controls. In October 2011, Apple introduced the iOS5 platform, which includes features such as over-the-air configuration and control. Apple developed these features to specifically address and support Mobile Device Management in the enterprise environment. (Apple Computer, Inc. 2011)


Mac and iOS forensic examiners need to be aware of the differences they may encounter when examining a device used in a BYOD enterprise environment versus a device that is configured for personal use only. The settings and configurations an IT administrator applies to an iPhone or iPad device when integrating the device into an enterprise environment may change the way a user interacts with the device, and may drastically alter the way the iOS device appears upon examination.


Below are several key areas that a Mac and iOS forensic examiner must consider when seizing and analyzing a BYOD iPhone or iPad device.


Application Installations

Apple factory-installed applications on an iOS device used for personal purposes may or may not be visible on a BYOD device.  This does not necessarily mean that that an application has been removed or that the tasks these applications normally execute are not executing on the iPhone or iPad. Rather, the application may be hidden, disabled, or substituted with a proprietary enterprise application and/or configuration that is undertaking, limiting, or hiding an iOS factory installed application, service, or task. A Mac and iOS forensic examiner must also understand that IT administrators can install and provision custom enterprise applications without accessing the iTunes App Store.


WiFi Data Syncing and Backups

iPhone and iPad devices in a BYOD environment may not be set to sync exclusively to a particular computer or iTunes account as they might on a personal device. IT administrators can provision and activate an iOS device via a WiFi connection. Therefore, a Mac and iOS forensic examiner must determine whether backups are residing on a corporate server and/or one of Apple’s iCloud servers, and determine which data is corporate and which is personal. Information contained in device configuration files may help a forensic examiner make this determination.


User Data and Artifacts

A forensic examiner may fail to find history data for applications such as YouTube, Maps, App Store, and even Safari on a device used in a BYOD environment. This may suggest the presence of an enterprise configuration profile deployment that limits the use of these applications. The iMessage application is another iOS5 application that a Mac and iOS examiner must carefully understand. Using iMessage, a user may initiate a secure chat session on one device, and seamlessly transition a text-based conversation, or transfer audio, video and pictures to another device, even if the second device does not have standard SMS capabilities. An examiner must be aware that data from a single communication session may be found on more than one device, and communications may have taken place on or with devices that one would not expect to find SMS communications.


Data Authentication

iOS5 devices support wireless Windows Exchange Tasks syncing and Active Sync. Notifications, applications, updates, events, emails, etc. may be pushed to the iOS device. A forensic examiner must carefully determine and thoroughly understand the device’s settings, especially when illegal, illicit, and/or misappropriated material is discover in order to accurately report and defend examination findings. iPhone and iPad devices support S/Mime email encryption and SecureID two-factor authentication. An examiner must be familiar with both the strengths and vulnerabilities of these technologies in order to address evidence authenticity inquiries.


Data Preservation

A user or IT administrator may remotely wipe data from an iPhone or iPad device using more than one method in a BYOD environment that has deployed these iOS devices. A user can wipe the device using the ‘Find My iPhone’ feature on the device and the iCloud or MobileMe web application.  Alternatively, the user or an IT administrator can wipe the device using Microsoft Exchange Server.  Therefore, if the ‘Find My iPhone’ feature is inactive, removed, or hidden, it does not mean that the device cannot be remotely wiped.


More on Remote Data Wiping

A Mac and iOS forensic examiner should also be familiar with the remote data wipe procedure and process differences on a BYOD versus personal-use device.  The methods used to wipe the device may impact the time it takes to remotely wipe a device.  To enable the remote wiping feature on an iPhone or iPad device, a user must first set the Find My iPhone setting to the On position in the iCloud or MobileMe account device settings via Settings > Mail, Contacts, Calendars > MobileMe account settings.



To send a remote wipe signal to an iOS device, the user must sign into their or MobileMe account, or use Apple’s FindMyiPhone application from another iOS device. The target device must be also be on and connected to either a cell phone tower or a WiFi network.


To initiate an iOS device remote wipe from a Microsoft Exchange Server 2003 machine, a user or IT administrator uses the Exchange ActiveSync Mobile Administration Web Tool. A user or IT administrator may use the Exchange Management Console, Outlook Web Access application, or the Exchange ActiveSync Mobile Administration Web Tool to initiate a remote wipe from an Exchange Server 2007 machine. Again, the target device must be turned on and connected to either a cell phone tower or a WiFi network for the remote wipe to execute successfully.


A Mac or iOS forensic examiner must consider remote wipe execution times so they can properly protect data on these devices from destruction. When a user executes a data wipe on an original iPhone or iPhone 3G device, the data on the device is overwritten. Conversely and most importantly, when a user or IT administrator executes a data wipe on a BYOD-configured iPhone 4, iPhone 4S, or iPad, the “wipe” executes immediately via a data encryption key removal.  In both cases, when a remote wipe is instigated, Apple sends a confirmation email to the user’s primary Apple ID email address.



iPhone Configuration Utility

Extensive information about iOS Enterprise Deployment can be found on Apple’s website. (Apple Computer, Inc. 2011)  An examiner can also look to Apple’s iPhone Configuration Utility to further understand important custom iPhone and iPad BYOD configuration settings. The iPhone Configuration Utility for Mac OS X  and for Windows is available free of charge on Apple’s website.


Using the iPhone Configuration Utility, enterprise IT administrators can set policy and control iOS behavior via configuration profiles.  These configuration profiles are certificates that administrators download and install on the BYOD iPhone or iPad device. IT administrators can install configuration profiles in a way that makes it nearly impossible for a user to remove the profile from the iOS device.


Customizable settings and controls include:

• Passcode policy enforcement such as passcode strength, length, expiry, complexity (pin code vs. passcode), and history

•  Remote data wiping settings.

•  Acceptable YouTube, Safari, Mail, the App Store app, and iTunes application use.  As previously mentioned, IT administrators can limit these applications and even hide them from the user’s view. Again, just because an application is not visible, does not mean that it is not present on the device.

•  VPN configuration and network access controls.

•  Calendar subscriptions and access.

•  Custom enterprise application installation and provisioning profiles.

•  Push notification settings and controls.



Configuration Profile Location

iPhone Configuration Utility configuration profiles are contained in the Configuration Profiles folder here:


/mobile/Library/Configuration Profiles


iPhone Configuration Utility profile files have a *.stub extension.  An examiner can openthese binary .xml files from within the BlackLight forensic software or with any .plist viewing tool. The Configuration Profiles folder may contain a few or many configuration profile files depending on how extensively a user or IT administrator customized the iOS device settings.  Configuration profiles may include Trust Certificates that correspond to encryption-based tasks such as email encryption.  A forensic examiner  can open and examine these certificates in the same manner as they would the configuration profiles themselves.


If an enterprise has designed and installed a proprietary application, a Provisioning Profile file is present. A Provisioning Profile file contains an Apple Developer ID, which may be registered to the enterprise that created the custom enterprise application.



As enterprises increasingly deploy BYOD configured iPhone and iPad devices within their organizations, Mac and iOS forensic examiners are likely to encounter these devices more frequently. Additionally, as iPhone, iPad, and proprietary App Store application capabilities become more sophisticated, the level of customization and control that an enterprise can apply to these devices will evolve.  A Mac and iOS forensic examiner’s best ally is continued awareness of what enterprises can control on iPhone and iPad BYOD devices, and how these controls affect the iOS device usage.



Apple, Inc. Enterprise. 2012. (accessed February 21, 2012).

—. Mobile Device Management in iOS. October 2011. (accessed February 21, 2012).

King, Rachael. Between the Lines - ZDNet. October 20, 2011. (accessed February 21, 2012).

This post was posted in Forensic Software, Macintosh Forensics Tips and Tricks, iOS Forensics, iPhone Forensics, iPad Forensics, Computer Forensics Blog | BlackBag Technologies, iPhone and iPad Forensics eDiscovery Enterprise, Mac Forensics and was tagged with Free Forensic Software Tools, iOS Forensics, Macintosh Forensics Tips and Tricks, iPhone Forensics, iPhone Forensic Software, iPhone Forensics Tools, Forensic Software, iPad Forensics, Native iPhone Analysis, iPhone iPad Forensics BYOD, iPhone iPad eDiscovery BYOD

No comments:

Post a Comment