Proposal / Submission Type
Peer Reviewed Paper
Location
Richmond, Virginia
Start Date
28-5-2014 11:20 AM
Abstract
In this paper, we present LiFE (Logical iOS Forensics Examiner), an open source iOS backup forensics examination tool. This tool helps researchers and practitioners alike both to understand the backup structures of iOS devices and to forensically examine iOS backups. The tool is currently capable of parsing device information, call history, voice messages, GPS locations, conversations, notes, images, address books, calendar entries, SMS messages, Aux locations, Facebook data and e-mails. The tool consists of both a manual interface (where the user is able to manually examine the backup structures) and an automated examination interface (where the tool pulls out evidence from known files). Additionally, LiFE is designed so that the evidence located in files retains its integrity. It is important to note that most of the evidence examined by LiFE is parsed from SQLite databases that are backed up by iTunes. LiFE also offers an extensibility option to the user: an examiner can add new evidence SQLite files to the application so that they are parsed automatically, and these known files are then automatically populated in the automated GUI’s toolbar with an icon of the investigator’s choosing.
Keywords: iOS forensics, Small Scale Digital Devices, iPhone forensics, iPad forensics, SQLite, Open source tools, iTunes backup, Extensible forensics software, File identification, LiFE
Scholarly Commons Citation
Baggili, Ibrahim; Awawdeh, Shadi Al; and Moore, Jason, "LiFE (Logical iOS Forensics Examiner): An Open Source iOS Backup Forensics Examination Tool" (2014). Annual ADFSL Conference on Digital Forensics, Security and Law. 9.
https://commons.erau.edu/adfsl/2014/wednesday/9
Included in
Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons