Collecting Forensic Data from Apple Devices

cyber forensics June 10, 2018

Kivu’s digital forensic professionals are seeing an ever-increasing number of Apple devices being used within organizations. Our forensic professionals have extensive Apple experience and have provided expert testimony on a number of legal cases involving Apple devices.

The Challenges of Collecting Data

Mac computers are known for having a secure delete function built into the system. This lets a user overwrite the computer’s free space 1, 7, or 35 times, making it impossible for forensic examiners to recover the deleted data.

Mac computers also come with a built-in encryption feature called FileVault. If the user enables FileVault, examiners cannot image or access the contents of the computer until the encryption is bypassed, either with the user’s password or through extensive workarounds involving memory analysis to extract candidate passwords. Some vendors claim to recover FileVault passwords, but this method is very expensive and may not produce the needed results.

iOS devices, such as iPhones and iPads, also present imaging challenges. Physical images are bit-for-bit copies of a device, and so include deleted data. Physical acquisition of certain iPhone models is not possible because of Apple’s encryption. To bypass the encryption, an examiner would need to jailbreak the device. This is a risky approach, since jailbreaking could destroy existing evidence and leave the device unusable and inaccessible.

If physical acquisition of a particular iOS model is not possible and jailbreaking is not feasible, a logical acquisition may suffice. The primary limitation of logical acquisition is that certain data cannot be extracted for analysis, including deleted data, emails, cache files, and geo-location data. This, of course, is a major issue for forensic examiners.

Apple Forensic Tools

The digital forensic professionals at Kivu Consulting are experts in forensically imaging and preserving Apple device data. Our forensic analysts are trained and certified in the industry-leading tools used to image and analyze Apple devices, such as MacQuisition, EnCase, Cellebrite, FTK Imager, and BlackLight.

For Mac computers, MacQuisition supports live data acquisition, targeted data collection, and forensic imaging. The tool can acquire over 185 different Macintosh computer models and provides a built-in write-blocker to preserve the original data.

Kivu uses tools such as EnCase, FTK Imager and BlackLight to analyze Macintosh forensic images, as well as to image and analyze iOS mobile devices. Our forensic experts hold the EnCase Certified Examiner and Certified BlackLight Examiner certifications, offered by EnCase and BlackBag Technologies.

Selected Kivu Engagements and Expert Testimony

Kivu Consulting has worked on and testified in various nationwide cases involving Macintosh computers and iOS mobile devices:

  • A construction company was investigating a sexual harassment claim. The client was using an iPhone and iPad. These devices were collected, imaged, and analyzed for evidence of communication between the user making the claim and the client, as well as any inappropriate photos that may have been taken using the devices.
  • Kivu assisted multiple law firms with cases involving theft of intellectual property. These law firms reached out to Kivu for iPhone acquisition and forensic analysis to determine device activity, such as applications used, browsing, text messages and calls within a specific timeframe.
  • Kivu investigated and analyzed multiple MacBook Pro devices for an accounting firm, to determine if unauthorized users gained access to the devices and exfiltrated data.
  • Kivu has testified in a federal class action suit involving Apple. Multiple people claimed that Apple billed them twice for the same iTunes songs. They said that the songs they originally downloaded were not accessible in iTunes, so they downloaded the songs again and were billed a second time. Kivu conducted forensic analysis on all Apple devices provided in the case to determine if multiple instances of the same songs were present on the computers and if the originally downloaded songs were, in fact, inaccessible to the users.
  • Kivu investigated multiple Mac devices for educational institutions to determine if students hacked the schools’ computer systems to acquire better grades.