5 iOS forensics evidence sources to capture before they expire
Time is always critical when dealing with criminal investigations, but did you know that some iOS forensics evidence will be lost entirely if it isn’t extracted within a certain window of opportunity?
To help avoid any lost data during mobile forensic data extraction, we have outlined the best iOS evidence sources to capture before expiration, their impact on your case, and some steps to ensure timely data retrieval.
Why some mobile data expires
To help manage the storage capacity of devices, Apple’s iOS has built-in timelines to purge data that is no longer in use. While this is handy for the average iPhone user, it can have a considerable impact on iOS forensics investigations. Without timely mobile forensic data extraction, key evidence can be lost, potentially impacting investigations. Losing valuable iOS evidence sources could hamper your ability to identify actionable intelligence that leads to more physical evidence.
What you will be missing if you don’t extract as soon as you can
Below are some of the best iOS evidence sources to capture before expiration in approximately one month or less and how those insights can make a difference in your investigations.
1. Cached Locations – 7-day expiration
Knowing where a crime was committed—and the activities leading up to or following the incident—can unlock additional physical evidence. Cached locations can be used to identify where the device was around the time of the crime. Extracting this data promptly during mobile forensic data extraction allows investigators to see if there were CCTV cameras that could be acquired before they also expire.
2. KnowledgeC and BIOME data – 28-to-30-day expiration
KnowledgeC and Biome artifacts provide important insight into a user’s actions in mobile applications. This data is essential in iOS forensics and can provide insight into how a user interacted with their digital device within any given timeframe. Uncovering what applications have been used during specific times of the day—even if the application has been deleted—can help support pattern-of-life analysis that can be correlated to other evidence sources.
3. Deleted Photos – 30-day expiration
Incriminating images that have been captured on a phone will often be moved to the deleted folder but may not be fully removed from the mobile device. These files can be a great source of evidence showing the suspect, victim or other evidence related to a crime with valuable time and location metadata.
4. Deleted iMessages – 30-day expiration
When clearing communications from a device, suspects can be hasty and may not remove messages and media completely. What remains can provide detailed accounts of conversations related to a crime, or connect and expand the pool of suspects through conversation trails related to planning, executing or covering up a crime.
* Regular deleted messages will persist for 30 days; however, iOS also offers user-configurable auto-expiration settings that can change how long messages are kept before automatic deletion to 30 or 365 days.
5. Safari History – 30-day expiration
Internet activity is a key component of iOS forensics and often provides indications of an individual’s actions around planning a crime, checking on the authorities’ awareness of a crime, or steps taken to obfuscate their actions. These indications can lead to additional evidence sources or further reinforce the timeline and planning of an offense.
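The retention windows above only matter relative to when the data of interest was created: a device seized ten days after an incident has already lost the cached locations from the day of the incident, while its Safari history still has weeks left. The following triage helper is an added example, not code from the article or from Magnet Forensics. It uses the retention windows stated above, assumes each window is counted from the incident date, treats the 28-to-30-day KnowledgeC/Biome window conservatively as 28 days, and lets an examiner override the iMessage window when the user’s Keep Messages setting is known.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention windows (in days) as stated in the article. The 28-30 day
# KnowledgeC/Biome window is taken at its lower bound to stay conservative.
VOLATILE_ARTIFACTS = {
    "Cached locations": 7,
    "KnowledgeC / Biome": 28,
    "Deleted photos": 30,
    "Deleted iMessages": 30,
    "Safari history": 30,
}


@dataclass
class ArtifactStatus:
    name: str
    retention_days: int
    expires_on: date   # last day data from the incident date is expected to survive
    days_left: int     # negative means the window for the incident date has already closed


def triage(incident_date, as_of, overrides=None, retention=VOLATILE_ARTIFACTS):
    """Rank volatile artifacts by urgency for a device holding data from incident_date.

    Assumption (not from the article): each window is measured from the date the
    data was created, so data created on incident_date is expected to survive
    until incident_date + retention_days. `overrides` maps an artifact name to a
    different window, e.g. {"Deleted iMessages": 365} when the user's Keep
    Messages setting is known to be one year.
    """
    windows = dict(retention)
    windows.update(overrides or {})
    statuses = []
    for name, days in windows.items():
        expires_on = incident_date + timedelta(days=days)
        statuses.append(ArtifactStatus(name, days, expires_on, (expires_on - as_of).days))
    # Most urgent (fewest days left, or already lost) first; ties keep table order.
    statuses.sort(key=lambda s: s.days_left)
    return statuses


def already_lost(statuses):
    """Names of artifacts whose window for the incident date has closed."""
    return [s.name for s in statuses if s.days_left < 0]


def due_within(statuses, days):
    """Names of artifacts still present but expiring within `days` days."""
    return [s.name for s in statuses if 0 <= s.days_left <= days]


def format_report(statuses):
    """Human-readable triage sheet, one line per artifact."""
    lines = []
    for s in statuses:
        if s.days_left < 0:
            state = f"LOST {-s.days_left} day(s) ago"
        else:
            state = f"{s.days_left} day(s) left, extract by {s.expires_on.isoformat()}"
        lines.append(f"{s.name:<20} ({s.retention_days:>3}d window): {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: incident on 1 March 2024, device reaches the lab on 10 March 2024.
    report = triage(date(2024, 3, 1), date(2024, 3, 10))
    print(format_report(report))
    print("Already lost:", already_lost(report))
    print("Due within 21 days:", due_within(report, 21))
```

Run with the constructed dates, the sheet shows cached locations from the incident day already gone, KnowledgeC/Biome as the next deadline, and the three 30-day sources grouped behind it; passing `overrides={"Deleted iMessages": 365}` moves iMessages to the bottom of the list when the user had Keep Messages set to one year.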
Best practices for processing mobile devices
Chad Gish recently joined Magnet Forensics as a Forensic Consultant after spending 26 years with the Metro Nashville Police Department, where he oversaw the design, construction and management of MNPD’s state-of-the-art digital forensic lab. He shares:
“To ensure we captured the most data possible, we aimed to process devices immediately when we could, and when that wasn’t possible, within 3-5 days of those devices coming into the lab. As the size of these devices has continued to grow over the years, reaching hundreds of gigabytes, this has become increasingly challenging. To help the MNPD team keep on top of extracting the mobile devices coming into the lab, we added Graykey Fastrak to accelerate the rate of our extractions with faster, simultaneous extractions that we can run on our existing computers/workstations.”
There are many times when it isn’t possible to process mobile devices within these windows, whether because extraction support for the device’s operating system version is not yet available, or because of when the device was acquired relative to the date the crime was committed. If it isn’t possible to process the device right away, some steps that can be taken to preserve the data on the phone include:
- Place the phone in airplane mode and secure it in a Faraday bag (especially when an eSIM is used).
- Turn off all radios on the phone including Bluetooth and Wi-Fi.
- To maximize data retrieval, keep the device connected to a steady power source.
Building your mobile data extraction capabilities
Staying on top of the influx of mobile devices and the constantly growing storage capacity of these devices can be extremely challenging. iOS forensics solutions like Magnet Graykey and Axiom provide a streamlined workflow that ensures efficient mobile forensic data extraction and analysis. When you need to scale up your mobile processing, Graykey Fastrak provides a simple, fast, and efficient solution for extracting data from multiple mobile devices simultaneously, scaling up the capabilities of your existing Graykey.
To learn more about the mobile solutions available from Magnet Forensics, reach out to your sales representative at sales@magnetforensics.com.