As already mentioned, Physical Analyzer can be used not only for parsing different types of forensic artifacts from acquired images, but can also be used, for iOS devices, for performing both logical and physical types of extraction. Due to the fact that physical acquisition is actually only for older devices, the best option is an advanced logical acquisition.
We are going to acquire and analyze data from an iPhone running iOS 11.2.1:
- Connect the device through the appropriate cable to your workstation, make sure it's trusted with it, and launch Physical Analyzer.
- Go to Extract | iOS Device Extraction, and the iOS Device Data Extraction Wizard window will pop up:
- As we are dealing with a modern iOS device, let's choose Advanced Logical extraction. If the device is recognized, you'll see the device's name, its UDID, and also its iOS version:
- In our case, the iPhone's iTunes backup is protected with a known password, so the best method is Method 1:
- It's time to choose where the data will be saved; in our case, it's the root of the D: drive:
- Now the acquisition process will be started. Make sure the device is connected until the end of the process:
Once the extraction process is finished, the extracted data will be parsed with powerful Physical Analyzer plugins. As a result, you will get a set of artifacts divided into a number of categories:
The same can be said about the data files:
As you may have already noticed, there are red numbers in brackets—these are deleted records recovered by Physical Analyzer plugins. And it's not a miracle, as you already know, that deleted data can be recovered from SQLite databases, which are widely used in iOS.
Talking about SQLite databases again, there is another amazing feature of Physical Analyzer, which might be useful for adding custom artifacts to your mobile forensics reports and parsing unknown apps data—the SQLite wizard. You can find it under Tools | SQLite wizard.
Let's start by choosing a database. Of course, it's good to choose an app that isn't parsed by Physical Analyzer automatically; in our example, it's an app called Scan:
Make sure you have selected the Include deleted rows option; this will help to recover data automatically but, of course, it will increase the number of false positive records:
So, our app is used for scanning QR codes and contains four columns of interest—the scan date and time, latitude, longitude, and scan result. All of the rows are part of ZSCSCANEVENT:
You've already learned quite a bit about iOS timestamps and should recognize the format in ZTIMELESSCREATIONDATE, but even if you don't, SQLite wizard does it for you:
The generic model will suit any database, but also there are some existing Physical Analyzer models that can be used for typical content, for example, Chats or Contacts. In our case, we are using the generic model:
Once you've chosen the model and field types for the column, you can run the query and add the new parsed artifacts to your extraction and, afterward, to your report.