
iPhone 6 post wipe data

7 Posts
4 Users
0 Likes
1,678 Views
(@hsteward)
Posts: 7
Active Member
Topic starter
 

I am processing an iPhone 6 with iOS 8.0.2 that I am told contained pretty crucial information to a criminal investigation. Homicide Detectives obtained legal authority to look into the accomplice's phone and did so, documenting what they "saw," and seized the phone. Detectives failed to take the phone off the network (airplane mode, etc.) and when they went back to look at the phone, noticed that it was at the start/set-up screen. The owner of the phone was not in the position to remote wipe the phone, but it is believed that the suspect did, along with the suspect's iPhone 5s.

What is done is done at this point and I understand the pictures and text messages are gone. I am processing the phone in Cellebrite Physical Analyzer and I am trying to determine when the remote wipe command was sent. I looked at the system files' creation dates and I am obtaining a pretty clear picture of an approximate date/time. I noticed a couple of .plist files that I thought were interesting and didn't know if they had substantial meaning:

library/preferences/com.apple.icloud.findmydeviced.plist (MAC times all the same, possibly the wipe time)

library/preferences/com.apple.icloud.findmydeviced.postwipe.plist: the creation and modified dates are the same (Dec 2014), but the last accessed time is really close to the system creation dates of when I believe the wipe command was sent (January 2015).

I have tried googling the plists above with nothing found. A coworker viewed them in a plist editor, still nothing other than MAC dates/times.

Cellebrite can't get a physical of this phone, but I was wondering if anyone out there knew of any file locations on the phone that can give a more definitive answer as to when, where, and how the command was sent. Now looking at evidence tampering, but I'm not sure how far that will fly. Thanks for your input in advance.

 
Posted : 30/01/2015 7:11 pm
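The approach described in the post (reading the MAC times of the preference plists and looking for the burst of creation timestamps left behind when iOS re-provisioned itself after the wipe) can be turned into a small timeline script. The following is an added example, not code from the original post or from Cellebrite; the file paths beyond the two named in the post, and every date and time, are constructed sample data standing in for a file-system metadata export from a logical extraction. It clusters creation times, takes the largest cluster as the post-wipe set-up window, and then flags files that predate that window but were accessed or modified inside it, which is the pattern the post describes for the postwipe.plist.

```python
from datetime import datetime, timedelta

# Constructed sample of file-system metadata as an examiner might export it
# from a logical extraction: (path, created, modified, accessed).
# Dates, times and the paths other than the two findmydeviced plists are made
# up for this example and do not come from any real device.
SAMPLE_RECORDS = [
    ("library/preferences/com.apple.icloud.findmydeviced.plist",
     "2015-01-14 03:12:05", "2015-01-14 03:12:05", "2015-01-14 03:12:05"),
    ("library/preferences/com.apple.icloud.findmydeviced.postwipe.plist",
     "2014-12-02 10:41:30", "2014-12-02 10:41:30", "2015-01-14 03:12:07"),
    ("library/preferences/com.apple.springboard.plist",
     "2015-01-14 03:12:09", "2015-01-14 03:12:09", "2015-01-14 03:15:00"),
    ("library/preferences/com.apple.mobilephone.plist",
     "2015-01-14 03:12:11", "2015-01-14 03:12:11", "2015-01-14 03:12:11"),
    ("library/preferences/com.apple.Preferences.plist",
     "2015-01-14 03:12:12", "2015-01-14 03:12:12", "2015-01-14 03:12:12"),
    ("library/preferences/com.apple.purplebuddy.plist",
     "2015-01-14 03:14:40", "2015-01-14 03:14:40", "2015-01-14 03:14:40"),
    ("library/preferences/com.apple.legacy.plist",
     "2014-09-20 08:00:00", "2014-09-20 08:00:00", "2014-09-20 08:00:00"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_records(rows):
    """Turn the exported text timestamps into datetime objects."""
    return [(path, datetime.strptime(c, FMT), datetime.strptime(m, FMT),
             datetime.strptime(a, FMT)) for path, c, m, a in rows]


def creation_clusters(records, window=timedelta(minutes=10)):
    """Group creation timestamps that fall within `window` of the cluster
    start. Returns a list of (start, end, count) tuples ordered by start."""
    times = sorted(rec[1] for rec in records)
    clusters = []
    start = end = times[0]
    count = 1
    for t in times[1:]:
        if t - start <= window:
            end, count = t, count + 1
        else:
            clusters.append((start, end, count))
            start = end = t
            count = 1
    clusters.append((start, end, count))
    return clusters


def estimate_setup_window(records, window=timedelta(minutes=10)):
    """The largest burst of file creations is the best estimate of when the
    OS rebuilt its preference files, i.e. shortly after the wipe completed.
    This bounds the wipe time; it does not show who sent the command."""
    return max(creation_clusters(records, window), key=lambda c: c[2])


def files_touched_in_window(records, start, end, slack=timedelta(minutes=10)):
    """Files created before the set-up window but accessed or modified inside
    it: these survived the wipe (or were restored) and were read by the
    set-up process, so they deserve a closer look."""
    lo, hi = start - slack, end + slack
    return [path for path, c, m, a in records
            if c < lo and (lo <= a <= hi or lo <= m <= hi)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    start, end, count = estimate_setup_window(recs)
    print(f"Post-wipe set-up window: {start} to {end} ({count} files created)")
    for path in files_touched_in_window(recs, start, end):
        print("Pre-existing file touched during set-up:", path)
```

On the constructed data the script reports a set-up window on 2015-01-14 between 03:12:05 and 03:14:40 and singles out the postwipe.plist as a pre-wipe file read during set-up. With a real case the record list would be loaded from the tool's file-system export instead of the inline sample, and the window only brackets when the device re-provisioned; as the replies in this thread point out, records from Apple or the account holder's email are what establish when and from where the command was issued.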
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I suspect that a warrant to Apple would give this information, possibly with info recording what device/or IP did it.

Also, when the phone was wiped the Find My iPhone service has to be disabled - this will result in an email to the user informing them that this has happened - so check the user's email account if you can.

 
Posted : 30/01/2015 7:17 pm
(@hsteward)
Posts: 7
Active Member
Topic starter
 

I will forward the info along. Thanks for the quick response.

Harry

 
Posted : 30/01/2015 7:25 pm
(@vootz)
Posts: 27
Eminent Member
 

Harry,
There is a writeup on the BlackBag Technologies blog (google "iphone forensics wiped iphone"). They mention some indicators and files to look for, such as the .obliterated file.
-Mike

 
Posted : 30/01/2015 7:33 pm
(@hsteward)
Posts: 7
Active Member
Topic starter
 

Thanks Mike

I did read this article, which is how I am basing my approximate wipe date/times.

Unfortunately this is an iPhone 6 with iOS 8.x, and my only tool available at this point is Physical Analyzer, which does not get a physical, only a logical; such an oxymoron, ha.

Therefore the more definite answer that I'm looking for, such as the ".obliterated" file, may not be possible in my case. I was just wondering if anyone else had experienced something similar.

From BlackBag:

At the time of this writing, the only devices that examiners can consistently and successfully image using commercial imaging tools are the iPhone 4 (and older), iPad 1, and iPod Touch 4th generation (and older) devices running iOS 6.1.2 or earlier.

I like all the help here; these criminals are getting pretty savvy. I have been doing cell phone exams for over 5 years and this is the first data loss we have had, but had the case Detective followed proper protocols, it could have been avoided. During the search warrant, occupants in the house semi-barricaded themselves for about 10 minutes and then came out. It turns out they were smashing their phones and submerging them in water, etc. I was still able to get data off of a submerged Android.

 
Posted : 30/01/2015 7:56 pm
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

Hsteward,
The sad part in this is that many do not actually know the protocols for isolating a device. Additionally, there is some "it won't happen in my case" mentality.

My department just experienced this with an iOS device that also contained some critical info. The user of the device provided his passcode on arrest. After the fact, an investigator wanted to write a warrant and thought he would obtain the serial number of the device from inside the phone rather than just listing the complaint number and property item number.

They cranked up the phone from the "compliant person willing to provide the passcode" and "POOF."

Just thought I would throw in a question here as well. If someone were to activate a wipe code through their Find My iPhone app, how long does that code attempt to communicate with the device? 30 days, 1 year, or is there no time limit?

 
Posted : 31/01/2015 1:06 am
(@hsteward)
Posts: 7
Active Member
Topic starter
 

That was the case Detective's response: "I heard that it was possible, but it never actually has happened." Live and learn.

In response to the time frame, I would guess once the owner reports it lost/stolen, it would stay that way until the owner changes the status, but I would purely be speculating. Because if there isn't cellular service and the phone connects through wifi, I could see the potential there. We are given "lost/found" Apple devices that are not evidence all the time from our property custodians, and I will turn them on to find the device is locked and to contact so-and-so at a phone number.

 
Posted : 31/01/2015 1:29 am