With the widespread adoption of ubi

With the widespread adoption of ubiquitous smart
mobile devices (e.g. iOS and Android devices) and
their capacity to act as a general purpose computing
platform, they are increasingly seen as a potential
attack vector for cyber criminal activities.
Given the increase in mobile devices in everyday
life, digital forensics is increasingly being used in the
courts. The concept central to mobile (and generally,
digital) forensics is digital evidence [17].
Mobile forensics is the process of gathering
evidence of some type of an incident or crime that
has involved mobile devices. In such circumstances,
the expectation is that there has been some
accumulation or retention of data on the mobile
devices which will need to be identified, preserved
and analysed [13][14]. This process can be
documented and defined, and be used to uncover
evidence of a crime. There has also been an increased
interest in anti-mobile forensic techniques by
government agencies, the private sector and criminals
to securely conceal or destroy data. For example,
government agencies (especially those working in
national security and intelligence) and the private
sector would not want data stored on misplaced or
stolen mobile devices to be (forensically) recovered
by foreign government agencies, competing
businesses, and other actors with malicious intents;
and criminals would not want incriminating data to
be forensically recovered by law enforcement
agencies. Commonly used anti-forensics (also known
as counter forensics) techniques and methodologies
include secure data deletion, overwriting metadata,
avoiding detection, and trail obfuscation [1],[10][11].
While there is a wide range of smart mobile
devices, three main operating systems dominate the
market, namely Apple iOS, Google Android and RIM
Blackberry [12]. iOS devices will be the focus in this
paper. Using a 4-digit passcode or alphanumeric
password in iOS devices does little to protect a user’s
data on such devices during forensic examinations.
Native iOS applications do not encrypt files such as
photos, videos, SMS messages, and other documents
using passcode derivation. These files are associated
with the non-protection class key (the Class D key
commonly cited as Dkey), and, therefore, can be
decrypted without the knowledge of the passcode or
password of a locked device. When using native iOS
applications, file data protection is not a viable option
to effectively maintain data confidentiality as the data
partition and Class D keys are stored in the
Effaceable Storage. These keys are just designed to
be rapidly erased on demand and render the entire
volume cryptographically inaccessible at once.
There are also known problems in using standard
file deletion techniques. For example, the content of
the journal file can be indexed to search for the
metadata associated with the deleted files [4]. On iOS
devices, the metadata may contain per-files keys. The
technique described by Burghardt and Feldman [4]
requires a certain level of technical expertise and is
complicated by the fact that transactions in the
journal file are rapidly overwritten, which reduces the
chances of data discovery. However, data stored on
the iOS devices may still be recoverable if such
1
This is the authors’ pre-print version of the paper, and citation should be:
• D’Orazio C, Ariffin A and Choo K-K R 2014. iOS anti-forensics: How can we securely conceal, delete and insert data?. In 47th Annual
Hawaii International Conference on System Sciences (HICSS 2014), 6–9 January 2014, IEEE Computer Society Press [In Press] Electronic copy available at: http://ssrn.com/abstract=2339819
recovery or forensic activities were undertaken soon
after the data has been deleted. To provide a higher
level of data protection assurance, one could develop
customised applications that associate stored content
with data protection classes A, B, or C (see Table 1)
via the relevant API calls provided by Apple iOS
software development kits (SDKs)