EnCase Forensic 7.09: iOS Investigations Out of the Box

Ken Mizota

Most investigators are familiar with the capabilities of EnCase® Forensic as a tool for investigation of desktops, servers, and hard drives, but did you know that ever since EnCase Forensic v7 was introduced, it has provided support for smartphone operating systems out-of-the-box? In Version 7.09, the latest release, EnCase improves smartphone acquisition, analysis and reporting capabilities by adding support for iOS 7 devices.

As you likely know, the mobile device market is dominated by iOS and Android devices. Over 90 percent of the world's smartphone users have an Apple- or Google-powered device. However, even within the majority, there are multiple factors that investigators like you must consider and ultimately deal with, including:

  • Smartphone operating system versions vary greatly as new technology is adopted at different rates by mobile device consumers.
  • New devices and hardware capabilities are updated constantly.
  • Data may be presented to you in a number of ways, requiring you to ask:
    • Should a physical image be obtained or will a logical image suffice?
    • Is it even possible to acquire a physical image without rooting and affecting the contents of the phone dramatically?
    • What apps are on the device?
    • How can data be accessed from a backup?
    • What if the backup is password-protected?

All of this makes the task of investigating mobile devices very complex. To complicate matters even further, it’s now commonplace for a case to involve tablets, smartphones, desktops, laptops, and network servers. EnCase Forensic v7 gives you a wide array of tools and techniques to reduce complexity and help you find the most evidence possible.

iOS Investigations Within Reach

Today's investigators can use EnCase Forensic 7.09 to acquire logical data from iOS devices in the same way that specialty mobile device investigation tools handle the task. For iOS devices in particular, logical acquisition is the only way to perform acquisition without materially altering the device (i.e., without jailbreaking it).

You can connect an iOS 7 device to EnCase Forensic v7.09 via USB cable to obtain deleted SMS messages, chats, browser history, contacts, call logs, and even app data from Apple Maps and Google Plus. This may sound like a simple concept, but consider the following: most digital investigators do NOT have a dedicated mobile device examination tool on hand at all times. When we consider that many investigators have ready access to EnCase, the value of having built-in smartphone analysis capabilities, always at the ready wherever EnCase Forensic is installed, becomes immediately apparent.

Simply add evidence to your case…




…connect the device, set your acquisition options…



Once the smartphone is analyzed, you can view comprehensive reports and perform keyword searches across all evidence, including mobile devices or desktops or laptops. You can view location information like map locations, phone locations, and geo-tagged images directly in tools like Google Earth.



Password-protected iTunes Backups

Investigators don't always have physical access to the iOS device. Maybe the only evidence available to you is an iTunes backup, and iTunes users are able to password-protect their backup files. With EnCase Forensic 7.09, you can now acquire protected or unprotected iTunes backups with appropriate credentials. This capability is typically seen in purpose-built mobile device investigation or password-recovery tools, but on a day-in, day-out basis, having this capability in every EnCase Forensic install can be handy in a pinch. In fact, it can mean the difference between having data to examine or not.

Efficient Multi-device Investigations

Today’s investigations may include a diverse set of technology, including smartphones, USB drives, RAID’ed network-attached storage, as well as traditional hard drives in desktops and laptops. All of the data collected in the investigation may be in different containers, but it’s all related to the subject being investigated. Performing common investigative tasks like keyword searches or even review of internet history takes time to complete across multiple tools. When the results are generated, you still have to take time to aggregate and create a final report. Could it be simpler and more efficient to perform a single keyword search across ALL evidence?

The integrated smartphone analysis and reporting capabilities in EnCase Forensic v7 expand the power of common investigative tasks, such as keyword searching across an entire case and including all devices and all data. You can now perform searches across more types of data than ever before: registry hives on desktops, plists on iOS devices, and deleted files on reconstructed RAIDs are just a few examples. All of these results can be reviewed together, in context, then bookmarked and reported.

In the 15-year history of Guidance Software, EnCase Forensic has been consistently focused on giving you what you need to find the most potential evidence in the most efficient manner. With Version 7.09, all of us at Guidance Software hope investigators like you will begin to see the benefits of integrated mobile device investigation.

Please feel free to share feedback, questions, comments or concerns with me. I can be reached via email ken.mizota (at) guidancesoftware (dot) com or on Twitter @kenm_encase.
