Forensic Analysis Using iLEAPP+iLEAPP Background Threads and Backend Processes
iLEAPP (iOS)
Mobile devices, particularly iOS devices such as iPhones and iPads, have become integral to
modern digital investigations due to the wealth of personal and sensitive information they store.
Forensic analysis of these devices is crucial in legal proceedings, corporate investigations, and
cybersecurity incidents. This report presents the findings from a forensic analysis conducted using
iLEAPP (iOS Logs, Events, And Properties Parser), an open-source tool designed specifically for
extracting and analyzing digital evidence from iOS devices.
The analysis was performed on a logical image of an iOS device using Kali Linux, focusing on
uncovering critical information such as email accounts, app usage patterns, Bluetooth
connections, downloaded software, search histories, login data, and chat information. These
artifacts provide invaluable insights into user activities, behaviors, and interactions, aiding
forensic examiners in reconstructing timelines, identifying digital footprints, and establishing
facts crucial to investigations.
The methodology employed ensured the preservation and integrity of digital evidence throughout
the process, adhering to established forensic practices. By leveraging iLEAPP’s capabilities, the
analysis aimed to extract actionable intelligence from complex data structures inherent in iOS
devices, demonstrating the tool’s efficacy in modern mobile forensics.
This abstract summarizes the significance of mobile forensics in extracting vital evidence from
iOS devices using iLEAPP, highlighting its role in enhancing investigative outcomes through
thorough data extraction and meticulous analysis.
4 Internals of iLEAPP
6 Extracted Information
9 References
Mobile forensics is a specialized field dedicated to recovering digital evidence from mobile
devices such as smartphones, Android devices, and tablets using established methodologies.
Unlike traditional digital forensics, which may focus on computers and servers, mobile
forensics deals exclusively with portable devices that store diverse information, including
text messages, web history, and location data. This wealth of data makes mobile devices
invaluable in law enforcement investigations.
Mobile devices play a crucial role in today's interconnected world, with billions of active
devices globally storing vast amounts of personal and sensitive information. Understanding
the scope of digital attacks often requires examining multiple devices to trace the origins
and spread of threats across networks. Mobile forensics provides essential insights into
these interconnected systems, enabling investigators to reconstruct events accurately and
comprehensively.
For instance, in a cybersecurity investigation, forensic analysts may track the activities of
a hacker who exploited a vulnerable mobile device to gain unauthorized access to a
network. Understanding how devices interact within the network ecosystem is essential for
piecing together the sequence of events and identifying vulnerabilities that may have been
exploited.
The mobile forensics process follows rigorous steps to ensure that evidence is properly
handled, analyzed, and presented in legal contexts:
1. Seizure: The process begins with the careful seizure of mobile devices as evidence.
Proper handling is crucial to preserve digital evidence and prevent tampering.
3. Analysis: Analysts then meticulously analyze the acquired data, extracting relevant
information while maintaining forensic integrity. This phase involves decoding and
interpreting data such as call logs, messages, application usage, and GPS
coordinates.
Features of iLEAPP
1. Cross-Platform Compatibility: Supports operation on diverse operating systems
that accommodate Python, ensuring flexibility in forensic workflows.
2. Comprehensive Parsing: Capable of parsing iOS full file system directories from
.tar files or decompressed contents, facilitating in-depth analysis of critical artifacts.
1. Preparation:
➢ Extract the contents of the "iOS Logical Image" folder, preparing the
logical image of the iOS device for analysis.
➢ Create a new folder named "iPhone" on the desktop to serve as the output
directory for parsed files and reports.
➢ Open the Kali Linux terminal and navigate to the directory where iLEAPP
is installed. Command: cd /path/to/iLEAPP
2. Using iLEAPP:
➢ Click "OK" to open the generated forensic analysis report in your default
web browser for detailed examination.
1. ileapp.py: Dictates the parsing functions and search patterns used to extract data
from the iOS device image.
2. search_files.py: Traverses through the .tar file or logical file system to locate and
extract relevant files for analysis.
3. ilapfuncs.py: Performs detailed analysis on extracted data, generating
comprehensive reports on user activities, application usage, notifications, and
system configurations.
The workflow involves extracting data from the iOS device image, parsing it using
predefined functions, and presenting findings in a structured report format.
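The workflow just described (traverse the image, match file paths against artifact search patterns, parse the hits, and compile a report) is illustrated below with an added, self-contained Python example. It is not iLEAPP's own code: the glob patterns, plist paths, plist contents and MAC addresses (taken from the 00:00:5E:00:53:xx documentation range) are all constructed for the demo, and the logical image is a small in-memory .tar archive built by the script itself.

```python
"""iLEAPP-style search, extraction and parsing over a logical image held as a
.tar archive (added illustration; not iLEAPP's own code). All paths, glob
patterns and plist contents are constructed for the demo."""
import fnmatch
import hashlib
import io
import plistlib
import tarfile

# Artifact name -> glob patterns matched against each tar member's path.
# These patterns are assumptions for the demo, not iLEAPP's real artifact list.
SEARCH_PATTERNS = {
    "bluetooth": ["*/Library/Preferences/com.example.bluetooth.plist"],
    "wifi": ["*/Library/Preferences/com.example.wifi.plist"],
}


def build_demo_image() -> bytes:
    """Build a tiny in-memory tar that stands in for the logical image.
    MAC addresses use the documentation range 00:00:5E:00:53:xx (constructed)."""
    files = {
        "private/var/root/Library/Preferences/com.example.bluetooth.plist":
            plistlib.dumps({"AdapterAddress": "00:00:5e:00:53:01",
                            "PairedDevices": ["Apple Pencil", "AirPods"]}),
        "private/var/preferences/Library/Preferences/com.example.wifi.plist":
            plistlib.dumps({"KnownNetworks": [
                {"SSID": "MyHomeWiFi", "BSSID": "00:00:5e:00:53:03"}]}),
        "private/var/mobile/Media/DCIM/IMG_0001.HEIC": b"not a real image",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def search_image(image: bytes, patterns: dict) -> dict:
    """Single pass over the archive: return artifact -> [(path, bytes)] for
    every regular file whose path matches one of the artifact's patterns."""
    hits = {name: [] for name in patterns}
    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            for name, globs in patterns.items():
                if any(fnmatch.fnmatch(member.name, g) for g in globs):
                    hits[name].append((member.name, tar.extractfile(member).read()))
    return hits


def parse_bluetooth(data: bytes) -> list:
    """Rows of (field, value) from the constructed Bluetooth plist."""
    plist = plistlib.loads(data)
    rows = [("Adapter MAC", plist.get("AdapterAddress", ""))]
    rows += [("Paired device", dev) for dev in plist.get("PairedDevices", [])]
    return rows


def parse_wifi(data: bytes) -> list:
    """Rows of (BSSID, SSID) from the constructed Wi-Fi plist."""
    plist = plistlib.loads(data)
    return [(net.get("BSSID", ""), net.get("SSID", ""))
            for net in plist.get("KnownNetworks", [])]


PARSERS = {"bluetooth": parse_bluetooth, "wifi": parse_wifi}


def run_analysis(image: bytes) -> dict:
    """Hash the image for the report header (to compare against the acquisition
    hash), then search, parse and collect rows per artifact with their sources."""
    report = {"image_sha256": hashlib.sha256(image).hexdigest(), "artifacts": {}}
    for name, found in search_image(image, SEARCH_PATTERNS).items():
        rows = []
        for path, data in found:
            try:
                rows.extend(PARSERS[name](data))
            except plistlib.InvalidFileException as exc:
                # A corrupt plist is recorded, not allowed to abort the whole run.
                rows.append(("parse error", f"{path}: {exc}"))
        report["artifacts"][name] = {"sources": [p for p, _ in found], "rows": rows}
    return report


def render_report(report: dict) -> str:
    """Plain-text report in the spirit of iLEAPP's per-artifact report pages."""
    lines = [f"Image SHA-256: {report['image_sha256']}"]
    for name, art in report["artifacts"].items():
        lines.append(f"\n[{name}] sources: {', '.join(art['sources']) or 'none'}")
        lines += [f"  {a}\t{b}" for a, b in art["rows"]]
    return "\n".join(lines)
```

Running `print(render_report(run_analysis(build_demo_image())))` prints the image hash followed by one block per artifact; the photo under DCIM never reaches a parser because no pattern matches it, which is the same selectivity the search-pattern step gives iLEAPP.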
Key Findings
The forensic analysis using iLEAPP yielded crucial insights into the activities and
interactions recorded on the iOS device. Key findings include:
3. Bluetooth Information:
➢ MAC Address of Bluetooth Adapter: 00:11:22:33:44:55
➢ Connected Bluetooth Devices: [Apple Pencil, AirPods]
4. Downloaded Software:
➢ Data: WhatsApp, Instagram, Facebook
5. Search Queries:
➢ Search for "fun flag games": 2023-05-15_08:30:45 UTC
6. Login Data:
➢ Password Details: [No password details found]
7. Downloaded Files:
➢ Source of boot.img: [Downloaded from X website]
9. WiFi Information:
➢ SSID for MAC Address 00:00:5e:00:--:03: MyHomeWiFi
➢ Source: Mobile Installation logs were parsed to identify installed applications and
their respective details.
➢ Key Findings: Identified applications include WhatsApp, Instagram, and
Facebook, installed on various dates.
Notifications Content
➢ Source: Notifications data from iOS versions 11, 12, and 13.
➢ Key Findings: Notifications received include messages from social media
platforms and email notifications, timestamped and categorized.
Application State
Bluetooth Information
When iLEAPP is launched, the first process involves initializing the environment and
setting up the necessary directories and configurations. This setup process includes:
One of the core functions of iLEAPP is to traverse the iOS file system to locate specific
files and directories that contain forensic artifacts. This process is managed by a
background thread that:
3. Artifact Extraction
Once the relevant files are located, another set of background threads is responsible for
extracting the artifacts. Each thread handles a different type of file, such as:
After the artifacts are extracted, the next step involves parsing and analyzing the data.
This is where the main analytical logic of iLEAPP comes into play. Background threads
perform specific tasks such as:
The parsed data is then compiled into comprehensive reports. A dedicated background
process handles report generation, ensuring that:
If iLEAPP is run with a graphical user interface (GUI), background threads are also
responsible for updating the UI with progress information. This includes:
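The design sketched in this section (worker threads handling artifacts, a report built from their output, and progress pushed to the UI) is illustrated with the added Python example below. It is modelled on the description above and is not iLEAPP's own code: the task names, the stand-in parser functions and the install dates are constructed for the demo. The point a tool author wants to see is that one failing parser is recorded and does not abort the run, and that progress counts arrive in order even though the work is concurrent.

```python
"""Worker-thread pipeline modelled on the description above (added
illustration; not iLEAPP's own code). Each artifact parser runs as a task,
a failing parser is recorded instead of aborting the run, and a progress
callback receives completion counts as a GUI progress bar would."""
import queue
import threading


def run_pipeline(tasks, worker_count=3, on_progress=None) -> dict:
    """tasks: list of (artifact_name, zero-argument callable returning rows).
    Returns artifact_name -> {"status": "ok", "rows": [...]} or
    {"status": "error", "error": "..."}."""
    todo = queue.Queue()
    for task in tasks:
        todo.put(task)
    results = {}
    state = {"done": 0}
    lock = threading.Lock()

    def worker():
        while True:
            try:
                name, parse = todo.get_nowait()
            except queue.Empty:
                return
            try:
                outcome = {"status": "ok", "rows": parse()}
            except Exception as exc:  # isolate one bad artifact from the rest
                outcome = {"status": "error", "error": f"{type(exc).__name__}: {exc}"}
            with lock:
                results[name] = outcome
                state["done"] += 1
                if on_progress:
                    on_progress(state["done"], len(tasks), name)

    threads = [threading.Thread(target=worker) for _ in range(worker_count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_tasks():
    """Constructed stand-ins for artifact parsers (not iLEAPP's functions)."""
    def parse_installed_apps():
        return [("WhatsApp", "2023-05-01"), ("Instagram", "2023-05-02")]

    def parse_corrupt_db():
        raise ValueError("file is not a database")

    def parse_empty_notifications():
        return []

    return [("installed_apps", parse_installed_apps),
            ("corrupt_db", parse_corrupt_db),
            ("notifications", parse_empty_notifications)]


def summarize(results: dict) -> dict:
    """Counts a report footer would show: parsed, failed, and parsed-but-empty."""
    ok = [n for n, r in results.items() if r["status"] == "ok"]
    return {"ok": len(ok),
            "failed": sum(1 for r in results.values() if r["status"] == "error"),
            "empty": sum(1 for n in ok if not results[n]["rows"])}


def run_demo():
    """Run the constructed tasks on two workers and capture the progress events."""
    progress = []
    results = run_pipeline(demo_tasks(), worker_count=2,
                           on_progress=lambda done, total, name: progress.append((done, total)))
    return results, progress
```

The lock around the result store and the counter is what keeps the progress sequence monotonic; without it two workers finishing at once could report the same count twice or interleave the writes to the result dictionary.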
Bluetooth Connectivity:
Discovering the MAC address of the Bluetooth adapter and connected devices has provided
crucial information about device interactions with peripheral equipment, potentially
linking devices or activities.
Downloaded Applications:
Records of installed applications such as WhatsApp, Instagram, and Facebook have
delineated the user's digital footprint, revealing interests and frequently used services.
Search History:
Specific queries, such as searches for "fun flag games" and articles related to legalities of
office romance, have offered insights into user interests and intentions, providing context
for investigative inquiries.
Forensic Significance
The findings underscore the critical role of iLEAPP in modern mobile forensics. By
decoding complex data structures and presenting actionable insights, iLEAPP enhances the
efficiency and reliability of digital forensic investigations. Its ability to extract and interpret
diverse data sources from iOS devices ensures thorough analysis, facilitating informed
decision-making in legal proceedings and corporate investigations.