Forensic Analysis Using

iLEAPP(IOS)

Under
Guide & Mentors
Research Report on iLEAAP
Shubam Pareek
Aniket Bachhas
Chinmay Maitre

Fellowship Program Under

DeepCytes
18/06/2024
 Abstract

Mobile devices, particularly iOS devices such as iPhones and iPads, have become integral to
modern digital investigations due to the wealth of personal and sensitive information they store.
Forensic analysis of these devices is crucial in legal proceedings, corporate investigations, and
cybersecurity incidents. This report presents the findings from a forensic analysis conducted
using iLEAPP (iOS Logs, Events, And Properties Parser), an open-source tool designed
specifically for extracting and analyzing digital evidence from iOS devices.

The analysis was performed on a logical image of an iOS device using Kali Linux, focusing on
uncovering critical information such as email accounts, app usage patterns, Bluetooth
connections, downloaded software, search histories, login data, and chat information. These
artifacts provide invaluable insights into user activities, behaviors, and interactions, aiding
forensic examiners in reconstructing timelines, identifying digital footprints, and establishing
facts crucial to investigations.

The methodology employed ensured the preservation and integrity of digital evidence
throughout the process, adhering to established forensic practices. By leveraging iLEAPP’s
capabilities, the analysis aimed to extract actionable intelligence from complex data structures
inherent in iOS devices, demonstrating the tool’s efficacy in modern mobile forensics.

This abstract summarizes the significance of mobile forensics in extracting vital evidence from
iOS devices using iLEAPP, highlighting its role in enhancing investigative outcomes through
thorough data extraction and meticulous analysis.

Research Report on iLEAAP PAGE 2

 SR.NO Tabe of Content Page
NO

1 Introduction to Mobile Forensics 4

1.1 Importance of Mobile Forensics
1.2 Example of Mobile Forensics
1.3 Steps in the Mobile Forensics Process
2 Introduction to iLEAPP 6
2.1 Features of iLEAPP
3 Setting up iLEAPP 7
3.1 Installation and Setup
3.2 Launching iLEAPP
3.3 Using iLEAPP
3.4 Report Generation

4 Internals of iLEAPP 9

5 Analysis Using iLEAPP 10

5.1 Key Findings
5.2 Detailed Analysis

6 iLEAPP Background Threads and Backend

Processes
7 Conclusion 12

8 References 13

Research Report on iLEAAP PAGE 3

 Introduction to Mobile Forensics

Introduction to Mobile Forensics

Mobile forensics is a specialized field dedicated to recovering digital evidence from

mobile devices such as smartphones, Androids, and tablets using established
methodologies. Unlike traditional digital forensics, which may focus on computers and
servers, mobile forensics deals exclusively with portable devices that store diverse
information, including text messages, web history, and location data. This wealth of data
makes mobile devices invaluable in law enforcement investigations.

Importance of Mobile Forensics

Mobile devices play a crucial role in today's interconnected world, with billions of active
devices globally storing vast amounts of personal and sensitive information.
Understanding the scope of digital attacks often requires examining multiple devices to
trace the origins and spread of threats across networks. Mobile forensics provides
essential insights into these interconnected systems, enabling investigators to reconstruct
events accurately and comprehensively.

Example of Mobile Forensics

For instance, in a cybersecurity investigation, forensic analysts may track the activities of
a hacker who exploited a vulnerable mobile device to gain unauthorized access to a
network. Understanding how devices interact within the network ecosystem is essential
for piecing together the sequence of events and identifying vulnerabilities that may have
been exploited.

Research Report on iLEAAP PAGE 4

Steps in the Mobile Forensics Process

The mobile forensics process follows rigorous steps to ensure that evidence is properly
handled, analyzed, and presented in legal contexts:

1. Seizure: The process begins with the careful seizure of mobile devices as
evidence. Proper handling is crucial to preserve digital evidence and prevent
tampering.

2. Acquisition: Once seized, devices undergo forensic acquisition using specialized

software tools. This step involves creating a forensically sound duplicate (image)
of the device's storage to preserve the integrity of original data.

3. Analysis: Analysts then meticulously analyze the acquired data, extracting

relevant information while maintaining forensic integrity. This phase involves
decoding and interpreting data such as call logs, messages, application usage, and
GPS coordinates.

4. Examination: Finally, the analyzed evidence is presented to forensic examiners,

legal professionals, or courts. The findings play a pivotal role in legal
proceedings, aiding in decision-making and establishing facts based on digital
evidence.

Research Report on iLEAAP PAGE 5

Introduction to iLEAPP
iLEAPP (iOS Logs, Events, And Properties Parser) is a Python 3 script developed by
Alexis Brignoni. It consolidates various iOS forensic scripts into a unified tool, designed
to parse and analyze digital artifacts from iOS devices. As an open-source solution,
iLEAPP provides forensic examiners with a cost-effective alternative to commercial
tools, enhancing transparency and accessibility in digital investigations.

Features of iLEAPP
1. Cross-Platform Compatibility: Supports operation on diverse operating systems
that accommodate Python, ensuring flexibility in forensic workflows.

2. Comprehensive Parsing: Capable of parsing iOS full file system directories

from .tar files or decompressed contents, facilitating in-depth analysis of critical
artifacts.

3. Artifact Coverage: Includes parsing capabilities for Mobile Installation Logs,

nested bplists, notifications content, and application state databases, among
others.

Research Report on iLEAAP PAGE 6

 Setting up iLEAPP

Installation and Setup Instructions

To initiate a forensic analysis using iLEAPP on Kali Linux, follow these steps:

1. Preparation:

 Copy the "Mobile Forensics" folder to the virtual machine desktop.

 Extract the contents of the "iOS Logical Image" folder, preparing the
logical image of the iOS device for analysis.

 Create a new folder named "iPhone" on the desktop to serve as the output
directory for parsed files and reports.

Research Report on iLEAAP PAGE 7

 1. Launching iLEAPP

 Open the Kali Linux terminal and navigate to the directory where iLEAPP
is installed. COMMAND :-( CD /PATH/TO/ILEAPP )

 Execute the iLEAPP graphical user interface (GUI) by running:

COMMAND :-( python3 ileappGUI.py)

2. Using iLEAPP:

 Within the GUI interface:

 Select the "Browse Folder" tab and navigate to the "iOS Logical Image" folder.
 Click "OK" to confirm the selection.
 Choose the "iPhone" folder created earlier as the output directory.
 Click "OK" to finalize the output directory selection.
 Initiate the parsing process by clicking the "Process" button to commence data
analysis.

Research Report on iLEAAP PAGE 8

 3. Report Generation:

 Upon completion, iLEAPP will notify you of the finished analysis.

 Click "OK" to open the generated forensic analysis report in your default
web browser for detailed examination.

Internals and Workflow of iLEAPP

Research Report on iLEAAP PAGE 9
iLEAPP operates through three core components

1. ileapp.py:
Dictates the parsing functions and search patterns used to extract data
from the iOS device image.
2. search_files.py: Traverses through the .tar file or logical file system to locate and
extract relevant files for analysis.
3. ilapfuncs.py: Performs detailed analysis on extracted data, generating
comprehensive reports on user activities, application usage, notifications, and
system configurations.

The workflow involves extracting data from the iOS device image, parsing it using
predefined functions, and presenting findings in a structured report format.

Analysis Using iLEAPP

Key Findings
The forensic analysis using iLEAPP yielded crucial insights into the activities and
interactions recorded on the iOS device. Key findings include:

1. Email Address Associated with the Device:

 Data: Adnan.khan22@gmail.com

2. App Launch Information:

 File Path: /private/var/mobile/Library/SpringBoard/applicationState.plist
 Number of Apps Launched via Home Screen: 15

3. Bluetooth Information:
 MAC Address of Bluetooth Adapter: 00:11:22:33:44:55
 Connected Bluetooth Devices: [Apple Pencil, AirPOD ]

4. Downloaded Software:
 Data: WhatsApp, Instagram, Facebook

5. Search Queries:
 Search for "fun flag games": 2023-05-15_08:30:45 UTC

6. Login Data:

Research Report on iLEAAP PAGE 10

  Password Details: [No password details found]

7. Downloaded Files:
 Source of boot.img: [Downloaded from X website]

8. Google Chat Information:

 Chat Contacts: Salman was chatting with Adnan khan

9. WiFi Information:
 SSID for MAC Address 00:00:5e:00:--:03: MyHomeWiFi

10. Search for Office Romance Article:

 Article Title: "Is Office Romance Legal? Exploring Workplace
Relationships"

Detailed Analysis

Mobile Installation Logs

 Source: Mobile Installation logs were parsed to identify installed applications

and their respective details.
 Key Findings: Identified applications include WhatsApp, Instagram, and
Facebook, installed on various dates.

Notifications Content

 Source: Notifications data from iOS versions 11, 12, and 13.
 Key Findings: Notifications received include messages from social media
platforms and email notifications, timestamped and categorized.

Application State

 Source: applicationState.db to match app GUIDs with bundle IDs.

 Key Findings: Matched app GUIDs with bundle IDs, revealing active and
inactive application states.

Research Report on iLEAAP PAGE 11

Bluetooth Information

 Source: Cellular Wireless Information Plists.

 Key Findings: Discovered MAC address of the Bluetooth adapter and connected
Bluetooth devices during the device's operational period.

Conclusion
The forensic analysis conducted using iLEAPP has provided profound insights into the
digital activities and interactions on the iOS device under investigation. Through
meticulous parsing and analysis of various data sources, including email accounts, app
usage patterns, Bluetooth connections, and search histories, the tool has uncovered
valuable evidence crucial for investigative purposes.

Key Findings Recap

Email Account Usage:

Identification of email addresses associated with the device has shed light on
communication patterns and potentially critical contacts, offering insights into the user's
network.

App Launch Patterns:

Detailed logs of application launches have provided a comprehensive timeline of user
activities, highlighting preferences and frequent interactions with specific applications.

Bluetooth Connectivity:
Discovering the MAC address of the Bluetooth adapter and connected devices has
provided crucial information about device interactions with peripheral equipment,
potentially linking devices or activities.

Downloaded Applications:
Records of installed applications such as WhatsApp, Instagram, and Facebook have

Research Report on iLEAAP PAGE 12

delineated the user's digital footprint, revealing interests and frequently used services.

Search History:
Specific queries, such as searches for "fun flag games" and articles related to legalities
of office romance, have offered insights into user interests and intentions, providing
context for investigative inquiries.

Forensic Significance
The findings underscore the critical role of iLEAPP in modern mobile forensics. By
decoding complex data structures and presenting actionable insights, iLEAPP enhances
the efficiency and reliability of digital forensic investigations. Its ability to extract and
interpret diverse data sources from iOS devices ensures thorough analysis, facilitating
informed decision-making in legal proceedings and corporate investigations.

In conclusion, the use of iLEAPP has demonstrated its effectiveness in extracting,

analyzing, and interpreting digital evidence from iOS devices. The tool's capability to
uncover crucial information from diverse data sources contributes significantly to
investigative efforts in legal, corporate, and security contexts. As mobile forensics
evolves, iLEAPP remains a vital tool for forensic examiners, providing them with the
means to navigate complex digital landscapes with precision and confidence.

iLEAPP Background Threads and Backend Processes

Background Threads and Processes
1. Initialization and Setup

When iLEAPP is launched, the first process involves initializing the environment and
setting up the necessary directories and configurations. This setup process includes:

 Checking for the existence of required directories.

 Verifying the integrity of input files (e.g., .tar files or file system directories).
 Setting up logging mechanisms to capture and record the process.

2. File System Traversal

One of the core functions of iLEAPP is to traverse the iOS file system to locate specific
files and directories that contain forensic artifacts. This process is managed by a
background thread that:

 Iterates through the provided file system or .tar file.

 Matches files against predefined patterns stored in a Python dictionary.
 Extracts files and stores them in temporary directories for further processing.

3. Artifact Extraction

Research Report on iLEAAP PAGE 13

Once the relevant files are located, another set of background threads are responsible for
extracting the artifacts. Each thread handles different types of files, such as:

 Mobile Installation Logs: Extracting and parsing logs related to app

installations.
 Bplist Parsing: Parsing binary property lists (bplists) found within databases like
KnowledgeC.db.
 Plist Files: Extracting data from various plist files such as LastBuildInfo.plist and
IconState.plist.

4. Data Parsing and Analysis

After the artifacts are extracted, the next step involves parsing and analyzing the data.
This is where the main analytical logic of iLEAPP comes into play. Background threads
perform specific tasks such as:

 Parsing notifications to extract content and metadata.

 Correlating app GUIDs with bundle IDs using the ApplicationState.db file.
 Extracting and interpreting cellular and wireless information from related plists.

5. Report Generation

The parsed data is then compiled into comprehensive reports. A dedicated background
process handles report generation, ensuring that:

 The extracted information is formatted correctly.

 All relevant data is included in the final output.
 Temporary files and directories are cleaned up after report generation.

6. User Interface Updates

If iLEAPP is run with a graphical user interface (GUI), background threads are also
responsible for updating the UI with progress information. This includes:

 Displaying progress bars or indicators.

 Providing real-time feedback to the user about the status of the analysis.
 Handling user inputs and interactions smoothly.

7. Error Handling and Logging

Throughout the entire process, background threads are dedicated to monitoring for errors
and exceptions. These threads:

Research Report on iLEAAP PAGE 14

  Capture and log errors in real-time.
 Ensure that the tool can handle unexpected situations gracefully.
 Provide detailed error reports to help users troubleshoot issues.

Reference
 iLEAPP GitHub Repository
 Mobile Installation Logs
 iOS KnowledgeC.db Parsing
 Python 3 Documentation

Research Report on iLEAAP PAGE 15