Forensic Analysis Using iLEAPP
iLEAPP (iOS)
Under Guide & Mentors
Research Report on iLEAPP
Shubam Pareek
Aniket Bachhas
Chinmay Maitre
Mobile devices, particularly iOS devices such as iPhones and iPads, have become integral to
modern digital investigations due to the wealth of personal and sensitive information they store.
Forensic analysis of these devices is crucial in legal proceedings, corporate investigations, and
cybersecurity incidents. This report presents the findings from a forensic analysis conducted
using iLEAPP (iOS Logs, Events, And Properties Parser), an open-source tool designed
specifically for extracting and analyzing digital evidence from iOS devices.
The analysis was performed on a logical image of an iOS device using Kali Linux, focusing on
uncovering critical information such as email accounts, app usage patterns, Bluetooth
connections, downloaded software, search histories, login data, and chat information. These
artifacts provide invaluable insights into user activities, behaviors, and interactions, aiding
forensic examiners in reconstructing timelines, identifying digital footprints, and establishing
facts crucial to investigations.
The methodology employed ensured the preservation and integrity of digital evidence
throughout the process, adhering to established forensic practices. By leveraging iLEAPP’s
capabilities, the analysis aimed to extract actionable intelligence from complex data structures
inherent in iOS devices, demonstrating the tool’s efficacy in modern mobile forensics.
This abstract summarizes the significance of mobile forensics in extracting vital evidence from
iOS devices using iLEAPP, highlighting its role in enhancing investigative outcomes through
thorough data extraction and meticulous analysis.
4 Internals of iLEAPP
8 References
Mobile devices play a crucial role in today's interconnected world, with billions of active
devices globally storing vast amounts of personal and sensitive information.
Understanding the scope of digital attacks often requires examining multiple devices to
trace the origins and spread of threats across networks. Mobile forensics provides
essential insights into these interconnected systems, enabling investigators to reconstruct
events accurately and comprehensively.
For instance, in a cybersecurity investigation, forensic analysts may track the activities of
a hacker who exploited a vulnerable mobile device to gain unauthorized access to a
network. Understanding how devices interact within the network ecosystem is essential
for piecing together the sequence of events and identifying vulnerabilities that may have
been exploited.
The mobile forensics process follows rigorous steps to ensure that evidence is properly
handled, analyzed, and presented in legal contexts:
1. Seizure: The process begins with the careful seizure of mobile devices as
evidence. Proper handling is crucial to preserve digital evidence and prevent
tampering.
Features of iLEAPP
1. Cross-Platform Compatibility: Supports operation on diverse operating systems
that accommodate Python, ensuring flexibility in forensic workflows.
1. Preparation:
Extract the contents of the "iOS Logical Image" folder, preparing the
logical image of the iOS device for analysis.
Create a new folder named "iPhone" on the desktop to serve as the output
directory for parsed files and reports.
Open the Kali Linux terminal and navigate to the directory where iLEAPP
is installed. Command: cd /path/to/iLEAPP (Linux paths and commands are case-sensitive)
2. Using iLEAPP:
Click "OK" to open the generated forensic analysis report in your default
web browser for detailed examination.
1. ileapp.py: Dictates the parsing functions and search patterns used to extract data
from the iOS device image.
2. search_files.py: Traverses the .tar file or logical file system to locate and
extract relevant files for analysis.
3. ilapfuncs.py: Performs detailed analysis on extracted data, generating
comprehensive reports on user activities, application usage, notifications, and
system configurations.
The workflow involves extracting data from the iOS device image, parsing it using
predefined functions, and presenting findings in a structured report format.
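The three-stage workflow above (locate files, parse them, write a report) can be shown end to end with a small pipeline. The following is an added illustration written for this report, not iLEAPP's own code: it builds a constructed one-file tar archive standing in for the logical image, extracts the member matching a glob pattern, decodes it as a property list and writes a tab-separated report. The plist path, the MAC addresses, device names and timestamps are all made up for the demo, and the "iPhone" output folder mirrors the one created in the Preparation step.

```python
"""Three-stage artifact pipeline: locate files in a logical image, parse them,
write a report. Added illustration of the workflow described in the report; it
is not iLEAPP's own code, and every path and value below is constructed."""
import csv
import fnmatch
import io
import os
import plistlib
import tarfile
import tempfile
from pathlib import Path

# Hypothetical location of the Bluetooth pairing plist inside the image.
# Real device paths differ; this one exists only in the sample tar built below.
SAMPLE_PLIST = ("private/var/containers/Shared/SystemGroup/EXAMPLE-UUID/"
                "Library/Preferences/com.apple.MobileBluetooth.devices.plist")

# Constructed pairing records (MACs, names and timestamps are made up).
SAMPLE_DEVICES = {
    "aa:bb:cc:dd:ee:01": {"Name": "Apple Pencil", "LastSeenTime": 1684139445},
    "aa:bb:cc:dd:ee:02": {"Name": "AirPods", "LastSeenTime": 1684140000},
}


def build_sample_image(tar_path):
    """Write a one-file tar archive that stands in for the iOS logical image."""
    payload = plistlib.dumps(SAMPLE_DEVICES)
    with tarfile.open(tar_path, "w") as tar:
        info = tarfile.TarInfo(SAMPLE_PLIST)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return tar_path


def search_files(tar_path, pattern, out_dir):
    """Stage 1 (the search_files.py role): walk the archive, extract members
    whose path matches the glob, and return the extracted paths."""
    root = Path(out_dir).resolve()
    found = []
    with tarfile.open(tar_path) as tar:
        for member in tar.getmembers():
            if not member.isfile() or not fnmatch.fnmatch(member.name, pattern):
                continue
            dest = (root / member.name).resolve()
            # Evidence archives are untrusted input: skip members whose name
            # would escape the output folder through "..".
            if root not in dest.parents:
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(member).read())
            found.append(dest)
    return found


def parse_bluetooth(plist_path):
    """Stage 2 (parser role): decode the plist into (mac, name, last_seen) rows."""
    with open(plist_path, "rb") as fh:
        devices = plistlib.load(fh)
    rows = [(mac.lower(), props.get("Name", ""), props.get("LastSeenTime"))
            for mac, props in devices.items()]
    return sorted(rows)


def write_report(rows, report_folder):
    """Stage 3 (report role): emit a tab-separated file with a header row."""
    Path(report_folder).mkdir(parents=True, exist_ok=True)
    out = Path(report_folder) / "bluetooth_devices.tsv"
    with open(out, "w", newline="") as fh:
        writer = csv.writer(fh, delimiter="\t")
        writer.writerow(["MAC", "Name", "LastSeenTime"])
        writer.writerows(rows)
    return out


def run(tar_path, report_folder):
    """Chain the three stages for one artifact type; returns the parsed rows."""
    extracted = search_files(tar_path, "*/com.apple.MobileBluetooth.devices.plist",
                             Path(report_folder) / "extracted")
    rows = []
    for path in extracted:
        rows.extend(parse_bluetooth(path))
    write_report(rows, report_folder)
    return rows


def demo():
    """Build the constructed image in a temp dir and run the pipeline on it."""
    work = tempfile.mkdtemp(prefix="ileapp-demo-")
    image = build_sample_image(os.path.join(work, "image.tar"))
    return run(image, os.path.join(work, "iPhone"))


if __name__ == "__main__":
    for mac, name, seen in demo():
        print(mac, name, seen)
```

The extraction stage checks that each resolved destination stays under the output folder before writing; an evidence archive is untrusted input, and a member name containing ".." would otherwise write outside the case directory.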
Key Findings
The forensic analysis using iLEAPP yielded crucial insights into the activities and
interactions recorded on the iOS device. Key findings include:
3. Bluetooth Information:
MAC Address of Bluetooth Adapter: 00:11:22:33:44:55
Connected Bluetooth Devices: [Apple Pencil, AirPod]
4. Downloaded Software:
Data: WhatsApp, Instagram, Facebook
5. Search Queries:
Search for "fun flag games": 2023-05-15_08:30:45 UTC
6. Login Data:
7. Downloaded Files:
Source of boot.img: [Downloaded from X website]
9. WiFi Information:
SSID for MAC Address 00:00:5e:00:--:03: MyHomeWiFi
Detailed Analysis
Notifications Content
Source: Notifications data from iOS versions 11, 12, and 13.
Key Findings: Notifications received include messages from social media
platforms and email notifications, timestamped and categorized.
Application State
Conclusion
The forensic analysis conducted using iLEAPP has provided profound insights into the
digital activities and interactions on the iOS device under investigation. Through
meticulous parsing and analysis of various data sources, including email accounts, app
usage patterns, Bluetooth connections, and search histories, the tool has uncovered
valuable evidence crucial for investigative purposes.
Bluetooth Connectivity:
Discovering the MAC address of the Bluetooth adapter and connected devices has
provided crucial information about device interactions with peripheral equipment,
potentially linking devices or activities.
Downloaded Applications:
Records of installed applications such as WhatsApp, Instagram, and Facebook have
Search History:
Specific queries, such as searches for "fun flag games" and articles related to legalities
of office romance, have offered insights into user interests and intentions, providing
context for investigative inquiries.
Forensic Significance
The findings underscore the critical role of iLEAPP in modern mobile forensics. By
decoding complex data structures and presenting actionable insights, iLEAPP enhances
the efficiency and reliability of digital forensic investigations. Its ability to extract and
interpret diverse data sources from iOS devices ensures thorough analysis, facilitating
informed decision-making in legal proceedings and corporate investigations.
When iLEAPP is launched, the first process involves initializing the environment and
setting up the necessary directories and configurations. This setup process includes:
One of the core functions of iLEAPP is to traverse the iOS file system to locate specific
files and directories that contain forensic artifacts. This process is managed by a
background thread that:
3. Artifact Extraction
After the artifacts are extracted, the next step involves parsing and analyzing the data.
This is where the main analytical logic of iLEAPP comes into play. Background threads
perform specific tasks such as:
5. Report Generation
The parsed data is then compiled into comprehensive reports. A dedicated background
process handles report generation, ensuring that:
If iLEAPP is run with a graphical user interface (GUI), background threads are also
responsible for updating the UI with progress information. This includes:
Throughout the entire process, background threads are dedicated to monitoring for errors
and exceptions. These threads:
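The background-thread design described above, where parsing runs in worker threads and a monitor collects progress and exceptions, can be illustrated with a small runner. This is an added example written for this report, not iLEAPP's own code: each parser runs in its own thread and reports its outcome over a queue, so a parser that raises on a corrupt input is recorded as an error while the others finish. The two parsers and their rows are constructed stand-ins.

```python
"""Run artifact parsers in worker threads and collect progress and errors over
a queue so one failing parser cannot abort the run. Added illustration of the
background-thread design described in the report; not iLEAPP's own code."""
import queue
import threading
import traceback


def run_parsers(parsers, progress=None):
    """parsers: dict name -> zero-argument callable returning a list of rows.
    Each parser runs in its own thread; outcomes flow back over a queue.
    Returns (results, errors): rows per successful parser, traceback per failure."""
    events = queue.Queue()

    def worker(name, fn):
        try:
            events.put(("done", name, fn()))
        except Exception:  # a parser bug becomes a recorded error, not a crash
            events.put(("error", name, traceback.format_exc()))

    threads = [threading.Thread(target=worker, args=(n, f), name=n, daemon=True)
               for n, f in parsers.items()]
    for t in threads:
        t.start()

    results, errors, finished = {}, {}, 0
    while finished < len(threads):
        kind, name, payload = events.get()  # blocks until a worker reports
        finished += 1
        if kind == "done":
            results[name] = payload
        else:
            errors[name] = payload
        if progress:  # the GUI-update role: called once per completed parser
            progress(finished, len(threads), name, kind)
    for t in threads:
        t.join()
    return results, errors


# Constructed stand-ins for artifact parsers (hypothetical names and rows).
def parse_search_queries():
    return [("2023-05-15 08:30:45", "fun flag games")]


def parse_notifications():
    raise ValueError("malformed record")  # simulates a corrupt input file


def demo():
    """Run one good and one broken parser; return results, errors and the log."""
    log = []
    results, errors = run_parsers(
        {"search_queries": parse_search_queries,
         "notifications": parse_notifications},
        progress=lambda done, total, name, kind:
            log.append(f"{done}/{total} {name}: {kind}"))
    return results, errors, log


if __name__ == "__main__":
    results, errors, log = demo()
    print("\n".join(log))
    print("parsed:", results)
    print("failed:", list(errors))
```

The monitor thread is the only place that touches the shared results and errors dictionaries, so no locking is needed beyond the queue; the recorded traceback tells the examiner which artifact was skipped and why, which belongs in the report rather than in a silent log.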