When dealing with mobile phone evidence it is common to encounter an iPhone and, occasionally, the iPhone being examined contains less information or communication than you were expecting.
The phone may be an older model that contains either limited or only recent call records and messages.
On these occasions it is important to attempt to establish whether the phone had been factory reset and, if so, when.
To do this, various artefacts can be investigated and examined if a file system extraction can be taken from the device.
The file named com.apple.purplebuddy.plist at the file path /var/mobile/Library/Preferences/ includes an entry named GuessedCountry that relates to the region identified by the phone during the initialisation process.
A date is stored alongside this entry that may indicate the point at which the device was configured during setup after a reset.
The folder named MobileContainerManager within the file path /private/var/root/Library/Logs/ contains rotated log files named containermanagerd with a number appended after the file extension. The newer the file, the lower the number.
Identify the file with the highest number at the end of its name and review it for the text MCMMigrationStatus. This provides information on the nature of the reset/update.
If the entry contains the text "Did Not Find Last Build Info" then the file was created after a system reset.
If the entry contains the text "Detected upgrade" then the file was created as a result of an update to the operating system. The original and updated versions are also recorded.
Each of these entries also carries a time/date stamp that can be used to identify when the phone was first booted after the update/reset.
The file named AddressBook.sqlitedb is a system file contained within the directory path /private/var/mobile/Library/AddressBook/ that holds the stored contacts.
The creation date/time of this file relates to the point at which the device was started after the reset.
The system file named CallHistory.storedata, contained within the directory path /private/var/mobile/Library/CallHistoryDB/, carries a created date/time stamp that relates to the point at which the device was first used after being reset.
The system file named sms.db, located within the directory path /private/var/mobile/Library/SMS/, carries a created date/time stamp that relates to the point at which the device was first used after being reset.
The system file named .obliterated is located within the directory path /private/var/root and the time/date of creation of the file relates to the point at which the device was booted after the reset.
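The procedure above amounts to collecting several independent timestamps and checking that they agree. The following script is an added example and is not Athena Forensics' own tooling: it parses the purplebuddy plist for GuessedCountry and any date values, picks the oldest rotated containermanagerd log, classifies the MCMMigrationStatus entry as a reset or an upgrade, and corroborates those times against the creation stamps of AddressBook.sqlitedb, CallHistory.storedata, sms.db and .obliterated. The plist key holding the date, the `containermanagerd.log.N` naming, the log-line layout and every sample value below are constructed assumptions; creation times are taken from a mapping exported by the extraction tool rather than from `os.stat()`, because host filesystem timestamps on a copied image do not reflect the device.

```python
"""Triage of iOS factory-reset artefacts from a file system extraction.

Added example (not Athena Forensics' tooling). File names and paths come
from the article; the plist layout, log naming, log-line format and all
sample data are constructed assumptions.
"""
import plistlib
import re
from datetime import datetime

# Text fragments the article associates with each MCMMigrationStatus outcome.
MIGRATION_PATTERNS = {
    "reset": "Did Not Find Last Build Info",  # first boot after a factory reset
    "upgrade": "Detected upgrade",            # first boot after an iOS update
}

# Assumed log-line shape: "YYYY-MM-DD HH:MM:SS <free text>" (constructed).
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# Assumed wording for the version pair on an upgrade line (constructed).
UPGRADE_VERSIONS = re.compile(r"from\s+(\S+)\s+to\s+(\S+)")


def parse_purplebuddy(plist_bytes):
    """Return GuessedCountry plus every date-valued key in the plist."""
    data = plistlib.loads(plist_bytes)
    dates = {k: v for k, v in data.items() if isinstance(v, datetime)}
    return {"GuessedCountry": data.get("GuessedCountry"), "dates": dates}


def pick_oldest_log(names):
    """Highest trailing number is the oldest rotated log, per the article."""
    numbered = []
    for name in names:
        m = re.search(r"(\d+)$", name)
        if name.startswith("containermanagerd") and m:
            numbered.append((int(m.group(1)), name))
    return max(numbered)[1] if numbered else None


def parse_migration_status(log_text):
    """Classify each MCMMigrationStatus line as a reset or an upgrade."""
    events = []
    for line in log_text.splitlines():
        if "MCMMigrationStatus" not in line:
            continue
        m = LOG_LINE.match(line)
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
        for kind, needle in MIGRATION_PATTERNS.items():
            if needle in line:
                event = {"kind": kind, "timestamp": stamp, "raw": line.strip()}
                if kind == "upgrade":
                    v = UPGRADE_VERSIONS.search(line)
                    if v:
                        event["from"], event["to"] = v.groups()
                events.append(event)
    return events


def corroborate(times, tolerance_seconds=3600):
    """Earliest, latest and spread of the candidate reset times.

    A large spread means the artefacts disagree and the examiner should
    look for a later upgrade, a restore from backup or a cleared database.
    """
    ts = sorted(t for t in times if t is not None)
    spread = (ts[-1] - ts[0]).total_seconds()
    return {"earliest": ts[0], "latest": ts[-1],
            "spread_seconds": spread, "consistent": spread <= tolerance_seconds}


def triage(plist_bytes, logs, created):
    """logs: {log file name: text}; created: {artefact path: creation datetime}
    as exported by the extraction tool (host stat() times are not evidence)."""
    buddy = parse_purplebuddy(plist_bytes)
    events = parse_migration_status(logs[pick_oldest_log(logs)])
    candidates = list(buddy["dates"].values()) + list(created.values())
    candidates += [e["timestamp"] for e in events]
    return {"country": buddy["GuessedCountry"], "events": events,
            **corroborate(candidates)}


# --- constructed sample data -------------------------------------------------
SAMPLE_PLIST = plistlib.dumps({
    "GuessedCountry": "GB",
    "SetupFinishedDate": datetime(2021, 3, 4, 10, 20, 5),  # hypothetical key
})
SAMPLE_LOGS = {
    "containermanagerd.log.0": "2021-05-01 08:00:00 containermanagerd: routine start\n",
    "containermanagerd.log.12": (
        "2021-03-04 10:15:22 containermanagerd: MCMMigrationStatus: Did Not Find Last Build Info\n"
        "2021-03-04 10:15:23 containermanagerd: containers rebuilt\n"
    ),
}
SAMPLE_UPGRADE_LOG = (
    "2021-04-10 09:01:00 containermanagerd: MCMMigrationStatus: Detected upgrade from 14.4 to 14.4.1\n"
)
SAMPLE_CREATED = {
    "/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb": datetime(2021, 3, 4, 10, 15, 40),
    "/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata": datetime(2021, 3, 4, 10, 16, 2),
    "/private/var/mobile/Library/SMS/sms.db": datetime(2021, 3, 4, 10, 16, 9),
    "/private/var/root/.obliterated": datetime(2021, 3, 4, 10, 15, 30),
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PLIST, SAMPLE_LOGS, SAMPLE_CREATED).items():
        print(f"{key}: {value}")
```

On a real extraction the `created` mapping would be built from the tool's file-listing export, and the tolerance passed to `corroborate` should be widened if the handset sat unused between first boot and first use of messaging.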
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org. Further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.