iPhone Forensics: Locating a Unique Identifier on a Pin/Passcode Protected iPhone - Part 1 of 2

There are times when a forensic examiner must locate a unique identifier on an iPhone. If the device is protected with an unknown pin or a passcode, and the forensic examiner does not have the computer containing the iPhone’s lockdown file, this task is problematic. Currently, neither iTunes nor BlackLight reads information from an attached iPhone device under these circumstances.

 

This blog addresses ways an examiner can safely locate a unique identifier on a pin/passcode-protected iOS device using only analyst machine operating system resources. Part one of this blog illustrates how to locate an iOS device unique identifier using a Macintosh analysis system, and part two illustrates how to locate an iOS device unique identifier using a Windows analysis system.

 

iPhone Unique Identifiers

An iPhone device is uniquely identified by any of the following:

 

• Serial Number
• International Mobile Equipment Identity (IMEI)
• Unique Device Identifier (UDID)

 

A pin or passcode protected iPhone device’s serial number and IMEI do not display on a Mac OS X system. However, the UDID can be located using the Mac OS X System Profiler.

 

Important Preliminary Steps

It is very important to prevent iTunes from launching when an iPhone is attached to an analysis machine. The methods for doing so differ, depending on whether the iTunes application has been previously launched from the current user account on the analysis machine or not.

 

If iTunes has been previously launched from the current user account on the analysis machine, an examiner must disable the iTunesHelper application before attaching an iPhone to the analysis machine. This application launches iTunes automatically when an iOS device is attached to the machine. Disabling this application prevents iTunes from launching.

 

To disable the iTunesHelper application on the analysis machine, launch the Activity Monitor application located here:

 

/Applications/Utilities/Activity Monitor

 

The ‘Activity Monitor’ application window appears. In the upper right corner of the ‘Activity Monitor’ window, select the Show drop-down menu and select My Processes (if it is not already selected). In the Filter text field, type ‘iTunes Helper.’ The iTunes Helper process is isolated. Select the iTunes Helper process so it is highlighted. In the top left corner of the ‘Activity Monitor’ window, select the Quit Process button (the red stop sign). The iTunesHelper application is disabled.

 

 

Note: If iTunes has never been launched from the current user account on the analysis machine, the iTunes Helper application process is not active and does not appear in the Activity Monitor application. Follow the instructions below to prevent iTunes from launching when the iPhone is attached to the analysis machine.

 

Attaching the iPhone to the Analysis Machine

Connect the iPhone to the analysis machine using an iPhone USB cable.  If possible, use the original Apple cable or the same Apple cable type that shipped with the device.

 

 

If iTunes has never been launched under the current user, the iTunes application launches and the ‘iTunes Software License Agreement’ (EULA) window appears. Immediately select the Decline button to prevent iTunes from launching.

 

 

Press the Home button at the bottom of the iPhone screen, and slide the arrow icon to the right to attempt to unlock the phone. If the ‘Enter Passcode’ screen appears, the device is in fact locked.

 

 

 

Locating and Recording the Device UDID Using System Profiler on a Machine Running OS 10.7 (Lion):

At the top of the screen on the Menu Bar, select the [Apple] menu and select the [About this Mac] submenu.

 

 

The ‘About This Mac’ window appears. Select the More Info button. A second, more detailed ‘About This Mac’ window appears.

Select the System Report button. A window listing the analysis machine’s system profile displays. In the left window column, select USB. In the upper right window section (USB Device Tree), select iPhone.

 

Note: If the iPhone device does not appear, at the top of the screen on the Menu Bar, select the [View] menu and select the [Refresh] submenu (or type the shortcut Command-R).

 

 

In the lower right window section, next to ‘Serial Number’, the iPhone UDID displays. Be aware that the System Profiler calls the UDID the ‘Serial Number’; however, this number is in fact the UDID.

 

 

 

Select the iPhone UDID to highlight it. To document the iPhone UDID by copying and pasting it into a text document, type Command-C to copy the UDID, open a text document, and type Command-V to paste it into the text document. To document the iPhone UDID by taking a screen shot of the ‘System Profiler’ window, type Command-Shift-4. A ‘cross-hair’ appears. Press the Space Bar and a camera icon appears. Click the mouse or trackpad and a .png picture file named ‘Screen Shot <Timestamp>’ is created on the desktop.

 

 

 

Alternatively, an examiner can save or export System Profiler information as a plain or rich text file, or as a System Profiler .spx (.xml) file. At the top of the screen on the Menu Bar, select the [File] menu and select the [Export As Text...] submenu. A ‘Save’ window appears. From the File Format drop-down menu, choose a save/export file format option. Select the Save button.

 

 

 

To save the information as a System Profiler .spx file (an .xml file format), at the top of the screen on the Menu Bar, select the [File] menu and select the [Save...] submenu.

 

 

Note that saving or exporting System Profiler information in this manner saves all information contained in the System Profiler and not just the selected iPhone information.

 

Locating and Recording the Device UDID Using System Profiler on a Machine Running OS 10.6 (Snow Leopard):

At the top of the screen on the Menu Bar, select the [Apple] menu and select the [About this Mac] submenu. The ‘About This Mac’ window appears. Select the More Info button. A window listing the analysis machine’s system profile displays. In the left window column, select USB. In the upper right window section (USB Device Tree), select iPhone (or iPad).

 

 

 

Note: If the iPhone device does not appear, at the top of the screen on the Menu Bar, select the [View] menu and select the [Refresh] submenu (or type the shortcut Command-R).

 

In the lower right window section, next to ‘Serial Number’, the iPhone UDID displays. Be aware that the System Profiler calls the UDID the ‘Serial Number’; however, this number is in fact the UDID.

 

Select the iPhone UDID to highlight it. To document the iPhone UDID by copying and pasting it into a text document, type Command-C to copy the UDID, open a text document, and type Command-V to paste it into the text document. To document the iPhone UDID by taking a screen shot of the ‘System Profiler’ window, type Command-Shift-4. A ‘cross-hair’ appears. Press the Space Bar and a camera icon appears. Click the mouse or trackpad and a .png picture file named ‘Screen Shot <Timestamp>’ is created on the desktop (see illustrations above).

 

Alternatively, an examiner can save or export System Profiler information as a plain or rich text file, or as a System Profiler .xml file. At the top of the screen on the Menu Bar, select the [File] menu and select the [Save] or [Save As...] submenu. A ‘Save’ window appears. From the File Format drop-down menu, choose a save/export file format option. Select the Save button. Note that saving or exporting System Profiler information in this manner saves all information contained in the System Profiler and not just the selected iPhone information.
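Because the saved or exported report covers the whole analysis machine (as noted in both the 10.7 and 10.6 export steps above), the iPhone entry has to be isolated from it before the UDID is recorded. The following Python code is an added example, not part of the original post or of BlackLight: it assumes the indented `Name:` / `Key: Value` layout of a plain-text export and a UDID of 40 hexadecimal characters, and it runs on a constructed sample whose values are made up.

```python
import re

# Constructed sample of a plain-text System Profiler export (layout assumed,
# all serial values made up). The export lists every USB device on the
# analysis machine, not only the attached iPhone.
SAMPLE_EXPORT = """\
USB:

    USB High-Speed Bus:

      Host Controller Location: Built-in USB
      Host Controller Driver: AppleUSBEHCI

        Built-in iSight:

          Product ID: 0x8507
          Serial Number: 6067E4D3DAE0B400 (03.01)

        iPhone:

          Product ID: 0x1297
          Vendor ID: 0x05ac  (Apple Inc.)
          Serial Number: 0123456789abcdef0123456789abcdef01234567
          Manufacturer: Apple Inc.
"""

UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # assumed UDID shape: 40 hex characters

def find_ios_udids(report_text, names=("iPhone", "iPad")):
    """Return [(device_name, serial_field, looks_like_udid)] for iOS devices."""
    results, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):
            current = stripped[:-1]  # section or device heading, e.g. "iPhone"
        elif ":" in stripped and current in names:
            key, value = (part.strip() for part in stripped.split(":", 1))
            if key == "Serial Number":  # System Profiler's label for the UDID
                results.append((current, value, bool(UDID_RE.match(value))))
    return results

if __name__ == "__main__":
    for name, serial, ok in find_ios_udids(SAMPLE_EXPORT):
        print(f"{name}: {serial} (UDID format: {'yes' if ok else 'CHECK MANUALLY'})")
```

A value flagged for manual checking should be compared against the System Profiler window or the screen shot before it goes into the case notes.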

 

 

 

This concludes part one of our two-part ‘Locating a Unique Identifier on a Pin/Passcode Protected iPhone’ blog series. Stay tuned! In part two of this series, we cover finding the serial number on a pin/passcode-protected iPhone using the Windows operating system.

 

To learn more about our BlackLight forensic analysis software, please visit our BlackLight product page or BlackBag TV. Please feel free to contact support with any additional questions or comments.
