For some time now, examiners have been searching for ways to efficiently and easily capture the screens of iOS devices. Much time and effort has been spent struggling with cameras on stands, dealing with glare from overhead lighting, and out-of-focus still shots. Over time, several apps have been created to make the screen capture process easier. However, these apps tend to present drawbacks for forensic examiners. For example, some apps require the iOS device and computer to be on the same Wi-Fi network in order to work, and some apps support only specific iOS devices.
QuickTime and Mac OS X Yosemite (10.10)
The venerable QuickTime application, which has been part of all Apple operating systems since System Software 6 (1991), received a quietly released update for Yosemite. QuickTime now supports video screen captures of an attached iOS device. Here’s how to do it.
Note: Prior to carrying out these steps, it is recommended that the examiner follow the typical precautionary measures of any forensic examination, remembering that the evidence being examined is live evidence. In short, make certain the iOS device remains powered on and charged at all times, and that it is placed in Airplane Mode. Additionally, it is important to prevent iTunes from launching when the device is connected to the examiner's computer. While the full details of setting up an analyst workstation are outside the scope of this blog entry, it bears mentioning that the examiner should at least ensure the iTunesHelper application is disabled prior to attaching the iOS device.
Steps to Create a Screen Capture of an iOS Device Using QuickTime
1. Attach an iOS device to a Mac running Yosemite. If the examiner has been using Mobilyze or BlackLight to image the iOS device, then it may already be attached to the computer and ready to go. When the connection has been established, the device, if running iOS 6 or earlier, will pair with the computer. However, an iOS 7 or later device will present the examiner with a dialogue box that reads, "Trust the currently connected computer?" The examiner must select the Trust option in order to allow for data communication to and from the device.
2. Once trust has been established with the computer, launch QuickTime. The QuickTime application may be located in the Applications folder, but Spotlight can be used to locate QuickTime if necessary.
An OS X Yosemite Spotlight search for QuickTime
3. Once QuickTime is open, go to the [File] menu and select [New Movie Recording].
Creating a New Movie Recording in QuickTime with OS X Yosemite
4. A 'Movie Recording' window appears. Next to the red Record button, select the drop-down arrow. The drop-down menu is divided into categories (i.e., 'Camera,' 'Microphone' and 'Quality'). In the 'Camera' section, the attached iOS device is listed. Select the device.
Select the iOS device in the 'Camera' section of the drop-down menu
Note: The examiner should also turn off any microphone attached to the computer (by either deselecting it in QuickTime's drop-down menu, or muting the microphone on the computer's audio controls). Otherwise, QuickTime will record external sounds from the analysis system.
5. To navigate through various views on the iOS device screen, use the device as normal. When ready to begin a video screen capture, select the red Record button on the computer. If the examiner would rather capture images than videos, screenshot images can be taken using the standard Mac keyboard shortcuts (e.g., Command-Shift-4).
Screenshots of an iPhone 5 using QuickTime and the standard OS X key combination of Command-Shift-4
In the above right screenshot, one email is marked unread with the presence of a blue dot. Examiners should be mindful that selecting an unread email (or other unread files contained on a piece of evidence) effectively changes the evidence data. It is always best practice to capture items that appear to have been read (by the absence of any flag indicating status) separately, if at all, from the remainder of the items on the device. Examiners should be aware of what the courts in their respective jurisdiction(s) have said/ruled regarding the examination of unread items contained on a device prior to capturing any unread data.
Creating a video screen capture of the device can be a powerful representation of the contents. For instance, a video screen capture could be useful for showing numerous emails, and/or particular applications that could not be parsed out with ease.
Video screen capture from an iPhone 5
Perhaps the best part about using QuickTime for iOS screen captures is the fact that this capability comes free of charge with Yosemite. For examiners, having one more free and easy tool to implement when the need arises is always a welcome thing.
The BlackBag Training Team