iPhones are little, pocket-sized supercomputers. With power and capabilities unimaginable just a few years ago, they can be seen everywhere and with every kind of person’s face buried in one. They hold music and videos, photographs and games, communications and the Internet. As a result, they hold evidence of many kinds of activity, and people may seek the evidence contained within to bolster a case, or to find out if a case is in need of being filed.
What kind of evidence do people seek?
Among the many cases we have had, there are spouses seeking evidence of philandering, and parents seeking evidence of illicit contact with adults. There are clients looking to support or exonerate charges of murder. There are employers looking for stolen data and employees looking to prove their innocence. There is evidence of communications of all kind.
What if someone deletes their data, or keeps you out with a password?
Deleting a file or an image, or other data does not make it go away. It more or less just de-indexes the information so the iPhone does not know how to find it. The deleted data is still sitting there, waiting to be discovered with forensic tools, until another process writes over it. As for passwords, on most models they are easy to defeat. Even when it’s a model that’s difficult, most actual passwords are easy. Many don’t use a password at all, but when they do, the most common ones are 1234, 0000, 2580 (straight down the middle of the keypad), 1111, and 5555. Complicated passwords are uncommon, though wise.
What kind of data is left behind?
Deleted photos are often recoverable, and they hold data within them that tells the geographic location of the photo, what camera took it or what app it came from, when it was taken, and more.
Games and other Apps can leave behind a broad cache of data, and may include the faces & avatars of people’s FaceBook pages and Candy Crush accounts.
A history of where the phone has been on the Internet is often present,
The names of WiFi routers and accounts that have been accessed are kept.
The iPhone has a kind of hidden, built-in keylogger that records hundreds of words the user types in, but is kept invisibly.
Apps that have been stored in the Cloud to be downloaded later often come with a history that might include, for instance, who you’ve been communicating with through those apps.
Skype chats can be recorded and saved – and certainly a record of what calls were made, when and to whom.
Contacts, calls, calendar data, notes, voice mail, texts, iMessages, Mail, Maps, Documents, and miscellaneous other data (“Breadcrumbs”) – the iPhone keeps a record of all of this, even when these items have been deleted.
Items purchased from the App store and iTunes are recorded as well as some data from Apps like Instagram and Snapchat.
Some of the more obscure cached data we’ve had to recover include that from “Live Porn Chat,” “Lesbian Social Network – The L,” “Hot Pics,” “Secret Browser,” “Adult Chat” – why, the possibilities for social networking with the iPhone just seem endless.
But what if the data actually gets overwritten?
It happens sometimes. That’s when we hope we can retrieve the invisible backup files on the computer to which the iPhone gets attached from time to time. If the files are there, they can be extracted and often hold much or all of the data described above.
Can you actually get the data every time?
No, not every time. We’ve gotten data from iPhones that were in pieces, but there have been a couple where the password couldn’t be defeated, and a couple that were too broken to extract. Still, in the great majority of cases we find a large amount of unexpected data. And we’ve yet to see a case which, when the phone could be accessed, that we couldn’t find some of the keylogger-like info referenced previously.
iPhones are a boon to most of us, with a great number of great functions and tremendous storage capabilities. I love mine. I’d waited years for a single device that could take pictures, browse the Internet, let me play music and let me talk to others. And that’s barely scratching the surface of its capabilities. But the fact that it holds all this data means that it can tell on you, too. It can tell where you’ve been, who you’ve been with, who you’ve talked to, and in some cases, what you’ve done. If it’s on your iPhone, it might just get revealed to others.
Subscribe to our free and informative weekly forensics newsletter!