Autopsy and iPhone

Hi folks!

Anyone used Autopsy to perform forensics on an iPhone (any model)?

Or Android?

If so, how did you get on?


Autopsy, at its core, is not about processing any one particular device (though the plugins are most useful for analyzing Windows operating systems). Autopsy, and digital forensics for that matter, is about processing data.

So, to answer the question, we need to ask questions about the data types, not the device types:

  • Can Autopsy process iTunes backups of iOS devices (iPhone, iPad, etc.)?
  • Can Autopsy process full file system dumps of iOS devices (e.g., extracted with checkra1n)?
  • Can Autopsy process Android backups?
  • Can Autopsy process Android partitions and full disk extractions?

The answers to these questions are simply this:

  • Autopsy can ingest and analyze logical files. That is, you can point Autopsy at a folder, and it will find the files in that folder recursively (find all files in that folder and sub-folders) and add them to the case. The main drawback to logical file ingestion: Autopsy doesn’t add file system date stamps from logical files.

    This means Autopsy can process the files in an iTunes backup, but it won’t read the backup database and display the original file names, paths, or date stamps of the backup files.

  • Autopsy can open and extract the files in archives.

    This means that Autopsy can process full or partial file system extractions from iOS or Android devices if they are stored in a supported archive. Autopsy doesn’t directly support Android backups, but they are modified TAR archives, which Autopsy does support. Convert the Android backup to a standard TAR, and Autopsy can process the data.

  • Autopsy can process full disk images and partitions (volumes). The partition tables it understands are DOS, MAC, BSD, SUN, and GPT. The file systems it supports include NTFS, FAT, EXT, HFS, UFS, ISO9660, and early support for APFS.

    This means that Autopsy can process an Android unencrypted full disk image because they almost always have GPT partition tables. It will be able to process the files and unallocated space of any supported file system in the Android image. This will NOT be every partition, but usually the most critical partitions (system, userdata, cache).

    One notable exception found on some newer Android devices is F2FS. Autopsy doesn’t directly support this file system which is used in some userdata partitions. This file system can be mounted in Linux, and Autopsy can be pointed to the mount point (by running Autopsy on Linux or through a network share).

So, in sum, I like to say that forensics is about data, not devices. Devices are just the data containers. Devices certainly can be obstacles to the data, but that is an entirely different discussion altogether.
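To make the "convert the Android backup to a standard TAR" step concrete, here is an added example (my own code, not from the post above or from the Autopsy project). It assumes the documented adb backup layout: a newline-terminated text header ("ANDROID BACKUP", format version, compression flag, encryption mode) followed by the TAR payload, zlib-compressed when the flag is 1. The sample backup it works on is constructed in memory, so the script runs offline; encrypted backups are detected and refused rather than guessed at.

```python
import io
import tarfile
import zlib

# adb backup (.ab) layout: four newline-terminated header lines, then the TAR
# payload. With "1" as the compression flag the payload is a zlib stream.
HEADER_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes):
    """Return (version, compressed, encryption, payload) from raw .ab bytes."""
    fields = []
    pos = 0
    for _ in range(4):
        end = data.index(b"\n", pos)
        fields.append(data[pos:end])
        pos = end + 1
    magic, version, compressed, encryption = fields
    if magic != HEADER_MAGIC:
        raise ValueError("not an Android backup: bad magic")
    return int(version), compressed == b"1", encryption.decode(), data[pos:]


def ab_to_tar(data: bytes) -> bytes:
    """Strip the .ab header and inflate the payload into a plain TAR archive."""
    version, compressed, encryption, payload = parse_ab_header(data)
    if encryption != "none":
        # AES-256 backups need the user's backup password before this step.
        raise ValueError(f"encrypted backup ({encryption}); decrypt it first")
    return zlib.decompress(payload) if compressed else payload


def list_tar_members(tar_bytes: bytes):
    """Names of the entries in an uncompressed TAR, as Autopsy would see them."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab(files: dict, compressed: bool = True) -> bytes:
    """Constructed sample: build a tiny .ab in memory for demonstration only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    header = b"ANDROID BACKUP\n5\n" + (b"1" if compressed else b"0") + b"\nnone\n"
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


# Constructed file set mimicking the apps/<package>/ tree adb backup writes.
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"com.example.notes\n1\n",
    "apps/com.example.notes/f/notes.txt": b"shopping list\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 16,
}


def convert_sample():
    """End to end: constructed .ab -> header check -> TAR -> member list."""
    ab = make_sample_ab(SAMPLE_FILES)
    tar = ab_to_tar(ab)
    return parse_ab_header(ab)[:3], list_tar_members(tar)


if __name__ == "__main__":
    header, members = convert_sample()
    print("header:", header)
    for name in members:
        print(name)
    # On a real file: open("backup.ab","rb").read() -> ab_to_tar -> write backup.tar
```

Once the TAR is written to disk, add it to the Autopsy case as a logical file (or extract it first); the original paths inside the apps/ tree survive, but as the post notes, file system timestamps from the device do not. The header check matters because the same tool should stop, not emit garbage, when the backup was made with a password.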