SITUATION
A Denver law firm retained our services to assist in a child custody matter. Our client was seeking to identify communication between ex-husband and ex-wife regarding alleged child abuse and/or neglect. According to our client, the conversations were conducted via SMS/iMessage and phone calls between two Apple iPhones. The scope of our analysis was limited to a laptop computer. This laptop was believed to have one or more Apple iTunes backups of the iPhones in question.
OBJECTIVE
Identify if Apple iTunes backup data sets are present on the laptop computer. Identify and analyze digital communication stored in Apple iTunes backups between ex-husband and ex-wife. Establish a timeline based on communication history found within the Apple iTunes backups. Recover, if possible, content of digital communication.
ANALYSIS
With access to the laptop computer, we prepared a forensically sound copy (bit-stream copy) of the laptop’s hard drive. Equipped with the knowledge that the communication was performed on Apple iPhones, we focused our analysis on Apple iTunes backups. We were able to identify a total of three Apple iTunes backups – 2 iPhones and 1 iPad. After conferring with our client, we identified one Apple iTunes backup that was within the scope of our investigation. Under normal circumstances the analysis of an Apple iTunes backup is straightforward. However, in this particular instance the Apple iTunes backup of interest was corrupt, meaning that available forensic tools would not recognize and load the Apple iTunes backup data. We needed to pivot from a standard forensic analysis into a research and development (R&D) mindset to help our client gain access to the data contained within the corrupt Apple iTunes backup.
RESULT
After reviewing various data within the corrupt Apple iTunes backup, we were able to manually extract data representing SMS/iMessage conversations, the address book, and voicemail recordings. We then reconnected the various data points to provide a readable representation of the recovered data. Upon completion of our efforts, we presented our client with a fact-based report that showed a detailed and complete timeline of SMS/iMessage communication (including message content) and audio recordings of voicemails with associated phone numbers, caller names, date/time and duration information.
In the end, we were able to provide essential and new communication information to our client. This was possible because we embraced the challenges of a corrupt Apple iTunes backup and delivered a solution to our client.
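The kind of manual recovery described above can be illustrated with a short added example; it is not the firm's tooling or method, which the case study does not describe. It assumes an unencrypted backup whose manifest is unusable but whose data files survive, and relies on the iTunes convention of naming each backed-up file by the SHA-1 of its domain and relative path, plus the `message` and `handle` tables of `sms.db`. The function names are hypothetical.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Domain-relative paths of the three stores named in the case study.
TARGETS = {
    "sms": "HomeDomain-Library/SMS/sms.db",
    "contacts": "HomeDomain-Library/AddressBook/AddressBook.sqlitedb",
    "voicemail": "HomeDomain-Library/Voicemail/voicemail.db",
}

def backup_file_id(domain_path):
    """iTunes stores each file under SHA-1("<domain>-<relative path>")."""
    return hashlib.sha1(domain_path.encode()).hexdigest()

def locate(backup_dir, domain_path):
    """Find a store without consulting the manifest; returns a Path or None."""
    fid = backup_file_id(domain_path)
    root = Path(backup_dir)
    # Older backups are flat; newer ones shard by the first two hex characters.
    for cand in (root / fid, root / fid[:2] / fid):
        if cand.is_file():
            with cand.open("rb") as fh:
                if fh.read(16) == SQLITE_MAGIC:  # confirm it really is SQLite
                    return cand
    return None

def apple_time(value):
    """Convert an Apple timestamp (since 2001-01-01 UTC) to a datetime."""
    if value > 10**11:  # newer iOS versions store nanoseconds, not seconds
        value /= 10**9
    return APPLE_EPOCH + timedelta(seconds=value)

def sms_timeline(db_path):
    """Return (utc_time, direction, address, text) tuples in time order."""
    # Open read-only so the evidence copy is never modified.
    con = sqlite3.connect(f"file:{Path(db_path).as_posix()}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT m.date, m.is_from_me, h.id, m.text FROM message m "
            "LEFT JOIN handle h ON h.ROWID = m.handle_id "
            "WHERE m.date IS NOT NULL"
        ).fetchall()
    finally:
        con.close()
    events = [(apple_time(d), "sent" if me else "received", addr, text)
              for d, me, addr, text in rows]
    return sorted(events, key=lambda e: e[0])
```

Run it against a working copy of the backup folder taken from the forensic image, never against the original evidence.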