Forensic Examination of iOS Platform Artifacts: A Comparative Multi-Tool Study Using Publicly Available Data

Document Type

Conference Proceeding

Source of Publication

2025 12th IFIP International Conference on New Technologies Mobility and Security Ntms 2025

Publication Date

7-18-2025

Abstract

This paper presents a forensic analysis of iOS 17.3 on an iPhone contextualized within mobile and IoT forensics. We systematically evaluate the effectiveness of leading forensic tools—Cellebrite UFED, MOBILedit Forensic Express, FTK Imager, and DB Browser for SQLite—in extracting critical artifacts such as call logs, application usage, browser history, location data, and deleted content. Our methodology rigorously aligns with the NISTIR 7617 mobile device forensic acquisition framework and leverages a publicly available forensic image from DigitalCorpora.org. We address the forensic challenges introduced by advanced encryption, cloud-based storage, and iOS sandboxing, emphasizing the necessity of tool validation, cross-tool comparison, and reproducibility. Our findings demonstrate that a hybrid approach—combining automated extraction with manual database inspection—substantially enhances artifact recovery, particularly in privacy-focused and encrypted environments. This work provides a reproducible, standards-driven workflow and offers actionable insights for practitioners facing the evolving landscape of iOS and IoT forensics.

ISBN

[9798331552763]

Publisher

IEEE

First Page

17

Last Page

25

Disciplines

Computer Sciences

Keywords

Cellebrite UFED, encrypted data, FTK Imager, iOS forensics, IoT forensics, mobile devices, MOBILedit, NISTIR 7617, SQLite

Scopus ID

105012573921

Indexed in Scopus

yes

Open Access

no

Link to Full Text

Share

COinS