Abstract

One of the steps in a forensic investigation is to build a timeline. A timeline is required to discover the activities recorded in a forensic image. Here, a forensic image is the acquisition result of an iOS device, such as an iPhone or iPad. One of the de facto tools for creating forensic timelines is log2timeline plaso. However, plaso cannot extract all the time data from iOS device artifacts. In this study, a method is proposed to complement log2timeline so that it extracts all time data on iOS devices. We create parser plugins for log2timeline plaso that cover the missing artifacts, such as a plist or an SQLite database. The proposed method is briefly described as follows. First, the procedure constructs a forensic timeline using the plaso tool from an iOS image that has been acquired beforehand. We then identify the artifacts missing from the timeline. After that, we create a plaso plugin to parse the missing artifacts. Finally, we rerun plaso with the new plugins to build a more comprehensive timeline. Thus, a complete forensic timeline is obtained from the forensic image of an iOS device. Experiments show that the additional plugins provide a more comprehensive forensic timeline extracted from an iOS device.

Original language: English
Title of host publication: 8th International Conference on Engineering and Emerging Technologies, ICEET 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781665491068
DOIs
Publication status: Published - 2022
Event: 8th International Conference on Engineering and Emerging Technologies, ICEET 2022 - Kuala Lumpur, Malaysia
Duration: 27 Oct 2022 to 28 Oct 2022

Publication series

Name: 8th International Conference on Engineering and Emerging Technologies, ICEET 2022

Conference

Conference: 8th International Conference on Engineering and Emerging Technologies, ICEET 2022
Country/Territory: Malaysia
City: Kuala Lumpur
Period: 27/10/22 to 28/10/22

Keywords

  • forensic timeline
  • iOS forensics
  • log2timeline
  • plaso
