iphone forensics report [redacted]


Upload: john-andre

Post on 13-Apr-2015


DESCRIPTION

Forensics report from court records showing the scope of warrantless data extraction from an iPhone possible with common law-enforcement tools. Via ACLU.

TRANSCRIPT

Page 1: iPhone Forensics Report [redacted]

Case 1:12-mj-00304-JGS Doc #4 Filed 10/09/12 Page 1 of 5 Page IDiffllED- GR October 9, 2012 3:46PM .

AO 93 (Rev. 12/09) Search and Seizure Warrant

UNITED STATES DISTRICT COURT

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)

an Apple I-Phone model A1332 with IC #

for the

Western District of Michigan

Case No. 1: 12-mj-304

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

TRACEY CORDES, CLERK U.S. DISTRICT COURT

WESTERN DISTRICT OF MICHIGAN BY: dmh / ________ _

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Western District of Michigan (identify the person or describe the property to be searched and give its location):

One black-colored Apple I-Phone telephone bearing model # A1332 and IC # ••••, recovered from ····· bedroom located at ·····

The person or property to be searched, described above, is believed to conceal (identify the person or describe the property to be seized): historical information regarding call activity, "phone book" directory information, stored voice-mails and text messages, and electronic files, photographs, and video images

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property.

YOU ARE COMMANDED to execute this warrant on or before Sep 19, 2012 (not to exceed 14 days)

[x] in the daytime 6:00 a.m. to 10 p.m. [ ] at any time in the day or night as I find reasonable cause has been established.

Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.

The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to United States Magistrate Judge

Joseph G. Scoville (name)

[ ] I find that immediate notification may have an adverse result listed in 18 U.S.C. § 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) [ ] for ___ days (not to exceed 30).

[ ] until, the facts justifying, the later specific date of ________.

Date and time issued: [illegible]

City and state: Grand Rapids, Michigan

Printed name and title

Page 2: iPhone Forensics Report [redacted]

Case 1:12-mj-00304-JGS Doc #4 Filed 10/09/12 Page 2 of 5 Page ID#9

AO 93 (Rev. 12/09) Search and Seizure Warrant (Page 2)

Return

Case No.: 1:12-mj-304

Date and time warrant executed: [illegible]

Copy of warrant and inventory left with: [illegible]

Inventory made in the presence of: [illegible]

Inventory of the property taken and name of any person(s) seized: [illegible]

Certification

I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge.

Date: [illegible]

Executing officer's signature

Printed name and title

Page 3: iPhone Forensics Report [redacted]

Summary

Connection Type: Cable No. 110
Extraction start date/time: 9/13/2012 12:00:01 PM
Extraction end date/time: 9/13/2012 4:28:21 PM
UFED Physical Analyzer version: 3.0.1.7
Case number: GP13CR12GP0008
Case name: Aguilera et al.
Notes: ····· I-Phone / FPFII20122271400011701 / Physical Examination
Examiner name: Special Agent Cory Howe
Department: Homeland Security Investigations
Location: Grand Rapids, MI

Device Information

# Name: Value
1 : User_System_Data
2 Activation State: WildcardActivated
3 Application Entries: 0
4 Application Size (bytes): 0
5 Board: n90ap
6 Book Entries: 0
7 Book Size (bytes): 0
8 Capacity: 14GB
9 Cloud Backup Enabled: False
10 CPID: 8930
11 Data Entries: 1
12 Data Size (bytes): 4366336
13 ECID:
14 Free Memory (bytes): 14231298048
15 iBoot (firmware) version: iBoot-1219.62.16
16 ICCID:
17 Last Backup Computer Name: Adriana MacBook Pro
18 Last Backup Computer Type: Mac
19 Last Sync: 6/25/2012 6:45:37 AM(UTC-4)
20 Last Used ICCID:
21 Locale Language: en_US
22 Memory Size (bytes): 14758297600
23 Owner Name: monica
24 Passcode:
25 Phone Number:
26 Proofing Entries: 0
27 Proofing Size (bytes): 0
28 Ringtone Entries: 0
29 Ringtone Size (bytes): 0
30 Serial number:
31 Sync Host Name: Adriana MacBook Pro
32 Synced with: Computer: Adriana MacBook Pro\User: Cachetes
33 Synced with: Computer: User's Power Mac G5 (3)\User: User
34 USB (Ethernet) MAC:

Page 4: iPhone Forensics Report [redacted]

35 VoiceMemo Entries

36 VoiceMemo Size (bytes)

37 Wi-Fi MAC

Image Hash Details (1)

# Name

Image

Plugins

# Name

2

3

iPhonePhysicalInputID

DMGOpener

MBRGeneric

Path

Size (Bytes)

4

5

6

7

8

9

10

11

12

ApplePartitionMap

GUIDPartitionTable

TARArchiveOpener

HFS

iPhoneCatalog

iPhone databases

QuickTimeMetadata

iPhone device info

0

CC:08:E0:B2:4F:83

iPhone4GSM_5.1. IJ>hysicai_Physlcel_13-09-12_ 12-00-01.1mg

15955189780

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

Cellebrite

2.0

2.0

2.0

2.0

2.0

2.0

2.0

2.0

2.0

2.0

2.0

2.0

13

Contents

Type

Call Log

Incoming

Missed

iMessage: •••••

Contacts

Installed Applications

IP Connections

Locations

Cell towers

Harvested Wifi Locations

Media Locations

Wifi networks

104

23

48

33

2

2

18

37

13

659

227

28

1

403

Cellebrite

(4 Deleted)

(1 Deleted)

(3 Deleted)

(1 Deleted)

(1 Deleted)

(28 Deleted)

(28 Deleted)

104

23

48

33

2

2

18

37

13

659

227

28

403

2.0

(4 Deleted)

(1 Deleted)

(3 Deleted)

(1 Deleted)

(1 Deleted)

(28 Deleted)

(28 Deleted)

Page 5: iPhone Forensics Report [redacted]

Notes

Passwords

SMS Messages

Drafts

Inbox

Sent

User Accounts

User Dictionary

Web Bookmarks

Root

Web History

Wireless Networks

Data Files

Audio

Configuration

Database

Images

Text

Videos

Carved Files

Call Log

8

422

228

193

577

151

6

10149

292

3185

135

6340

198

1

0

* These details are cross-referenced from this device's contacts

Incoming (Party, Time)

1 310 410 Pedro* 7/29/2012 7:30:13 AM(UTC+0) 00:01:04
2 310 410 Pedro* 7/30/2012 1:36:51 AM(UTC+0) 00:01:12
3 310 410 Dad* 7/30/2012 2:34:08 AM(UTC+0) 00:00:32
4 310 410 Dad* 7/30/2012 5:38:54 PM(UTC+0) 00:00:37
5 310 410 Cesar* 7/30/2012 5:44:59 PM(UTC+0) 00:00:59
6 310 410 Bmo* 7/30/2012 5:49:11 PM(UTC+0) 00:02:17
7 310 410 Beto* 7/30/2012 5:58:55 PM(UTC+0) 00:02:21
8 310 410 Cesar* 7/30/2012 6:43:12 PM(UTC+0) 00:01:47
9 310 410 Beto* 7/30/2012 8:04:57 PM(UTC+0) 00:00:22
10 310 410 Bow* 7/30/2012 9:28:43 PM(UTC+0) 00:01:58
11 310 410 Pedro* 7/30/2012 10:41:18 PM(UTC+0) 00:01:21
12 310 410 Beto* 7/31/2012 12:18:02 AM(UTC+0) 00:03:27
13 310 410 Esmeralda* 7/31/2012 1:02:47 PM(UTC+0) 00:00:15
14 310 410 7/31/2012 1:17:51 PM(UTC+0) 00:05:28
15 310 410 Beto* 7/31/2012 1:23:18 PM(UTC+0) 00:02:11
16 310 410 Felix* 7/31/2012 2:48:39 PM(UTC+0) 00:00:43

8

(63 Deleted) 422 (63 Deleted)

(34 Deleted) 228 (34 Deleted)

(29 Deleted) 193 (29 Deleted)

577

151

6

(189 Deleted) 10149 (189 Deleted)

292

(170 Deleted) 3185 (170 Deleted)

135

(19 Deleted) 6340 (19 Deleted)

198

0
