iPhorensics – No Pain, No Gain!

Written by Brian Cusack & Ben Knight



The Apple iPhone has introduced a suite of complex challenges for the digital forensic investigator. This article lifts the lid on those challenges and communicates elements of best practice from the laboratory. The focus is on the iPhone hardware and software environment, while recognising the further set of complex problems the device poses for network forensic investigators. How might a forensic investigator extract evidence in a robust way, so that the findings are acceptable in court? What are the issues and problems that must be confronted? The rapidity of change and variation in the environment, and the volatility of the evidence, are acknowledged.


Pop the top on an Apple iPhone and immediately everything looks small. The device is designed for mobility and connectivity in the smallest hands. No room has been left for amateur mechanics or spot-the-leak “guessabees” who want to remove or reattach components. There is no hard drive to neatly unplug and mount: the storage is solid state, soldered in along with the flash chips. Only limited portions of active files are accessible, and there is a kill command that zeroes the storage, triggered either internally or by remote access. The Apple iPhone is simply not made for taking things out or putting them in, and it requires more than the standard set of digital forensic tricks. It’s a jungle of interwoven trade-offs, which often have unsatisfactory paybacks for the unwary.


The first advice to an investigator is to identify the iPhone release number. Each of the four releases had different firmware, hardware and storage capabilities. To find the number, simply plug into iTunes, but make sure the sync function is turned off (there is no write blocker here!). Now make some hard decisions. Most of the software tools available will only extract the logical files. So what if the user deleted relevant material before the acquisition? What about the kill function? In releases 1 and 2 the memory is zeroed over a couple of hours, but for releases 3 and 4 the encryption keys are deleted in a few seconds. Is a Faraday bag blocking network connectivity? Is the chain of custody documentation complete? Has the risk of any external modification of the data been mitigated?
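The questions in that paragraph are a checklist, and the usual way an examiner proves that “no external modification” held from acquisition onward is to hash the acquired image at acquisition time, record the hash alongside the custody facts (examiner, release number, network isolation, sync disabled), and re-verify the hash before analysis. The following is an added example, not code from the article or from Digital Forensics Magazine; the image bytes are constructed stand-ins for a logical extraction, and the field names in the custody record are my own assumption about what such a record should carry.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of a logical extraction
# copied off the handset. Not a real iPhone image.
SAMPLE_IMAGE = b"constructed-logical-extraction\x00" * 64


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an acquired image as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def make_custody_entry(image: bytes, examiner: str, device_release: int,
                       faraday_bag: bool, sync_disabled: bool) -> dict:
    """Record the acquisition facts the article asks about, plus the
    integrity hash taken at the moment of acquisition.
    Field names are an assumption for this example, not a standard."""
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "device_release": device_release,      # 1..4, per the article
        "network_isolated": faraday_bag,       # Faraday bag in use?
        "itunes_sync_disabled": sync_disabled, # sync off before plugging in?
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
    }


def verify_image(image: bytes, entry: dict) -> bool:
    """Re-hash the image and compare against the custody record.
    Any change since acquisition, even one byte, fails this check."""
    return len(image) == entry["size_bytes"] and sha256_hex(image) == entry["sha256"]


def acquisition_risks(entry: dict) -> list:
    """List the custody gaps the article warns about for this acquisition.
    An empty list means the checklist was satisfied."""
    risks = []
    if not entry["itunes_sync_disabled"]:
        risks.append("iTunes sync was not disabled: no write blocker, device may have been written to")
    if not entry["network_isolated"]:
        if entry["device_release"] in (3, 4):
            risks.append("no Faraday bag on release 3/4: remote kill deletes encryption keys in seconds")
        else:
            risks.append("no Faraday bag on release 1/2: remote kill zeroes memory over a couple of hours")
    return risks


if __name__ == "__main__":
    entry = make_custody_entry(SAMPLE_IMAGE, "examiner-01", device_release=3,
                               faraday_bag=True, sync_disabled=True)
    print("intact:", verify_image(SAMPLE_IMAGE, entry))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[10] ^= 0x01   # flip a single bit
    print("tampered:", verify_image(bytes(tampered), entry))
    print("risks:", acquisition_risks(entry))
```

The size check is cheap and catches truncation early; the hash is what actually goes in the custody paperwork. Recording the release number next to the hash matters because, as the paragraph notes, the consequence of a missed Faraday bag differs by release: a slow zeroing on releases 1 and 2 versus near-instant key deletion on 3 and 4.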




The full article appears in Issue 4 of Digital Forensics Magazine, published 1 August 2010.


 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Scott C. Zimmerman

Scott C. Zimmerman is a CISSP qualified Information Security consultant and presenter

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 31 on sale from May 2017:


DDOS Attacks on Mobile Devices

Denial of service attacks (DoS), distributed denial of service attacks (DDoS) and reflector attacks (DRDoS) are well known and documented. More recently however we have seen that these attacks have been directed at mobile communication devices.  Read More »

Advancements in Windows Hibernation File Forensics

Brian Gerdon looks at how the windows hibernation files can be a valuable source of information for digital forensic investigators. Read More »

Subscribe today


Testing Damage Sustainability on SD Cards

A growing number of companies and agencies are now specializing in repair and recovery of data and not on the forensic examination of the data. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue