iPhorensics – No Pain, No Gain

Written by Brian Cusack & Ben Knight


The Apple iPhone has introduced a suite of complex challenges for the digital forensic investigator. This article lifts the lid on the challenges and communicates elements of best practice from the laboratory. The focus is on the iPhone hardware and software environment, while recognising the separate set of complex problems posed for network forensic investigators. How might a forensic investigator extract evidence in a robust way, so that the findings are acceptable in court? What are the issues and problems that must be confronted? The rapidity of change and variation in the environment, and the volatility of the evidence, are acknowledged.


Pop the top on an Apple iPhone and immediately everything looks small. The device is designed for mobility and connectivity in the smallest hands. No room has been left for amateur mechanics or spot-the-leak “guessabees” who want to remove or reattach components. There is no hard drive to neatly unplug and mount – it is solid state and soldered in along with the flash chips. Only limited portions of active files are accessible, and there is a kill command to zero the storage either internally or by remote access. The Apple iPhone is simply not made for taking things out or putting them in, and requires more than the standard set of digital forensic tricks. It’s a jungle of interwoven trade-offs, which often have unsatisfactory paybacks for the unwary.


The first advice to an investigator is to identify the iPhone release number. Each of the four releases had different firmware, hardware and storage capabilities. To find the number, simply plug the device into iTunes, but make sure the sync function is turned off (there is no write blocker here!). Now make some hard decisions. Most of the software tools available will only extract the logical files. So what if the user deleted relevant material before the acquisition? What about the kill function? In releases 1 and 2 the memory is zeroed over a couple of hours, but for releases 3 & 4 the encryption keys are deleted in a few seconds. Is a Faraday bag blocking network connectivity? Is the chain of custody documentation filled in? Has the risk of all external modification of the data been mitigated?



The full article appears in Issue 4 of Digital Forensics Magazine, published 1st Aug 2010.


 