
iPhorensics – No Pain, No Gain


by Brian Cusack & Ben Knight


The Apple iPhone has introduced a suite of complex challenges for the digital forensic investigator. This article lifts the lid on the challenges and communicates elements of best practice from the laboratory. The focus is on the iPhone hardware and software environment with recognition of the other set of complex problems posed for network forensic investigators. How might a forensic investigator extract evidence in a robust way, so that the findings are acceptable in court? What are the issues and problems that must be confronted? The rapidity of change and variation in the environment, and the volatility of the evidence are acknowledged.


Pop the top on an Apple iPhone and immediately everything looks small. The device is designed for mobility and connectivity in the smallest hands. No room has been left for amateur mechanics or spot-the-leak “guessabees” who want to remove or reattach components. There is no hard drive to neatly unplug and mount – it is solid state and soldered in along with the flash chips. Only limited portions of active files are accessible and there is a kill command to zero the storage either internally or by remote access. The Apple iPhone is simply not made for taking things out or putting them in, and requires more than the standard set of digital forensic tricks. It’s a jungle of interwoven trade-offs, which often have unsatisfactory paybacks for the unwary.


The first advice to an investigator is to identify the iPhone release number. Each of the four releases had different firmware, hardware and storage capabilities. To find the number, simply plug the device into iTunes, but make sure the sync function is turned off (there is no write blocker here!). Now make some hard decisions. Most of the software tools available will only extract the logical files. So what if the user deleted relevant material before the acquisition? What about the kill function? In releases 1 and 2 the memory is zeroed over a couple of hours, but for releases 3 and 4 the encryption keys are deleted in a few seconds. Is a Faraday bag blocking network connectivity? Is the chain of custody documentation filled in? Has the risk of all external modification of the data been mitigated?




The full article appears in Issue 4 of Digital Forensics Magazine, published 1st Aug 2010.


 