iPhorensics – No Pain, No Gain


by Brian Cusack & Ben Knight


The Apple iPhone has introduced a suite of complex challenges for the digital forensic investigator. This article lifts the lid on the challenges and communicates elements of best practice from the laboratory. The focus is on the iPhone hardware and software environment with recognition of the other set of complex problems posed for network forensic investigators. How might a forensic investigator extract evidence in a robust way, so that the findings are acceptable in court? What are the issues and problems that must be confronted? The rapidity of change and variation in the environment, and the volatility of the evidence are acknowledged.


Pop the top on an Apple iPhone and immediately everything looks small. The device is designed for mobility and connectivity in the smallest hands. No room has been left for amateur mechanics or spot-the-leak “guessabees” who want to remove or reattach components. There is no hard drive to neatly unplug and mount – it is solid state and soldered in along with the flash chips. Only limited portions of active files are accessible and there is a kill command to zero the storage either internally or by remote access. The Apple iPhone is simply not made for taking things out or putting them in, and requires more than the standard set of digital forensic tricks. It’s a jungle of interwoven trade-offs, which often have unsatisfactory paybacks for the unwary.


The first advice to an investigator is to identify the iPhone release number. Each of the four releases had different firmware, hardware and storage capabilities. To find the number, simply plug into iTunes but make sure the sync function is turned off (there is no write blocker here!). Now make some hard decisions. Most of the software tools available will only extract the logical files. So what if the user deleted relevant material before the acquisition? What about the kill function? In releases 1 and 2 the memory is zeroed over a couple of hours, but for releases 3 and 4 the encryption keys are deleted in a few seconds. Is a Faraday bag blocking network connectivity? Is the chain of custody documentation filled in? Has the risk of all external modification of the data been mitigated?


For the answers to these questions, see issue 4, out on 1 August. Subscribe now!


The full article appears in Issue 4 of Digital Forensics Magazine, published 1st Aug 2010.


 