iPhone Forensics

Book Title: iPhone Forensics
Subtitle: Recovering Evidence, Personal Data & Corporate Assets
Author: Jonathan Zdziarski
Publisher: O’Reilly
Date of Publication: 17 September 2008
Price: £30.99 (UK), $39.99 (USA)
ISBN: 978-0-596-15358-8

Reviewer: Tony Campbell

Cover image: iPhone Forensics (O'Reilly)

I love my iPhone and so should you (he says in a monotone, robotic voice). But the real question is, am I just another Apple fanboy, brainwashed by Steve Jobs' celebrity presence and marketing genius? Or have I really made a buying decision based on the facts? It's true that the iPhone is probably the sexiest piece of kit in this arm of the Milky Way, but is there something lurking under the glitzy hood that could rise up and bite us in the proverbial "you know what"?
Whether you are an individual or an organisation (and on whichever side of the law you happen to operate), you need to know exactly how much risk you are taking when you do business on your iPhone. How secure is your data, and, forensically, how much of your daily activity, transactions and communications can be recovered from the device and held to account in the eyes of the law?

So, how do you dig into Apple’s prizewinning marrow while donning the cap of the forensics investigator? That’s the easy part: pick up a copy of Jonathan Zdziarski’s iPhone Forensics, published by O’Reilly Media, and you’ll see exactly what’s going on beneath the glossy veneer. This book is a great technical companion for computer forensics guys who have a need (or a calling) to dig into the iPhone platform. True, it’s a very short book with a high price point (just 113 pages of technical content for £30.99), so the real proposition is pitched in terms of technical punch rather than kilograms of rainforest.

The foreword, written by the enigmatic John T Draper (Cap’n Crunch), sets the scene for the rest of the book, showing that it’s fairly easy for investigators to get a bucket load of valuable data from the iPhone as long as they know where to look. Zdziarski kicks off with a great introductory chapter that takes us through the rules of evidence collection and good forensic practice, before launching into the technical chapters. Even if it is aimed primarily at the newbie investigator, this introduction gives the book a nice, well-rounded feel.

Chapters 2 and 3 cover the basics of understanding the iPhone architecture and how to gain access to the underlying system. These chapters are invaluable and written in an easy-to-follow style, and they quickly get you to the stage where you are looking at the iPhone with its pants pulled well and truly down. Chapter 4 focuses on the forensic recovery of data, including a look at file-carving tools such as Foremost and Scalpel. Chapter 5 then moves into e-discovery, detailing techniques for finding evidence inside the iPhone's SQLite database files and its XML property lists (which hold items such as cookies, account details and Safari browsing history).

Chapter 6 ties the iPhone investigation to the desktop PC, describing tools and techniques for correlating evidence between the two platforms. Finally, Chapter 7 cuts to the chase and explains, for specific kinds of investigation (illustrated with real-life cases), which information is the most useful and how it would be presented in court.

This book is an excellent resource for any computer forensics investigator. I recommend buying it, registering on O'Reilly's website for their up-to-date iPhone Forensics Data Recovery Training, and listening to some of the webcasts by Jonathan Zdziarski himself. For more information on these resources, see http://search.oreilly.com/?q=iphone+forensics.