iPhorensics – No Pain, No Gain

Written by Brian Cusack & Ben Knight



The Apple iPhone has introduced a suite of complex challenges for the digital forensic investigator. This article lifts the lid on the challenges and communicates elements of best practice from the laboratory. The focus is on the iPhone hardware and software environment with recognition of the other set of complex problems posed for network forensic investigators. How might a forensic investigator extract evidence in a robust way, so that the findings are acceptable in court? What are the issues and problems that must be confronted? The rapidity of change and variation in the environment, and the volatility of the evidence are acknowledged.


Pop the top on an Apple iPhone and immediately everything looks small. The device is designed for mobility and connectivity in the smallest hands. No room has been left for amateur mechanics or spot-the-leak “guessabees” who want to remove or reattach components. There is no hard drive to neatly unplug and mount – it is solid state and soldered in along with the flash chips. Only limited portions of active files are accessible and there is a kill command to zero the storage either internally or by remote access. The Apple iPhone is simply not made for taking things out or putting them in, and requires more than the standard set of digital forensic tricks. It’s a jungle of interwoven trade-offs, which often have unsatisfactory paybacks for the unwary.


The first advice to an investigator is to identify the iPhone release number. Each of the four releases had different firmware, hardware and storage capabilities. To find the number, simply plug into iTunes but make sure the sync function is turned off (there is no write blocker here!). Now make some hard decisions. Most of the software tools available will only extract the logical files. So what if the user deleted relevant material before the acquisition? What about the kill function? In releases 1 and 2 the memory is zeroed over a couple of hours, but for releases 3 & 4 the encryption keys are deleted in a few seconds. Is a Faraday bag blocking network connectivity? Is the chain of custody documentation filled in? Has the risk of all external modification of the data been mitigated?


For the answers to these questions, see issue 4, out on 1 August.


The full article appears in Issue 4 of Digital Forensics Magazine, published 1st Aug 2010.

