
Computer Hacking Forensic Investigator Exam 312-49 iPod and iPhone Forensics

Module XXXVII Page | 3377 Computer Hacking Forensic Investigator Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Computer Hacking Forensic Investigator (CHFI)

Module XXXVII: iPod and iPhone Forensics

Exam 312-49


News: Students Charged: iPod Used as Criminal Tool

Source: http://www.mobilemag.com/

A student from an Ohio high school faced charges for hacking the school's computers. The student had downloaded personnel files relating to staff and students onto an iPod, and was charged with possession of a criminal tool by the local law enforcement authorities.

The incident happened at Clay High School in Oregon City, Ohio, USA. The student knowingly accessed the staff personnel records and shared them with another student. One of the staff members overheard their conversation, inquired about the action, and seized the iPod that was used to initiate the hack. The student denied the charges.

The school authorities started upgrading their network security because of this incident.


News: Sparkling iPod Ignites Investigation in Japan

Source: http://www.macnewsworld.com/

According to the Japanese government, Apple reported on March 7, 2008 that sparks were being generated when recharging the iPod Nano model MA099J/A. The Japanese ministry confirmed that the sparks had not injured any customers and that no casualties had been reported.

The Japanese government looked for a possible solution to the problem.

Jack Gold, principal analyst with J. Gold Associates, said that these are common problems that had been reported earlier in laptops. They mainly occur when the technology outpaces the design of the particular lithium-ion battery used to power the iPod. He also said that these problems occur frequently when a battery overheats.


News: iPhone Tantalizes, Frustrates Forensics Experts

Source: http://www.wired.com

Derrick Donnelly, chief technology officer of Blackbag Technologies, a Silicon Valley-based company specializing in Apple forensic solutions, explains that the iPhone's web, email, and phone functionality, combined with its 4 or 8 GB of storage, lets the device serve as a window into its owner's activity.

Amber Schroader, CEO of Utah-based Paraben, a leader in digital-forensics software development, said that the iPhone uses the Mac OS X operating system and is a totally closed system. Because it is closed, it is not easy for forensic experts to make sure that data obtained from an iPhone has not been tampered with.

Donnelly said that Mac experts were struggling to get data out of the iPhone's closed system without changing any of it. He explained that the iPhone cannot be used with existing forensic software and data-extraction systems. Forensic experts have stopped using old techniques such as photographing data as it is displayed on the screen.

A laptop or desktop computer can help significantly in this situation. Even when the data cannot be pulled off the iPhone itself, it can be obtained from the other devices the iPhone has been connected to: an analyst can search for the user's phone data that was uploaded to the connected computer.

The iPhone can store a huge amount of personal user data, which can provide information about the user.


Module Objective

This module will familiarize you with:

iPod

iPhone Overview

iPhone OS Overview

iPhone Disk Partitions

Apple HFS+ and FAT32

iPod and iPhone Forensics

Write Blocking

Write Blocking in Different OS

Recover IPSW File

Forensic information from the Windows registry

Timeline Generation

Tools


Module Flow


iPod

The iPod is a portable digital audio player designed by Apple Inc. iPods can be used as digital media storage devices as well as audio and video players. They offer a large storage capacity that can hold a great deal of audio, video, and other digital data in various formats. MP3, M4A/AAC, Protected AAC, AIFF, WAV, Audible audio book, and Apple Lossless audio files can be played on an iPod. All iPods use a hard disk to store data, except the iPod Nano and iPod Shuffle, which use flash memory. iTunes is the media player used with iPods to play and organize music and video files.

The idea of iPod devices was first conceived by Tony Fadell, who was later hired by Apple to develop the iPod. Later versions of iPods were developed by Apple's Industrial Design Group. iPods have a simple user interface. They contain a central scroll wheel which is used to browse songs.

iPod Touch

The iPod Touch is an iPod with Wi-Fi and a multi-touch interface, featuring the Safari browser and wireless access to the iTunes Store and YouTube. It runs the iPhone OS as its operating system, which makes it user friendly. The following figure shows the various components of an iPod:

Figure 37-01: Components of iPod


iPhone Overview

The iPhone is an Internet-connected multimedia smartphone designed and marketed by Apple Inc. with a multi-touch screen and a minimal hardware interface. With advanced technology, it has a virtual keyboard instead of a physical one and the user can operate it via the touch screen.

Features:

Phone: The iPhone has a calling feature with which the user can call a cell phone, a landline, or another compatible iPhone

Mail: It provides the flexibility of connecting to the Internet where the user can access email

Safari: Safari is an advanced web browser which helps the iPhone user to access any requested web page

iPod: It can be used as a portable digital audio and video player with a 3.5 inch widescreen display and touch screen

SMS: It provides the SMS feature that helps the users send text messages

Maps with GPS: This feature helps the user find their own location, get directions, and see traffic

iTunes: With a Wi-Fi connection, the user can shop for songs on iTunes by tapping the iTunes button on the iPhone

App Store: The App Store lets the user find applications in various categories, from games to business, education to entertainment, finance to fitness, and productivity to social networking

Calendar: The calendar helps the user plan their schedule

YouTube: The iPhone keeps the user entertained with a YouTube application

Photos and camera: The iPhone has a built-in camera, which lets users take photos and sync those pictures with a personal computer or Mac

Stocks, weather, notes: Provides stock quotes and weather reports with a tap

Calculator: The calculator on the iPhone provides a full-featured scientific calculator


What a Criminal Can Do with an iPod

The iPod's large storage capacity and rapid data transfer over a USB cable make it potentially useful to attackers for information theft. The use of iPods in crimes and criminal investigations has already been recognized. Though the major threats from an iPod are corporate espionage and data theft, it can be used wherever there is a need to store data.

The small size and easy operation of iPods make them suitable for criminal activity. Moreover, their reputation as "innocent" media players has, until now, made them popular among criminals. In the past, the police have established connections between iPods and various crimes, and have successfully traced criminals through iPod investigations.

iPods can be hacked or customized using various techniques. They can be configured to work as an external storage device, or custom scripts can be written to use them in nearly any preferred way.

Criminals use the iPod and all its features in a variety of ways, such as to:

Spread viruses and Trojans

Store and distribute child pornography images and videos

Keep entries such as the date and time of crime

Keep and distribute contact information of other criminals with photos and other documents


What a Criminal Can Do with an iPhone

The iPhone is an advanced personal device that gives users a touch-screen iPod, a phone, and a flexible Internet device. It offers various advantages not only to the user but also to an attacker, who can misuse the information or applications present on the iPhone.

The following are activities that a criminal can carry out with the iPhone:

Send viruses and Trojans to other users, infecting their devices too

Distribute child pornography images and videos, which are legally prohibited

Data theft, such as theft of contact numbers, email addresses, or SMS contents

Store and transmit personal and corporate information by connecting the iPhone to a system or laptop used at the organization

Send threatening or offensive SMS and MMS messages

Attackers aware of the SIM's properties can manipulate it

Clone the SIM data for illicit use

Remove the Service Provider Lock (SP-Lock), which limits the mobile station (MS) to a single network

Spamming


iPhone OS Overview

The iPhone is an Apple product, and the iPhone OS is the operating system developed by Apple Inc. that runs on both the iPhone and the iPod Touch. It is derived from Mac OS X and built on the Darwin foundation. It takes up less than half a GB of the device's total storage.

The iPhone OS has four abstraction layers, which are as follows:

1. The Core OS layer: This layer of the iPhone OS provides the kernel environment, drivers, and the basic interfaces of the operating system

2. The Core Services layer: This layer provides the fundamental services for iPhone applications, such as Address Book, Core Location, CFNetwork, Security, and SQLite

3. The Media layer: This layer provides graphics and media technologies such as Core Audio, OpenAL, and video technologies in the iPhone OS, which give an advanced multimedia experience on a mobile device

4. The Cocoa Touch layer: This layer consists of the UIKit and Foundation frameworks, which provide the tools for implementing graphical, event-driven applications on the iPhone operating system


iPhone Disk Partitions

The iPhone offers disk partitions to manage the stored information. It has a solid state NAND flash memory and is configured with two partitions by default, as follows:

1. Root Partition: This partition holds the operating system and all the preloaded applications, and is limited to 300 MB in size. By default, it is mounted read-only and remains in its factory state.

2. User Partition: The remaining space is left for the user's use. It holds the user's data, such as music and photos, which the user can read, write, delete, or edit at any time. It is mounted as /private/var on the iPhone.


Apple HFS+ and FAT32

iPods formatted with Mac computers have Apple’s HFS+ file system and those formatted with Windows machines have the FAT32 file system.

HFS+, or HFS Plus, is a file system developed by Apple Inc. It can support larger files, as it uses 32-bit block addresses. HFS+ uses Unicode for file and folder names and supports names up to 255 characters long. The FAT32 file system was developed by Microsoft Corporation.

When conducting a forensic analysis of an iPod, it is important to know which type of system the iPod has been synchronized with. Knowing the format in use makes it easier to match the iPod to the host it has been synchronized with.
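The check described above, carried out against the raw bytes of an iPod volume image, as an added example (this is not EC-Council's code). It recognises a FAT32 boot sector by the "FAT32   " type string at offset 0x52 and the 0x55 0xAA signature at 0x1FE, and an HFS+ volume by the "H+" signature in the 512-byte volume header at offset 1024; for HFS+ it also decodes the header's creation, modification, backup and last-check dates (seconds since 1904-01-01), which are useful timeline points. The two sample images are constructed inline, not dumps of real devices.

```python
"""Identify whether an iPod volume image is FAT32 (Windows-synced) or HFS+
(Mac-synced) and pull the HFS+ volume-header timestamps into a timeline.

Added example for this module; not EC-Council's code. On-disk facts relied on:
a FAT32 boot sector carries the 8-byte type string "FAT32   " at offset 0x52
and the 0x55 0xAA signature at 0x1FE; an HFS+ volume header is 512 big-endian
bytes at offset 1024, signature "H+" ("HX" for HFSX), with createDate,
modifyDate, backupDate, checkedDate at +16..+31 and fileCount, folderCount,
blockSize, totalBlocks at +32..+47. The sample images below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ dates count seconds from here


def identify_volume(img: bytes) -> str:
    """Return 'FAT32', 'HFS+', 'HFSX' or 'unknown' from the first 2 KiB of a volume image."""
    if len(img) >= 0x200 and img[0x52:0x5A] == b"FAT32   " and img[0x1FE:0x200] == b"\x55\xAA":
        return "FAT32"
    sig = img[1024:1026]
    if sig == b"H+":
        return "HFS+"
    if sig == b"HX":
        return "HFSX"
    return "unknown"


def sync_host(img: bytes) -> str:
    """Map the file system to the kind of host the iPod was formatted and synced with."""
    fs = identify_volume(img)
    return {"FAT32": "Windows (FAT32)", "HFS+": "Macintosh (HFS+)",
            "HFSX": "Macintosh (HFSX)"}.get(fs, "undetermined")


def hfs_time(secs: int) -> datetime:
    """Convert an HFS+ date. Caveat: createDate is stored in the local time of the
    machine that formatted the volume; modify/backup/checked dates are UTC."""
    return HFS_EPOCH + timedelta(seconds=secs)


def parse_hfsplus_header(img: bytes) -> dict:
    """Decode the fields of the HFS+ volume header that matter for a timeline."""
    hdr = img[1024:1024 + 512]
    if hdr[:2] not in (b"H+", b"HX"):
        raise ValueError("not an HFS+/HFSX volume header")
    create, modify, backup, checked, files, folders, block_size, total_blocks = struct.unpack(">8I", hdr[16:48])
    return {
        "signature": hdr[:2].decode("ascii"),
        "create_date": hfs_time(create),   # local time of the formatting host (see hfs_time)
        "modify_date": hfs_time(modify),
        "backup_date": hfs_time(backup),
        "checked_date": hfs_time(checked),
        "file_count": files,
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total_blocks,
        "volume_bytes": block_size * total_blocks,
    }


def _secs(dt: datetime) -> int:
    return int((dt - HFS_EPOCH).total_seconds())


def make_fat32_sample() -> bytes:
    """Constructed 2 KiB image with just enough of a FAT32 boot sector to be recognised."""
    img = bytearray(2048)
    img[0:3] = b"\xEB\x58\x90"          # jump instruction typical of a FAT32 boot sector
    img[0x52:0x5A] = b"FAT32   "
    img[0x1FE:0x200] = b"\x55\xAA"
    return bytes(img)


def make_hfsplus_sample() -> bytes:
    """Constructed 2 KiB image with an HFS+ volume header at offset 1024."""
    created = datetime(2008, 3, 7, 10, 0, tzinfo=timezone.utc)
    modified = datetime(2008, 3, 9, 18, 30, tzinfo=timezone.utc)
    hdr = bytearray(512)
    hdr[0:2] = b"H+"
    struct.pack_into(">H", hdr, 2, 4)    # version 4 = HFS+
    hdr[8:12] = b"10.0"                   # lastMountedVersion
    struct.pack_into(">8I", hdr, 16, _secs(created), _secs(modified), 0, _secs(modified),
                     1234, 56, 4096, 1_000_000)
    return bytes(1024) + bytes(hdr) + bytes(512)


if __name__ == "__main__":
    for name, img in (("windows-ipod.img", make_fat32_sample()), ("mac-ipod.img", make_hfsplus_sample())):
        print(name, "->", sync_host(img))
        if identify_volume(img).startswith("HFS"):
            info = parse_hfsplus_header(img)
            print("  created:", info["create_date"], "modified:", info["modify_date"],
                  "files:", info["file_count"], "size:", info["volume_bytes"])
```

On a real acquisition, pass the first few KiB of the partition (not the whole disk) to `identify_volume`; on a Mac-formatted iPod the HFS+ volume sits inside the Apple partition map, so locate the partition start first.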


Application Formats

iPods use standard file formats to store various kinds of data. They use the standard vCard file format for contact information; this format is used to exchange electronic business cards. vCards contain personally identifiable information such as name and address, and they can be attached to email messages.

Calendar entries are stored in the industry-standard vCalendar format. The vCalendar file format is also known as the Personal Calendaring and Scheduling Exchange Format, and it is used to interchange calendar and time-scheduling information.

Music can be stored in different folders on the device. iPods can play MP3, M4A/AAC, Protected AAC, AIFF, WAV, and Apple Lossless audio files. Newer iPods can also play .m4v (H.264) and .mp4 (MPEG-4) video files. Windows-formatted iPods can play unprotected WMA files.

iPods use ID3 tags to sort files. ID3 tags are metadata containers that store information about an audio file, especially an .mp3 file, such as the title, artist, album, and track number. Users can store files on the device securely as encrypted or hidden files. With third-party applications and accessories, iPods can also be used as voice recorders and as photo storage for digital cameras.
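Because vCard and vCalendar records are plain text, they can be carved straight out of a raw data-partition image even when the file system metadata is damaged. The following added example (not EC-Council's code) scans an image for BEGIN:VCARD/END:VCARD and BEGIN:VEVENT/END:VEVENT blocks, unfolds continuation lines, splits each record into properties, and turns the events' DTSTART values into a sorted timeline; it records the byte offset of every hit so the finding can be referenced in the image. SAMPLE_IMAGE is constructed inline.

```python
"""Carve vCard contacts and vCalendar events out of a raw iPod data-partition
image and build a timeline from the events.

Added example for this module, not EC-Council's code. Assumes the records are
stored as text blocks delimited by BEGIN:VCARD/END:VCARD and
BEGIN:VEVENT/END:VEVENT with RFC 2425-style line folding. SAMPLE_IMAGE is a
constructed stand-in for a partition image.
"""
import re
from datetime import datetime

# Byte patterns so raw images can be scanned; non-greedy + DOTALL so a record may span many lines.
VCARD_RE = re.compile(rb"BEGIN:VCARD\r?\n.*?END:VCARD", re.DOTALL)
VEVENT_RE = re.compile(rb"BEGIN:VEVENT\r?\n.*?END:VEVENT", re.DOTALL)


def parse_vobject(blob: bytes) -> dict:
    """Turn one BEGIN/END block into {PROPERTY: [values]}; parameters such as TEL;CELL are dropped."""
    text = blob.decode("utf-8", errors="replace")
    text = re.sub(r"\r?\n[ \t]", "", text)   # unfold continuation lines (line starting with SPACE/TAB)
    props = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].strip().upper()
        props.setdefault(name, []).append(value.strip())
    return props


def carve_records(image: bytes) -> list:
    """Scan the whole image for contact and event records; keep the byte offset of each hit."""
    found = []
    for kind, pattern in (("vcard", VCARD_RE), ("vevent", VEVENT_RE)):
        for m in pattern.finditer(image):
            found.append({"type": kind, "offset": m.start(), "props": parse_vobject(m.group(0))})
    return sorted(found, key=lambda r: r["offset"])


def event_timeline(records: list) -> list:
    """(start, summary, offset) for every VEVENT, sorted by time. DTSTART is
    'YYYYMMDDTHHMMSS' optionally suffixed with 'Z' for UTC; unparsable dates are skipped."""
    out = []
    for rec in records:
        if rec["type"] != "vevent":
            continue
        for start in rec["props"].get("DTSTART", []):
            try:
                when = datetime.strptime(start.rstrip("Z"), "%Y%m%dT%H%M%S")
            except ValueError:
                continue
            out.append((when, rec["props"].get("SUMMARY", [""])[0], rec["offset"]))
    return sorted(out)


# Constructed image: slack bytes, one contact, more slack, one calendar with a single event.
SAMPLE_IMAGE = (
    bytes(64) + b"\xde\xad" * 10
    + b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nFN:Jane Doe\r\n"
      b"TEL;CELL:+1-555-0100\r\nTEL;WORK:+1-555-0199\r\n"
      b"NOTE:Lunch with\r\n  Bob\r\nEND:VCARD\r\n"
    + b"\xff" * 32
    + b"BEGIN:VCALENDAR\r\nVERSION:1.0\r\nBEGIN:VEVENT\r\n"
      b"DTSTART:20080307T100000\r\nSUMMARY:Dentist\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    + bytes(16)
)

if __name__ == "__main__":
    records = carve_records(SAMPLE_IMAGE)
    for rec in records:
        print(f"{rec['type']} @ offset {rec['offset']}: {rec['props']}")
    for when, summary, offset in event_timeline(records):
        print(f"{when.isoformat()}  {summary}  (offset {offset})")
```

Run it against a real image by reading the partition into `bytes` (or memory-mapping it) and passing that to `carve_records`; the offsets it reports are relative to the start of whatever you passed in.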


iPod and iPhone Forensics

iPod and iPhone forensics refers to the recovery of digital evidence from iPods and iPhones under forensically sound conditions using accepted methods. It includes the recovery and analysis of data, and helps in tracing and prosecuting criminals where iPods and iPhones have been used as a means of committing a crime. It also helps in other criminal cases by yielding contact details, conversations, and other forms of communication logs.

Data stored on iPods and iPhones provides general insight into a case.


Evidence Stored on iPod and iPhone

iPods and iPhones have different characteristics, each of which yields important information for an investigation. They may hold the following forensic information:

Text messages

Calendar events

Photos and videos

Caches

Logs of recent activity

Map and satellite imagery

Personal alarms

Notes

Music

Email

Web browsing activity

Passwords and personal credentials

Fragments of typed communication

Voicemail

Call history

Contacts

Information pertaining to interoperability with other devices

Items of personal interest


Forensic Prerequisites

To perform iPod forensics and obtain exact results, it is necessary to use proper investigative equipment. These requirements include both hardware and software. The following are some of the items required for iPod forensics:

Hardware requirement:

iPod: The device which is collected at the scene

Two commodity computers, a PC and a Macintosh: Most of the investigation is done on the PC computer; a Macintosh is used when there is a need

Software requirement:

Windows or Mac operating systems:

Investigators should use a Windows or Mac operating system. If using a Windows OS, it should have the following configuration:

o Processor: AMD Athlon 64 2800

o RAM: 512 MB

o Hard drive: 160 GB

In the case of Mac OS:

o OS: Mac OS X

o Processor: 500 MHz

o RAM: 128 MB

o Hard drive: 8 GB

Data recovery tools such as Recover My iPod and iPod Data Recovery

Forensics tools such as Encase and Forensic Toolkit


Collecting iPod/iPhone Connected with Mac

When collecting the device, first check its state at the scene. Collect the iPod directly if it is not connected to a computer. If the iPod is connected to a computer, check whether the device is mounted; determine this by checking the iPod screen for a "Do Not Disconnect" message.

If it is still mounted, unmount the device before disconnecting it from the computer. To unmount the device, drag the iPod icon to the Trash on the Macintosh desktop.

Do not simply disconnect or unplug the iPod without unmounting it, as this might damage the device.

Figure 37-02: Collecting iPod/iPhone connected with Mac


Collecting iPods Connected with Windows

A different procedure is followed when collecting a device connected to a Windows computer. Write down the iPod's name, visible on the desktop, before unmounting it from the computer. To unmount the device, click "Unplug or eject hardware." Disconnect or unplug the iPod from the computer properly; improper unplugging may damage the iPod's disk, resulting in a loss of data.

Depending on the machine to which the iPod is connected, the forensics investigator uses a particular tool to analyze the iPod.

Figure 37-03: Collecting iPod connected with Windows


Disable Automatic Syncing

Automatic syncing synchronizes the information on the device with the information stored on the computer. Disabling it prevents cross-contamination of iPod/iPhone data. The steps to disable automatic syncing are as follows:

1. Open iTunes on the desktop machine

2. Select Preferences from the iTunes menu

3. Click the Syncing tab

4. Check the box labeled Disable automatic syncing for all iPhones and iPods


Write Blocking

Write blocking is a technique that prevents alteration of, and so maintains the integrity of, data storage devices. Generally, imaging techniques are used to prevent the original evidence from being altered. Imaging can be performed using software and hardware tools. But sometimes even the image may get altered and give different results. To obtain an exact forensic output, write blocking is one of the best techniques.

Write blocking protects the evidence from any type of change and gives read-only access to it. Hardware blockers are preferable to software blockers. Hardware blockers are harder to implement because of their design, and are generally used for hard disks. Because of the cost of USB write-blocking hardware, an investigator often prefers software blocking. Use a software write blocker such as PDBLOCK, or a hardware write blocker such as the WiebeTech Forensic SATADock, to prevent the information from being altered. On Linux and Macintosh, write blocking is performed using commands.


Write Blocking in Different OS

Depending on the type of OS, there are different write blocking techniques. In some operating systems, software tools are used to give read-only access, while in others, commands are used. Generally, when an iPod is examined from Windows, software write blocking tools are used, while on Linux and Macintosh, commands are used. The following are the different operating systems an iPod may be examined from, each with its own write blocking technique:

Windows:

In Windows XP Service Pack 2, there is a registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

Change this key's value to the hex value 0x00000001 and restart the computer. This blocks write access to any USB storage device. To lift the block, change the value back to 0x00000000 and restart the computer. Manual blocking can be performed by setting the proper key value or by using the NCFS USB Write Blocker. These write-access changes take effect only when the system is restarted and the registry values are reloaded.

Linux:

There are two techniques available in Linux to perform write blocking. The first relies on the fact that the source code of the operating system's components is open: it is possible to modify that code and recompile it so that the iPod device is write blocked. The second relies on the high level of control available within the operating system's configuration: it is possible to adjust the configuration for the iPod and prevent write access to it. Generally, the second option is not used in an investigation.

When using the second option, prevent Linux from automatically mounting the iPod as a drive. This lets the investigator treat the device as a blocked device and mount its file systems read-only. On an Ubuntu Live CD, auto-mounting can be disabled by selecting System > Preferences > Removable Drives and Media. In the window that opens, clear the check boxes and click OK.

Macintosh:

Macintosh is largely based on the same concepts as Linux, so write blocking the evidence using a configuration method is conceptually the same. These methods include:

o Preventing the Mac OS from automatically mounting removable media

o Preventing iTunes from loading when the iPod is connected


o Mounting the iPod drives with read-only access when they need to be mounted


Image the Evidence

Data acquisition is an important step in an iPod investigation. Before acquiring data from the original device, an investigator generally creates an image of the evidence. Imaging is the process of creating an exact copy of the contents of a digital device, and is a critical step in the investigation. The main aim of imaging is to protect the original device from alteration. Several data imaging tools exist for iPod devices, such as EnCase. These tools make exact bit-for-bit copies of the original and prevent any alteration.

Imaging an iPod will not always give accurate results. When an iPod is connected over its USB interface, it gives direct access to the drive. The iPod has both software and hardware control functions, such as Disk Mode, the mode in which an iPod operates when it is connected to a computer. When the iPod is connected, software switches it into Disk Mode automatically. Disk Mode can also be entered manually: toggle the Hold switch on and off, press the Select and Menu buttons until the Apple logo appears, then immediately release them and hold down the Select and Play buttons until the Disk Mode screen appears. This mode provides the method of accessing the data the iPod contains. In Disk Mode, the iPod gives direct access to the hard disk, which can make the connection between the iPod and the computer unstable and cause problems in imaging. So it is better to use data imaging tools such as EnCase and GNU dd. Use hashing to ensure that the image and the original are the same, with a hashing tool such as MD5.

Recover the data from these images, using data recovery tools such as Recover My iPod and iPod Data Recovery.
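The imaging-plus-hashing workflow above, written out as an added example (not EC-Council's code): the device is copied chunk by chunk while MD5 and SHA-256 are computed over the stream, the finished image is hashed again independently, and the two records are compared, which is what pairing GNU dd with md5sum/sha256sum achieves. It also covers the failure mode the module warns about (an unstable Disk Mode connection or a bad sector): an unreadable chunk is zero-filled and counted, as dd's conv=noerror,sync does, so the examiner knows the image verified against itself but is not a perfect copy. FlakyDevice is a constructed stand-in for a block device; in practice the source would be a write-blocked device opened with open(path, "rb").

```python
"""Image a storage device chunk by chunk while hashing, then re-hash the image
to verify it, the way GNU dd and md5sum/sha256sum are used together.

Added example for this module, not EC-Council's code. Works on any file-like
object with read(); FlakyDevice is a constructed stand-in whose read at one
offset fails, so the dd conv=noerror,sync behaviour can be exercised offline.
"""
import hashlib
import io

CHUNK = 64 * 1024


class FlakyDevice:
    """Constructed block-device stand-in: the read starting at bad_offset raises OSError once."""

    def __init__(self, data: bytes, bad_offset=None):
        self.data, self.pos, self.bad_offset = data, 0, bad_offset

    def read(self, n: int) -> bytes:
        if self.bad_offset is not None and self.pos == self.bad_offset:
            self.pos += n              # the region is skipped, as a failed sector read would be
            self.bad_offset = None
            raise OSError("I/O error (simulated bad sector)")
        buf = self.data[self.pos:self.pos + n]
        self.pos += len(buf)
        return buf


def image_device(src, dst, chunk: int = CHUNK, pad_errors: bool = True) -> dict:
    """Copy src to dst, hashing the bytes as they stream past. Unreadable chunks are
    zero-filled (like dd conv=noerror,sync) and counted in 'bad_chunks'."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = bad = 0
    while True:
        try:
            buf = src.read(chunk)
        except OSError:
            if not pad_errors:
                raise
            buf = b"\x00" * chunk
            bad += 1
        if not buf:
            break
        dst.write(buf)
        md5.update(buf)
        sha256.update(buf)
        total += len(buf)
    return {"bytes": total, "bad_chunks": bad, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_stream(f, chunk: int = CHUNK) -> dict:
    """Hash an already-written image (or the source device a second time) independently."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    for buf in iter(lambda: f.read(chunk), b""):
        md5.update(buf)
        sha256.update(buf)
        total += len(buf)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hashes_match(a: dict, b: dict) -> bool:
    """Both digests and the byte count must agree before an image is called verified."""
    return a["md5"] == b["md5"] and a["sha256"] == b["sha256"] and a["bytes"] == b["bytes"]


def acquire_and_verify(device, chunk: int = CHUNK):
    """Image the device into memory and verify the image against the acquisition record.
    Returns (acquisition record, verification record, verified?)."""
    image = io.BytesIO()
    acq = image_device(device, image, chunk)
    image.seek(0)
    ver = hash_stream(image, chunk)
    return acq, ver, hashes_match(acq, ver)


def tamper_check(image_bytes: bytes, acq: dict) -> bool:
    """True if image_bytes still matches the acquisition record; one flipped byte breaks it."""
    return hashes_match(acq, hash_stream(io.BytesIO(image_bytes)))


if __name__ == "__main__":
    device = bytes(range(256)) * 1024          # constructed 256 KiB "iPod disk"
    acq, ver, ok = acquire_and_verify(FlakyDevice(device))
    print("clean acquisition:", acq["md5"], "verified:", ok, "bad chunks:", acq["bad_chunks"])
    acq2, _, ok2 = acquire_and_verify(FlakyDevice(device, bad_offset=65536))
    print("with bad sector:  ", acq2["md5"], "verified:", ok2, "bad chunks:", acq2["bad_chunks"])
```

Record both digests and the bad-chunk count in the acquisition notes: a verified hash only proves the image has not changed since acquisition, and the count is what tells the court how faithful the image is to the device.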


View the iPod System Partition

The system partition of the iPod does not store the user's identifiable data. It comprises information related to the iPod's running software, such as:

The iPod OS

Images used in the operation of the device

Games and other applications stored on the device

There are many similarities between the system partitions of Windows and Macintosh iPods. As the format of this partition is unknown, the analyst opens it in a hex editor for analysis.


View the Data Partition

Depending on the type of iPod, it has a two- or three-partition structure. Both kinds of iPod have a system partition and a data partition; the only difference is that the Windows iPod has two partitions while the Macintosh iPod has three. The extra partition on the Macintosh iPod is due to the HFS+ file system it uses. This third partition is split into a resource fork, which holds information about the files on the data partition, and a data fork, which holds the actual files.

The data partition on the iPod consists of the user’s information stored on the iPod. This information includes:

Calendar entries

Contact entries

Note entries

Hidden iPod_Control directory

iTunes configuration information

Music stored on the iPod

This partition can be viewed using Forensic Toolkit, EnCase, a hex editor, and various Linux and Macintosh analysis commands. The data partition has the same structure on both Windows and Macintosh iPods, and contains the same files and directories.


Break Passcode to Access the Locked iPhone

The steps to be followed for breaking the passcode to access a locked iPhone are as follows:

From the keypad, press the Emergency Call button

Type *#301# followed by the green [phone] button

Delete the previous entry by hitting the delete key six times

Type the number 0 followed by the green [phone] button

Answer the call by pressing the green [phone] button

End the call by pressing the red [phone] button

Press the [Decline] button

In the Contacts tab, press the [+] button at the top to create a new contact

In the Add new URL tab, Enter prefs: and press the [save] button

Touch the No Name contact entry

Click the home page prefs: button

Click the General tab in setting menu

Click the Passcode Lock tab

Click the Turn Passcode Off tab

Return to the General tab by clicking on [cancel]

Click Auto-Lock and reset it to Never


Acquire the DeviceInfo File

The file \iPod_Control\iTunes\DeviceInfo on the iPod contains several pieces of forensic information. iTunes creates this file when the iPod is set up within iTunes while connected to the computer on which iTunes is running. The file's creation time is taken from the clock of the connected computer. Once this connection is established, the following information is recorded in the file:

Data related to the name given to the iPod

Data related to the username logged into the computer

Data related to the name of the computer to which the iPod is connected

This is possible only when the iPod is set up within iTunes.

Figure 37-04: Acquiring device information

Acquire SysInfo File

The SysInfo file in the iPod contains several pieces of forensic information. It is located in the data partition under the \iPod_Control\Device directory (\iPod_Control\Device\SysInfo) and is created by the iPod Updater software. The file is generated when the iPod is disconnected from the computer and connected to the power adapter. It does not change after that, so its timestamp is taken as the last restore time of the iPod.

This file contains the following forensic information:

Model number of the iPod, in the ModelNumStr field

Serial number of the iPod, in the pszSerialNumber field

Serial number the iPod presents to the computer, in the FirewireGuid field

This identifier identifies the iPod's connection to a Windows computer and is recorded in the \Windows\setupapi.log file

This file exists at the same location on both Windows- and Mac-formatted iPods. It also sits at the same byte offset from the beginning of the drive on both, starting at hexadecimal byte offset 5F02200. This makes the information easy to extract with forensic tools or with a hex editor: either jump to hexadecimal byte offset 5F02200 directly or search for “BoardHWName.” If the information is still not found, search for the serial number of the iPod, which is printed on the back cover.

SysInfo file
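The SysInfo lookup and the DeviceInfo name extraction described in the two sections above, as an added example that is not part of the CHFI module: it tries hexadecimal offset 5F02200 first, falls back to searching for "BoardHWName", and carves the names out of DeviceInfo as UTF-16LE runs (the UTF-16LE layout and both sample inputs are assumptions constructed for this example).

```python
"""Locate and parse the iPod SysInfo file, and carve names from DeviceInfo.

Added example, not EC-Council's or Apple's code. Assumptions (labelled):
  * SysInfo is plain text made of "Key: value" lines; the page gives
    hexadecimal byte offset 5F02200 as its usual position and suggests
    searching for "BoardHWName" when it is not there. This code does both.
  * DeviceInfo stores the iPod name, user name and computer name as
    UTF-16LE strings (an assumption about the layout), so the names are
    carved as UTF-16LE runs rather than read from fixed offsets.
Both sample inputs below are constructed for this example.
"""
import re

SYSINFO_USUAL_OFFSET = 0x5F02200   # hexadecimal byte offset given on the page

# Constructed stand-in for a raw iPod image: padding, then the SysInfo text.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"BoardHWName: iPod Q22\r\n"
    + b"pszSerialNumber: JQ1234ABCDE\r\n"
    + b"ModelNumStr: MA002\r\n"
    + b"FirewireGuid: 0x000A270012345678\r\n"
    + b"\x00" * 32
)

# Constructed DeviceInfo stand-in: three UTF-16LE names separated by
# binary filler (the exact binary layout is not described on the page).
SAMPLE_DEVICEINFO = (
    b"\x01\x00\x00\x00"
    + "Alice's iPod".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 6
    + "alice".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 10
    + "LAPTOP-0042".encode("utf-16-le") + b"\x00\x00"
)


def locate_sysinfo(image: bytes, hint: int = SYSINFO_USUAL_OFFSET) -> int:
    """Return the offset of the SysInfo text, or -1 if it is not present.

    The usual offset is tried first; if the marker is not there (different
    model, partial image), fall back to a full search for "BoardHWName".
    """
    marker = b"BoardHWName"
    if image[hint:hint + len(marker)] == marker:
        return hint
    return image.find(marker)


def parse_sysinfo(image: bytes) -> dict:
    """Parse the 'Key: value' lines of SysInfo into a dict (empty if absent)."""
    start = locate_sysinfo(image)
    if start < 0:
        return {}
    end = image.find(b"\x00", start)          # the text ends at the first NUL
    text = image[start:end if end >= 0 else None].decode("ascii", "replace")
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def carve_utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable UTF-16LE characters."""
    # Each character is a printable ASCII byte followed by a NUL high byte.
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


if __name__ == "__main__":
    info = parse_sysinfo(SAMPLE_IMAGE)
    print("SysInfo found at offset 0x%X" % locate_sysinfo(SAMPLE_IMAGE))
    for key in ("ModelNumStr", "pszSerialNumber", "FirewireGuid"):
        print("  %s = %s" % (key, info.get(key, "<missing>")))
    print("DeviceInfo names:", carve_utf16le_strings(SAMPLE_DEVICEINFO))
```

On a real image, pass the bytes of the data partition (or the whole drive) as `image`; the FirewireGuid value returned is the one to look for in setupapi.log.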

Recover IPSW File 

.IPSW is the iPod Touch and iPhone software update file format. The file contains the data for software restores and minor updates of the iPod/iPhone and gives information about running, installed, and uninstalled applications. It also helps in deleting the software if it was corrupted during download. It is stored in the following location in the iPhone:

Library/iTunes/iPhone Software Updates

Figure 37-05: Screenshot to recover IPSW file (Source: http://ioriginal.wordpress.com/)

Check the Internet Connection Status

The following are the steps to be followed for checking the Internet connection status:

Check whether an E on the screen indicates the slower EDGE network

Check whether the 3G icon indicates the faster but limited-area third-generation network

Check whether the radiating signal bars indicate Wi-Fi connectivity

View Firmware Version

To view the firmware version in the iPod:

1. Connect the iPod to iTunes

2. Click on the iPod in the left column of the iTunes window

3. Go to the Summary tab

Figure 37-06: Firmware information in iPod

To view the firmware version in the iPhone:

1. Select Home -> Settings -> General -> About

2. Check the entry for Version

Figure 37-07: Software version in the iPhone

Recover Network Information

Network information can be recovered using the Devinfo application on the iPhone. The Devinfo application shows the following information:

Network interfaces, including VPN, GPRS/EDGE/3G, and Wi-Fi

TCP/UDP connections

Routing table

Running processes

System info, memory, and disk usage

Figure 37-08: Network information in the iPhone

Recovering Data from SIM Card

The SIM card contains information that is important to a forensic investigation:

Service-related information such as unique identifiers for the (U)SIM, the Integrated Circuit Card Identification (ICCID), the subscriber, and the International Mobile Subscriber Identity (IMSI)

Phonebook and call information such as Abbreviated Dialing Numbers (ADN) and Last Numbers Dialed (LND)

Messaging information including SMS, EMS, and multimedia messages

Location information, including Location Area Information (LAI) for voice communications and Routing Area Information (RAI) for data communications

The SIM card data can be recovered using the following tools:

SIM Analyzer

SIMCon

SIM Card Data Recovery Software

Acquire the User Account Information

An iPod keeps a record of the computer on which it is mounted. It stores the name of the computer and the user names of all users who accessed the system while it was mounted. This information can be found, together with the iPod's name, in several locations.

The DeviceInfo file under a user name in the iTunes folder contains information about the computer with which the iPod was used. This information can be used to verify ownership of the iPod: if the user name stored on the iPod is the same as the one used by the person in question, it can be ascertained that he used the iPod. Establishing ownership of the iPod is necessary to prove the case in court, as the person may deny owning the device.

View the Calendar and Contact Entries

iPods also have limited PDA capabilities: they can store calendars, schedules, and contact information. This information can be found on an iPod with a simple string search. iPods use the standard vCard file format to store contact information and the vCalendar format to store calendar and scheduling information. Calendar and scheduling information is stored in .ics files in the Calendars folder, and contact entries are stored in .vcf files in the Contacts folder. Both formats store information as plain text on the hard drive and can be read easily.

Calendar and contact entries begin with the file headers “BEGIN:VCALENDAR” and “BEGIN:VCARD,” respectively. These headers mark the beginning of each vCalendar or vCard entry and remain intact even after the file is deleted or the iPod is restored to factory settings.

Figure 37-09: Calendar and contact entries in an iPod (Source: http://the-gadgeteer.com/)
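The header search described above, as an added example that is not from the CHFI module: it carves vCard and vCalendar entries straight out of raw bytes by their BEGIN: headers and flags an entry whose END: marker has been overwritten (a partly deleted record) instead of silently merging it into the next one; the raw sample is constructed.

```python
"""Carve vCard and vCalendar entries from raw iPod storage.

Added example, not from the CHFI module. The module notes that the
BEGIN:VCARD and BEGIN:VCALENDAR headers survive deletion and factory
restores, so searching raw bytes for those headers recovers entries
without relying on the file system. The sample below is constructed:
one intact contact, one deleted contact whose tail has been overwritten
(no END:VCARD), and one calendar entry.
"""
import re

# Constructed raw data: file-system slack and filler around three entries.
SAMPLE_RAW = (
    b"\x00" * 40
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
    + b"TEL;TYPE=CELL:+1-555-0100\r\nEMAIL:alice@example.invalid\r\nEND:VCARD\r\n"
    + b"\xde\xad" * 12
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\nTEL:+1-555-0199\r\n"
    + b"\x00" * 24                              # overwritten tail: no END:VCARD
    + b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    + b"DTSTART:20080512T140000Z\r\nSUMMARY:Meet Bob\r\nLOCATION:Cafe\r\n"
    + b"END:VEVENT\r\nEND:VCALENDAR\r\n"
    + b"\xff" * 16
)

HEADER_RE = re.compile(rb"BEGIN:(VCARD|VCALENDAR)\r?\n")
# Bytes that can legitimately appear inside a vCard/vCalendar text body.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def parse_fields(text: str) -> dict:
    """Map property names (parameters stripped) to values; first value wins."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("BEGIN:", "END:")):
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.split(";", 1)[0].upper(), value.strip())
    return fields


def carve_entries(data: bytes) -> list:
    """Return one dict per entry: kind, byte offset, whether it was complete,
    and its parsed fields. Truncated entries are kept and flagged."""
    headers = list(HEADER_RE.finditer(data))
    entries = []
    for i, m in enumerate(headers):
        kind = m.group(1).decode("ascii")
        start = m.start()
        # Never run past the next header, even if the bytes between look like text.
        limit = headers[i + 1].start() if i + 1 < len(headers) else len(data)
        stop = start
        while stop < limit and data[stop] in TEXT_BYTES:
            stop += 1                           # first non-text byte = overwrite
        text = data[start:stop].decode("ascii")
        terminator = "END:" + kind
        complete = terminator in text
        if complete:
            text = text[: text.index(terminator) + len(terminator)]
        entries.append({"kind": kind, "offset": start,
                        "complete": complete, "fields": parse_fields(text)})
    return entries


if __name__ == "__main__":
    for e in carve_entries(SAMPLE_RAW):
        status = "complete" if e["complete"] else "TRUNCATED"
        print("%-9s @0x%04X %-9s %s" % (e["kind"], e["offset"], status, e["fields"]))
```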

Recovering Photos

iTunes is used to manage the content of the iPhone. Photos may be considered evidence and can help investigators track the attacker. The steps to recover deleted photos are as follows:

1. Connect the iPhone to the laptop

2. Run iTunes

3. Click the Photos tab

4. Adjust the settings

5. Specify the folder to which photos should be synced

6. Use the Cellebrite UME 36 Pro tool to download the photos directly

Recovering Address Book Entries

Address book entries provide information such as email addresses, contact numbers, and other sensitive information that can be used as evidence. The steps for recovering address book entries are as follows:

1. Check the address book entries, which are stored in the following databases in the iPhone:

Library_AddressBook_AddressBook.sqlitedb

Library_AddressBook_AddressBookImages.sqlitedb

2. Retrieve the databases using iTunes

3. Use tools such as Cellebrite UME 36 Pro and WOLF to recover address book entries after connecting the tool to the iPhone

Figure 37-10: Address book entries

Recovering Calendar Events

Stored and deleted calendar events in the iPhone provide information such as schedules for particular days/times, meeting venues, the people to be met, and other sensitive information that can be used as evidence. After the scheduled event, this sensitive information may be deleted by the attacker or the user. Investigators can recover the information; the steps are as follows:

1. Check the calendar events stored in the following database in the iPhone:

Library_Calendar_Calendar.sqlitedb

2. Retrieve this database using iTunes

3. Use the Cellebrite UME 36 Pro tool to recover calendar events after connecting it to the iPhone

Figure 37-11: Calendar events in the iPhone (Source: http://www.apple.com/)

Recovering Call Logs

Call logs in the iPhone provide information that may be useful to investigators and can help in solving a case. Call logs include the following:

Dialed numbers, with the date and time of the call and the contact name if already stored

Received numbers, with the date and time of the call and the contact name if already stored

Missed numbers, with the date and time of the call and the contact name if already stored

The steps to be followed by an investigator to recover the call logs are as follows:

1. Check the call logs, which are stored in the following database in the iPhone:

Library_CallHistory_call_history.db

2. Use the tool WOLF to recover the call logs

Recovering Map Tile Images

The steps for recovering map tile images are as follows:

1. Check where the map tile images are stored in the iPhone:

Library_Maps_Bookmarks.plist

Library_Maps_History.plist

2. Use Cellebrite UME 36 Pro to recover map tile images directly after connecting it to the iPhone

Figure 37-12: Map tile images (Source: http://www.apple.com/)

Recovering Cookies

A cookie is a piece of information stored by a web browser. It helps the investigator reopen the web pages that were accessed by the user or an attacker. Since users and attackers are familiar with this property of cookies, they tend to delete them to avoid exposing the details cookies provide. The following steps are performed to recover cookies:

1. Check where the cookies are stored in the iPhone:

Library_Cookies_Cookies.plist

2. Download the cookies to a computer during an iTunes sync process

Recovering Cached and Deleted Email

The steps for recovering cached and deleted emails are as follows:

1. Check the location/database of the iPhone where the email is stored:

Library_Mail_Accounts.plist

Library_Mail_AutoFetchEnabled

2. Download cached and deleted emails to a computer during an iTunes sync process

Figure 37-13: Cached and deleted email in an iPhone (Source: http://www.iphonefreak.com/)

Recover Deleted Files

Files deleted from an iPod are not really erased; they are just marked as deleted. The “.Trashes” folder on the iPod shows all the deleted files, and they can easily be recovered with various forensic tools. When the “.Trashes” folder is full or is emptied, deleted files are moved to the “.Trashes\501” folder. These files cannot normally be seen and appear to have been completely erased, but they can still be recovered with deleted-file recovery tools.

Figure 37-14: Screenshot of deleting files in an iPod

Forensic Information from Windows: Registry

Forensic information related to the iPod investigation can also be acquired from the computer to which the iPod was connected. If the iPod was connected to a Windows computer, most of this information is written to the Windows registry. The registry maintains information about events occurring on the Windows computer, including connection events with the iPod. The registry contains the following information:

Keys created when the iPod is connected to the Windows computer

The last time those registry keys were changed

The serial number of the iPod

The registry gives information about the keys generated by the connection of the iPod to that computer and the last time those keys were changed.

The Windows computer creates a series of registry keys under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key when the iPod is connected to it. Under USBSTOR there are several subkeys; these identify the vendor, product, and revision code. Directly under such a key is another key that represents the iPod serial number, which is generally followed by “&0”.

Figure 37-15: Screenshot of AccessData Registry Viewer

Forensic Information from Windows: setupapi.log

The setupapi.log file is similar to the registry in Windows. It stores events such as driver and application installations on the Windows computer, including the time the iPod was connected to the system. The file is found within the Windows installation directory and records all driver installations that occur after boot time.

setupapi.log records the event when the iPod is connected to the system for the first time after boot. It will not record the event if the iPod is connected during boot. If the iPod software is not installed, the file records only the first entry when the iPod is connected; if it is installed, the file records a series of entries every time the iPod is connected to the computer after boot time.

Generally, the registry key gives an accurate record of the last time the iPod drivers were installed, as compared with the timestamps in the setupapi.log file. If the iPod is removed and reconnected, the registry shows the time when the drivers were installed, but the setupapi.log file indicates the reconnection time. Together, the registry and the setupapi.log file can be used to build a partial timeline that helps the investigation.

Figure 37-16: Setupapi.log files

Recovering SMS Messages

The steps for recovering SMS messages are as follows:

1. Check the location/database where the SMS messages are stored in the iPhone:

Library_SMS_sms.db

2. Use the tool Tansee iPhone Transfer SMS for recovering SMS messages after connecting it with the iPhone

Other Files Which Are Downloaded to the Computer During the iTunes Sync Process

The other files that are downloaded to the computer during the iTunes sync process are as follows:

Library_Keyboard_dynamic-text.dat

Library_LockBackground.jpg

Library_Notes_notes.db

Library_Preferences_.GlobalPreferences.plist

Library_Preferences_SBShutdownCookie

Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist

Library_Preferences_SystemConfiguration_com.apple.network.identification.plist

Library_Preferences_SystemConfiguration_com.apple.wifi.plist

Library_Preferences_SystemConfiguration_preferences.plist

Library_Preferences_com.apple.AppSupport.plist

Library_Preferences_com.apple.BTServer.plist

Library_Preferences_com.apple.Maps.plist

Library_Preferences_com.apple.MobileSMS.plist

Library_Preferences_com.apple.PeoplePicker.plist

Library_Preferences_com.apple.Preferences.plist

Library_Preferences_com.apple.WebFoundation.plist

Library_Preferences_com.apple.calculator.plist

Library_Preferences_com.apple.celestial.plist

Library_Preferences_com.apple.commcenter.plist

Library_Preferences_com.apple.mobilecal.alarmengine.plist

Library_Preferences_com.apple.mobilecal.plist

Library_Preferences_com.apple.mobileiPod.plist

Library_Preferences_com.apple.mobilemail.plist

Library_Preferences_com.apple.mobilenotes.plist

Library_Preferences_com.apple.mobilephone.plist

Library_Preferences_com.apple.mobilephone.speeddial.plist

Library_Preferences_com.apple.mobilesafari.plist

Library_Preferences_com.apple.mobileslideshow.plist

Library_Preferences_com.apple.mobiletimer.plist

Library_Preferences_com.apple.mobilevpn.plist

Library_Preferences_com.apple.preferences.network.plist

Library_Preferences_com.apple.preferences.sounds.plist

Library_Preferences_com.apple.springboard.plist

Library_Preferences_com.apple.stocks.plist

Library_Preferences_com.apple.weather.plist

Library_Preferences_com.apple.youtube.plist

Library_Preferences_csidata

Library_Safari_Bookmarks.plist

Library_Safari_History.plist

Analyze the Information

The last step in the investigation is to analyze the data. Once the data has been acquired, the forensic analyst examines it for evidence. Analysis includes the following points:

Find out the user name and computer by examining the \iPod_Control\iTunes\DeviceInfo file

If the information is hidden, try to recover that information

Use steganalysis tools such as Stegdetect to extract the hidden information

Use cryptanalysis tools such as Crank and Jipher to reveal the encrypted information

Use different audio and video players to reveal the audio and video files

Prepare a timeline of every event involving the iPod's connection to the system

If the files are password protected, use Hydra and other password cracking tools

Compare the timing in the registry or setupapi.log files with the event timings in the iPod

Open the data partition in a hex editor and check the user’s information, such as contacts, calendar entries, and music files

Timeline Generation

The investigator should create a timeline file during the investigation; it helps during the analysis. For exact investigation results, the timing of events is what matters most. Every activity on the iPod is recorded as a timestamp. The registry and setupapi.log files on the Windows computer connected to the iPod also keep records of every activity with the iPod, starting from the first connection between the computer and the iPod.

The timeline file should include the following information:

\iPod_Control\Device\SysInfo modified time

\iPod_Control\iTunes\iTunesControl creation time

\iPod_Control\iTunes\DeviceInfo (and others) modified time

Time when the iPod was connected to the computer and initialized

Creation time for all music files

Modification time of all music files
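A timeline built from the host-side sources this module lists (the USBSTOR registry key, the setupapi.log driver-install records, and the iPod control-file timestamps), as an added example that is not part of the CHFI module; the registry key, log excerpt and timestamps are all constructed, and the setupapi.log line layout is an assumption.

```python
"""Build a partial iPod connection timeline from Windows host artifacts.

Added example (not from the CHFI module or any vendor). It joins the host
sources this module describes: the USBSTOR registry key name (vendor,
product, revision code, then the iPod serial followed by "&0"), the
setupapi.log driver-install records, and the timestamps of the iPod's own
control files. Every input below is constructed. The setupapi.log lines
follow the general Windows XP layout (a bracketed section line carrying
the timestamp, then "#I121 Device install of ... finished successfully");
that layout is an assumption about the format, not something taken from
the page, so adjust the regexes to the log actually in evidence.
"""
import re
from datetime import datetime

# Constructed registry key path in the shape the module describes.
SAMPLE_USBSTOR_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A27001234ABCD&0"
)
# Constructed LastWrite time of that key (a hive parser would supply it).
SAMPLE_KEY_LAST_WRITE = datetime(2008, 5, 12, 9, 14, 7)

# Constructed setupapi.log excerpt: the iPod connected twice after boot,
# plus an unrelated USB device that must be ignored.
SAMPLE_SETUPAPI_LOG = """\
[2008/05/12 09:14:05 1204.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\diskapple___ipod____________1.62
#I121 Device install of "USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\\000A27001234ABCD&0" finished successfully.
[2008/05/12 11:40:51 1204.3 Driver Install]
#I121 Device install of "USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\\000A27001234ABCD&0" finished successfully.
[2008/05/12 11:42:00 1204.3 Driver Install]
#I121 Device install of "USB\\VID_046D&PID_C016\\5&1A2B3C4D&0&2" finished successfully.
"""

# Constructed iPod control-file timestamps, as an imaging tool would list them.
SAMPLE_IPOD_FILE_TIMES = {
    r"\iPod_Control\Device\SysInfo": datetime(2008, 5, 12, 9, 15, 30),
    r"\iPod_Control\iTunes\DeviceInfo": datetime(2008, 5, 12, 11, 41, 10),
}

USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)"
    r"&Rev_(?P<rev>[^\\]+)\\(?P<serial>[^&\\]+)&0",
    re.IGNORECASE,
)
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
INSTALL_RE = re.compile(r'^#I121 Device install of "(?P<path>[^"]+)" finished')


def parse_usbstor_key(key: str) -> dict:
    """Split a USBSTOR key or device path into vendor, product, rev and serial."""
    m = USBSTOR_RE.search(key)
    return {k: m.group(k) for k in ("vendor", "product", "rev", "serial")} if m else {}


def ipod_installs(log_text: str) -> list:
    """Return (timestamp, serial) for each Apple iPod install record in the log."""
    events, current_time = [], None
    for line in log_text.splitlines():
        section = SECTION_RE.match(line)
        if section:                 # every record inherits its section's time
            current_time = datetime.strptime(section.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        install = INSTALL_RE.match(line)
        if install and current_time is not None:
            dev = parse_usbstor_key(install.group("path"))
            if dev and dev["vendor"].upper() == "APPLE":
                events.append((current_time, dev["serial"].upper()))
    return events


def build_timeline(log_text: str, file_times: dict, key_last_write=None) -> list:
    """Merge host-side and iPod-side events into one list, oldest first."""
    rows = [(t, "setupapi.log", "iPod %s driver install / reconnection" % s)
            for t, s in ipod_installs(log_text)]
    if key_last_write is not None:
        rows.append((key_last_write, "registry", "USBSTOR iPod key last written"))
    rows += [(t, "iPod", "%s modified" % path) for path, t in file_times.items()]
    return sorted(rows)


if __name__ == "__main__":
    print("Registry key fields:", parse_usbstor_key(SAMPLE_USBSTOR_KEY))
    for when, source, what in build_timeline(
            SAMPLE_SETUPAPI_LOG, SAMPLE_IPOD_FILE_TIMES, SAMPLE_KEY_LAST_WRITE):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), source.ljust(12), what)
```

The merged output shows the pattern the module describes: the registry key's LastWrite sits beside the first install, while the second setupapi.log record marks the reconnection that the registry alone would not reveal.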

Timeline Generation: File Status After Initializing the iPod with iTunes and Before Closing iTunes:

Table 37-02: File status before closing iTunes

File Status After Closing iTunes for the First Time:

Table 37-03: File status after closing iTunes

Timeline Generation: File Status After Connecting iPod to the Computer for Second Time, Copying Music, and Closing iTunes

Table 37-04: File status after connecting the iPod to the computer for the second time

Time Issues

Time is an important factor in the investigation process. The investigator has to understand how time is reflected in the data analysis. An iPod has an internal clock, and it will create problems if it changes the files' creation and modification times. This clock has been tested using the following method:

Set a different date and time on the iPod from that of the computer connected to it

Connect the iPod to the computer, copy some music files to the iPod using iTunes; note the file creation, accessed, and modification times of the files

Disconnect the iPod from the computer

Check the time on the internal clock of the iPod

Play the songs on the iPod

Reconnect the iPod to the computer

Recheck the file created, accessed, and modified times

This can be checked again by copying the notes, calendar entries, and contacts to the iPod.

Jailbreaking in iPod Touch and iPhone

Jailbreaking

Jailbreaking is the process of unlocking iPhone and iPod touch devices to permit the installation of third-party applications. It can also add ringtones or change the wallpaper on the iPhone. It opens up the file system of the iPhone so that it can be accessed from a computer.

Attackers use different techniques to jailbreak the iPod. After jailbreaking, they can install malicious code or software that gives access to the information on the iPod. Some tools used for jailbreaking are:

iFuntastic

iDemocracy

iActivator

iNdependence

AppSnapp

Source: http://jailbreakme.com/

AppSnapp is a tool for jailbreaking the iPhone and iPod touch and allowing the installation of non-sanctioned third-party applications. It jailbreaks the iPhone or iPod Touch and then pushes Installer.app to the device; Installer.app contains a catalog of native applications that can be installed directly over a Wi-Fi or EDGE connection. It automates the process on iPhones running software/firmware. It can be completed purely on the iPhone, without interacting with a Mac or Windows computer.

Features:

Patches Springboard to load third-party apps

Activates non-AT&T iPhones automatically, while leaving already activated phones alone

Fixes YouTube on non-AT&T iPhones automatically, while leaving already activated phones alone

Installs Installer.app v3.0b5 on the iPhone/iPod Touch with Community Sources preinstalled

Fixes Apple's TIFF bug, making your device MORE secure than it was without AppSnapp

Enables afc2 protocol and adds special commands to allow killing Springboard, lockdownd, etc.

Figure 37-17: Screenshot of AppSnapp (Source: http://gizmodo.com/)

Tool for Jailbreaking: iFuntastic

Source: http://www.tuaw.com/tag/iFuntastic/

iFuntastic is an iPhone hacking and modification tool. It provides a GUI for almost any iPhone modification task. It can dig into your iPhone and edit images and logos, replace any system sound, and color iChat SMS balloons. It has a full file browser that browses the iPhone's internal file system and edits UI images.

Features:

Provides a “permanent jailbreak” tool called unshackling

Has multiple, editable home screen layouts with custom wallpaper

Offers simplified/improved ringtone installation

Figure 37-18: Screenshot of iFuntastic

Pwnage: Tool to Unlock iPod Touch

Source: http://wikee.iphwn.org/

The Pwnage tool is used to jailbreak both iPhones and iPod Touches.

Figure 37-19: Screenshot of Pwnage

Erica Utilities for iPod Touch

Source: http://ericasadun.com/

The Erica utilities help an investigator extract various forensic information from the iPod Touch.

Features:

Query your iPod or iPhone for device attributes including platform name, processor, etc.

Search the App Store from the command line. Enter a simple query phrase

The Erica utilities are as follows:

abquery. Search your address book by name. Enter a search phrase that abquery matches against the address book name fields

appLoad. Force Springboard to acknowledge new applications in the standard locations (/Applications and /var/mobile/Applications)

appSearch. Search the App Store from the command line. Enter a simple query phrase

badge. Badge application icons on Springboard with names, numbers, etc.

deviceInfo. Query your iPod or iPhone for device attributes including platform name, processor, etc.

findme. Return your current location's latitude and longitude. The new version returns XML

ip-print. Show the current IP address used by your iPhone

itmsSearch. Launch an iTunes store search from the command line

launch. Run an application from the command line as if it had been launched in Springboard. You must submit the application ID, e.g. launch com.apple.Calculator

notificationWatcher. Listen for standard and/or core telephony notifications. Notification Watcher eavesdrops on these system-wide notifications, which are sent using the BSD notification system (aka "Darwin Notification Center").

openURL. Launch a URL from the command line

play. Play an audio file; it takes one argument, the name of the file

plutil. Property-list utility based on Apple's and expanded with extra functionality. Run without arguments for a usage message


recAudio: Record audio from the onboard microphone

restart: A non-locking, 2.0-safe way to restart Springboard

sb: Set, reset, and query Springboard preferences; run without arguments for a usage message

sbar: Test status bar icons; the usage message explains how to use it

tweet: Send an update to Twitter; takes three arguments: user name, password, and the tweet text (quote the text so it stays one argument)

urlclip: Create a web clip (normal or tel://) on Springboard from the command line


Tools


EnCase

Source: http://www.guidancesoftware.com/

EnCase is a forensic suite that can recover data from the HFS+ file system used by Mac computers and by iPods formatted on a Mac. It displays the file structure of an HFS+ formatted device, including hidden folders.

EnCase runs on Windows but parses both HFS+ and FAT32, so it can be used with Mac-formatted and Windows-formatted iPods alike. It can recover deleted data even after the device has been restored to factory settings one or more times, because a restore rewrites the file system structures rather than overwriting every block.

EnCase shows deleted files on an iPod automatically. The Find File EnScript can be used to recover deleted files, including images and Word documents.

Features:

It acquires data into an evidence file format with a long record of acceptance in courts worldwide

It investigates and analyzes multiple platforms such as Windows, Linux, AIX, OS X and Solaris

It saves days of analysis time by automating complicated and routine tasks with prebuilt EnScript modules, such as Initialize Case and Event Log analysis

It finds information despite efforts to hide, cloak, or delete it

It easily handles large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space

It transfers evidence files directly to law enforcement or legal representatives

Review options enable non-investigators such as attorneys to review evidence easily

Reporting options allow quick report preparation


Figure 37-20: Screenshot of EnCase


DiskInternals Music Recovery

Source: http://www.diskinternals.com/music-recovery/

DiskInternals Music Recovery recovers media files that have been deleted or corrupted. It supports most media types, storage devices, and file systems, and can recover files even if the storage device was formatted and all information erased, or if the information is corrupted.

Features:

It supports a number of media formats, including mp3, wma, asf, wav, ogg, wv, ra, rm, vqf, mid, and voc, and the file systems used by Windows, Mac OS, Linux, and other systems.

It can recover files from hard drives, iPods, USB flash drives, mp3 players, and CD and DVD discs.

It comes with an integrated media player so users can preview the files they want to recover; if a file plays in the preview, it can be recovered.

Along with the restored media, the utility presents additional information: its "Music Slideshow" feature shows the tags and album covers of the media files while DiskInternals Music Recovery scans for deleted files.


Figure 37-21: Screenshot of DiskInternals Music Recovery


Recover My iPod: Tool

Source: http://www.recovermyipod.com/

Recover My iPod is iPod recovery software for recovering deleted or lost iPod files.

Features:

Recovers music, video, and images in the .m4a, .mp3, .mov (QuickTime), and .jpeg formats from any iPod

Supports a range of iPods, such as the iPod, iPod Shuffle, iPod Mini, iPod Nano, and other devices

Recovers data after an iPod reset or restore

System requirements:

Operating system: Windows 9x/ME/2000/XP/2003

RAM: 64 MB recommended

Hard disk: At least 6 MB of free disk space

Recover My iPod has two search modes:

A "Fast Search" quickly finds deleted files on an iPod

A "Deep Search" recovers from iPod drives that are deleted, lost, corrupted, or not recognized

The Recover My iPod search results screen previews all iPod files that can be recovered, including full song title names.


Figure 37-22: Screenshot of Recover My iPod


iPod Data Recovery Software

Source: http://www.datadoctor.org/

iPod Data Recovery software (also marketed as iPod Music Recovery) is written for iPod users. It recovers data from all Apple iPods, including the Mini, Shuffle, Nano, and the fifth-generation iPod, and retrieves songs, pictures, video, audio, photos, mp3 and mp4 files on Windows 98, Windows NT, Windows 2000, and Windows XP. It supports the latest versions of iTunes (including iTunes 7).

Features:

Recovers video files, audio files, music files, mp3s, pictures, etc.

Runs on the Windows operating system and retrieves missing files from the iPod

Supports all Apple iPods including iPod Mini, iPod Nano, iPod Shuffle, etc.

Restores files lost through accidental formatting or deletion

Retrieves data even after a reset operation has been performed on the iPod

Gives access even if the disk partition or volume is not recognized by the computer

Recovers data when a "drive not formatted" message is displayed while accessing the iPod as a disk drive

Compatible with all versions of iTunes

Supports iPods of all storage capacities

It supports the following iPod models:

o Apple iPod first generation

o Apple iPod second generation

o Apple iPod third generation

o Apple iPod fourth generation

o Apple iPod fifth generation

o Apple iPod Mini (first & second generation)

o Apple iPod Nano (first & second generation)


o Apple iPod Shuffle (first & second generation)

o Apple iPod U2

o Apple iPod Hi-Fi

Figure 37-23: Screenshot of iPod Data Recovery software


iPod Copy Manager

Source: http://www.aimersoft.com/

iPod Copy Manager is iPod backup and recovery software.

Features:

It copies songs, videos, and DVD movies back from an iPod to a computer when the iTunes library is lost

It backs up iPod videos and music to a computer before the iPod is sent for repair or after a system crash

It transfers videos, songs, movies, and TV shows to the iPod directly


Figure 37-24: Screenshot of iPod Copy Manager


Stellar Phoenix iPod Recovery

Source: http://www.stellarinfo.com/

Stellar Phoenix iPod Recovery is designed to recover music files, graphics, videos, documents, and other content from an iPod.

Key Features:

Recovers all iPod content, including music files, video files, podcasts, audio books, graphic files, and documents

Recovers files that were deleted from the iPod

Restores playlists in their original order after recovery

Graphically rich user interface

Compatible with all generations of iPod, including iPod classic, iPod Mini, iPod Shuffle, iPod Nano, and iPod Touch

Complete recovery from formatted or crashed media

Read-only utility: it performs no write operations on the iPod

Find File, File Mask, and File Filter options to help you search, view, and recover any specific file type

Available for Windows and Macintosh operating systems


Figure 37-25: Screenshot of Stellar Phoenix iPod Recovery


Tool: Aceso

Source: http://www.radio-tactics.com/

Aceso is a forensic tool that downloads data stored on mobile phone SIM/USIM cards, handsets, and memory cards.

Features:

Handset Access Card creation (a substitute SIM that lets the handset be powered on without registering on the network)

o Blocks network access for all SIM and USIM cards

o Prevents incoming calls and messages from overwriting existing data

SIM/USIM acquisition

o Dual mode also supported

Handset acquisition

o 421 supported handsets, including BlackBerry, Symbian, and iPhone models

o Data types supported: contacts, SMS, MMS, call registers, calendar, file system

Memory card acquisition

o Raw bit-for-bit image

o File system

 Figure 37-26: Aceso 


Tool: Cellebrite UME 36 Pro

Source: http://www.cellebrite.com

Cellebrite UME 36 Pro is a forensic tool that copies all forms of memory content off a handset as a backup. It supports a wide range of mobile phones, smartphones, and PDAs, including the iPhone.

The contents that Cellebrite can transfer are as follows:

Pictures

Videos

Ringtones

SMS

Phonebook contacts data

Features:

Based on Windows CE

Supports content transfer across all mobile handset technologies: GSM, CDMA, UMTS, 3G, TDMA, iDEN, and more

Transfer of phone's internal memory and SIM card content

Transfer of phonebooks, pictures, videos, ringtones, and SMS

Supports multiple language encodings

Available connectivity: USB, Serial, IrDA, and Bluetooth connections to phones

Transfer, back up, and restore of mobile phone content

Supports Symbian, Windows Mobile, Palm, and BlackBerry operating systems

Integrated SIM/smart card reader

Integrated PC connection allowing content backup and management

Stand-alone device or an integrated PC solution

User-friendly and self-explanatory

Easily upgraded through software file downloads


 Figure 37-27: Cellebrite UME 36 Pro


Tool: Wolf

Source: http://sixthlegion.com

Wolf allows an examiner to forensically examine the memory of Apple's iPhone. It can process iPhones protected by a passcode, and it retrieves the contents of the device without jailbreaking it, that is, without relying on hacking solutions that alter undisclosed files on the device.

The contents which it can extract are as follows:

Handset info

Contacts

Call logs

Messages

Internet info and history

Photos

Music and videos  


 Figure 37-28: Screenshot of Wolf


Tool: Device Seizure

Source: http://www.paraben-forensics.com

Device Seizure acquires and analyzes data from various mobile phones, PDAs, and GPS devices, including the iPhone. Text messages and images can also be found in a physical data dump of a phone. Device Seizure can acquire the following data:

SMS history (text messages)

Deleted SMS (text messages)

Phonebook

Call history

o Received calls

o Dialed numbers

o Missed calls

o Call dates and durations

Datebook

Scheduler

Calendar

To-do list

File system


 Figure 37-29: Screenshot of Device Seizure (Source: http://www.fileheap.com/)


Tool: PhoneView

Source: http://www.ecamm.com/

PhoneView provides easy access from a Mac to an iPhone's iTunes media, photos, notes, SMS messages, call history, and contacts. It is a consumer transfer utility rather than a forensic tool: it can write to the device, so it is not a substitute for a forensically sound acquisition.

Features:

File storage made easy: Makes it simple to transfer files between a Mac and an iPhone

Powerful notes access: Add, view, and edit the iPhone's notes on a Mac desktop

Export SMS messages and recent calls: This information can be viewed in a text editor or spreadsheet

  Figure 37-30: Screenshot of PhoneView (Source: http://www.ecamm.com/) 


Tool: iPhone Drive

Source: http://www.findmysoft.com/

iPhoneDrive is a Mac OS X application that lets an iPhone be used for file storage. Its drag-and-drop interface makes it easy to move files back and forth between the Mac and the iPhone. Because it writes to the device, it is a transfer tool rather than an acquisition tool.

Features:

It stores any type of data

Copy files and folders to and from the iPhone

Back up important data

Figure 37-31: Screenshot of iPhone Drive (Source: http://www.macworld.com/)


Tool: Tansee iPhone Transfer SMS

Source: http://pocket.qweas.com/

Tansee iPhone Transfer SMS copies SMS messages from an iPhone to a computer.

Features:

Backs up iPhone SMS messages to the computer

View and manage old iPhone SMS messages on the computer

View SMS messages as a text file or in Tansee's .ants file format

Password protection for .ants files

 Figure 37-32: Screenshot of Tansee iPhone Transfer SMS


Tool: SIM Analyzer

Source: http://cpa.datalifter.com/

SIM Analyzer is a cell phone forensics tool that recovers the contents of SIM cards from different cell phones.

It recovers:

Last numbers dialed and abbreviated dialing numbers

Active and deleted text (SMS) messages

All the general files found under the Telecom directory (DF_TELECOM) as defined in the GSM 11.11 standard

 Figure 37-33: Screenshot of SIM Analyzer


Tool: SIMCon – SIM Card Recovery

Source: http://www.simcon.no/

SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer file using the SIMCon forensic SIM card reader.

Features:

Read all available files on a SIM card and store in an archive file

Analyze and interpret content of files including text messages and stored numbers

Recover deleted text messages that are still stored on the card but no longer shown by the phone

Manage PIN and PUK codes

Compatible with SIM and USIM cards

Print report that can be used as evidence based on user selection of items

Secure file archive using MD5 and SHA1 hash values

Export items to files that can be imported in popular spreadsheet programs
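SIM Analyzer and SIMCon both list recovery of deleted SMS messages, and the reason that works is visible in the record layout: EF_SMS on a GSM SIM stores each message as a 176-byte record whose first byte is a status flag (bit 0 clear means "free"), so a handset "deletes" a message by clearing that flag and leaves the SMS TPDU in place. The Python below is an added example written for this page, not code from either product: it decodes SMS-DELIVER records (GSM 11.11 record layout, GSM 03.40 TPDU) from a constructed EF_SMS dump of three records, the second of which is flagged free but still holds its message, and reports the ones a handset would no longer show. The SIM records, phone numbers and message text are constructed sample data; the decoder handles numeric senders and the GSM 7-bit default alphabet only, with an abbreviated alphabet table.

```python
"""Carve SMS-DELIVER messages out of a GSM SIM's EF_SMS file.

Added example for this page (not SIM Analyzer or SIMCon code).  Record layout
per GSM 11.11 (EF_SMS) and GSM 03.40 (TPDU); the sample dump is constructed.
"""

RECORD_LEN = 176  # EF_SMS record: 1 status byte + up to 175 bytes of SMSC address and TPDU

# Abbreviated GSM 03.38 default alphabet: only positions that differ from ASCII
# are listed; every other code in 0x20..0x7A is the same as ASCII.
_GSM_EXCEPTIONS = {
    0x00: "@", 0x02: "$", 0x0A: "\n", 0x0D: "\r", 0x11: "_",
    0x24: "\u00a4", 0x40: "\u00a1", 0x5B: "\u00c4", 0x5C: "\u00d6",
    0x5D: "\u00d1", 0x5E: "\u00dc", 0x5F: "\u00a7", 0x60: "\u00bf",
    0x7B: "\u00e4", 0x7C: "\u00f6", 0x7D: "\u00f1", 0x7E: "\u00fc", 0x7F: "\u00e0",
}


def unpack_7bit(data, septet_count):
    """Unpack GSM 7-bit packed user data into a list of septets."""
    acc = bits = 0
    out = []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septet_count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return out


def gsm7_to_str(septets):
    return "".join(_GSM_EXCEPTIONS.get(s, chr(s) if 0x20 <= s <= 0x7A else "?")
                   for s in septets)


def swapped_bcd(data, ndigits):
    """Decode nibble-swapped BCD digits; 0xF is the filler nibble."""
    digits = []
    for b in data:
        for nibble in (b & 0x0F, b >> 4):
            if nibble != 0xF:
                digits.append("0123456789*#abc"[nibble])
    return "".join(digits[:ndigits])


def decode_address(data, ndigits):
    """TON/NPI byte followed by swapped-BCD digits; returns (number, bytes used)."""
    nbytes = (ndigits + 1) // 2
    number = swapped_bcd(data[1:1 + nbytes], ndigits)
    if data[0] & 0x70 == 0x10:  # Type of Number: international
        number = "+" + number
    return number, 1 + nbytes


def decode_scts(data):
    """TP-SCTS: YY MM DD hh mm ss tz as swapped BCD; tz in quarter hours, sign in bit 3."""
    f = [(b & 0x0F) * 10 + (b >> 4) for b in data[:6]]
    tz = data[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return "20%02d-%02d-%02d %02d:%02d:%02d %s%02d:%02d" % (
        f[0], f[1], f[2], f[3], f[4], f[5], sign, quarters // 4, quarters % 4 * 15)


def decode_sms_deliver(tpdu):
    """Parse an SMS-DELIVER TPDU (numeric originating address, 7-bit user data)."""
    pos = 1 + tpdu[0]                      # skip the length-prefixed SMSC address
    if tpdu[pos] & 0x03 != 0x00:           # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    pos += 1
    sender, used = decode_address(tpdu[pos + 1:], tpdu[pos])
    pos += 1 + used
    dcs = tpdu[pos + 1]                    # tpdu[pos] is TP-PID
    pos += 2
    timestamp = decode_scts(tpdu[pos:pos + 7])
    pos += 7
    udl = tpdu[pos]                        # septet count for the 7-bit alphabet
    pos += 1
    if dcs & 0x0C != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled here")
    text = gsm7_to_str(unpack_7bit(tpdu[pos:pos + (udl * 7 + 7) // 8], udl))
    return {"sender": sender, "timestamp": timestamp, "text": text}


def carve_ef_sms(ef_sms):
    """Return every record that still holds a TPDU, flagging those marked free."""
    found = []
    for idx in range(len(ef_sms) // RECORD_LEN):
        rec = ef_sms[idx * RECORD_LEN:(idx + 1) * RECORD_LEN]
        status, body = rec[0], rec[1:]
        if body[0] == 0xFF:                # no SMSC length byte: never written
            continue
        msg = decode_sms_deliver(body)
        msg.update(record=idx + 1, status=status, deleted=not status & 0x01)
        found.append(msg)
    return found


def _record(status, tpdu_hex):
    tpdu = bytes.fromhex(tpdu_hex)
    return bytes([status]) + tpdu + b"\xff" * (RECORD_LEN - 1 - len(tpdu))


# Constructed EF_SMS dump; numbers are from the UK 07700 900xxx drama range.
_REC1 = ("0791447700091032"   # SMSC +447700900123 (length 7, TON 0x91)
         "04"                 # TP-MTI SMS-DELIVER, TP-MMS set
         "0C91447700094065"   # originating address, 12 digits: +447700900456
         "0000"               # TP-PID, TP-DCS (7-bit default alphabet)
         "90302101512200"     # TP-SCTS 2009-03-12 10:15:22 +00:00
         "07"                 # TP-UDL 7 septets
         "C3309B0D6A9701")    # "Call me", 7-bit packed
_REC2 = ("0791447700091032" "04" "0C91447700097098" "0000"
         "90303180500000" "04" "D0709A0C")   # "Paid" from +447700900789, 2009-03-13 08:05:00
SAMPLE_EF_SMS = (_record(0x01, _REC1)    # used, read
                 + _record(0x00, _REC2)  # flagged free, body intact: recoverable
                 + _record(0x00, ""))    # flagged free and blank: nothing to recover


if __name__ == "__main__":
    for m in carve_ef_sms(SAMPLE_EF_SMS):
        tag = "DELETED" if m["deleted"] else "status 0x%02x" % m["status"]
        print("rec %d (%s) %s %s: %s" % (m["record"], tag, m["timestamp"], m["sender"], m["text"]))
```

The third record shows why the status byte alone is not enough: a record can be "free" and genuinely blank, or "free" with the whole message still in it, and only reading past the status byte tells them apart.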


Figure 37-34: Screenshot of SIMCon


Tool: SIM Card Data Recovery Software

Source: http://www.datadoctor.in

SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM cards.

Features:

Retrieves deleted contact numbers, unreadable messages, and corrupt phone book directories

Undeletes inbox text messages (both read and unread), outbox messages, drafts, saved and favorite messages, and sent items that have been deleted from SIM card memory

Provides full details about a SIM card, such as its provider and ICC-ID

Figure 37-35: Screenshot of SIM Card Data Recovery


Summary

iPods can be used as digital media storage devices as well as audio and video players

uClinux is the port of the Linux kernel that supports CPUs without a memory-management unit

iPods formatted on a Mac use Apple's HFS+ file system; iPods formatted on a Windows machine use FAT32

The iPod uses the standard vCard file format for storing contact information

Jailbreaking is the process of unlocking iPhone and iPod Touch devices to permit the installation of third-party applications

Unmount (eject) the device before disconnecting it; unplugging it while it is mounted can damage the file system

The main aim of preserving evidence is to maintain its integrity

Write blocking is a technique that prevents alteration of a data storage device and so maintains the integrity of its data

The file \iPod_Control\iTunes\DeviceInfo on the iPod holds a number of forensically useful details

The data partition on the iPod holds all the user information stored on the iPod

The .Trashes folder on a Mac-formatted iPod holds files that were deleted through the Finder but not yet emptied from the Trash

The Windows registry records keys created when an iPod is connected to a computer; the last-write time of those keys shows when they were last changed

The setupapi.log file complements the registry: Windows logs device driver installation events to it, including the time an iPod was first connected to the system
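The last two summary points are where the host side of an iPod examination usually starts, and the setupapi.log entry is easy to extract automatically. The Python below is an added example (not part of the EC-Council material) that parses a constructed Windows XP setupapi.log excerpt: each driver-install section begins with a bracketed timestamp header, the device's hardware IDs follow on a #-019 line, and a #I124 line names the device instance, whose last path component is the device serial number. The log lines, serial numbers and product IDs are made up for the example; Apple's USB vendor ID 05AC is real. Note what this log can and cannot tell you: it records driver installation, which normally happens on the first connection of a given device, so it yields a first-seen time; the last connection time comes from the registry keys' last-write timestamps, not from this file.

```python
"""Pull iPod/iPhone first-connection times out of a Windows XP setupapi.log.

Added example for this page; the log excerpt is constructed in the XP
setupapi.log style with made-up serial numbers and product IDs.
"""
import re
from datetime import datetime

APPLE_USB_VID = "05ac"   # Apple's USB vendor ID (real)

_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+\.\d+ Driver Install\]")
_HWIDS = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
_INSTANCE = re.compile(r'^#I124 Doing copy-only install of "([^"]+)"')


def parse_driver_installs(log_text):
    """Split the log into driver-install sections: time, hardware IDs, instance path."""
    sections = []
    current = None
    for line in log_text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                       "hardware_ids": [], "instance": None}
            sections.append(current)
            continue
        if current is None:
            continue                       # lines before the first header
        m = _HWIDS.match(line)
        if m:
            current["hardware_ids"] = [h.strip().lower() for h in m.group(1).split(",")]
            continue
        m = _INSTANCE.match(line)
        if m:
            current["instance"] = m.group(1)
    return sections


def is_apple_device(section):
    """Match the USB VID (device-level install) or the USBSTOR product string (disk-level)."""
    return any("vid_%s" % APPLE_USB_VID in h or "apple___ipod" in h
               for h in section["hardware_ids"])


def apple_device_installs(log_text):
    return [s for s in parse_driver_installs(log_text) if is_apple_device(s)]


def serial_from_instance(instance):
    """Last path component of the instance ID is the serial; USBSTOR appends '&0'."""
    return instance.rsplit("\\", 1)[-1].split("&", 1)[0]


def first_seen_by_serial(log_text):
    """Earliest install time per Apple device serial: the 'first connected' time."""
    seen = {}
    for s in apple_device_installs(log_text):
        if s["instance"] is None:
            continue
        serial = serial_from_instance(s["instance"])
        if serial not in seen or s["time"] < seen[serial]:
            seen[serial] = s["time"]
    return seen


# Constructed excerpt: an iPod installed twice (USB device, then USBSTOR disk)
# and an unrelated USB flash drive the next day.
SAMPLE_SETUPAPI_LOG = r"""[2009/03/10 09:41:07 1180.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_05ac&pid_1261&rev_0001,usb\vid_05ac&pid_1261
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USB\VID_05AC&PID_1261\000A27001A8B1234".
[2009/03/10 09:41:09 1180.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskapple___ipod____________1.62,usbstor\diskapple___ipod____________,usbstor\diskapple___,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001A8B1234&0".
[2009/03/11 17:02:55 2104.2 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5530&rev_0100,usb\vid_0781&pid_5530
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#I124 Doing copy-only install of "USB\VID_0781&PID_5530\2004DEADBEEF0001".
"""

if __name__ == "__main__":
    for serial, when in sorted(first_seen_by_serial(SAMPLE_SETUPAPI_LOG).items()):
        print("Apple device serial %s first installed %s" % (serial, when))
```

The serial recovered here is the value to look for under the registry's USBSTOR keys when the two sources are correlated; a device that was connected before the log was rotated or cleared will be absent from setupapi.log but can still appear in the registry.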


Exercise:

1. Discuss different features of the iPod and iPhone.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

2. Write a brief note on the trash in iPods and iPhones. How do you recover deleted files from the trash?

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

3. List various files that are downloaded to the computer during iTunes sync process.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

4. Explain the four abstraction layers of the iPhone.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

5. Discuss the various application formats of the iPod.


___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

6. What are the pre-requisites for iPod forensics?

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

7. Discuss the various techniques used for iPod forensics.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

8. Explain jailbreaking of iPod Touch and iPhone devices.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

9. Discuss the various tools that are frequently used for jailbreaking.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________


___________________________________________________________________

___________________________________________________________________

10. Discuss the various iPod and iPhone forensics tools.

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________


Hands-On

1. Find the file system on your iPod and iPhone.

2. Use iTunes and try to download the songs into your iPod.

3. Create a bitstream image of the iPod and iPhone using FTK.

4. Run EnCase and see the results.
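Hands-on step 3 asks for a bitstream image; whichever tool takes it, the check that makes the image usable as evidence is the same: hash the source while it is read, hash the image after it is written, and record both. The Python below is an added example of that check written for this page; it is not FTK, EnCase or any other product's code, and it does not replace the hardware write blocker the summary calls for, because opening a device read-only does not stop the operating system from mounting it and, on a journaled HFS+ volume, replaying the journal. It images a constructed "device" file in chunks, substitutes zeros for any chunk that cannot be read (the dd conv=noerror,sync behaviour) and records those offsets, then re-reads the image and verifies MD5 and SHA-1, and finally flips one byte to show that verification catches it. The file names, chunk size and sample contents are assumptions made for the example.

```python
"""Chunked bit-for-bit imaging with read-error handling and hash verification.

Added example for this page, not FTK, EnCase or any product's code.  It does
not replace a hardware write blocker: the source is opened read-only, but that
does not stop the OS from mounting the device.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # on a real device use a multiple of the sector size


def device_size(path):
    """Byte length via seek-to-end: st_size is 0 for block devices on Linux."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def acquire(src_path, img_path, chunk=CHUNK):
    """Copy src_path to img_path, hashing the source stream as it is read.

    A chunk whose read raises OSError is written as zeros (dd conv=noerror,sync)
    and its offset is recorded, so the image keeps the source geometry.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad_offsets = []
    size = device_size(src_path)
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        offset = 0
        while offset < size:
            want = min(chunk, size - offset)
            try:
                src.seek(offset)
                data = src.read(want)
            except OSError:
                data = b"\x00" * want
                bad_offsets.append(offset)
            if not data:
                break                      # unexpected EOF; verify() flags the short image
            md5.update(data)
            sha1.update(data)
            img.write(data)
            offset += len(data)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bad_offsets": bad_offsets}


def hash_file(path, chunk=CHUNK):
    """Independent re-read of a file, returning (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify(img_path, record):
    """The image is good only if size and both hashes match the acquisition record."""
    return (os.path.getsize(img_path) == record["size"]
            and hash_file(img_path) == (record["md5"], record["sha1"]))


def flip_byte(path, offset):
    """Corrupt one byte in place (used below to show that verify() notices)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0xFF]))


def demo_image(tmpdir=None):
    """Image a constructed 1 MiB 'device' file, verify it, then tamper and re-verify."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="ipod-image-")
    dev = os.path.join(tmpdir, "fake_ipod.bin")
    img = os.path.join(tmpdir, "fake_ipod.dd")
    with open(dev, "wb") as f:
        f.write(bytes(range(256)) * 4096)   # deterministic filler, not a real iPod image
    record = acquire(dev, img)
    ok = verify(img, record)
    flip_byte(img, 12345)
    tampered_ok = verify(img, record)
    abc = os.path.join(tmpdir, "abc.bin")   # known-answer check of the hashing path
    with open(abc, "wb") as f:
        f.write(b"abc")
    abc_record = acquire(abc, abc + ".dd")
    return {"device": dev, "image": img, "record": record, "ok": ok,
            "tampered_ok": tampered_ok, "abc_md5": abc_record["md5"],
            "abc_sha1": abc_record["sha1"]}


if __name__ == "__main__":
    d = demo_image()
    print("image verified:", d["ok"], " after tampering:", d["tampered_ok"])
    print("md5 ", d["record"]["md5"])
    print("sha1", d["record"]["sha1"])
```

Record the two digests, the size and any bad offsets in the case notes at acquisition time; an image that cannot be tied back to those values later has lost most of its evidential weight, whichever tool produced it.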