iPhone Forensics

Book description

"This book is a must for anyone attempting to examine the iPhone. The level of forensic detail is excellent. If only all guides to forensics were written with this clarity!" - Andrew Sheldon, Director of Evidence Talks, computer forensics experts

With iPhone use increasing in business networks, IT and security professionals face a serious challenge: these devices store an enormous amount of information. If your staff conducts business with an iPhone, you need to know how to recover, analyze, and securely destroy sensitive data. iPhone Forensics supplies the knowledge necessary to conduct complete and highly specialized forensic analysis of the iPhone, iPhone 3G, and iPod Touch. This book helps you:

  • Determine what type of data is stored on the device
  • Break v1.x and v2.x passcode-protected iPhones to gain access to the device
  • Build a custom recovery toolkit for the iPhone
  • Interrupt iPhone 3G's "secure wipe" process
  • Conduct data recovery of a v1.x and v2.x iPhone user disk partition, and preserve and recover the entire raw user disk partition
  • Recover deleted voicemail, images, email, and other personal data, using data carving techniques
  • Recover geotagged metadata from camera photos
  • Discover Google map lookups, typing cache, and other data stored on the live file system
  • Extract contact information from the iPhone's database
  • Use different recovery strategies based on case needs

And more. iPhone Forensics includes techniques used by more than 200 law enforcement agencies worldwide, and is a must-have for any corporate compliance and disaster recovery plan.

Table of contents

  1. Dedication
  2. A Note Regarding Supplemental Files
  3. Foreword
  4. Preface
    1. Audience of This Book
    2. Acknowledgments
    3. Organization of the Material
    4. Conventions Used in This Book
    5. Using Code Examples
    6. Legal Disclaimer
    7. Safari® Books Online
    8. We’d Like to Hear from You
  5. 1. Introduction to Computer Forensics
    1. Making Your Search Legal
    2. Rules of Evidence
    3. Good Forensic Practices
      1. Preserve the Evidence
      2. Document the Evidence
      3. Document All Changes
      4. Establish an Investigation Checklist
      5. Be Detailed
    4. Technical Processes
  6. 2. Understanding the iPhone
    1. What’s Stored
    2. Equipment You’ll Need
    3. Determining the Firmware Version
    4. Disk Layout
    5. Communication
    6. Upgrading the iPhone Firmware
    7. Restore Mode and Integrity of Evidence
    8. Cross-Contamination and Syncing
      1. The Takeaway
  7. 3. Accessing the iPhone
    1. Installing the Recovery Toolkit (Firmware v1.0.2–1.1.4)
      1. Step 1: Download and Install iLiberty+
        1. Mac OS X (iLiberty+ v1.6)
        2. Windows (iLiberty+ v1.3.0.113)
      2. Step 2: Dock the iPhone and Launch iTunes
      3. Step 3: Launch iLiberty+ and Verify Connectivity
        1. Booting out of recovery mode
        2. Mac OS X
        3. Windows
      4. Step 4: Activate the Forensic Toolkit Payload
        1. Mac OS X
        2. Windows
      5. Step 5: Install the Payload
        1. Mac OS X
        2. Windows
        3. It’s stuck!
        4. What to watch for
    2. Circumventing Passcode Protection (Firmware v1.0.2–1.1.4)
      1. Automated Bypass
      2. Manual Bypass
        1. Step 1: Prepare a custom RAM disk
        2. Step 2: Enter recovery mode
        3. Step 3: Upload and boot the custom bypass RAM disk
    3. Installing the Recovery Toolkit (Firmware v2.x)
      1. Step 1: Install and Run Pwnage v2.x
      2. Step 2: Use Xpwn to Customize the Stage 1 Firmware
      3. Step 3: Use Xpwn to Customize the Stage 2 Firmware
      4. Step 4: Install the Staged Firmware Bundles
    4. Removing the Forensic Recovery Toolkit
  8. 4. Forensic Recovery
    1. Configuring Wi-Fi and SSH
      1. Connecting to an Access Point
      2. Creating an Ad-Hoc Network
        1. Mac OS X
        2. Windows
      3. SSH to the iPhone
    2. Recovering the Media Partition
      1. Command-Line Terminal
        1. Mac OS X
        2. Windows
      2. Tools Needed
      3. MD5 Digests
      4. Unencrypted Recovery
        1. Mac OS X
        2. Windows
        3. Sending the data
      5. Encrypted Recovery of the Media Partition
      6. Making Commercial Tools Compatible
    3. Data Carving Using Foremost/Scalpel
      1. Configuration for iPhone Recovery
        1. Dynamic dictionaries
        2. Voicemail messages
        3. Property lists
        4. SQLite databases
        5. Email
        6. Web pages
        7. Other files
        8. PGP blocks
        9. Images
      2. Building Rules
      3. Scanning with Foremost/Scalpel
    4. Validating Images with ImageMagick
    5. Strings Dump
      1. Extracting Strings
        1. Mac OS X
        2. Windows
    6. The Takeaway
  9. 5. Electronic Discovery
    1. Converting Timestamps
    2. Mounting the Disk Image
      1. Disk Analysis Software
        1. Mac OS X and native HFS support
        2. Windows and HFSExplorer
    3. Graphical File Navigation
      1. Images of Interest
    4. Extracting Image Geotags with Exifprobe
    5. SQLite Databases
      1. Connecting to a Database
      2. SQLite Built-in Commands
      3. Issuing SQL Queries
    6. Important Database Files
      1. Address Book Contacts
        1. Putting it all together
      2. Address Book Images
      3. Google Maps Data
      4. Calendar Events
      5. Call History
      6. Email Database
      7. Notes
      8. SMS Messages
      9. Voicemail
    7. Property Lists
      1. Binary Property Lists
        1. Mac OS X
        2. Windows
      2. Important Property List Files
    8. Other Important Files
  10. 6. Desktop Trace
    1. Proving Trusted Pairing Relationships
      1. Pairing Records
    2. Serial Number Records
      1. Mac OS X
      2. Windows XP
      3. Windows Vista
    3. Device Backups
    4. Activation Records
  11. 7. Case Help
    1. Employee Suspected of Inappropriate Communication
      1. Live Filesystem
      2. Data Carving
      3. Strings Dumps
    2. Employee Destroyed Important Data
    3. Seized iPhone: Whose Is It and Where Is He?
      1. Who?
      2. What?
      3. When and Where?
      4. How Can I Be Sure?
  12. A. Disclosures and Source Code
    1. Power-On Device Modifications (Disclosure)
    2. Installation Record (Disclosure)
    3. Technical Procedure
      1. Unsigned RAM Disks
      2. Source Code Examples
  13. Index
  14. About the Author
  15. Colophon
  16. Copyright

Product information

  • Title: iPhone Forensics
  • Author(s): Jonathan Zdziarski
  • Release date: September 2008
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9780596153588