iOS Forensic Analysis for iPhone, iPad, and iPod touch

Book Description

iOS Forensic Analysis provides an in-depth look at investigative processes for the iPhone, iPod touch, and iPad devices. The methods and procedures outlined in the book can be taken into any courtroom. With iOS information never published before and data sets that are new and evolving, this book gives the examiner and investigator the knowledge to complete a full device examination that will be credible and accepted in the forensic community.

Table of Contents

  Copyright
  Foreword
  About the Author
  About the Technical Reviewer
  Acknowledgments
  Introduction
  1. History of Apple Mobile Devices
    1.1. The iPod
    1.2. The Evolution of Apple iPhones
    1.3. The ROCKR
      1.3.1. The Apple iPhone 2G
        1.3.1.1. Web Apps
        1.3.1.2. Competitive Advantages
      1.3.2. The 3G iPhone
      1.3.3. The 3G[S] iPhone
      1.3.4. The iPhone 4
    1.4. The Apple iPad
    1.5. Under the Surface: iPhone and iPad Hardware
      1.5.1. 2G iPhone Internals
      1.5.2. 3G iPhone Internals
      1.5.3. iPhone 3G[S] Internals
      1.5.4. iPhone 4 Internals
      1.5.5. iPad Internals
    1.6. The Apple App Store
    1.7. Rise of the iPhone Hackers
    1.8. Summary
  2. iOS Operating and File System Analysis
    2.1. Changing iOS Features
      2.1.1. iOS 1
      2.1.2. iOS 2
      2.1.3. iOS 3
      2.1.4. iOS 4
    2.2. Application Development
    2.3. The iOS File System
      2.3.1. HFS+ File System
      2.3.2. HFSX
    2.4. iPhone Partition and Volume Information
      2.4.1. OS Partition
      2.4.2. iOS System Partition
      2.4.3. iOS Data Partition
    2.5. SQLite Databases
      2.5.1. Address Book Database
      2.5.2. SMS Database
      2.5.3. Call History Database
    2.6. Working with the Databases
      2.6.1. Retrieving Data from SQLite Databases
      2.6.2. Property Lists
      2.6.3. Viewing Property Lists
    2.7. Summary
  3. Search, Seizure, and Incident Response
    3.1. The Fourth Amendment of the U.S. Constitution
    3.2. Tracking an Individual by Cell Phone
    3.3. Cell Phone Searches Incident to Arrest
    3.4. Changing Technology and the Apple iPhone
    3.5. Responding to the Apple Device
    3.6. Isolating the Device
    3.7. Passcode Lock
    3.8. Identifying Jailbroken iPhones
    3.9. Information Collection of the iPhone
    3.10. Responding to Mac/Windows in Connection to iPhones
    3.11. Summary
    3.12. References
  4. iPhone Logical Acquisition
    4.1. Acquiring Data from iPhone, iPod touch, and iPad
      4.1.1. Acquiring Data Using mdhelper
    4.2. Available Tools and Software
      4.2.1. Lantern
        4.2.1.1. Phone Information
        4.2.1.2. Call Logs
        4.2.1.3. Voicemail
        4.2.1.4. Contacts
        4.2.1.5. Messages
        4.2.1.6. Notes
        4.2.1.7. Calendar
        4.2.1.8. Internet History
        4.2.1.9. iPod and Media
        4.2.1.10. Photos
        4.2.1.11. Dynamic Text Data
        4.2.1.12. Maps
        4.2.1.13. Directory Structure and More Detail
      4.2.2. Susteen Secure View 2
        4.2.2.1. Setting Up and Navigating the Interface
        4.2.2.2. Acquiring Data
        4.2.2.3. Reporting Data
      4.2.3. Paraben Device Seizure
        4.2.3.1. Supported Devices
        4.2.3.2. The Good
        4.2.3.3. The Bad
      4.2.4. Oxygen Forensic Suite 2010
        4.2.4.1. Apple Devices Supported
        4.2.4.2. Oxygen Connection Wizard
        4.2.4.3. Oxygen Data Extraction Wizard
        4.2.4.4. Viewing Backup Data
      4.2.5. Cellebrite
        4.2.5.1. Supported Devices
        4.2.5.2. Setting Up Cellebrite
    4.3. Comparing the Tools and Results
      4.3.1. Buyer Beware
      4.3.2. Paraben Device Seizure Results
      4.3.3. Oxygen Forensic Suite 2010 Results
      4.3.4. Cellebrite Results
      4.3.5. Susteen Secure View 2 Results
      4.3.6. Katana Forensics Lantern Results
      4.3.7. The Issue of Support
    4.4. Summary
  5. Logical Data Analysis
    5.1. Setting Up a Forensic Workstation
    5.2. Library Domain
      5.2.1. AddressBook
      5.2.2. Caches
      5.2.3. Call History
      5.2.4. Configuration Profiles
      5.2.5. Cookies
      5.2.6. Keyboard
      5.2.7. Logs
      5.2.8. Maps
      5.2.9. Map History
      5.2.10. Notes
      5.2.11. Preferences
      5.2.12. Safari
      5.2.13. Suspended State
      5.2.14. SMS and MMS
      5.2.15. Voicemails
      5.2.16. WebClips
      5.2.17. WebKits
    5.3. System Configuration Data
    5.4. Media Domain
      5.4.1. Media Directory
      5.4.2. Photos.sqlite Database
      5.4.3. PhotosAux.sqlite Database
      5.4.4. Recordings
      5.4.5. iPhoto Photos
      5.4.6. Multimedia
    5.5. Third-Party Applications
      5.5.1. Social Networking Analysis
      5.5.2. Skype
      5.5.3. Facebook
      5.5.4. AOL AIM
      5.5.5. LinkedIn
      5.5.6. Twitter
      5.5.7. MySpace
      5.5.8. Google Voice
      5.5.9. Craigslist
      5.5.10. Analytics
      5.5.11. iDisk
      5.5.12. Google Mobile
      5.5.13. Opera
      5.5.14. Bing
      5.5.15. Documents and Document Recovery
    5.6. Antiforensic Applications and Processes
      5.6.1. Image Vaults
      5.6.2. Picture Safe
      5.6.3. Picture Vault
      5.6.4. Incognito Web Browser
      5.6.5. Invisible Browser
      5.6.6. tigertext
    5.7. Jailbreaking
    5.8. Summary
  6. Mac and Windows Artifacts
    6.1. Artifacts from a Mac
      6.1.1. Property List
      6.1.2. The MobileSync Database
      6.1.3. Apple Changes to Backup Files Over Time
      6.1.4. Lockdown Certificates
    6.2. Artifacts from Windows
      6.2.1. iPodDevices.xml
      6.2.2. MobileSync Backups
      6.2.3. Lockdown Certificates
    6.3. Analysis of the iDevice Backups
      6.3.1. iPhone Backup Extractor
      6.3.2. JuicePhone
      6.3.3. mdhelper
      6.3.4. Oxygen Forensics Suite 2010
    6.4. Windows Forensic Tools and Backup Files
      6.4.1. FTK Imager
      6.4.2. FTK 1.8
      6.4.3. Tips and Tricks
    6.5. Summary
  7. GPS Analysis
    7.1. Maps Application
    7.2. Geotagging of Images and Video
    7.3. Cell Tower Data
      7.3.1. GeoHunter
    7.4. Navigation Applications
      7.4.1. Navigon
      7.4.2. Tom Tom
    7.5. Summary
  8. Media Exploitation
    8.1. What Is Digital Rights Management (DRM)?
      8.1.1. Legal Elements of Digital Rights Management
        8.1.1.1. United States Constitution
        8.1.1.2. Digital Millennium Copyright Act (DMCA)
        8.1.1.3. First Sale Doctrine
        8.1.1.4. Fair Use Doctrine
        8.1.1.5. Secondary Infringement Liability
        8.1.1.6. Case Study: DMCA
      8.1.2. Case in Point: Jailbreaking the iPhone
      8.1.3. Case in Point: Apple v. Psystar
      8.1.4. Case in Point: Online Music Downloading
      8.1.5. Case in Point: The Sony BMG Case
      8.1.6. The Future of DRM
    8.2. Media Exploitation
      8.2.1. Media Exploitation Tools
        8.2.1.1. iXAM
        8.2.1.2. Other Jailbreak Methods
    8.3. Image Validation
    8.4. Summary
    8.5. References
  9. Media Exploitation Analysis
    9.1. Reviewing Exploited Media Using a Mac
    9.2. Mail
      9.2.1. IMAP
      9.2.2. POP Mail
      9.2.3. Exchange
    9.3. Carving
      9.3.1. MacForensicsLab
      9.3.2. Access Data Forensic Toolkit
      9.3.3. FTK and Images
        9.3.3.1. SQLite Databases
      9.3.4. EnCase
    9.4. Spyware
      9.4.1. Mobile Spy
      9.4.2. FlexiSpy
    9.5. Summary
  10. Network Analysis
    10.1. Custody Considerations
    10.2. Networking 101: The Basics
    10.3. Networking 201: Advanced Topics
      10.3.1. DHCP
      10.3.2. Wireless Encryption and Authentication
      10.3.3. Forensic Analysis
        10.3.3.1. com.apple.wifi.plist
        10.3.3.2. com.apple.network.identification.plist
        10.3.3.3. consolidated.db (iOS 4+)
      10.3.4. Network Traffic Analysis
    10.4. Summary