iPhone Forensics

Book Description

"This book is a must for anyone attempting to examine the iPhone. The level of forensic detail is excellent. If only all guides to forensics were written with this clarity!" - Andrew Sheldon, Director of Evidence Talks, computer forensics experts

With iPhone use increasing in business networks, IT and security professionals face a serious challenge: these devices store an enormous amount of information. If your staff conducts business with an iPhone, you need to know how to recover, analyze, and securely destroy sensitive data. iPhone Forensics supplies the knowledge necessary to conduct complete and highly specialized forensic analysis of the iPhone, iPhone 3G, and iPod Touch. This book helps you:

  • Determine what type of data is stored on the device

  • Break v1.x and v2.x passcode-protected iPhones to gain access to the device

  • Build a custom recovery toolkit for the iPhone

  • Interrupt iPhone 3G's "secure wipe" process

  • Conduct data recovery of a v1.x and v2.x iPhone user disk partition, and preserve and recover the entire raw user disk partition

  • Recover deleted voicemail, images, email, and other personal data, using data carving techniques

  • Recover geotagged metadata from camera photos

  • Discover Google map lookups, typing cache, and other data stored on the live file system

  • Extract contact information from the iPhone's database

  • Use different recovery strategies based on case needs

  • And more.

iPhone Forensics includes techniques used by more than 200 law enforcement agencies worldwide, and is a must-have for any corporate compliance and disaster recovery plan.
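The data carving and MD5 digest steps named in the list above, shown as an added example that is not code from the book: a minimal signature-based carver in the style of Foremost/Scalpel, run over a constructed byte image. The signature table, the maximum carve lengths, the sample-image builder and all function names are this example's own choices, not the book's carving configuration; the JPEG SOI/EOI markers and the SQLite header layout (page size at offset 16, page count at offset 28) are the published formats.

```python
"""Minimal signature-based file carver in the style of Foremost/Scalpel.

Added example, not code from the book. Scans a raw byte image for known
file headers, works out where each candidate file ends, and records the
offset, length and MD5 digest of every carved object so the examiner can
document what was recovered and from where.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    """MD5 digest as hex, recorded for each carved object."""
    return hashlib.md5(data).hexdigest()


def jpeg_end(image: bytes, pos: int, max_len: int):
    """JPEG: carve from the SOI marker (FF D8 FF) to the first EOI marker (FF D9)."""
    end = image.find(b"\xff\xd9", pos + 3, pos + max_len)
    return end + 2 if end >= 0 else None


def sqlite_end(image: bytes, pos: int, max_len: int):
    """SQLite: the 100-byte file header carries the page size (offset 16, big-endian)
    and the database size in pages (offset 28), so the length is read from the
    header rather than guessed from a footer."""
    hdr = image[pos:pos + 100]
    if len(hdr) < 100:
        return None
    page_size = int.from_bytes(hdr[16:18], "big")
    if page_size == 1:  # the value 1 encodes 65536 in the file format
        page_size = 65536
    pages = int.from_bytes(hdr[28:32], "big")
    if page_size < 512 or pages == 0:
        return None
    return min(pos + page_size * pages, pos + max_len)


def fixed_end(image: bytes, pos: int, max_len: int):
    """Types with no usable footer (binary plists here): carve max_len bytes."""
    return pos + max_len


# (header magic, end-finder, maximum carve length). Example values only;
# a real Foremost/Scalpel configuration is tuned per case.
SIGNATURES = {
    "jpg":    (b"\xff\xd8\xff",        jpeg_end,   5 * 1024 * 1024),
    "sqlite": (b"SQLite format 3\x00", sqlite_end, 4 * 1024 * 1024),
    "bplist": (b"bplist00",            fixed_end,  64 * 1024),
}


def carve(image: bytes, sigs=SIGNATURES):
    """Return carved objects sorted by offset: type, offset, length, md5, truncated."""
    hits = []
    for name, (magic, find_end, max_len) in sigs.items():
        pos = image.find(magic)
        while pos >= 0:
            end = find_end(image, pos, max_len)
            truncated = end is None
            if truncated:
                # No footer or an unusable header: keep up to max_len, but flag
                # the hit so the examiner knows the boundary is a guess.
                end = pos + max_len
            blob = image[pos:min(end, len(image))]
            hits.append({"type": name, "offset": pos, "length": len(blob),
                         "md5": md5_hex(blob), "truncated": truncated})
            pos = image.find(magic, pos + len(magic))
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed test image, not real evidence: zero filler around a tiny
    JPEG-shaped object and a two-page SQLite file with a valid header."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    hdr = bytearray(100)
    hdr[0:16] = b"SQLite format 3\x00"
    hdr[16:18] = (1024).to_bytes(2, "big")  # page size
    hdr[28:32] = (2).to_bytes(4, "big")     # database size in pages
    sqlite = bytes(hdr) + b"\x00" * (2 * 1024 - 100)
    return filler + jpeg + filler + sqlite + filler


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

Against a real image the input would be the raw partition dump, and each carved blob would be written out and its digest logged beside the offset; here the results stay in memory so the run is self-contained. The `truncated` flag matters in practice: a carved object with no footer is a candidate, not a recovered file, and should be validated (for images, with a decoder such as ImageMagick) before it is relied on.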

    Table of Contents

    1. Dedication
    2. Special Upgrade Offer
    3. A Note Regarding Supplemental Files
    4. Foreword
    5. Preface
      1. Audience of This Book
      2. Acknowledgments
      3. Organization of the Material
      4. Conventions Used in This Book
      5. Using Code Examples
      6. Legal Disclaimer
      7. Safari® Books Online
      8. We’d Like to Hear from You
    6. 1. Introduction to Computer Forensics
      1. Making Your Search Legal
      2. Rules of Evidence
      3. Good Forensic Practices
        1. Preserve the Evidence
        2. Document the Evidence
        3. Document All Changes
        4. Establish an Investigation Checklist
        5. Be Detailed
      4. Technical Processes
    7. 2. Understanding the iPhone
      1. What’s Stored
      2. Equipment You’ll Need
      3. Determining the Firmware Version
      4. Disk Layout
      5. Communication
      6. Upgrading the iPhone Firmware
      7. Restore Mode and Integrity of Evidence
      8. Cross-Contamination and Syncing
        1. The Takeaway
    8. 3. Accessing the iPhone
      1. Installing the Recovery Toolkit (Firmware v1.0.2–1.1.4)
        1. Step 1: Download and Install iLiberty+
          1. Mac OS X (iLiberty+ v1.6)
          2. Windows (iLiberty+ v1.3.0.113)
        2. Step 2: Dock the iPhone and Launch iTunes
        3. Step 3: Launch iLiberty+ and Verify Connectivity
          1. Booting out of recovery mode
          2. Mac OS X
          3. Windows
        4. Step 4: Activate the Forensic Toolkit Payload
          1. Mac OS X
          2. Windows
        5. Step 5: Install the Payload
          1. Mac OS X
          2. Windows
          3. It’s stuck!
          4. What to watch for
      2. Circumventing Passcode Protection (Firmware v1.0.2–1.1.4)
        1. Automated Bypass
        2. Manual Bypass
          1. Step 1: Prepare a custom RAM disk
          2. Step 2: Enter recovery mode
          3. Step 3: Upload and boot the custom bypass RAM disk
      3. Installing the Recovery Toolkit (Firmware v2.x)
        1. Step 1: Install and Run Pwnage v2.x
        2. Step 2: Use Xpwn to Customize the Stage 1 Firmware
        3. Step 3: Use Xpwn to Customize the Stage 2 Firmware
        4. Step 4: Install the Staged Firmware Bundles
      4. Removing the Forensic Recovery Toolkit
    9. 4. Forensic Recovery
      1. Configuring Wi-Fi and SSH
        1. Connecting to an Access Point
        2. Creating an Ad-Hoc Network
          1. Mac OS X
          2. Windows
        3. SSH to the iPhone
      2. Recovering the Media Partition
        1. Command-Line Terminal
          1. Mac OS X
          2. Windows
        2. Tools Needed
        3. MD5 Digests
        4. Unencrypted Recovery
          1. Mac OS X
          2. Windows
          3. Sending the data
        5. Encrypted Recovery of the Media Partition
        6. Making Commercial Tools Compatible
      3. Data Carving Using Foremost/Scalpel
        1. Configuration for iPhone Recovery
          1. Dynamic dictionaries
          2. Voicemail messages
          3. Property lists
          4. SQLite databases
          5. Email
          6. Web pages
          7. Other files
          8. PGP blocks
          9. Images
        2. Building Rules
        3. Scanning with Foremost/Scalpel
      4. Validating Images with ImageMagick
      5. Strings Dump
        1. Extracting Strings
          1. Mac OS X
          2. Windows
      6. The Takeaway
    10. 5. Electronic Discovery
      1. Converting Timestamps
      2. Mounting the Disk Image
        1. Disk Analysis Software
          1. Mac OS X and native HFS support
          2. Windows and HFSExplorer
      3. Graphical File Navigation
        1. Images of Interest
      4. Extracting Image Geotags with Exifprobe
      5. SQLite Databases
        1. Connecting to a Database
        2. SQLite Built-in Commands
        3. Issuing SQL Queries
      6. Important Database Files
        1. Address Book Contacts
          1. Putting it all together
        2. Address Book Images
        3. Google Maps Data
        4. Calendar Events
        5. Call History
        6. Email Database
        7. Notes
        8. SMS Messages
        9. Voicemail
      7. Property Lists
        1. Binary Property Lists
          1. Mac OS X
          2. Windows
        2. Important Property List Files
      8. Other Important Files
    11. 6. Desktop Trace
      1. Proving Trusted Pairing Relationships
        1. Pairing Records
      2. Serial Number Records
        1. Mac OS X
        2. Windows XP
        3. Windows Vista
      3. Device Backups
      4. Activation Records
    12. 7. Case Help
      1. Employee Suspected of Inappropriate Communication
        1. Live Filesystem
        2. Data Carving
        3. Strings Dumps
      2. Employee Destroyed Important Data
      3. Seized iPhone: Whose Is It and Where Is He?
        1. Who?
        2. What?
        3. When and Where?
        4. How Can I Be Sure?
    13. A. Disclosures and Source Code
      1. Power-On Device Modifications (Disclosure)
      2. Installation Record (Disclosure)
      3. Technical Procedure
        1. Unsigned RAM Disks
        2. Source Code Examples
    14. Index
    15. About the Author
    16. Colophon
    17. Special Upgrade Offer
    18. Copyright