Chapter 7. Case Help
Different cases require different types of information. This chapter will cover some of the most common corporate and law enforcement scenarios, and walk through the data you’ll want to gather. These scenarios, of course, provide only an overview of the evidence gathering process, so you should be sure to examine all of the evidence, not just what is outlined here.
All of these examples presume that you’ve already performed forensic recovery of the media partition and can view the live filesystem using one of the tools mentioned in Chapter 5. Some techniques are most easily executed by using the iPhone’s user interface, so if you have physical possession of the iPhone, your job will be a little easier.
Employee Suspected of Inappropriate Communication
Inappropriate communication could involve an affair with another coworker, sexual harassment, selling secrets, insider trading, or any other activities that may be a violation of corporate policy. If this is done on a company-owned device, you might have the right to seize the iPhone and conduct an examination.
Live Filesystem
There are many different forms of communication stored on the iPhone, with the two most dominant being email and SMS messages. Other forms of communication might include photos from the user’s photo library, which can be attached to outgoing email and online web forms. Finally, the suspect may have made personal notes such as safe combinations or box numbers using the iPhone’s notepad, or even ...
Get iPhone Forensics now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
