iPhone Forensics

Recovering Evidence, Personal Data, and Corporate Assets

Larger Cover

iPhone Forensics

Recovering Evidence, Personal Data, and Corporate Assets

By Jonathan Zdziarski

Publisher: O'Reilly Media

Released: September 2008

Pages: 144

"This book is a must for anyone attempting to examine the iPhone. The level of forensic detail is excellent. If only all guides to forensics were written with this clarity!"-Andrew Sheldon, Director of Evidence Talks, computer forensics experts

With iPhone use increasing in business networks, IT and security professionals face a serious challenge: these devices store an enormous amount of information. If your staff conducts business with an iPhone, you need to know how to recover, analyze, and securely destroy sensitive data. iPhone Forensics supplies the knowledge necessary to conduct complete and highly specialized forensic analysis of the iPhone, iPhone 3G, and iPod Touch. This book helps you:

Determine what type of data is stored on the device
Break v1.x and v2.x passcode-protected iPhones to gain access to the device
Build a custom recovery toolkit for the iPhone
Interrupt iPhone 3G's "secure wipe" process
Conduct data recovery of a v1.x and v2.x iPhone user disk partition, and preserve and recover the entire raw user disk partition
Recover deleted voicemail, images, email, and other personal data, using data carving techniques
Recover geotagged metadata from camera photos
Discover Google map lookups, typing cache, and other data stored on the live file system
Extract contact information from the iPhone's database
Use different recovery strategies based on case needs

And more. iPhone Forensics includes techniques used by more than 200 law enforcement agencies worldwide, and is a must-have for any corporate compliance and disaster recovery plan.

Chapter 1 Introduction to Computer Forensics
1. Making Your Search Legal
2. Rules of Evidence
3. Good Forensic Practices
4. Technical Processes
Chapter 2 Understanding the iPhone
1. What’s Stored
2. Equipment You’ll Need
3. Determining the Firmware Version
4. Disk Layout
5. Communication
6. Upgrading the iPhone Firmware
7. Restore Mode and Integrity of Evidence
8. Cross-Contamination and Syncing
Chapter 3 Accessing the iPhone
1. Installing the Recovery Toolkit (Firmware v1.0.2–1.1.4)
2. Circumventing Passcode Protection (Firmware v1.0.2–1.1.4)
3. Installing the Recovery Toolkit (Firmware v2.x)
4. Removing the Forensic Recovery Toolkit
Chapter 4 Forensic Recovery
1. Configuring Wi-Fi and SSH
2. Recovering the Media Partition
3. Data Carving Using Foremost/Scalpel
4. Validating Images with ImageMagick
5. Strings Dump
6. The Takeaway
Chapter 5 Electronic Discovery
1. Converting Timestamps
2. Mounting the Disk Image
3. Graphical File Navigation
4. Extracting Image Geotags with Exifprobe
5. SQLite Databases
6. Important Database Files
7. Property Lists
8. Other Important Files
Chapter 6 Desktop Trace
1. Proving Trusted Pairing Relationships
2. Serial Number Records
3. Device Backups
4. Activation Records
Chapter 7 Case Help
1. Employee Suspected of Inappropriate Communication
2. Employee Destroyed Important Data
3. Seized iPhone: Whose Is It and Where Is He?

Appendix Disclosures and Source Code
1. Power-On Device Modifications (Disclosure)
2. Installation Record (Disclosure)
3. Technical Procedure
Colophon

Title:

iPhone Forensics

By:

Jonathan Zdziarski

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

September 2008

Ebook:

December 2008

Pages:

144

Print ISBN:

978-0-596-15358-8

| ISBN 10:

0-596-15358-9

Ebook ISBN:

978-0-596-15901-6

| ISBN 10:

0-596-15901-3

Colophon

Our look is the result of reader comments, our own experimentation, andfeedback from distribution channels. Distinctive covers complement our distinctiveapproach to technical topics, breathing personality and life into potentiallydry subjects.

The animals on the cover of iPhone Forensics are least weasels (Mustela nivalis). There are 67 species of weasel, including the mink, ermine, ferret, otter,and skunk. Weasels, who are characterized by long, slender bodies and shortlegs, are found on all continents except Antarctica and Australia, and in a vastvariety of habitats. The least weasel is the smallest of the 67 species of weasel.Weighing in at approximately two ounces and measuring less than ten incheslong, the least weasel is the smallest carnivore on Earth. They are foundthroughout the world, in northern climates. In warm weather this weasel'scoat is brown, with a white underside. In winter it turns completely white.Thanks to its camouflage abilities and its speed and agility, the least weasel israrely caught.

The diet of the least weasel is made up primarily of voles and mice, which,because of the weasels' high metabolism, they hunt constantly. One family ofthese little weasels can consume thousands of rodents each year, making themimportant in controlling pest populations. Because it is so small, the leastweasel can follow mice into their burrows and eat them there. Like other weasels,they will occasionally then make their victim's home their own, lining itwith the fur of the former resident when preparing to nest. Least weasels canproduce two litters a year, with three to five young per litter.

The cover image is from Lydekker's Library of Natural History. The cover fontis Adobe ITC Garamond. The text font is Linotype Birka; the heading font isAdobe Myriad Condensed; and the code font is LucasFont's TheSansMono-Condensed.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Recently Viewed

Mac OS X Snow Leopard: The Missing Manual

By David Pogue

October 2009

Ebook: $27.99

Print & Ebook: $38.49

Print: $34.99

Linux Networking Cookbook

From Asterisk to Zebra with Easy-to-Use Recipes

By Carla Schroder

November 2007

Ebook: $35.99

Print & Ebook: $49.49

Print: $44.99

Backup & Recovery

Inexpensive Backup Solutions for Open Systems

By W. Curtis Preston

January 2007

Ebook: $39.99

Print & Ebook: $54.99

Print: $49.99

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

oreillyiPhone Forensics

3.0

(based on 4 reviews)

33%

of respondents would recommend this to a friend.

Reviewed by 4 customers

Sort by

Displaying reviews 1-4

1/12/2011

(4 of 4 customers found this review helpful)

2.0

Good for academia, but outdated

By RP

from Vancouver, BC

Comments about oreilly iPhone Forensics:

This book is good if you're interested in how things once were, and to understand forensic methods in the iPhone, but the information in the book is completely out of date. The iOS systems have changed, some of the exploits no longer exist, and some of the files/tools used are no longer in development, have been amalgamated into other programs, or otherwise will not work with phones running current software.

Zdziarski won't update his material because he's limiting it to law enforcement, so this book is completely moot.

8/2/2010

(0 of 1 customers found this review helpful)

4.0

Great introduction to iPhone forensics

By ueberhund

from Salt Lake City, UT

About Me Developer

Pros

Accurate
Concise
Easy to understand
Well-written

Cons

Not comprehensive enough

Best Uses

Intermediate
Novice

Comments about oreilly iPhone Forensics:

This is an invaluable resource to understanding forensic details in regards to the iPhone. While it is small in size (coming in at just over 100 pages), it is dense in detail. This book provides good detail about where data on the iPhone is located, how to recover it, and how to keep your forensic footprint small.

For readers not as versed in computer forensics, the book does a good job introducing the subject. The iPhone is disceted in detail, and much information is provided regarding how to access the details of the phone that Apple doesn't want you to get at. Once you get at that information, the book shows how to extract that data onto a non-iPhone device. This is a great read for anyone who may have to deal with recovering data off an iPhone due to terminiation or other law enforcement issues.

My only complaint about the book is that this first edition was printed in September 2008, so it's missing some information about current versions of the iPhone firmware and hardware for the iPhone 3GS iPhone 4. Aside from that single issue, this is an excellent resource, and certainly a great resource for hardware up to the iPhone 3 and firmware versions up to 2.x.

7/24/2010

(5 of 5 customers found this review helpful)

2.0

Outdated information

By Mike

from Austin, Texas

About Me Sys Admin

Pros

Easy to understand

Cons

Best Uses

Comments about oreilly iPhone Forensics:

Useless outdated information. Save your money.

9/16/2008

(1 of 2 customers found this review helpful)

4.0

Need to examine an iphone/ipod touch? Get this book.

By Anonymous

from Undisclosed

Comments about oreilly iPhone Forensics:

For such a popular device, you'd think you would find alot more resources for forensic examination of it. Alas, this text is the largest single wealth of information on the subject I could find. It's a good thing for us that it's very well written.

Be warned, this is not for the forensic newbie. You'll want to be comfortable with the command line at the least. More likely you're experienced with computer forensic work in general, or I hope so if you're expecting to go to court! While Jonathan does a great job writing at length about recovering the evidence and of iphone specific discovery, you're going to have to apply general forensics knowledge after that to finish and complete your discovery. This shouldn't be a problem for the audience of the book though.

The book covers recovery for firmware 1.0.2 through the latest release as of this writing, 2.1. Pre-1.0.2 recovery requires either a method that the author does not know about or is perhaps not feasible. In that case the author recommends upgrading the firmware as a last resort. Not a very good solution, but that's not Jonathan's fault. If anyone knows another way, please do shoot him an e-mail and he'll probably add it to the errata.

All in all an excellent book on the subject. Anyone who needs to do some iphone/ipod touch forensics would be remiss not to pick this up. Even if think you can just grab the payloads and do it yourself, there's alot of pitfalls and helpful advice on evidence collection and discovery you'll be missing out on!

Displaying reviews 1-4

Save a Tree - Go Digital what is this?

Ebook: $31.99

Formats: DAISY, ePub, Mobi, PDF

Print & Ebook: $43.99

Print: $39.99

Safari Books Online - Read now >

Chapter 1 Introduction to Computer Forensics

Making Your Search Legal

Rules of Evidence

Good Forensic Practices

Technical Processes

Chapter 2 Understanding the iPhone

What’s Stored

Equipment You’ll Need

Determining the Firmware Version

Disk Layout

Communication

Upgrading the iPhone Firmware

Restore Mode and Integrity of Evidence

Cross-Contamination and Syncing

Chapter 3 Accessing the iPhone

Installing the Recovery Toolkit (Firmware v1.0.2–1.1.4)

Circumventing Passcode Protection (Firmware v1.0.2–1.1.4)

Installing the Recovery Toolkit (Firmware v2.x)

Removing the Forensic Recovery Toolkit

Chapter 4 Forensic Recovery

Configuring Wi-Fi and SSH

Recovering the Media Partition

Data Carving Using Foremost/Scalpel

Validating Images with ImageMagick

Strings Dump

The Takeaway

Chapter 5 Electronic Discovery

Converting Timestamps

Mounting the Disk Image

Graphical File Navigation

Extracting Image Geotags with Exifprobe

SQLite Databases

Important Database Files

Property Lists

Other Important Files

Chapter 6 Desktop Trace

Proving Trusted Pairing Relationships

Serial Number Records

Device Backups

Activation Records

Chapter 7 Case Help

Employee Suspected of Inappropriate Communication

Employee Destroyed Important Data

Seized iPhone: Whose Is It and Where Is He?

Appendix Disclosures and Source Code

Power-On Device Modifications (Disclosure)

Installation Record (Disclosure)

Technical Procedure

Colophon

Jonathan Zdziarski

About O'Reilly

Community

More O'Reilly Sites

Partner Sites

Shop O'Reilly