iPod Forensic Investigation Techniques
Loading...
Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.
Favorites, Groups & Events
iPod Forensic Investigation Techniques - Presentation Transcript
- Presented by: Conzetti Finocchiaro, Eric Goldman, Abhiney Natarajan, Maegan Stanek
- Why we choose the iPod
- How iPods can be used for crimes
- General Techniques and Procedures
- Forensic Demonstrations
- Summary
- Questions
- References
- Usually seen as only a “music player”, many do not realize all the extra functionalities
- More dangerous than portable hard drive because data can be read using iPod’s screen
- Can provide clues in forensic investigation of a normal PC or lead to new evidence
- iPod may not always be included on a warrant for PC related data
- iPod is inconspicuous, no one would think you are using it to steal company data
- Drug dealers or loan sharks use an iPod like a PDA to store data in odd places and update his records right on the street without a PC
- In general, can be used as data storage with a lower likelihood of being identified or seized
- Like with any system, you must learn the file structure and which directories and files will usually have important information
- It is possible to write to the system partition, but only an advanced criminal knows how
- The iPod not only store music, but also can store contact and calendar information
- Should always be on the lookout for stego!
- What we did:
- We studied previous research on forensic investigations of iPods
- Learned where to find important evidence
- We then developed forensic techniques using…
- FTK
- EnCase
- Autopsy/Helix
- Sleuthkit/automated Script
- Contacts, Calendars, DeviceInfo…..
- Depending on the program and operating used to sync with the iPod, different artifacts are left on the iPod and the host PC
- Should develop file system baselines for both system and user space
- Demonstrations and explanations follow
- Data recover, analysis, device and system information, etc.
- Analyze files using string searches and file carving
- Hard drive must be imaged sector by sector, including allocated and unallocated clusters for further analysis
- Finding Deleted Files
- Finding Suspicious Files
- Device Information
- Highlights the file system of the device
- How many bytes per sector
- Why is this significant?
- System Information
- Stores device related information and other non-user identifiable information (this is provided as a result from using all the tools we earlier mentioned)
- Owner Identification
- Deleted Files:
- Sysinfo:
- Interesting Findings:
- Advantages
- Simple GUI
- Fast Searching
- Bookmarking
- Reporting
- Autopsy proved useful for identifying :
- Deleted Files
- Renamed Files
- Potential User Information
- Autopsy makes it easy to find deleted files
- Provides MAC times
- Should be used in conjunction with file-carving tool
- File header information provides useful information for what the file actually is
- Isn’t so useful for viewing the file ‘normally’
- Should be used with a file-carving tool
- Viewing file header contents may reveal owner
- Microsoft Word documents may contain username information
- Contacts
- IPod may be configured to synchronize address book
- iSync.vcf
- Visit www.EricGoldman.name -- Presentation Copyright © 2009 by C. Finocchiaro, E. Goldman, A. Natarajan, M. Stanek scalpel -b -o -v Scalpel IPod_modified_part2.img
- Visit www.EricGoldman.name -- Presentation Copyright © 2009 by C. Finocchiaro, E. Goldman, A. Natarajan, M. Stanek
- iSync.vcf
- Found traces of stego in image
- We wrote a small script that would automate some of the common activities needed for an iPod forensic investigation
- The tools is written as a bash script and uses some system commands and Sleuthkit
- The script is currently limited to our test images, but could easily be expanded with further research
- Some examples from the script:
- Create some hashes first:
- echo "MD5 Hash: ` md5sum $iPodImage | cut -d " " -f 1`";
- echo "SHA1 Hash: ` sha1sum $iPodImage | cut -d " " -f 1`";
- Check for host identifying files:
- onLinux=`ifind $iPodImage -n "iPod_Control/iTunes/gtkpod.prefs"`;
- echo "Linux: `if [[ "$onLinux" =~ [0-9][0-9]* ]]; then echo "Yes"; else echo "No"; fi;`";
- Check for known important files:
- sysInfoInode=`ifind $iPodImage -n /iPod_Control/Device/SysInfo"`;
- if [[ $sysInfoInode =~ [0-9][0-9]* ]]; then icat $iPodImage $sysInfoInode; else echo "The SysInfo File was not present"; fi;
- Basic Image Cataloging Information
- iPod Image Being Cataloging: /forensics/images/ipod_B.img
- MD5 Hash: 2d58d084af0f19038138ef84cb0519a3
- SHA1 Hash: f2b5c32a8c941e6ae330623627821050f9193b73
- File System Type: fat32
- --Likely host PC type(s)—
- Linux: Yes
- Key Files
- -----SysInfo------
- ModelNumStr: xA107
- -----DeviceInfo----
- The DeviceInfo File was not present
- ---Deleted Files----
- r/r * 1686: iPod_Control/iTunes/_TGPLA~1
- r/r * 83886127: iPod_Control/Music/F00/gtkpod447937.mp3
- r/r * 83886130: iPod_Control/Music/F00/gtkpod522989.mp3
- d/d * 21: .fseventsd
- r/r * 802823: .fseventsd/fseventsd-uuid
- ...
- PIM Files Found
- -----Contacts------
- r/r 520: ipod_created_instructions.vcf
- r/r 523: ipod_created_sample.vcf
- ----Calendar-----
- (none found)
- **Remember this script is not a substitute for a full manual investigation of the iPod
- Even if Apple does not provide law enforcement with tools, they may still be able to use their own internal tools to provide info:
- Every iPod has a serial number and it may be possible to track down the owner
- DRMed music or other downloads may be used to identify the account used to access the music
- Criminal may know how to circumvent identification, but not everyone
- iPod and other “non-computers” will increasingly be used for criminal activity
- In digital forensics artifacts can show how different pieces of evidence are connected
- Users can easily copy personal information from their PC, to cloud, to devices which is good for providing forensic evidence
- Criminal who is smart enough to use an iPod is also likely to use stego or other tricks
- Users can interact with devices in unintended and unpredictable ways; this can complicate the forensic examiners job
- With a closed system you are at the will of the manufacturer ; may be harder to decipher special and protected files
- Using many tools can be a great asset to the forensic investigator
- Previous research and best practice must be updated and modified over time
- There is a full report with detailed explanation of the tools/scripts and the processes of performing the investigation available. The report can be found by visiting:
- http://ericgoldman.name/security/17-forensics
- 1. iPod Forensics: Forensically Sound Examination of an Apple iPod. Slay, Dr. Jill and Przibilla, Andrew. s.l. : IEEE, 2007. Proceedings of the 40th Hawaii International Conference on System Sciences. 0-7695-2755-8/07.
- 2. Stern, Hadley. Hacking iPod and iTunes. O'Reilly. [Online] O'Reilly Media, Inc., October 28, 2004. [Cited: February 10, 2009.] http://digitalmedia.oreilly.com/pub/a/oreilly/digitalmedia/2004/10/28/ipoditunes_hcks.html?page=3.
- 3. iPod Forensics. Marisco, Christopher V. and Rogers, Marcus K. 2, Fall 2005, International Journal of Digital Evidence, Vol. 4.
+
223 views, 0 favs, more stats
This presentation covers tools and techniques which more
More info about this document
© All Rights Reserved
Go to text version
- Total Views 223
- 222 on SlideShare
- Comments 0
- Favorites 0
- Downloads 0
Most viewed embeds
All embeds
- Upload Info
- Also on LinkedIn
- Uploaded via SlideShare
- Uploaded as Microsoft PowerPoint
0 comments
Post a comment