iPod Forensic Investigation Techniques

This presentation covers tools and techniques that can be used to perform a computer forensic investigation on an Apple iPod. Many forensic investigators may be unaware of the valuable information a mobile entertainment device can hold. Criminals may intentionally hide information on such an inconspicuous device, or its normal functionality and data syncing may leave valuable case clues behind.

Full Report available at:
http://ericgoldman.name/security/17-forensics/37-conducting-an-ipod-forensic-investigation-full-report

1. Presented by: Conzetti Finocchiaro, Eric Goldman, Abhiney Natarajan, Maegan Stanek
2. <ul><li>Why we chose the iPod </li></ul><ul><li>How iPods can be used for crimes </li></ul><ul><li>General techniques and procedures </li></ul><ul><li>Forensic demonstrations </li></ul><ul><li>Summary </li></ul><ul><li>Questions </li></ul><ul><li>References </li></ul>Visit www.EricGoldman.name -- Presentation Copyright © 2009 by C. Finocchiaro, E. Goldman, A. Natarajan, M. Stanek
3. <ul><li>Usually seen as only a “music player”; many do not realize how much extra functionality it has </li></ul><ul><li>More dangerous than a portable hard drive, because the stored data can be read on the iPod’s own screen with no PC needed </li></ul><ul><li>Can provide clues in the forensic investigation of a normal PC, or lead to new evidence </li></ul><ul><li>An iPod may not be covered by a warrant written for PC-related data </li></ul>
4. <ul><li>An iPod is inconspicuous: no one would suspect you are using it to steal company data </li></ul><ul><li>A drug dealer or loan shark can use an iPod like a PDA, keeping records in odd places on the device and updating them right on the street without a PC </li></ul><ul><li>In general, it can serve as data storage with a lower likelihood of being identified or seized </li></ul>
5. <ul><li>As with any system, you must learn the file structure and which directories and files usually hold the important information </li></ul><ul><li>It is possible to write to the system partition, but only an advanced criminal knows how </li></ul><ul><li>The iPod not only stores music but can also store contact and calendar information </li></ul><ul><li>Always be on the lookout for stego! </li></ul>
6. <ul><li>What we did: </li></ul><ul><ul><li>We studied previous research on forensic investigations of iPods </li></ul></ul><ul><ul><li>Learned where to find important evidence </li></ul></ul><ul><ul><li>We then developed forensic techniques using… </li></ul></ul><ul><ul><ul><li>FTK </li></ul></ul></ul><ul><ul><ul><li>EnCase </li></ul></ul></ul><ul><ul><ul><li>Autopsy/Helix </li></ul></ul></ul><ul><ul><ul><li>Sleuthkit / an automated script </li></ul></ul></ul>
7. <ul><li>Contacts, Calendars, DeviceInfo… </li></ul><ul><li>Depending on the program and operating system used to sync with the iPod, different artifacts are left on the iPod and on the host PC </li></ul><ul><li>Develop file system baselines for both the system and the user space </li></ul>
8. <ul><li>Demonstrations and explanations follow </li></ul>
9. <ul><li>Data recovery, analysis, device and system information, etc. </li></ul><ul><li>Analyze files using string searches and file carving </li></ul><ul><li>The hard drive must be imaged sector by sector, including both allocated and unallocated space, for further analysis </li></ul>
10. <ul><li>Finding Deleted Files </li></ul>
11. <ul><li>Finding Suspicious Files </li></ul>
12. <ul><li>Device Information </li></ul><ul><ul><li>Highlights the file system of the device </li></ul></ul><ul><ul><li>How many bytes per sector </li></ul></ul><ul><ul><li>Why is this significant? </li></ul></ul><ul><li>System Information </li></ul><ul><ul><li>Stores device-related information and other non-user-identifiable information (reported by all of the tools mentioned earlier) </li></ul></ul><ul><li>Owner Identification </li></ul>
13. <ul><li>Deleted Files: </li></ul>
14. <ul><li>Sysinfo: </li></ul>
15. <ul><li>Interesting Findings: </li></ul>
16. <ul><li>Advantages </li></ul><ul><ul><li>Simple GUI </li></ul></ul><ul><ul><li>Fast searching </li></ul></ul><ul><ul><li>Bookmarking </li></ul></ul><ul><ul><li>Reporting </li></ul></ul>
17. <ul><li>Autopsy proved useful for identifying: </li></ul><ul><ul><li>Deleted files </li></ul></ul><ul><ul><li>Renamed files </li></ul></ul><ul><ul><li>Potential user information </li></ul></ul>
18. <ul><li>Autopsy makes it easy to find deleted files </li></ul><ul><ul><li>Provides MAC times </li></ul></ul><ul><li>Should be used in conjunction with a file-carving tool </li></ul>
19. <ul><li>File header information reveals what a file actually is, whatever its name or extension claims </li></ul><ul><li>It isn’t so useful for viewing the file ‘normally’ </li></ul><ul><li>Should be used with a file-carving tool </li></ul>
20. <ul><li>Viewing file header contents may reveal the owner </li></ul><ul><ul><li>Microsoft Word documents may contain username information </li></ul></ul><ul><li>Contacts </li></ul><ul><ul><li>The iPod may be configured to synchronize the address book </li></ul></ul><ul><ul><ul><li>iSync.vcf </li></ul></ul></ul>
21. <ul><li>scalpel -b -v -o Scalpel IPod_modified_part2.img </li></ul><ul><li>-b carves a file even when its footer is not found within the maximum carve size, -v is verbose, and -o Scalpel writes the carved files to the Scalpel directory </li></ul>
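The header check and the carving step described on slides 19 to 21, as an added example that is not the presenters' code and not a replacement for scalpel: a small signature table, a check that flags a file whose extension disagrees with its header (the "renamed files" Autopsy turned up), and a header/footer carver run over a constructed in-memory image, including a file whose tail was overwritten so no footer exists. The signature list, the size limits and SAMPLE_IMAGE are assumptions made for this example.

```python
"""Signature-based file identification and a minimal header/footer carver.

Added example for this page, not the presenters' code. SAMPLE_IMAGE is
constructed inline so the script runs without a disk image.
"""

# (type, header, footer or None, maximum carve size); sizes are assumptions
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 16 * 1024 * 1024),
    ("zip", b"PK\x03\x04", None, 16 * 1024 * 1024),  # also docx/xlsx containers
    ("doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 16 * 1024 * 1024),  # OLE2
    ("mp3", b"ID3", None, 32 * 1024 * 1024),  # ID3v2-tagged MP3
]
# Extensions that legitimately map onto another signature's type name
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(data):
    """Name the type whose header matches the start of data, or 'unknown'."""
    for name, header, _footer, _limit in SIGNATURES:
        if data.startswith(header):
            return name
    return "unknown"


def extension_mismatch(filename, data):
    """True when the extension claims one type but the header says another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    return actual != "unknown" and claimed != actual


def carve(image):
    """Return (type, offset, length) for every header found in a raw image.

    For types with a footer the file ends after the first footer seen within
    the size limit; when no footer is found (truncated or partly overwritten
    file) the limit is used instead, which is what scalpel's -b option does.
    Every header hit is carved independently, as scalpel does, so false or
    overlapping hits are possible and must be triaged afterwards.
    """
    hits = []
    for name, header, footer, limit in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = min(len(image), pos + limit)
            if footer is not None:
                at = image.find(footer, pos + len(header), end)
                if at != -1:
                    end = at + len(footer)
            hits.append((name, pos, end - pos))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample "image" (not captured data): unallocated padding around a
# complete JPEG, a complete PNG and a JPEG whose tail was overwritten.
_PAD = b"\x00" * 512
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"A" * 100 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"B" * 50 + b"IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 20
SAMPLE_IMAGE = _PAD + FAKE_JPEG + _PAD + FAKE_PNG + _PAD + TRUNCATED_JPEG

if __name__ == "__main__":
    for name, offset, length in carve(SAMPLE_IMAGE):
        print(f"{name} at offset {offset}, {length} bytes")
    print("song.mp3 is really:", identify(FAKE_JPEG),
          "- extension mismatch:", extension_mismatch("song.mp3", FAKE_JPEG))
```

The truncated JPEG at the end of SAMPLE_IMAGE is the case the -b flag exists for: without it a carver that insists on a footer would drop the file entirely, and with it the carved output is padded up to the size limit and has to be trimmed by hand.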
22.
23. <ul><li>iSync.vcf </li></ul>
24. <ul><li>Found traces of stego in an image </li></ul><ul><li>stegdetect -t p 00000000.jpg </li></ul><ul><li>00000000.jpg : jphide(***) </li></ul><ul><li>-t p runs only the jphide test; the asterisks are stegdetect’s confidence level for the detection </li></ul>
25. <ul><li>We wrote a small script that automates some of the common activities needed for an iPod forensic investigation </li></ul><ul><li>The tool is written as a bash script and uses some system commands and Sleuthkit </li></ul><ul><li>The script is currently limited to our test images, but could easily be expanded with further research </li></ul>
26. <ul><li>Some examples from the script: </li></ul><ul><li>Create some hashes first: </li></ul><ul><li>echo "MD5 Hash: `md5sum "$iPodImage" | cut -d " " -f 1`"; </li></ul><ul><li>echo "SHA1 Hash: `sha1sum "$iPodImage" | cut -d " " -f 1`"; </li></ul><ul><li>Check for host-identifying files: </li></ul><ul><li>onLinux=`ifind -n "iPod_Control/iTunes/gtkpod.prefs" "$iPodImage"`; </li></ul><ul><li>echo "Linux: `if [[ "$onLinux" =~ [0-9][0-9]* ]]; then echo "Yes"; else echo "No"; fi;`"; </li></ul><ul><li>Check for known important files: </li></ul><ul><li>sysInfoInode=`ifind -n "iPod_Control/Device/SysInfo" "$iPodImage"`; </li></ul><ul><li>if [[ "$sysInfoInode" =~ [0-9][0-9]* ]]; then icat "$iPodImage" "$sysInfoInode"; else echo "The SysInfo File was not present"; fi; </li></ul>
27. <ul><li>Basic Image Cataloging Information </li></ul><ul><li>iPod Image Being Cataloged: /forensics/images/ipod_B.img </li></ul><ul><li>MD5 Hash: 2d58d084af0f19038138ef84cb0519a3 </li></ul><ul><li>SHA1 Hash: f2b5c32a8c941e6ae330623627821050f9193b73 </li></ul><ul><li>File System Type: fat32 </li></ul><ul><li>---Likely host PC type(s)--- </li></ul><ul><li>Linux: Yes </li></ul><ul><li>Key Files </li></ul><ul><li>-----SysInfo------ </li></ul><ul><li>ModelNumStr: xA107 </li></ul><ul><li>-----DeviceInfo---- </li></ul><ul><li>The DeviceInfo File was not present </li></ul>
28. <ul><li>---Deleted Files---- </li></ul><ul><li>r/r * 1686: iPod_Control/iTunes/_TGPLA~1 </li></ul><ul><li>r/r * 83886127: iPod_Control/Music/F00/gtkpod447937.mp3 </li></ul><ul><li>r/r * 83886130: iPod_Control/Music/F00/gtkpod522989.mp3 </li></ul><ul><li>d/d * 21: .fseventsd </li></ul><ul><li>r/r * 802823: .fseventsd/fseventsd-uuid </li></ul><ul><li>... </li></ul><ul><li>PIM Files Found </li></ul><ul><li>-----Contacts------ </li></ul><ul><li>r/r 520: ipod_created_instructions.vcf </li></ul><ul><li>r/r 523: ipod_created_sample.vcf </li></ul><ul><li>----Calendar----- </li></ul><ul><li>(none found) </li></ul><ul><li>**Remember: this script is not a substitute for a full manual investigation of the iPod </li></ul>
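An added Python counterpart to the cataloging script on slides 26 to 28; it is not the presenters' bash script. It hashes the image in one pass and turns the output of fls, ifind and icat into the same report sections (host hints, SysInfo, deleted entries, PIM files), with the parsing kept apart from the tool calls so it can be checked on captured text. Assumed here: The Sleuth Kit (fls, ifind, icat) is on PATH when catalog() is run on a real partition image; calendars sync as .ics files alongside .vcf contacts; the host-marker table holds only the gtkpod marker the deck's script used; and SAMPLE_FLS and SAMPLE_SYSINFO are constructed from the deck's printed output, not captured from an iPod.

```python
"""Catalog an iPod image from Sleuth Kit output (added example, not the deck's script)."""
import hashlib
import re
import subprocess

# One fls -rp line: "r/r * 1686:<TAB>iPod_Control/iTunes/_TGPLA~1"; "*" marks deleted
FLS_LINE = re.compile(
    r"^(?P<kind>\S/\S)\s+(?P<deleted>\*\s+)?(?P<inode>[\d-]+):\s+(?P<name>.+?)\s*$")

# Substrings that betray the host that synced the iPod. gtkpod (Linux) is the
# marker the deck's script used; extend this from your own file-system baselines.
HOST_MARKERS = {"Linux (gtkpod)": ["gtkpod"]}


def digest_chunks(chunks):
    """MD5 and SHA1 of a byte stream, computed in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def hash_image(path, chunk_size=1 << 20):
    """Hash the image before analysis; hash again afterwards to show it is unchanged."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))

def parse_fls(text):
    """Turn fls -rp output into entry dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entries.append({"kind": m["kind"], "deleted": m["deleted"] is not None,
                            "inode": m["inode"], "name": m["name"]})
    return entries

def deleted_entries(entries):
    return [e for e in entries if e["deleted"]]

def host_hints(entries):
    """Platforms suggested by sync-tool leftovers; deleted entries count too."""
    names = [e["name"].lower() for e in entries]
    return [host for host, needles in HOST_MARKERS.items()
            if any(needle in name for needle in needles for name in names)]

def pim_files(entries):
    """Contacts are vCards (.vcf); calendars are assumed to be iCalendar (.ics)."""
    contacts = [e for e in entries if e["name"].lower().endswith(".vcf")]
    calendars = [e for e in entries if e["name"].lower().endswith(".ics")]
    return contacts, calendars

def parse_sysinfo(text):
    """SysInfo is 'Key: value' per line, e.g. 'ModelNumStr: xA107'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ifind_inode(output):
    """ifind -n prints a metadata address on success; anything else means not found."""
    out = output.strip()
    return out if re.fullmatch(r"\d+(-\d+-\d+)?", out) else None

def tsk(*cmd):
    """Run one Sleuth Kit command and return its stdout (assumes TSK on PATH)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def catalog(image):
    """Catalog a real partition image (add -o <sector offset> for a whole-disk image)."""
    md5, sha1 = hash_image(image)
    entries = parse_fls(tsk("fls", "-rp", image))
    inode = ifind_inode(tsk("ifind", "-n", "iPod_Control/Device/SysInfo", image))
    return {"image": image, "md5": md5, "sha1": sha1,
            "hosts": host_hints(entries),
            "sysinfo": parse_sysinfo(tsk("icat", image, inode)) if inode else None,
            "deleted": deleted_entries(entries), "pim": pim_files(entries)}


# Constructed samples modelled on the deck's slide 28 output, not captured data
SAMPLE_FLS = (
    "r/r 520:\tContacts/ipod_created_instructions.vcf\n"
    "r/r 523:\tContacts/ipod_created_sample.vcf\n"
    "r/r * 1686:\tiPod_Control/iTunes/_TGPLA~1\n"
    "r/r * 83886127:\tiPod_Control/Music/F00/gtkpod447937.mp3\n"
    "d/d * 21:\t.fseventsd\n"
    "r/r * 802823:\t.fseventsd/fseventsd-uuid\n"
)
SAMPLE_SYSINFO = "ModelNumStr: xA107\n"

if __name__ == "__main__":
    entries = parse_fls(SAMPLE_FLS)
    print("hosts:", host_hints(entries))
    print("deleted:", [e["name"] for e in deleted_entries(entries)])
    print("contacts:", [e["name"] for e in pim_files(entries)[0]])
    print("sysinfo:", parse_sysinfo(SAMPLE_SYSINFO))
```

Deleted entries are fed to host_hints() on purpose: on the deck's image the gtkpod-named music files had already been deleted, and they are as good a host indicator as the surviving gtkpod.prefs.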
29. <ul><li>Even if Apple does not provide law enforcement with forensic tools, it may still be able to use its own internal tools to provide information: </li></ul><ul><ul><li>Every iPod has a serial number, and it may be possible to track down the owner </li></ul></ul><ul><ul><li>DRMed music or other downloads may identify the account used to obtain them </li></ul></ul><ul><li>A sophisticated criminal may know how to circumvent identification, but not every criminal does </li></ul>
30. <ul><li>The iPod and other “non-computers” will increasingly be used for criminal activity </li></ul><ul><li>In digital forensics, artifacts can show how different pieces of evidence are connected </li></ul><ul><li>Users readily copy personal information from PC to cloud to devices, which multiplies the sources of forensic evidence </li></ul><ul><li>A criminal who is smart enough to use an iPod is also likely to use stego or other tricks </li></ul>
31. <ul><li>Users can interact with devices in unintended and unpredictable ways; this complicates the forensic examiner’s job </li></ul><ul><li>With a closed system you are at the mercy of the manufacturer; special and protected files may be harder to decipher </li></ul><ul><li>Using many tools can be a great asset to the forensic investigator </li></ul><ul><li>Previous research and best practice must be updated and modified over time </li></ul>
32. <ul><li>A full report with a detailed explanation of the tools/scripts and the process of performing the investigation is available at: </li></ul><ul><li>http://ericgoldman.name/security/17-forensics </li></ul>
33. <ul><li>1. Slay, Jill and Przibilla, Andrew. iPod Forensics: Forensically Sound Examination of an Apple iPod. Proceedings of the 40th Hawaii International Conference on System Sciences, IEEE, 2007. 0-7695-2755-8/07. </li></ul><ul><li>2. Stern, Hadley. Hacking iPod and iTunes. O'Reilly Media, Inc., October 28, 2004. [Cited: February 10, 2009.] http://digitalmedia.oreilly.com/pub/a/oreilly/digitalmedia/2004/10/28/ipoditunes_hcks.html?page=3 </li></ul><ul><li>3. Marsico, Christopher V. and Rogers, Marcus K. iPod Forensics. International Journal of Digital Evidence, Vol. 4, No. 2, Fall 2005. </li></ul>
