iPod Forensic Investigation Techniques

Presented by: Conzetti Finocchiaro, Eric Goldman, Abhiney Natarajan, Maegan Stanek

Why we choose the iPod
How iPods can be used for crimes
General Techniques and Procedures
Forensic Demonstrations
Summary
Questions
References
Visit www.EricGoldman.name -- Presentation Copyright © 2009 by C. Finocchiaro, E. Goldman, A. Natarajan, M. Stanek

Usually seen as only a “music player”, many do not realize all the extra functionalities
More dangerous than portable hard drive because data can be read using iPod’s screen
Can provide clues in forensic investigation of a normal PC or lead to new evidence
iPod may not always be included on a warrant for PC related data

iPod is inconspicuous, no one would think you are using it to steal company data
Drug dealers or loan sharks use an iPod like a PDA to store data in odd places and update his records right on the street without a PC
In general, can be used as data storage with a lower likelihood of being identified or seized

Like with any system, you must learn the file structure and which directories and files will usually have important information
It is possible to write to the system partition, but only an advanced criminal knows how
The iPod not only store music, but also can store contact and calendar information
Should always be on the lookout for stego!

What we did:
We studied previous research on forensic investigations of iPods
Learned where to find important evidence
We then developed forensic techniques using…
FTK
EnCase
Autopsy/Helix
Sleuthkit/automated Script

Contacts, Calendars, DeviceInfo…..
Depending on the program and operating used to sync with the iPod, different artifacts are left on the iPod and the host PC
Should develop file system baselines for both system and user space

Demonstrations and explanations follow

Data recover, analysis, device and system information, etc.
Analyze files using string searches and file carving
Hard drive must be imaged sector by sector, including allocated and unallocated clusters for further analysis

Finding Deleted Files

Finding Suspicious Files

Device Information
Highlights the file system of the device
How many bytes per sector
Why is this significant?
System Information
Stores device related information and other non-user identifiable information (this is provided as a result from using all the tools we earlier mentioned)
Owner Identification

Deleted Files:

Sysinfo:

Interesting Findings:

Advantages
Simple GUI
Fast Searching
Bookmarking
Reporting

Autopsy proved useful for identifying :
Deleted Files
Renamed Files
Potential User Information

Autopsy makes it easy to find deleted files
Provides MAC times
Should be used in conjunction with file-carving tool

File header information provides useful information for what the file actually is
Isn’t so useful for viewing the file ‘normally’
Should be used with a file-carving tool

Viewing file header contents may reveal owner
Microsoft Word documents may contain username information
Contacts
IPod may be configured to synchronize address book
iSync.vcf

iSync.vcf

Found traces of stego in image
Visit www.EricGoldman.name -- Presentation Copyright © 2009 by C. Finocchiaro, E. Goldman, A. Natarajan, M. Stanek stegdetect -t p 00000000.jpg 00000000.jpg : jphide(***)

We wrote a small script that would automate some of the common activities needed for an iPod forensic investigation
The tools is written as a bash script and uses some system commands and Sleuthkit
The script is currently limited to our test images, but could easily be expanded with further research

Some examples from the script:
Create some hashes first:
echo "MD5 Hash: ` md5sum $iPodImage | cut -d " " -f 1`";
echo "SHA1 Hash: ` sha1sum $iPodImage | cut -d " " -f 1`";
Check for host identifying files:
onLinux=ìfind $iPodImage -n "iPod_Control/iTunes/gtkpod.prefs"`;
echo "Linux: ìf [[ "$onLinux" =~ [0-9][0-9]* ]]; then echo "Yes"; else echo "No"; fi;`";
Check for known important files:
sysInfoInode=ìfind $iPodImage -n /iPod_Control/Device/SysInfo"`;
if [[ $sysInfoInode =~ [0-9][0-9]* ]]; then icat $iPodImage $sysInfoInode; else echo "The SysInfo File was not present"; fi;

Basic Image Cataloging Information
iPod Image Being Cataloging: /forensics/images/ipod_B.img
MD5 Hash: 2d58d084af0f19038138ef84cb0519a3
SHA1 Hash: f2b5c32a8c941e6ae330623627821050f9193b73
File System Type: fat32
--Likely host PC type(s)—
Linux: Yes
Key Files
-----SysInfo------
ModelNumStr: xA107
-----DeviceInfo----
The DeviceInfo File was not present

---Deleted Files----
r/r * 1686: iPod_Control/iTunes/_TGPLA~1
r/r * 83886127: iPod_Control/Music/F00/gtkpod447937.mp3
r/r * 83886130: iPod_Control/Music/F00/gtkpod522989.mp3
d/d * 21: .fseventsd
r/r * 802823: .fseventsd/fseventsd-uuid
...
PIM Files Found
-----Contacts------
r/r 520: ipod_created_instructions.vcf
r/r 523: ipod_created_sample.vcf
----Calendar-----
(none found)
**Remember this script is not a substitute for a full manual investigation of the iPod

Even if Apple does not provide law enforcement with tools, they may still be able to use their own internal tools to provide info:
Every iPod has a serial number and it may be possible to track down the owner
DRMed music or other downloads may be used to identify the account used to access the music
Criminal may know how to circumvent identification, but not everyone

iPod and other “non-computers” will increasingly be used for criminal activity
In digital forensics artifacts can show how different pieces of evidence are connected
Users can easily copy personal information from their PC, to cloud, to devices which is good for providing forensic evidence
Criminal who is smart enough to use an iPod is also likely to use stego or other tricks

Users can interact with devices in unintended and unpredictable ways; this can complicate the forensic examiners job
With a closed system you are at the will of the manufacturer ; may be harder to decipher special and protected files
Using many tools can be a great asset to the forensic investigator
Previous research and best practice must be updated and modified over time

There is a full report with detailed explanation of the tools/scripts and the processes of performing the investigation available. The report can be found by visiting:
http://ericgoldman.name/security/17-forensics

1. iPod Forensics: Forensically Sound Examination of an Apple iPod. Slay, Dr. Jill and Przibilla, Andrew. s.l. : IEEE, 2007. Proceedings of the 40th Hawaii International Conference on System Sciences. 0-7695-2755-8/07.
2. Stern, Hadley. Hacking iPod and iTunes. O'Reilly. [Online] O'Reilly Media, Inc., October 28, 2004. [Cited: February 10, 2009.] http://digitalmedia.oreilly.com/pub/a/oreilly/digitalmedia/2004/10/28/ipoditunes_hcks.html?page=3.
3. iPod Forensics. Marisco, Christopher V. and Rogers, Marcus K. 2, Fall 2005, International Journal of Digital Evidence, Vol. 4.

http://www.ericgoldman.name	68
http://www.slideshare.net	18
http://ericgoldman.name	2

iPod Forensic Investigation Techniques

by Eric Goldman on Oct 20, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 88

Statistics

iPod Forensic Investigation Techniques — Presentation Transcript