  • 1. Computer Hacking Forensic Investigator (CHFI), Exam 312-49. Module XXXVII: iPod and iPhone Forensics. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 2. News: Students Charged: iPod Used as Criminal Tool (Source: http://www.mobilemag.com/). A student at Clay High School in Oregon, Ohio, USA, was charged by local law enforcement with possession of a criminal tool after hacking the school's computers and copying personnel files on staff and students onto an iPod. The student knowingly accessed the staff personnel records and shared them with another student. A staff member overheard their conversation, questioned them, and seized the iPod that had been used in the intrusion. The student denied the charges. The school began upgrading its network security as a result of the incident.
  • 3. News: Sparkling iPod Ignites Investigation in Japan (Source: http://www.macnewsworld.com/). According to the Japanese government, Apple reported on March 7, 2008 that iPod Nano model MA099J/A units had generated sparks while recharging. The Japanese ministry confirmed that the sparks had caused no injuries and that no casualties had been reported, and the government looked for a solution to the problem. Jack Gold, principal analyst with J. Gold Associates, said that such problems are common and had been reported earlier in laptops. They occur mainly when the technology outpaces the design of the particular lithium-ion battery powering the device, and frequently when a battery overheats.
  • 4. News: iPhone Tantalizes, Frustrates Forensics Experts (Source: http://www.wired.com). Derrick Donnelly, chief technology officer of BlackBag Technologies, a Silicon Valley company specializing in Apple forensic solutions, explains that the iPhone combines web, email, and phone functionality with 4 or 8 GB of storage, so it works as a window onto its owner's activity. Amber Schroader, CEO of Utah-based Paraben, a leader in digital-forensics software development, said that the iPhone runs a version of Mac OS X and is a completely closed system; unless it is opened properly, forensic examiners cannot be sure that data obtained from an iPhone has not been tampered with. She said that even Mac experts were struggling to get data out of the iPhone's closed system without changing it. Donnelly explained that the iPhone cannot be used with existing forensic software and data-extraction systems, so examiners fall back on old techniques such as photographing data as it is displayed on the screen. A connected laptop or desktop helps significantly: even when the data cannot be taken off the iPhone itself, it can be taken from the computers the iPhone has synchronized with, where the analyst can search for the phone data uploaded during sync. Because the iPhone stores a huge amount of personal data, it can reveal a great deal about its user.
  • 5. Module Objective. This module will familiarize you with:
    - iPod
    - iPhone Overview
    - iPhone OS Overview
    - iPhone Disk Partitions
    - Apple HFS+ and FAT32
    - iPod and iPhone Forensics
    - Write Blocking
    - Write Blocking in Different OS
    - Recover IPSW File
    - Forensic information from the Windows registry
    - Timeline Generation
    - Tools
  • 6. Module Flow
  • 7. iPod. The iPod is a portable digital audio player designed by Apple Inc. Besides playing audio and video, iPods serve as digital media storage devices: their large capacity can hold audio, video, and any other digital data in a variety of formats. An iPod plays MP3, M4A/AAC, Protected AAC, AIFF, WAV, Audible audiobook, and Apple Lossless audio files. Most iPods store data on a hard disk; the iPod Nano, iPod Shuffle, and iPod Touch use flash memory. iTunes is the desktop application that organizes music and video files and synchronizes them to the iPod. The idea for the iPod was first conceived by Tony Fadell, whom Apple later hired to develop it; later iPod models were developed by Apple's Industrial Design Group. iPods have a simple user interface built around a central scroll wheel used to browse songs. iPod Touch: The iPod Touch is an iPod with Wi-Fi and a multi-touch interface, featuring the Safari browser and wireless access to the iTunes Store and YouTube. It runs the iPhone OS, which gives it the same user-friendly interface. The following figure shows the components of an iPod: Figure 37-01: Components of iPod
  • 8. iPhone Overview. The iPhone is an Internet-connected multimedia smartphone designed and marketed by Apple Inc., with a multi-touch screen and a minimal hardware interface. It has a virtual keyboard instead of a physical one, and the user operates it through the touch screen. Features:
    - Phone: make calls to a cell phone, a landline, or another iPhone
    - Mail: connect to the Internet and access email
    - Safari: an advanced web browser that lets the user open any requested web page
    - iPod: a portable digital audio and video player with a 3.5 inch widescreen touch display
    - SMS: send and receive text messages
    - Maps with GPS: find the user's own location, get directions, and see traffic
    - iTunes: over a Wi-Fi connection, shop for songs by tapping the iTunes button on the iPhone
    - App Store: find applications in categories from games to business, education to entertainment, finance to fitness, and productivity to social networking
    - Calendar: plan the user's schedule
    - YouTube: a built-in YouTube application
    - Photos and camera: a built-in camera; photos can be synced to a PC or Mac
    - Stocks, weather, notes: stock quotes and weather reports with a tap
    - Calculator: a full-featured scientific calculator
  • 9. What a Criminal Can Do with an iPod. The iPod's large storage capacity and fast USB data transfer make it useful to attackers for information theft, and its use in crimes and criminal investigations is already recognized. Although the major threats are corporate espionage and data theft, an iPod can be used wherever data needs to be stored. Its small size and ease of use suit it to criminal activity, and its reputation as an "innocent" media player has made it popular with criminals. Police have in the past connected iPods to various crimes and traced the offenders through iPod examinations. iPods can be hacked or customized in many ways: configured to work as an external drive, or driven by custom scripts to do almost anything the user wants. A criminal can use an iPod and its features to:
    - Spread viruses and Trojans
    - Store and distribute child pornography images and videos
    - Keep records such as the date and time of a crime
    - Keep and distribute contact information of other criminals, with photos and other documents
  • 10. What a Criminal Can Do with an iPhone. The iPhone is an advanced personal device that combines a touch-screen iPod, a phone, and a flexible Internet device. Its capabilities serve an attacker as well as the user, because the information and applications on it can be misused. A criminal can use an iPhone to:
    - Send viruses and Trojans to other users, infecting their devices too
    - Distribute child pornography images and videos, which are legally prohibited
    - Steal data such as contact numbers, email addresses, or information in SMS messages
    - Store and transmit personal and corporate information by connecting the iPhone to a desktop or laptop used at the organization
    - Send threatening or offensive SMS and MMS messages
    - Manipulate the SIM, if the attacker understands its properties
    - Clone the SIM data for illicit use
    - Remove the Service Provider Lock (SP-Lock), which restricts the handset (MS) to a single network
    - Send spam
  • 11. iPhone OS Overview. The iPhone OS is the operating system developed by Apple Inc. that runs on both the iPhone and the iPod Touch. It is derived from Mac OS X and built on the Darwin foundation, and it occupies less than half a gigabyte of the device's storage. The iPhone OS has four abstraction layers:
    1. Core OS layer: provides the kernel environment, drivers, and the basic interfaces of the operating system
    2. Core Services layer: provides the fundamental services for applications, such as Address Book, Core Location, CFNetwork, Security, and SQLite
    3. Media layer: provides the graphics and media technologies, such as Core Audio, OpenAL, and video, that give a mobile device an advanced multimedia experience
    4. Cocoa Touch layer: consists of the UIKit and Foundation frameworks, which give developers the tools for building graphical, event-driven applications
  • 12. iPhone Disk Partitions. The iPhone stores data on solid-state NAND flash memory, which is configured with two partitions by default:
    1. Root (system) partition: holds the operating system and all preloaded applications, limited to about 300 MB. It is mounted read-only by default and remains in its factory state.
    2. User partition: the remaining space, holding the user's data such as music and photos, which the user can read, write, delete, or edit at any time. It is mounted as /private/var on the iPhone, and it is where nearly all user-generated evidence resides.
  • 13. Apple HFS+ and FAT32. iPods formatted on a Mac use Apple's HFS+ file system; those formatted on a Windows machine use FAT32. HFS+ (HFS Plus), developed by Apple Inc., supports larger volumes and files than its predecessor because it uses 32-bit allocation block addresses; it names files and folders in Unicode and allows names up to 255 characters. FAT32 was developed by Microsoft Corporation. When examining an iPod it is important to know which type of system it was synchronized with: the file system identifies the host platform, and knowing the format makes it easier to match the iPod to the host it was synchronized with. Do not assume the format from the platform of the seized computer alone: a Windows-formatted (FAT32) iPod is also readable on a Mac, whereas a Mac-formatted (HFS+) iPod is not readable on Windows without third-party software, so confirm the format from the on-disk signatures.
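An added example (not EC-Council's code) of confirming the format from the disk itself rather than from the platform of the computer it was seized with. It reads only the first three sectors of a raw image or read-only device node, so it works on a full-disk image and on a single-partition image alike; the sample images are constructed in memory, and the signatures it relies on (the FAT type string at byte 82, the HFS+ volume-header signature at byte 1024, the Apple Partition Map 'ER'/'PM' markers, and the MBR partition-type byte) are standard on-disk layout facts.

```python
"""Classify an iPod image from on-disk signatures: Windows-style (FAT32 / MBR)
or Mac-style (HFS+ / Apple Partition Map).

Added example for this module, not EC-Council's code. Only the first three
sectors of the image are needed. The sample images are constructed in memory."""
import struct

SECTOR = 512
HEAD = 3 * SECTOR          # bytes 0..1535 cover the MBR/APM, a FAT boot sector and the HFS+ header
FAT_PARTITION_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}  # FAT12/16/32 MBR type bytes


def identify_filesystem(head: bytes) -> str:
    """Return a label for the layout found in the first 1536 bytes.

    Checks, in order:
      1. Apple Partition Map: driver descriptor 'ER' at byte 0 and a partition
         map entry 'PM' at byte 512 (whole-disk image of a Mac-formatted iPod)
      2. HFS volume header signature at byte 1024: 'H+' (HFS+), 'HX' (HFSX), 'BD' (HFS)
      3. FAT boot sector: 0x55AA at byte 510 plus the file-system type string
         ('FAT32   ' at byte 82, 'FAT16   '/'FAT12   ' at byte 54)
      4. MBR: 0x55AA at byte 510 and a partition entry with a FAT type byte
         (whole-disk image of a Windows-formatted iPod)
    """
    if len(head) < HEAD:
        raise ValueError("need at least %d bytes of the image" % HEAD)
    if head[0:2] == b"ER" and head[SECTOR:SECTOR + 2] == b"PM":
        return "Apple Partition Map (Mac-formatted iPod)"
    sig = head[1024:1026]
    if sig == b"H+":
        return "HFS+"
    if sig == b"HX":
        return "HFSX"
    if sig == b"BD":
        return "HFS"
    if head[510:512] == b"\x55\xAA":
        if head[82:90] == b"FAT32   ":
            return "FAT32"
        if head[54:62] in (b"FAT16   ", b"FAT12   "):
            return head[54:59].decode("ascii")
        for i in range(4):  # four 16-byte MBR entries at byte 446; the type byte is entry[4]
            entry = head[446 + 16 * i: 446 + 16 * (i + 1)]
            if entry[4] in FAT_PARTITION_TYPES:
                return "MBR with FAT partition (Windows-formatted iPod)"
    return "unknown"


def identify_image(path: str) -> str:
    """Classify an image file or a block device opened read-only."""
    with open(path, "rb") as f:
        return identify_filesystem(f.read(HEAD))


# ---- constructed sample images (not taken from a real device) ----
def make_fat32_boot_sector() -> bytes:
    img = bytearray(HEAD)
    img[0:3] = b"\xEB\x58\x90"            # jump instruction
    img[3:11] = b"MSWIN4.1"               # OEM name
    struct.pack_into("<H", img, 11, 512)  # bytes per sector
    img[82:90] = b"FAT32   "              # file-system type string
    img[510:512] = b"\x55\xAA"            # boot-sector signature
    return bytes(img)


def make_hfsplus_partition() -> bytes:
    img = bytearray(HEAD)
    struct.pack_into(">2sH", img, 1024, b"H+", 4)  # signature and version fields of the volume header
    return bytes(img)


def make_windows_whole_disk() -> bytes:
    img = bytearray(HEAD)
    # one active partition entry of type 0x0B (FAT32), starting at LBA 63
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B, b"\xFE\xFF\xFF", 63, 1_000_000)
    img[510:512] = b"\x55\xAA"
    return bytes(img)


def make_mac_whole_disk() -> bytes:
    img = bytearray(HEAD)
    img[0:2] = b"ER"                      # driver descriptor record
    img[SECTOR:SECTOR + 2] = b"PM"        # first partition-map entry
    return bytes(img)


if __name__ == "__main__":
    samples = {"FAT32 partition": make_fat32_boot_sector(),
               "HFS+ partition": make_hfsplus_partition(),
               "Windows whole disk": make_windows_whole_disk(),
               "Mac whole disk": make_mac_whole_disk()}
    for label, img in samples.items():
        print("%-20s -> %s" % (label, identify_filesystem(img)))
```

Run it against the image of the iPod's data partition and against the whole-disk image: the partition image answers the HFS+ versus FAT32 question directly, while the whole-disk image tells you whether the device carries an Apple Partition Map or an MBR, which is the same answer reached a different way.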
  • 14. Application Formats. iPods use standard file formats for the different kinds of data they store. Contact information is kept in the vCard format, the standard for exchanging electronic business cards; vCards contain personally identifiable information such as name and address and can be attached to email messages. Calendar entries are stored in the industry-standard vCalendar format, also known as the Personal Calendaring and Scheduling Exchange Format, which is used to interchange calendar and scheduling information. Music can be stored in different folders on the device. iPods play MP3, M4A/AAC, Protected AAC, AIFF, WAV, and Apple Lossless audio files; newer iPods also play .m4v (H.264) and .mp4 (MPEG-4) video, and on Windows iTunes converts unprotected WMA files so they can be played. iPods sort files by their ID3 tags, the metadata containers in an audio file, especially an .mp3 file, that hold the title, artist, album, and track number. Users can also store files on the device as encrypted or hidden files, and with third-party applications and accessories the iPod can serve as a voice recorder or as storage for digital camera photos.
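An added example (not part of the module) of reading the two text formats just described: a small parser for the vCard and vCalendar records an iPod keeps for contacts and calendar entries. It unfolds continuation lines, walks nested BEGIN/END blocks, and pulls out the fields an examiner usually wants first (name, numbers, addresses, event times). The sample records are constructed for the example, and the choice of fields extracted is an assumption.

```python
"""Parse vCard (.vcf) and vCalendar (.vcs) records copied from an iPod.
Added example for this module; sample records are constructed, not real."""
import re
from datetime import datetime

# A property line is NAME[;PARAM=VALUE...]:VALUE. A line beginning with a space
# or tab continues the previous line ("folding", as in RFC 2425/2426).
PROP = re.compile(r"^([A-Za-z0-9-]+)((?:;[^:]*)?):(.*)$")


def unfold(text: str) -> list:
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_components(text: str) -> list:
    """Return [(component_type, [(name, params, value), ...]), ...] for every
    BEGIN/END block, inner blocks first (a VEVENT before its VCALENDAR)."""
    stack, finished = [], []
    for line in unfold(text):
        m = PROP.match(line)
        if not m:
            continue  # tolerate junk between records in carved data
        name, params, value = m.group(1).upper(), m.group(2).lstrip(";"), m.group(3)
        if name == "BEGIN":
            stack.append((value.upper(), []))
        elif name == "END":
            if stack:
                finished.append(stack.pop())
        elif stack:
            stack[-1][1].append((name, params, value))
    return finished


def contacts(text: str) -> list:
    """Name, phone numbers and e-mail addresses from every VCARD."""
    out = []
    for ctype, props in parse_components(text):
        if ctype != "VCARD":
            continue
        c = {"fn": None, "tel": [], "email": []}
        for name, _params, value in props:
            if name == "FN":
                c["fn"] = value
            elif name == "TEL":
                c["tel"].append(value)
            elif name == "EMAIL":
                c["email"].append(value)
        out.append(c)
    return out


def events(text: str) -> list:
    """Summary and start/end times from every VEVENT. Times use the basic ISO
    form vCalendar writes (YYYYMMDDTHHMMSS, trailing Z when the time is UTC)."""
    out = []
    for ctype, props in parse_components(text):
        if ctype != "VEVENT":
            continue
        e = {"summary": None, "dtstart": None, "dtend": None, "utc": False}
        for name, _params, value in props:
            if name in ("DTSTART", "DTEND"):
                e["utc"] = e["utc"] or value.endswith("Z")
                e[name.lower()] = datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S")
            elif name == "SUMMARY":
                e["summary"] = value
        out.append(e)
    return out


# Constructed sample records (not from a real device).
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nFN:Jane Doe\r\n"
    "TEL;CELL:+1-555-0100\r\nTEL;HOME:+1-555-0101\r\n"
    "EMAIL;INTERNET:jane@example.invalid\r\n"
    "NOTE:Met at the\r\n  warehouse on 3rd\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Drop Point\r\nTEL:+1-555-0199\r\nEND:VCARD\r\n"
)
SAMPLE_VCS = (
    "BEGIN:VCALENDAR\r\nVERSION:1.0\r\nBEGIN:VEVENT\r\n"
    "DTSTART:20080315T213000Z\r\nDTEND:20080315T220000Z\r\n"
    "SUMMARY:Pick up package\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for c in contacts(SAMPLE_VCF):
        print(c)
    for e in events(SAMPLE_VCS):
        print(e)
```

Keep the raw property list from parse_components as well as the summarized records: fields such as NOTE, or the parameters on a TEL line, are often the ones that matter in a case, and the timestamps should be recorded with their UTC flag so they can be reconciled with the host computer's clock.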
  • 15. iPod and iPhone Forensics. iPod and iPhone forensics is the recovery of digital evidence from these devices under forensically sound conditions using accepted methods. It covers the recovery and analysis of data, and supports tracing and prosecuting offenders when an iPod or iPhone was used to commit a crime. It also helps in other cases by yielding contact details, conversations, and other communication logs; the data stored on these devices gives general insight into the people and events of a case.
  • 16. Evidence Stored on iPod and iPhone. iPods and iPhones hold a range of information that helps an investigation, including:
    - Text messages
    - Calendar events
    - Photos and videos
    - Caches
    - Logs of recent activity
    - Map and satellite imagery
    - Personal alarms
    - Notes
    - Music
    - Email
    - Web browsing activity
    - Passwords and personal credentials
    - Fragments of typed communication
    - Voicemail
    - Call history
    - Contacts
    - Information pertaining to interoperability with other devices
    - Items of personal interest
  • 17. Forensic Prerequisites. Accurate iPod forensics requires proper examination equipment, both hardware and software. Hardware requirements:
    - iPod: the device collected at the scene
    - Two commodity computers, a PC and a Macintosh: most of the examination is done on the PC; the Macintosh is used when needed
  Software requirements:
    - Windows or Mac operating system. A Windows examination machine should have at least: Processor AMD Athlon 64 2800; RAM 512 MB; hard drive 160 GB. A Mac examination machine: OS Mac OS X; Processor 500 MHz; RAM 128 MB; hard drive 8 GB
    - Data recovery tools such as Recover My iPod and iPod Data Recovery
    - Forensic tools such as EnCase and Forensic Toolkit
  • 18. Collecting an iPod/iPhone Connected to a Mac. When collecting the device, first note its state at the scene. If the iPod is not connected to a computer, simply collect it. If it is connected, check whether it is mounted: a "Do Not Disconnect" message on the iPod screen means it is. If so, unmount it before disconnecting it from the computer by dragging the iPod's icon to the Trash on the Macintosh desktop. Never simply pull the cable or power off the computer while the device is mounted, since that can corrupt the iPod's disk. Figure 37-02: Collecting iPod/iPhone connected with Mac
  • 19. Collecting an iPod Connected to Windows. A different procedure applies when the device is connected to a Windows computer. Write down the iPod's name as shown on the desktop before unmounting it. To unmount the device, use "Unplug or eject hardware" in the system tray, then disconnect the iPod; unplugging it improperly can damage the iPod's disk and lose data. Depending on the machine the iPod was connected to, the investigator then uses the appropriate tool to analyze it. Figure 37-03: Collecting iPod connected with Windows
  • 20. Disable Automatic Syncing. Automatic syncing synchronizes the information on the device with the information stored on the computer; disabling it on the examination machine prevents cross-contamination of the iPod/iPhone data. Do this before the evidence device is ever connected to that machine:
    1. Open iTunes on the desktop machine
    2. Select Preferences from the iTunes menu
    3. Click the Syncing tab
    4. Check the box labeled Disable automatic syncing for all iPhones and iPods
  • 21. Write Blocking. Write blocking prevents alteration of a data storage device and so preserves the integrity of the evidence. Imaging, with software or hardware tools, is the usual way to keep the original evidence from being altered, but the act of attaching the device to an examination machine can itself change it, and an image taken after such a change gives different results. Write blocking gives read-only access to the evidence and protects it from any kind of change, so it should be in place before imaging. Hardware write blockers are preferable to software ones, but most hardware blockers are built for hard disks, and USB write-blocking hardware is costly, so investigators often use software blocking. Use a software write blocker such as PDBLOCK, or a hardware write blocker such as the WiebeTech Forensic SATADock, to keep the evidence from being altered. On Linux and Macintosh, write blocking is done with commands and configuration.
  • 22. Write Blocking in Different OS. Write-blocking techniques depend on the operating system of the examination machine: some rely on software tools that grant read-only access, others on configuration and commands. For iPods examined on Windows, software write blockers are generally used; on Linux and Macintosh, commands and configuration changes are used. The techniques by operating system:
    - Windows: Windows XP Service Pack 2 introduced the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Under it, set the DWORD value WriteProtect to 0x00000001 and restart the computer; this blocks write access to any USB storage device. To allow writes again, set WriteProtect back to 0x00000000 and restart. The value can be set manually or with a tool such as the NCFS USB Write Blocker. The change takes effect only once the system is restarted and the registry values are reloaded, so confirm the block by trying to create a file on a scratch USB stick before connecting the evidence device.
    - Linux: There are two approaches. First, because the Linux kernel and its drivers are open source, the code that handles the device can be modified and recompiled so that the device cannot be written to. Second, because Linux exposes a high level of control through its configuration, the investigator can configure the system so that the iPod is never written: the key step is to prevent Linux from automatically mounting the iPod as a drive, which lets the investigator treat it as a blocked device and mount its file systems read-only only when needed. Kernel modification is rarely practical on an examination machine, so the configuration approach is the one described here. On an Ubuntu Live CD, auto-mounting is disabled under System > Preferences > Removable Drives and Media: clear the check boxes in that window and click OK.
    - Macintosh: Mac OS X is a Unix-based system, so write blocking by configuration works on the same principles as on Linux. The methods include:
      - preventing Mac OS X from automatically mounting removable media
      - preventing iTunes from launching when the iPod is connected
      - mounting the iPod's volumes read-only when they do need to be mounted
  • 24. Image the Evidence. Data acquisition is the critical step of an iPod investigation. Before analysing anything, the investigator creates an image of the evidence: an exact copy of the contents of the digital device, so that the original is never altered during analysis. Imaging tools such as EnCase make exact bit-for-bit copies of the original. Imaging an iPod is not always straightforward. When connected over USB the iPod exposes its drive directly to the host. This is Disk Mode, the mode the iPod operates in when connected to a computer; software normally switches the device into Disk Mode automatically, but it can also be forced manually: toggle the Hold switch on and off, press and hold the Menu and Select buttons until the Apple logo appears, then immediately release them and hold down Select and Play until the Disk Mode screen appears. Disk Mode gives direct access to the hard disk, but the connection between the iPod and the computer can be unstable, which causes problems for imaging, so use a robust imaging tool such as EnCase or GNU dd. Hash the original and the image to prove they are identical. The module names MD5; because MD5 collisions are practical to construct, record a second digest such as SHA-256 alongside it. Data is then recovered from the image, not from the device, using data recovery tools such as Recover My iPod and iPod Data Recovery.
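An added example (not the module's, EnCase's or dd's code) of the imaging and hashing steps just described: a minimal dd-style routine that copies a device or file bit for bit, computes MD5 and SHA-256 in the same pass, and then re-reads source and image independently to verify them. The source path would be the write-blocked iPod device (for example /dev/sdb on Linux, an assumption); the demo functions use constructed temporary files so the block runs offline, and the tamper step shows the verification catching a single flipped byte.

```python
"""Bit-for-bit imaging with hashing in the same pass, plus independent
verification of the result. Added example for this module; not EnCase, dd or
EC-Council code. Source paths are assumptions (e.g. /dev/sdb); demo inputs
are constructed temporary files."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads: good throughput, little lost if a flaky USB link drops a read


def _digests():
    # MD5 is kept because the module and older tools report it; SHA-256 is the
    # digest to rely on, since MD5 collisions are practical to construct.
    return hashlib.md5(), hashlib.sha256()


def image_device(src: str, dst: str, chunk: int = CHUNK) -> dict:
    """Copy src to dst byte for byte and hash the bytes as they are read."""
    md5, sha = _digests()
    size = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            buf = fin.read(chunk)
            if not buf:
                break
            fout.write(buf)
            md5.update(buf)
            sha.update(buf)
            size += len(buf)
        fout.flush()
        os.fsync(fout.fileno())          # image is on stable storage before it is hashed again
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path: str, chunk: int = CHUNK) -> dict:
    """Independent re-read of a file; same record shape as image_device()."""
    md5, sha = _digests()
    size = 0
    with open(path, "rb", buffering=0) as f:
        for buf in iter(lambda: f.read(chunk), b""):
            md5.update(buf)
            sha.update(buf)
            size += len(buf)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(src: str, dst: str) -> bool:
    """True only if source and image agree on size and on both digests."""
    return hash_file(src) == hash_file(dst)


def known_answer_check() -> dict:
    """Image a constructed 3-byte 'device' holding b'abc' so the digests can be
    compared with the published MD5/SHA-256 test vectors for 'abc'."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
        with open(src, "wb") as f:
            f.write(b"abc")
        return image_device(src, dst)


def demo() -> dict:
    """Image a constructed 3 MiB pseudo-device, verify, then flip one byte of
    the image and verify again to show the check failing."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "ipod.raw"), os.path.join(d, "ipod.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))
        rec = image_device(src, dst)
        rec["verified"] = verify_image(src, dst)
        with open(dst, "r+b") as f:      # tamper: flip the low bit of byte 4096
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        rec["verified_after_tamper"] = verify_image(src, dst)
        return rec


if __name__ == "__main__":
    print(known_answer_check())
    print(demo())
```

Record the digests returned by image_device() in the examination notes at acquisition time; verify_image() re-reading the original is what demonstrates that the write-blocked source was not changed by the acquisition, and the same hash_file() call on the image later proves the working copy is still intact.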
  • 25. View the iPod System Partition. The system partition of the iPod holds no user-identifiable data. It contains the information the iPod needs to run:
    - the iPod OS
    - images used in the operation of the device
    - games and other applications stored on the device
  The system partitions of Windows and Macintosh iPods are very similar. Because the format of this partition is undocumented, the analyst opens it in a hex editor for analysis.
  • 26. View the Data Partition. Depending on its type, an iPod has a two- or three-partition layout. Both kinds have a system partition and a data partition; the difference is that a Windows iPod has two partitions while a Macintosh iPod has three, because of the Apple Partition Map layout that accompanies HFS+, in which the partition map itself occupies an entry. Note that the data fork and resource fork are per-file structures of HFS+ (the data fork holds a file's contents, the resource fork its structured metadata), not a division of the partition. The data partition holds the user's information:
    - Calendar entries
    - Contact entries
    - Note entries
    - the hidden iPod_Control directory
    - iTunes configuration information
    - Music stored on the iPod
  It can be examined with Forensic Toolkit, EnCase, a hex editor, or Linux and Macintosh command-line tools. The data partition has the same structure on Windows and Macintosh iPods, with the same files and directories.
  • 27. Break Passcode to Access the Locked iPhone. The following sequence bypasses the passcode lock through the Emergency Call screen:
    - From the keypad, press the Emergency Call button
    - Type *#301# and press the green [phone] button
    - Delete the previous entry by pressing the delete key six times
    - Type the number 0 and press the green [phone] button
    - Answer the call by pressing the green [phone] button
    - End the call by pressing the red [phone] button
    - Press the [Decline] button
    - In the Contacts tab, press the [+] button at the top to create a new contact
    - In the Add new URL tab, enter prefs: and press [Save]
    - Touch the No Name contact entry
    - Tap the prefs: home page button
    - Tap General in the Settings menu
    - Tap Passcode Lock
    - Tap Turn Passcode Off
    - Return to General by tapping [Cancel]
    - Tap Auto-Lock and set it to Never
  This sequence relies on a flaw in the Emergency Call screen of early iPhone OS 2.0 releases that Apple fixed in a later update, so it does not work on patched firmware. It also changes the device's own settings (passcode off, auto-lock disabled), so record each step and the time it was taken in the examination notes.
  • 28. Acquire the DeviceInfo File. The file iPod_Control\iTunes\DeviceInfo on the iPod holds several pieces of forensic information. iTunes creates it when the iPod is set up within iTunes on a connected computer, and its creation time comes from the clock of that computer. Once the connection is established, the file records:
    - the name given to the iPod
    - the username logged into the computer
    - the name of the computer to which the iPod was connected
  The file exists only if the iPod was set up within iTunes. Figure 37-04: Acquiring device information
  • 29. Acquire the SysInfo File. The SysInfo file on the iPod holds several pieces of forensic information. It lives in the data partition under the iPod_Control\Device directory (iPod_Control\Device\SysInfo). It is written by the iPod Updater software when the iPod is restored (the restore completes when the iPod is disconnected from the computer and connected to the power adapter); the file does not change afterwards, so its timestamp is taken as the time the iPod was last restored. It contains:
    - the iPod's model number, in the ModelNumStr field
    - the iPod's serial number, in the pszSerialNumber field
    - the serial number the iPod presents to the computer, in the FirewireGuid field; this identifier is what Windows records in Windows\setupapi.log when the iPod is connected, and so ties the iPod to a particular Windows computer
  The file is at the same location on both Windows and Mac iPods, and on both it sits at the same byte offset from the beginning of the drive, hexadecimal 5F02200. That makes it easy to extract with forensic tools or a hex editor: go directly to offset 0x5F02200, or search for the string "BoardHWName". If that does not find it, search for the serial number printed on the back of the iPod. Figure: SysInfo file
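An added example (not EC-Council's code) of working with SysInfo the way the slide describes: parse its fields, carve the record out of a raw image either by the "BoardHWName" marker or by seeking to the documented offset 0x5F02200, and then use the FirewireGuid to find the lines in a Windows setupapi.log that record this particular iPod being connected. The record, the image and the log lines are constructed; the field names follow the module, and the key: value line layout of the file is an assumption.

```python
"""Parse the iPod SysInfo record, locate it in a raw disk image, and use the
FirewireGuid it carries to find matching Windows setupapi.log lines.

Added example for this module, not EC-Council's code. The record, the raw
image and the setupapi.log lines below are constructed; the field names follow
the module and the 'key: value' line layout is an assumption about the file."""
import os
import re
import tempfile

SYSINFO_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")
MARKER = b"BoardHWName"          # string the module suggests searching for
SYSINFO_OFFSET = 0x5F02200       # byte offset the module gives for SysInfo on iPod disks


def parse_sysinfo(text: str) -> dict:
    """'key: value' lines -> dict; lines in any other shape are ignored."""
    fields = {}
    for line in text.splitlines():
        m = SYSINFO_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def carve_sysinfo(image: bytes) -> tuple:
    """Find MARKER in a byte buffer, expand to the surrounding run of printable
    text (the whole record) and parse it. Returns (offset, fields) or (-1, {})."""
    pos = image.find(MARKER)
    if pos < 0:
        return (-1, {})
    start, end = pos, pos
    while start > 0 and 0x09 <= image[start - 1] < 0x7F:   # printable ASCII plus tab/LF/CR
        start -= 1
    while end < len(image) and 0x09 <= image[end] < 0x7F:
        end += 1
    return (start, parse_sysinfo(image[start:end].decode("ascii", "replace")))


def carve_at_known_offset(path: str, offset: int = SYSINFO_OFFSET,
                          slack: int = 4096, window: int = 64 * 1024) -> tuple:
    """Read a window around the documented offset of an image file and carve
    there, instead of scanning the whole disk."""
    base = max(0, offset - slack)
    with open(path, "rb") as f:
        f.seek(base)
        off, fields = carve_sysinfo(f.read(window))
    return (base + off, fields) if fields else (-1, {})


def guid_hex(fields: dict) -> str:
    """FirewireGuid as bare hex, the form that appears in setupapi.log."""
    guid = fields.get("FirewireGuid", "")
    return guid[2:] if guid.lower().startswith("0x") else guid


def correlate_setupapi(log_lines: list, fields: dict) -> list:
    """setupapi.log lines that mention this iPod's FireWire GUID (case-insensitive)."""
    needle = guid_hex(fields).lower()
    return [ln for ln in log_lines if needle and needle in ln.lower()]


# ---- constructed sample data ----
SAMPLE_SYSINFO = (
    "BoardHWName: iPod 5G\n"
    "pszSerialNumber: 5V6CONSTRUCTD\n"
    "ModelNumStr: xA1136\n"
    "FirewireGuid: 0x000A270012345678\n"
    "visibleBuildID: 0x01A20000 (1.2)\n"
)
SAMPLE_IMAGE = bytes(0x1000) + SAMPLE_SYSINFO.encode("ascii") + bytes(0x800)
SAMPLE_SETUPAPI = [  # constructed in the style of Windows XP setupapi.log entries
    "#-019 Searching for hardware ID(s): usbstor\\diskapple___ipod____________1.62",
    "#I022 Found \"USBSTOR\\DiskApple___iPod____________1.62\" in C:\\WINDOWS\\inf\\usbstor.inf",
    "#I121 Device install of \"USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\\000A270012345678&0\" finished successfully.",
    "#I121 Device install of \"USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\\0000161F&0\" finished successfully.",
]


def demo_from_file() -> tuple:
    """Write the sample record at the documented offset of a sparse temp file
    and recover it the way an examiner would from a full-disk image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ipod.dd")
        with open(path, "wb") as f:
            f.seek(SYSINFO_OFFSET)       # sparse file: the leading ~95 MB are never written
            f.write(SAMPLE_SYSINFO.encode("ascii"))
        return carve_at_known_offset(path)


if __name__ == "__main__":
    offset, fields = carve_sysinfo(SAMPLE_IMAGE)
    print(hex(offset), fields)
    print(correlate_setupapi(SAMPLE_SETUPAPI, fields))
```

Whatever the slide's offset yields, confirm the carved record by comparing pszSerialNumber with the serial printed on the back of the device, and keep the raw bytes from carve_sysinfo() in the case file along with the offset at which they were found.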
• 30. Recover the IPSW File
.IPSW is the software update file format for the iPod Touch and iPhone. The file holds the data for software restores and minor updates of the iPod/iPhone and gives information about running, installed, and uninstalled applications. It also helps in removing software that was corrupted while downloading. It is stored in the following location in the iPhone: Library/iTunes/iPhone Software Updates
Figure 37-05: Screenshot to recover IPSW file (Source: http://ioriginal.wordpress.com/)
• 31. Check the Internet Connection Status
The following indicators show the Internet connection status:
- An E on screen indicates the slower EDGE network
- A 3G icon indicates the faster but limited-coverage third-generation network
- Radiating signal bars indicate Wi-Fi connectivity
• 32. View Firmware Version
To view the firmware version of an iPod:
1. Connect the iPod to iTunes
2. Click the iPod in the left column of the iTunes window
3. Go to the Summary tab
Figure 37-06: Firmware information in iPod
To view the firmware version of an iPhone:
1. Select Home -> Settings -> General -> About
2. Check the entry for Version
• 33. Figure 37-07: Software version in the iPhone
• 34. Recover Network Information
Network information can be recovered using the Devinfo application on the iPhone. Devinfo shows the following:
- Network interfaces, including VPN, GPRS/EDGE/3G, and Wi-Fi
- TCP/UDP connections
- Routing table
- Running processes
- System info, memory, and disk usage
Figure 37-08: Network information in the iPhone
• 35. Recovering Data from the SIM Card
The SIM card contains information important to the forensic investigation:
- Service-related information such as unique identifiers for the (U)SIM, the Integrated Circuit Card Identification (ICCID), the subscriber, and the International Mobile Subscriber Identity (IMSI)
- Phonebook and call information such as Abbreviated Dialing Numbers (ADN) and Last Numbers Dialed (LND)
- Messaging information including SMS, EMS, and multimedia messages
- Location information, including Location Area Information (LAI) for voice communications and Routing Area Information (RAI) for data communications
SIM card data can be recovered using the following tools:
- SIM Analyzer
- SIMCon
- SIM Card Data Recovery Software
• 36. Acquire the User Account Information
An iPod keeps a record of the computer on which it is mounted: it stores the name of the computer and the user names of all users who accessed the system while it was mounted. This information, together with the iPod's name, can be found in several locations. The DeviceInfo file under a user name in the iTunes folder holds information about the computer with which the iPod was used. This information can be used to verify ownership of an iPod: if the user name stored on the iPod is the same as the one used by the person in question, it can be ascertained that this person used the iPod. Establishing ownership of the iPod is necessary to prove the case in court, as the person may deny owning the device.
• 37. View the Calendar and Contact Entries
iPods also have limited PDA capabilities: they can store calendars, schedules, and contact information, and this information can be found with a simple string search. iPods use the standard vCard file format for contact information and the vCalendar format for calendar and scheduling information. Calendar and scheduling information is stored in .ics files in the Calendars folder, and contact entries are stored in .vcf files in the Contacts folder. Both formats store their information as plain text on the hard drive and can be read directly. Calendar and contact entries begin with the file headers "BEGIN:VCALENDAR" and "BEGIN:VCARD", respectively. These headers mark the beginning of each vCalendar or vCard entry and remain intact even after the file is deleted or the iPod is restored to factory settings.
Figure 37-09: Calendar and contact entries in an iPod (Source: http://the-gadgeteer.com/)
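As an added example (not from the module), the Python below carves vCard and vCalendar entries out of a raw byte buffer by the BEGIN:VCARD / BEGIN:VCALENDAR headers the slide names, so it also finds entries whose directory entry is gone. It unfolds continuation lines, drops property parameters such as TYPE=CELL, and flags an entry whose END: line has been overwritten. SAMPLE_IMAGE, with its contacts and calendar event, is constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Header/footer pairs named in the module; the BEGIN line survives deletion and a restore.
ENTRY_TYPES = {
    b"BEGIN:VCARD": b"END:VCARD",
    b"BEGIN:VCALENDAR": b"END:VCALENDAR",
}
# Cap on one entry, so a BEGIN whose END was overwritten cannot swallow the rest of the image.
MAX_ENTRY_BYTES = 64 * 1024

# Constructed drive image: a live contact, a deleted contact left in unallocated space
# after NUL padding, and a calendar whose tail was overwritten (no END:VCALENDAR).
SAMPLE_IMAGE = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
    b"TEL;TYPE=CELL:+1-555-0100\r\nEMAIL:alice@example.com\r\nEND:VCARD\r\n"
    + b"\x00" * 512
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\n"
    b"NOTE:meet at the\r\n  north office\r\nEND:VCARD\r\n"
    + b"\x00" * 64
    + b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Project review\r\n"
    b"DTSTART:20080307T101500Z\r\nLOCATION:Room 4\r\n"
    + b"\xff" * 32
)


@dataclass
class CarvedEntry:
    kind: str                    # "VCARD" or "VCALENDAR"
    offset: int                  # byte offset of the BEGIN: header in the image
    complete: bool               # False when the matching END: line was not found
    properties: Dict[str, List[str]] = field(default_factory=dict)


def _unfold(text: str) -> List[str]:
    """Join folded lines: a continuation line starts with a space or tab (RFC 2425/2445)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_properties(text: str) -> Dict[str, List[str]]:
    """Map property names to values; parameters (TEL;TYPE=CELL) and BEGIN/END lines are dropped."""
    props: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if ":" not in line:
            continue                 # overwritten or binary residue, not a property
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].upper()
        if name in ("BEGIN", "END"):
            continue
        props.setdefault(name, []).append(value.strip())
    return props


def carve_entries(image: bytes) -> List[CarvedEntry]:
    """Find every vCard/vCalendar header in the image, allocated or not, and parse it."""
    entries: List[CarvedEntry] = []
    for begin, end in ENTRY_TYPES.items():
        pos = 0
        while (start := image.find(begin, pos)) != -1:
            limit = min(len(image), start + MAX_ENTRY_BYTES)
            stop = image.find(end, start, limit)
            if stop == -1:
                # Footer missing: keep the text up to the first NUL and mark it incomplete.
                body = image[start:limit]
                nul = body.find(b"\x00")
                body = body if nul == -1 else body[:nul]
                complete = False
            else:
                body = image[start:stop + len(end)]
                complete = True
            text = body.decode("utf-8", errors="replace")
            kind = begin[len(b"BEGIN:"):].decode("ascii")
            entries.append(CarvedEntry(kind, start, complete, _parse_properties(text)))
            pos = start + len(begin)
    entries.sort(key=lambda e: e.offset)
    return entries


if __name__ == "__main__":
    for entry in carve_entries(SAMPLE_IMAGE):
        status = "complete" if entry.complete else "TRUNCATED"
        print(f"{entry.kind} @0x{entry.offset:x} ({status}): {entry.properties}")
```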
• 38. Recovering Photos
iTunes is used to manage the content of the iPhone. Photos may be considered evidence and can help investigators track the attacker. The steps to recover deleted photos are as follows:
1. Connect the iPhone to the laptop
2. Run iTunes
3. Click the Photos tab
4. Adjust the settings
5. Specify the folder to which photos should be synced
6. Use the Cellebrite UME 36 Pro tool to download the photos directly
• 39. Recovering Address Book Entries
Address book entries provide email addresses, contact numbers, and other sensitive information that can be used as evidence. The steps for recovering address book entries are as follows:
1. Check the address book entries, which are stored in the following databases in the iPhone:
   Library_AddressBook_AddressBook.sqlitedb
   Library_AddressBook_AddressBookImages.sqlitedb
2. Retrieve the databases using iTunes
3. Use tools such as Cellebrite UME 36 Pro and WOLF to recover address book entries after connecting to the iPhone
Figure 37-10: Address book entries
• 40. Recovering Calendar Events
Stored and deleted calendar events in the iPhone provide schedules for particular days and times, meeting venues, the people to be met, and other sensitive information that can be used as evidence. After the scheduled event, this information may be deleted by the attacker or the user. Investigators can recover it as follows:
1. Check the calendar events stored in the following database in the iPhone:
   Library_Calendar_Calendar.sqlitedb
2. Retrieve this database using iTunes
3. Use the Cellebrite UME 36 Pro tool to recover calendar events after connecting to the iPhone
• 41. Figure 37-11: Calendar events in the iPhone (Source: http://www.apple.com/)
• 42. Recovering Call Logs
Call logs in the iPhone provide information that may be useful to investigators and can help in solving a case. Call logs include the following:
- Dialed calls: the number, the date and time of the call, and the contact name if already stored
- Received calls: the number, the date and time of the call, and the contact name if already stored
- Missed calls: the number, the date and time of the call, and the contact name if already stored
The steps an investigator follows to recover the call logs are:
1. Check the call logs, which are stored in the following database in the iPhone:
   Library_CallHistory_call_history.db
2. Use the WOLF tool to recover the call logs
• 43. Recovering Map Tile Images
The steps for recovering map tile images are as follows:
1. Check where the map tile images are stored in the iPhone:
   Library_Maps_Bookmarks.plist
   Library_Maps_History.plist
2. Use Cellebrite UME 36 Pro to recover map tile images directly after connecting to the iPhone
Figure 37-12: Map tile images (Source: http://www.apple.com/)
• 44. Recovering Cookies
A cookie is a piece of information stored by a web browser. It helps the investigator reopen the web pages that were accessed by the user or an attacker. Since users and attackers are familiar with this property of cookies, they tend to delete them to avoid exposing the details cookies provide. The following steps are performed to recover cookies:
1. Check where the cookies are stored in the iPhone:
   Library_Cookies_Cookies.plist
2. Download the cookies to a computer during an iTunes sync
• 45. Recovering Cached and Deleted Email
The steps for recovering cached and deleted email are as follows:
1. Check the location/database on the iPhone where the email is stored:
   Library_Mail_Accounts.plist
   Library_Mail_AutoFetchEnabled
2. Download cached and deleted email to a computer during an iTunes sync
Figure 37-13: Cached and deleted email in an iPhone (Source: http://www.iphonefreak.com/)
• 46. Recover Deleted Files
Files deleted on an iPod are not really erased; they are only marked as deleted. The ".Trashes" folder on the iPod shows all the deleted files, and they can be recovered easily with various forensic tools. When the ".Trashes" folder is full or is emptied, deleted files are moved to the ".Trashes\501" folder. These files are not visible in normal use and appear to have been completely erased, but they can still be recovered with deleted-file recovery tools.
Figure 37-14: Screenshot of deleting files in an iPod
• 47. Forensic Information from Windows: the Registry
Forensic information relevant to an iPod investigation can also be acquired from the computer to which the iPod was connected. If the iPod is connected to a Windows computer, most of this information ends up in the Windows registry. The registry maintains information about events occurring on the Windows computer, including connection events with the iPod. It holds the following:
- the keys created when the iPod is connected to the Windows computer
- the last time those registry keys were changed
- the serial number of the iPod
The registry thus shows which keys the iPod's connection generated on that computer and when they were last changed. When the iPod is connected, Windows creates a series of registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Under USBSTOR there are several keys whose names give the vendor, product, and revision code. Directly under such a key is another key whose name is the iPod serial number, generally followed by "&0".
• 48. Figure 37-15: Screenshot of AccessData Registry Viewer
• 50. Forensic Information from Windows: setupapi.log
The setupapi.log file is similar to the registry files in Windows. It records events such as driver and application installations on the Windows computer, including the time the iPod was connected to the system. The file is found within the Windows installation directory and records all driver installations that occur after boot time. setupapi.log records the event when the iPod is first connected to the system after boot; it does not record a connection made during boot. If the iPod software is not installed, the file records only the first entry when the iPod is connected; if it is installed, the file records a series of entries every time the iPod is connected to the computer after boot time.
Generally, the registry key gives a more accurate record of the last time the iPod drivers were installed than the timestamps in setupapi.log. If the iPod is removed and reconnected, the registry shows the time the drivers were installed, whereas setupapi.log shows the reconnection time. Together, the information in the registry and in setupapi.log can be used to build a partial timeline that supports the investigation.
Figure 37-16: Setupapi.log files
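As an added example that is not part of the module, this Python parses the USBSTOR key names and setupapi.log sections described on the two preceding slides and merges them into the partial timeline the text calls for. Registry LastWrite times are passed in as a dict (as exported from a registry viewer) because the example does not read a hive; REGISTRY_KEYS and SETUPAPI_LOG are constructed in the style of a Windows XP setupapi.log, and serial_matches_firewire_guid assumes the USBSTOR serial is the SysInfo FirewireGuid's hex digits without the 0x prefix.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class UsbStorDevice(NamedTuple):
    vendor: str
    product: str
    revision: str
    serial: str  # USBSTOR instance id with the trailing "&0" removed


class TimelineEvent(NamedTuple):
    when: datetime
    source: str  # "registry" or "setupapi.log"
    serial: str
    detail: str


# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance>, as a registry key
# or quoted (upper-cased) inside a setupapi.log line.
_USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^&\\]*)\\(?P<inst>[\w&]+)",
    re.IGNORECASE,
)
# setupapi.log section header, e.g. "[2008/03/07 10:15:23 1056.3 Driver Install]"
_SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ (.+)\]$")

# Constructed registry export: USBSTOR device keys with their LastWrite times.
REGISTRY_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A27001234ABCD&0": datetime(2008, 3, 7, 10, 15, 24),
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\1234567890ABCD&0": datetime(2008, 3, 5, 18, 2, 11),
}

# Constructed setupapi.log excerpt in the Windows XP layout (not a real log).
SETUPAPI_LOG = r"""
[2008/03/05 18:02:10 1056.3 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\1234567890ABCD&0".
[2008/03/07 10:15:23 1056.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskapple___ipod____________1.62
#I123 Doing full install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001234ABCD&0".
[2008/03/08 09:02:41 1056.3 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001234ABCD&0" finished successfully.
"""


def parse_usbstor_path(path: str) -> Optional[UsbStorDevice]:
    """Split a USBSTOR path into vendor/product/revision/serial, dropping the "&0" suffix."""
    m = _USBSTOR_RE.search(path)
    if not m:
        return None
    inst = m.group("inst")
    serial = inst[:-2] if inst.endswith("&0") else inst
    return UsbStorDevice(m.group("vendor"), m.group("product"), m.group("rev"), serial.upper())


def serial_matches_firewire_guid(serial: str, firewire_guid: str) -> bool:
    """Assumption: SysInfo's FirewireGuid is the USBSTOR serial written with a 0x prefix."""
    digits = firewire_guid.strip().lower()
    digits = digits[2:] if digits.startswith("0x") else digits
    return digits == serial.strip().lower()


def registry_events(keys: Dict[str, datetime]) -> List[TimelineEvent]:
    """One event per USBSTOR device key, dated by the key's LastWrite time."""
    events: List[TimelineEvent] = []
    for path, last_write in keys.items():
        dev = parse_usbstor_path(path)
        if dev:
            events.append(TimelineEvent(last_write, "registry", dev.serial,
                                        f"USBSTOR key last written ({dev.vendor} {dev.product})"))
    return events


def parse_setupapi_log(text: str) -> List[TimelineEvent]:
    """One event per log section naming a USBSTOR device, dated by the section header."""
    events: List[TimelineEvent] = []
    when: Optional[datetime] = None
    section = ""
    for line in text.splitlines():
        m = _SECTION_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            section = m.group(2)
            continue
        dev = parse_usbstor_path(line)
        if dev and when is not None:
            events.append(TimelineEvent(when, "setupapi.log", dev.serial,
                                        f"{section}: {dev.vendor} {dev.product}"))
            when = None  # one event per section, even if several lines repeat the device
    return events


def build_timeline(keys: Dict[str, datetime], setupapi_text: str,
                   serial: Optional[str] = None) -> List[TimelineEvent]:
    """Merge both sources, oldest first, optionally limited to one device serial."""
    events = registry_events(keys) + parse_setupapi_log(setupapi_text)
    if serial is not None:
        events = [e for e in events if e.serial == serial.upper()]
    return sorted(events, key=lambda e: e.when)
```

In the constructed data the first setupapi.log section precedes the registry LastWrite by one second and the next-day section has no registry counterpart, which is the behaviour the slide describes for a reconnection.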
• 51. Recovering SMS Messages
The steps for recovering SMS messages are as follows:
1. Check the location/database where the SMS messages are stored in the iPhone:
   Library_SMS_sms.db
2. Use the Tansee iPhone Transfer SMS tool to recover SMS messages after connecting to the iPhone
• 53. Other Files Downloaded to the Computer During the iTunes Sync Process
The other files downloaded to the computer during the iTunes sync process are as follows:
- Library_Keyboard_dynamic-text.dat
- Library_LockBackground.jpg
- Library_Notes_notes.db
- Library_Preferences_.GlobalPreferences.plist
- Library_Preferences_SBShutdownCookie
- Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
- Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
- Library_Preferences_SystemConfiguration_com.apple.wifi.plist
- Library_Preferences_SystemConfiguration_preferences.plist
- Library_Preferences_com.apple.AppSupport.plist
- Library_Preferences_com.apple.BTServer.plist
- Library_Preferences_com.apple.Maps.plist
- Library_Preferences_com.apple.MobileSMS.plist
- Library_Preferences_com.apple.PeoplePicker.plist
- Library_Preferences_com.apple.Preferences.plist
- Library_Preferences_com.apple.WebFoundation.plist
- Library_Preferences_com.apple.calculator.plist
- Library_Preferences_com.apple.celestial.plist
- Library_Preferences_com.apple.commcenter.plist
- Library_Preferences_com.apple.mobilecal.alarmengine.plist
- Library_Preferences_com.apple.mobilecal.plist
- Library_Preferences_com.apple.mobileiPod.plist
• 54. (continued)
- Library_Preferences_com.apple.mobilemail.plist
- Library_Preferences_com.apple.mobilenotes.plist
- Library_Preferences_com.apple.mobilephone.plist
- Library_Preferences_com.apple.mobilephone.speeddial.plist
- Library_Preferences_com.apple.mobilesafari.plist
- Library_Preferences_com.apple.mobileslideshow.plist
- Library_Preferences_com.apple.mobiletimer.plist
- Library_Preferences_com.apple.mobilevpn.plist
- Library_Preferences_com.apple.preferences.network.plist
- Library_Preferences_com.apple.preferences.sounds.plist
- Library_Preferences_com.apple.springboard.plist
- Library_Preferences_com.apple.stocks.plist
- Library_Preferences_com.apple.weather.plist
- Library_Preferences_com.apple.youtube.plist
- Library_Preferences_csidata
- Library_Safari_Bookmarks.plist
- Library_Safari_History.plist
• 55. Analyze the Information
The last step in the investigation is to analyze the data. Once the data has been acquired, the forensic analyst examines it for evidence. Analysis includes the following:
- Find the user name and computer name by examining the iPod_Control\iTunes\DeviceInfo file
- If information is hidden, try to recover it
- Use steganalysis tools such as Stegdetect to extract hidden information
- Use cryptanalysis tools such as Crank and Jipher to reveal encrypted information
- Use different audio and video players to review the audio and video files
- Prepare a timeline of every event involving the iPod connected to the system
- If files are password protected, use Hydra and other password cracking tools
- Compare the times in the registry or setupapi.log files with the event times on the iPod
- Open the data partition in a hex editor and check the user's information such as contacts, calendar, and music files
• 56. Timeline Generation
The investigator should create a timeline file during the investigation; it helps during analysis. For exact investigation results, the timing of events is the most important factor. The time of every activity is kept as a timestamp on the iPod, and the registry and setupapi.log files on the Windows computer connected to the iPod also record every activity involving the iPod, starting with the first connection between computer and iPod. The timeline file should include the following:
- iPod_Control\Device\SysInfo modified time
- iPod_Control\iTunes\iTunesControl creation time
- iPod_Control\iTunes\DeviceInfo (and others) modified time
- the time the iPod was connected to the computer and initialized
- creation times of all music files
- modification times of all music files
• 57. Timeline Generation: File Status After Initializing the iPod with iTunes and Before Closing iTunes
Table 37-02: File status before closing iTunes
• 58. File Status After Closing iTunes for the First Time
Table 37-03: File status after closing iTunes
• 59. Timeline Generation: File Status After Connecting the iPod to the Computer for the Second Time, Copying Music, and Closing iTunes
Table 37-04: File status after connecting the iPod to the computer for the second time
• 60. Time Issues
Time is an important factor in the investigation process, and the investigator has to understand how time is reflected in the data being analyzed. An iPod has an internal clock, and that clock creates problems if it alters the files' creation and modification times. The clock has been tested using the following method:
- Set a date and time on the iPod that differ from those of the computer it is connected to
- Connect the iPod to the computer and copy some music files to it using iTunes; note the created, accessed, and modified times of the files
- Disconnect the iPod from the computer
- Check the time on the iPod's internal clock
- Play the songs on the iPod
- Reconnect the iPod to the computer
- Recheck the created, accessed, and modified times of the files
The same check can be repeated by copying notes, calendar entries, and contacts to the iPod.
• 61. Jailbreaking in iPod Touch and iPhone
• 62. Jailbreaking
Jailbreaking is the process of unlocking the iPhone and iPod touch to permit the installation of third-party applications. It also allows adding ringtones or changing the wallpaper on the iPhone, and it opens up the iPhone's file system so that it can be accessed from a computer. Attackers use different techniques to jailbreak the iPod; after jailbreaking, they can install malicious code or software that gives access to the information on the iPod. Tools used for jailbreaking include:
- iFuntastic
- iDemocracy
- iActivator
- iNdependence
• 63. AppSnapp
Source: http://jailbreakme.com/
AppSnapp is a tool for jailbreaking the iPhone and iPod touch and allowing the installation of non-sanctioned third-party applications. It jailbreaks the iPhone or iPod Touch, then pushes Installer.app to the device, which holds a catalog of native applications that can be installed directly over a Wi-Fi or EDGE connection. It automates the process on iPhones running software/firmware. It can be completed entirely on the iPhone, without interacting with a Mac or Windows computer.
Features:
- Patches Springboard to load third-party apps
- Activates non-AT&T iPhones automatically, while leaving already activated phones alone
- Fixes YouTube on non-AT&T iPhones automatically, while leaving already activated phones alone
- Installs Installer.app v3.0b5 on the iPhone/iPod Touch with Community Sources preinstalled
- Fixes Apple's TIFF bug, making your device MORE secure than it was without AppSnapp
- Enables the afc2 protocol and adds special commands to allow killing Springboard, lockdownd, etc.
Figure 37-17: Screenshot of AppSnapp (Source: http://gizmodo.com/)
• 64. Tool for Jailbreaking: iFuntastic
Source: http://www.tuaw.com/tag/iFuntastic/
iFuntastic is an iPhone hacking and modification tool that provides a GUI for almost any iPhone modification task. It can dig into the iPhone and edit images and logos, replace any system sound, and color the iChat SMS balloons. It has a full file browser that simply browses the iPhone's internal file system and edits UI images.
Features:
- Provides a "permanent jailbreak" tool called unshackling
- Has multiple, editable home screen layouts with custom wallpaper
- Simplified/improved ringtone installation
• 65. Figure 37-18: Screenshot of iFuntastic
• 66. Pwnage: Tool to Unlock iPod Touch
Source: http://wikee.iphwn.org/
The Pwnage tool is used to jailbreak both iPhones and iPod Touches.
Figure 37-19: Screenshot of Pwnage
• 67. Erica Utilities for iPod Touch
Source: http://ericasadun.com/
The Erica utilities help an investigator extract various forensic information from the iPod Touch.
Features:
- Query your iPod or iPhone for device attributes including platform name, processor, etc.
- Search the App Store from the command line by entering a simple query phrase
The Erica utilities are as follows:
- abquery: Search your address book by name. Enter a search phrase that abquery matches against the address book name fields
- appLoad: Force Springboard to acknowledge new applications in the standard locations (/Applications and /var/mobile/Applications)
- appSearch: Search the App Store from the command line. Enter a simple query phrase
- badge: Badge application icons on Springboard with names, numbers, etc.
- deviceInfo: Query your iPod or iPhone for device attributes including platform name, processor, etc.
- findme: Return your current location's latitude and longitude. The new version returns XML
- ip-print: Show the current IP address used by your iPhone
- itmsSearch: Launch an iTunes store search from the command line
- launch: Run an application from the command line as if it had been launched in Springboard. You must supply the application ID, e.g. launch com.apple.Calculator
- notificationWatcher: Listen for standard and/or core telephony notifications. Notification Watcher eavesdrops on these system-wide notifications, which are sent using the BSD notification system (aka "Darwin Notification Center")
- openURL: Launch a URL from the command line
- play: Play an audio file; it takes one argument, the name of the file
- plutil: Property-list utility based on Apple's and expanded with extra functionality. Run without arguments for a usage message
• 68. (continued)
- recAudio: Record audio from the onboard microphone
- restart: A non-locking, 2.0-safe way of restarting Springboard
- sb: A Springboard-specific utility that allows you to set, reset, and query your Springboard prefs. Run without arguments for a usage message
- sbar: Test status bar icons. The usage message gives info on how to use this utility
- tweet: Send an update to Twitter. Takes three arguments: user name, password, and the tweet itself; quote the tweet if necessary to keep it as one argument
- urlclip: Create a webclip (either normal or tel://) on Springboard from the command line
• 69. Tools
• 70. EnCase
Source: http://www.guidancesoftware.com/
EnCase is the most efficient and user-friendly tool for recovering data from the HFS+ file system used by Mac computers and by iPods formatted on Mac computers. It displays the file structure of an HFS+ formatted device, including hidden folders. EnCase is a platform-independent application and can be used with both Mac and Windows versions of iPods. It is able to extract deleted information even after several factory restorations of the device, and after switches between the HFS+ and FAT file systems. EnCase automatically displays deleted files on an iPod, and the Find File script can be used to recover deleted files including images and Word documents.
Features:
- Acquires data using software with a proven record in courts worldwide
- Investigates and analyzes multiple platforms such as Windows, Linux, AIX, OS X, and Solaris
- Saves days of analysis time by automating complicated and routine tasks with prebuilt EnScript modules, such as Initialized Case and Event Log analysis
- Finds information in spite of efforts to hide, cloak, or delete it
- Easily handles large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack, and unallocated space
- Transfers evidence files directly to law enforcement or legal representatives
- Review options enable non-investigators such as attorneys to review evidence easily
- Reporting options allow quick report preparation
• 71. Figure 37-20: Screenshot of EnCase
• 72. DiskInternals Music Recovery
Source: http://www.diskinternals.com/music-recovery/
DiskInternals Music Recovery recovers media files that have been deleted or corrupted. It supports most media types, storage devices, and file systems. It can recover files even if the storage device was formatted and all information was erased, or if the information is corrupted.
Features:
- Supports a number of media formats, including mp3, wma, asf, wav, ogg, wv, ra, rm, vqf, mid, and voc, and supports Windows, Mac OS, Linux, and other disk types
- Recovers files from hard drives, iPods, USB flash drives, mp3 players, and CD and DVD discs
- Comes with an integrated media player so users can preview the files they want to recover; if a file is audible, it can be recovered
Along with the restored media, DiskInternals Music Recovery presents additional information. Its "Music Slideshow" feature shows the sequence of tags and album covers of media files while the tool scans for deleted files.
• 73. Figure 37-21: Screenshot of DiskInternals Music Recovery
• 74. Recover My iPod: Tool
Source: http://www.recovermyipod.com/
Recover My iPod is iPod recovery software that allows you to recover deleted or lost iPod files.
Features:
- Recovers music, video, and images of the .m4a, .mp3, .mov, QuickTime, and .jpeg file types from any iPod
- Supports a range of iPods, such as the iPod, iPod Shuffle, iPod Mini, iPod Nano, and other devices
- Recovers data after an iPod Reset or Restore
System requirements:
- Operating system: Windows 9X/ME/200X/XP/2003
- RAM: 64 MB recommended
- Hard disk: At least 6 MB of free disk space
Recover My iPod has two search modes:
- A "Fast Search" quickly searches an iPod for deleted files
- A "Deep Search" recovers all deleted, lost, corrupted, or unrecognized iPod drives
The Recover My iPod search results screen previews all iPod files that can be recovered, including full song titles.
• 75. Figure 37-22: Screenshot of Recover My iPod
• 76. iPod Data Recovery Software
Source: http://www.datadoctor.org/
iPod Data Recovery software is developed specifically for iPod music users. It is designed to recover data from all Apple iPods, including the Mini, Shuffle, Nano, and the latest fifth-generation iPod series. iPod Music Recovery software recovers songs, images, pictures, video, audio, photos, mp3s, and mp4s on Windows 98, Windows NT, Windows 2000, and Windows XP. It supports all recent versions of iTunes (including iTunes 7).
Features:
- Recovers video files, audio files, music files, mp3s, pictures, etc.
- Retrieves all your missing files from the Windows operating system
- Supports all Apple iPods, including the iPod Mini, iPod Nano, iPod Shuffle, etc.
- Restores files lost due to accidental formatting or deletion
- Retrieves data even after a reset operation has been performed on your iPod
- Enables access even if the disk partition volume is not recognized by your computer
- Recovers data if a "drive not formatted" message is displayed while accessing your iPod as a disk drive
- Compatible with all versions of iTunes
- Supports iPods of all storage capacities
- Supports the following iPod models:
  - Apple iPod first generation
  - Apple iPod second generation
  - Apple iPod third generation
  - Apple iPod fourth generation
  - Apple iPod fifth generation
  - Apple iPod Mini (first and second generation)
  - Apple iPod Nano (first and second generation)
• 77.
  - Apple iPod Shuffle (first and second generation)
  - Apple iPod U2
  - Apple iPod Hi-Fi
Figure 37-23: Screenshot of iPod Data Recovery software
• 78. iPod Copy Manager
Source: http://www.aimersoft.com/
iPod Copy Manager is iPod backup and recovery software.
Features:
- Copies songs, videos, and DVD movies back from an iPod to a computer when your iTunes Library is lost
- Backs up your iPod videos and music to a computer when you need to send your iPod for repair or when the system crashes
- Transfers videos, songs, movies, and TV shows to the iPod directly
• 79. Figure 37-24: Screenshot of iPod Copy Manager
• 80. Stellar Phoenix iPod Recovery
Source: http://www.stellarinfo.com/
Stellar Phoenix iPod Recovery is a tool designed to recover all your music files, graphics, videos, documents, and other content from an iPod.
Key Features:
- Works for all iPod data content, including music files, video files, podcasts, audio books, graphic files, and documents
- iPod recovery in the case of file deletion
- Restoration of the playlist in the same order after recovery
- Graphically rich user interface
- Compatible with all generations of iPod, such as the iPod classic, iPod Mini, iPod Shuffle, iPod Nano, and iPod Touch
- Complete iPod recovery from formatted or crashed media
- Read-only utility that ensures no write operations are performed on the device
- Find File, File Mask, and File Filter options to help you search, view, and recover any specific file type
- Available for Windows and Macintosh operating systems
• 81. Figure 37-25: Screenshot of Stellar Phoenix iPod Recovery
• 82. Tool: Aceso
Source: http://www.radio-tactics.com/
Aceso is a forensic tool that downloads data stored in mobile phone SIM/USIM cards, handsets, and memory cards.
Features:
- Handset Access Card creation
  - Blocks network access for all SIM and USIM cards
  - Prevents overwriting of existing data
- SIM/USIM acquisition
  - Dual mode also supported
- Handset acquisition
  - 421 supported handsets, including Blackberry, Symbian, and iPhone
  - Data types supported: contacts, SMS, MMS, call registers, calendar, file system
- Memory card acquisition
  - Raw bit-for-bit image
  - File system
Figure 37-26: Aceso
• 83. Tool: Cellebrite UME 36 Pro
Source: http://www.cellebrite.com
Cellebrite UME 36 Pro is a forensic tool that transfers all forms of memory content as a backup. It supports a wide range of mobile phones, smartphones, and PDAs, including the iPhone. The content that Cellebrite can transfer is as follows:
- Pictures
- Videos
- Ringtones
- SMS
- Phonebook contact data
Features:
- Based on Windows CE
- Supports transfer of content across all mobile handset technologies: GSM, CDMA, UMTS, 3G, TDMA, iDEN, and more
- Transfers the phone's internal memory and SIM card content
- Transfers phonebooks, pictures, videos, ringtones, and SMS
- Supports multiple language encodings
- Available connectivity: USB, serial, IrDA, and Bluetooth connections to phones
- Transfer, backup, and restore of mobile phone content
- Supports Symbian™, Microsoft Mobile™, Palm™, and Blackberry™ operating systems
- Integrated SIM/smart card reader
- Integrated PC connection allowing content backup and management
- Stand-alone device or an integrated PC solution
- User-friendly and self-explanatory
- Easily upgraded through software file downloads
• 84. Figure 37-27: Cellebrite UME 36 Pro
• 85. Tool: Wolf
Source: http://sixthlegion.com
Wolf allows the user or examiner to forensically examine the memory of Apple's smartphone. It can process iPhones protected by a security passcode without relying on hacking solutions that alter undisclosed files on the device. The application retrieves the content of the iPhone without jailbreaking it. The content it can extract is as follows:
- Handset info
- Contacts
- Call logs
- Messages
- Internet info and history
- Photos
- Music and videos
• 86. Figure 37-28: Screenshot of Wolf
• 87. Tool: Device Seizure
Source: http://www.paraben-forensics.com
Device Seizure acquires and analyzes data from various mobile phones, PDAs, and GPS devices, including the iPhone. Text messages and images can be found in a physical data dump of a phone. Device Seizure can acquire the following data:
- SMS history (text messages)
- Deleted SMS (text messages)
- Phonebook
- Call history
  - Received calls
  - Dialed numbers
  - Missed calls
  - Call dates and durations
- Datebook
- Scheduler
- Calendar
- To-do list
- File system
• 88. Figure 37-29: Screenshot of Device Seizure (Source: http://www.fileheap.com/)
• 89. Tool: PhoneView
Source: http://www.ecamm.com/
PhoneView provides easy access to iTunes media, photos, notes, SMS messages, call history, and contacts.
Features:
- File storage made easy: Makes it simple to transfer files between a Mac and an iPhone
- Powerful notes access: Adds, views, and edits the iPhone's notes on a Mac desktop
- Export of SMS messages and recent calls: This information can be viewed in a text editor or spreadsheet
Figure 37-30: Screenshot of PhoneView (Source: http://www.ecamm.com/)
• 90. Tool: iPhone Drive
Source: http://www.findmysoft.com/
iPhoneDrive is a Mac OS X application that allows an iPhone to be used for file storage. Its drag-and-drop feature makes it easy to move files back and forth between the Mac and the iPhone.
Features:
- Stores any type of data
- Copies files and folders to and from the iPhone
- Backs up important data
Figure 37-31: Screenshot of iPhone Drive (Source: http://www.macworld.com/)
• 91. Tool: Tansee iPhone Transfer SMS
Source: http://pocket.qweas.com/
Tansee iPhone Transfer SMS is a tool that copies SMS messages from the iPhone to a computer.
Features:
- Backs up SMS messages from the iPhone to the computer
- Views and manages old iPhone SMS messages on the computer
- Views SMS messages in text file format or ANTS file format on the computer
- Password protection support for ANTS files
Figure 37-32: Screenshot of Tansee iPhone Transfer SMS
• 92. Tool: SIM Analyzer
Source: http://cpa.datalifter.com/
SIM Analyzer is a cell phone forensics tool that recovers the contents of the SIM cards of different cell phones. It recovers:
- Last numbers dialed and abbreviated dialing numbers
- Active and deleted text (SMS) messages
- All the general files found in the Telecom group as defined in the GSM 11.11 v6 standard
Figure 37-33: Screenshot of SIM Analyzer
• 93. Tool: SIMCon – SIM Card Recovery
Source: http://www.simcon.no/
SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer file using the SIMCon forensic SIM card reader.
Features:
- Reads all available files on a SIM card and stores them in an archive file
- Analyzes and interprets the content of files, including text messages and stored numbers
- Recovers deleted text messages stored on the card but not readable on phones
- Manages PIN and PUK codes
- Compatible with SIM and USIM cards
- Prints a report that can be used as evidence, based on the user's selection of items
- Secures the file archive using MD5 and SHA1 hash values
- Exports items to files that can be imported into popular spreadsheet programs
• 94. Figure 37-34: Screenshot of SIMCon
• 95. Tool: SIM Card Data Recovery Software
Source: http://www.datadoctor.in
SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM cards.
Features:
- Retrieves all deleted contact numbers (phone numbers), unreadable messages, and corrupt phonebook directories
- Undeletes both viewed and unread inbox text messages, outbox messages, draft, saved, and favorite text messages, and sent items that have been deleted from SIM card memory
- Provides full details about a SIM card, such as its provider and ICC-ID
Figure 37-35: Screenshot of SIM Card Data Recovery
• 96. Summary
- iPods can be used as digital media storage devices as well as audio and video players
- uClinux is the port of the Linux kernel that supports CPUs without a memory-management unit
- iPods formatted with Mac computers use Apple's HFS+ file system; the Windows version, formatted with Windows machines, uses the FAT32 file system
- The iPod uses the standard vCard file format for storing contact information
- Jailbreaking is the process of unlocking iPhone and iPod Touch devices to permit the installation of third-party applications
- When unmounting the device, do not directly disconnect or unplug it from the computer, as this might damage the device
- The main aim of preserving the evidence is to maintain its integrity
- Write blocking is a technique that prevents alteration and maintains the integrity of data storage devices
- The file iPod_Control\iTunes\DeviceInfo on the iPod contains a number of pieces of forensic information
- The data partition on the iPod contains all the user information stored on the iPod
- The Trashes folder on iPods shows all the deleted files
- The registry gives information about the keys generated by connecting the iPod to a computer and the last time these keys were changed
- The setupapi.log file is somewhat similar to the registry files in Windows. It stores events that occur on the Windows computer, including the time the iPod was connected to the system
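The summary notes that setupapi.log records when an iPod was connected to a Windows computer. The following parser, added here as an example and not part of the EC-Council module, pulls the driver-install timestamp, hardware IDs, and device instance ID out of a Windows XP-style setupapi.log and filters for iPod entries; the log excerpt is constructed to match that layout and is not a real capture.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of a Windows XP setupapi.log (not a real capture).
# Each "Driver Install" block begins with a bracketed timestamp header.
SAMPLE_LOG = r"""[2008/03/07 10:22:31 1532.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskapple___ipod____________1.62,usbstor\diskapple___ipod____________
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I022 Found "USBSTOR\Disk" in C:\WINDOWS\inf\usbstor.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A2700AABBCCDD&0" finished successfully.
[2008/03/08 09:01:05 1532.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskkingstondatatraveler_2.0_____1.00
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\5B7212345678&0" finished successfully.
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ (.+)\]$")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
INSTALL_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.$')


@dataclass
class DeviceInstall:
    """One driver-install event reconstructed from setupapi.log."""
    timestamp: str                      # local time as written in the log header
    hardware_ids: List[str] = field(default_factory=list)
    instance_id: Optional[str] = None   # PnP instance path, e.g. USBSTOR\...\<serial>&0


def parse_setupapi(text: str) -> List[DeviceInstall]:
    """Walk the log line by line, grouping lines under the most recent Driver Install header."""
    entries: List[DeviceInstall] = []
    current: Optional[DeviceInstall] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # Only driver installs describe a newly attached device; skip other section kinds.
            current = DeviceInstall(header.group(1)) if header.group(2) == "Driver Install" else None
            if current is not None:
                entries.append(current)
            continue
        if current is None:
            continue
        hwid = HWID_RE.match(line)
        if hwid:
            current.hardware_ids = [h.strip() for h in hwid.group(1).split(",")]
            continue
        done = INSTALL_RE.match(line)
        if done:
            current.instance_id = done.group(1)
    return entries


def serial_from_instance_id(instance_id: str) -> str:
    """The last path component of a USBSTOR instance ID carries the device serial before '&0'."""
    return instance_id.rsplit("\\", 1)[-1].split("&")[0]


def find_ipod_installs(text: str) -> List[DeviceInstall]:
    """Return only the installs whose hardware or instance IDs identify an Apple iPod."""
    return [
        e for e in parse_setupapi(text)
        if any("ipod" in h.lower() for h in e.hardware_ids)
        or (e.instance_id is not None and "IPOD" in e.instance_id.upper())
    ]


if __name__ == "__main__":
    for e in find_ipod_installs(SAMPLE_LOG):
        print(e.timestamp, serial_from_instance_id(e.instance_id or ""), e.hardware_ids[0])
```

Note that setupapi.log records the driver installation, so the timestamp marks the first time that particular device was attached, not every later connection; correlate it with the registry keys mentioned above for subsequent use.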
• 97. Exercise:
1. Discuss different features of the iPod and iPhone.
2. Write a brief note on the trash in iPods and iPhones. How do you recover deleted files from the trash?
3. List the various files that are downloaded to the computer during the iTunes sync process.
4. Explain the four abstraction layers of the iPhone.
5. Discuss the various application formats of the iPod.
• 98.
6. What are the prerequisites for iPod forensics?
7. Discuss the various techniques used for iPod forensics.
8. Explain jailbreaking in iPod Touch and iPhone devices.
9. Discuss the various tools that are frequently used for jailbreaking.
• 99.
10. Discuss the various iPod and iPhone forensics tools.
• 100. Hands-On
1. Find the file system on your iPod and iPhone.
2. Use iTunes and try to download songs onto your iPod.
3. Create a bitstream image of the iPod and iPhone using FTK.
4. Run EnCase and see the results.