iPhone and iOS Forensics
Author: Andrew Hoog and Katie Strzempka
With the seemingly unstoppable popularity of Apple mobile devices such as the iPhone and the iPad, forensic specialists need to learn about the specific device models and their features, functions and file system, how to use the most popular commercial tools for analyzing and recovering the data and applications contained within them, and how to do it all in a legal manner. Luckily, all that knowledge is shared in this book.
About the authors
Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm.
Katie Strzempka is a Technology Consultant with viaForensics. She performs forensic investigations, security audits and research, and has trained investigators around the world in mobile forensics.
Inside the book
With the advent of smartphones and tablet computers, much of the data that was previously stored on desktop and laptop computers has also found its way onto those devices. And among the most popular devices in these two newer categories are definitely the iPhone (nearly 150 million units sold so far) and the iPad (circa 25 million sold).
Being Apple products and running Apple’s iOS mobile platform, they differ in many ways from similar devices offered by other companies, both in design and in function. So, learning how to extract data from them should start with finding out the differences between the various models and the various forensic examination approaches – all covered in the first chapter, with a special mention of Linux forensic tools.
The rather short second chapter teaches the reader about the various operating modes and settings of Apple mobile devices, as well as the way they interact with iTunes, the App Store and MobileMe. The third one teaches the reader which data is stored on the iPhone and where, and which information can be recovered from it with forensic tools – things that all users should be aware of. In fact, I believe that these two chapters should be available for free download on the Internet, as they are extremely well written and helpful.
The fourth chapter contains information important to mobile device administrators and application developers, and offers general recommendations for securing applications and devices – especially those used in enterprises.
The last three chapters are dedicated almost exclusively to forensic experts. Chapter 5 introduces the different types of investigations for which their services may be required and the rules that they have to follow in order for the discovered evidence to be admitted in court. It then proceeds to explain every single step in the imaging (data acquisition) process for all the devices, pointing out not-so-obvious potential mistakes to be avoided.
Once the image is acquired, it’s time for it to be analyzed. Chapter 6 explains the techniques used to do that in great detail, with helpful screenshots and tons of code. The chapter includes the analysis of data collected and stored by popular third-party applications (Facebook, Dropbox, Mint.com, etc.).
Finally, in Chapter 7, the authors review a dozen or so forensic tools and toolkits available for the iPhone: CelleBrite UFED, iXAM, Oxygen Forensic Suite 2010, XRY, Lantern, MacLock Pick, Mobilyze, Zdziarski Technique, Paraben Device Seizure, MobileSyncbrowser, CellDEK, EnCase Neutrino, and iPhone Analyzer. A short description and the installation process for each tool are shared, as well as how to execute the forensic acquisition process, which results can be expected, and how they are reported.
iPhone and iOS Forensics is an extremely informative book that may interest even people who aren’t interested in mobile forensics. With the aforementioned numbers of sold Apple mobile devices in the world, I believe that many users should at least have a casual knowledge of what’s going on behind the buttons and the screen, and what information can be extracted from the devices even after it has been deleted.
But the second, more technical part of the book is what will intrigue forensic specialists, and it is for that part that the book is worth reading. While a lot of the information contained in those chapters can be gathered from across the Internet, this tome helpfully gathers it all in one place for easier perusal – not to mention the fact that the knowledge comes from two people who perform forensic analysis for a living.