View Full Version : iPod Touch Forensic Analysis




Alzaman
May 29, 2011, 08:45 AM
I'm commencing a final year project and would like some guidance on software, both Windows and Apple, to use, commercial and open source.

Any previous experiences users may have in iPod Touch Forensic Analysis field, or any opinions you may have on the subject are also welcomed.

Thanks in advance.



macingman
May 29, 2011, 10:02 AM
I'm commencing a final year project and would like some guidance on software, both Windows and Apple, to use, commercial and open source.

Any previous experiences users may have in iPod Touch Forensic Analysis field, or any opinions you may have on the subject are also welcomed.

Thanks in advance.

What do you mean by "iPod touch forensic analysis"? What do you want to do?

Alzaman
May 29, 2011, 11:34 AM
My intention is to compare and contrast the iPod touch 4th Generation before and after factory restore has been executed on the device.

I will also be looking at the file artefacts and directory structure for changes during those events, and also if test files can still be recovered after the factory restore has been completed.

I'm currently using this scenario on an iPod Nano 1st Gen until the iPod Touch arrives, but I realise the 2 devices are completely different, that is why I am reading books such as iOS Forensic Analysis, Morrisey, 2010.

Thanks for your reply.
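The before/after comparison described in the post above can be done by hashing every file in two extracted copies of the file system and classifying the differences. This is an added example, not part of the original post; the directory names and file contents are constructed sample data, and it assumes both images have already been mounted or extracted read-only.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # do not follow links out of the image
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[os.path.relpath(full, root)] = digest.hexdigest()
    return result


def compare(before, after):
    """Classify every path as removed, added, modified or unchanged."""
    common = set(before) & set(after)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "unchanged": sorted(p for p in common if before[p] == after[p]),
    }


def build_sample(root, files):
    """Write a constructed sample tree (stand-in for an extracted image)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    # Constructed sample data: hypothetical paths, not real device contents.
    with tempfile.TemporaryDirectory() as pre, tempfile.TemporaryDirectory() as post:
        build_sample(pre, {"Media/test_files/marker.txt": b"planted test file",
                           "Library/Preferences/settings.plist": b"user=1",
                           "System/version.txt": b"build"})
        build_sample(post, {"Library/Preferences/settings.plist": b"default",
                            "Library/Caches/setup.db": b"first run",
                            "System/version.txt": b"build"})
        return compare(manifest(pre), manifest(post))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

A comparison like this only covers allocated files; checking whether the planted test files are still recoverable after the restore needs a search of the raw image for their content.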

Dr Kevorkian94
May 29, 2011, 03:21 PM
I don't think u can gain access to all the files to see what's changed unless u jailbreak it, but u probably know this already. Then u would also have to separate the files added from jail breaking and then compare. I'm assuming this is also after use of the device with potential info on it that the bad guy had lol. If something were to come up in an actual case I'm sure if it was important enough the police would contact Apple and have them unlock it or do the forensics themselves. But for u this is the best option especially if u want to be thorough. I'm going to be an a** and say that smart criminals don't carry smart phones, so I would try if possible a regular stupid flip phone, or like u said the nano. U probably know this already though.

I admire computer forensics and regular forensics because there is a lot of talent needed if u want to be good at it.

RossMc
Aug 4, 2011, 11:23 AM
I saw your post in the thread I had up and just in case you come back on to find out if anyone has replied to your thread and miss the other one I will copy my answer into this thread as well.

Yeah I found a way to do it but it involves the iPhone being jailbroken so for Forensic purposes as you may know if you are doing this that this may not be admissible in court as it goes against the first ACPO guideline which is

"No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court."

So unless you know exactly what is happening when you jailbreak the iPhone and what changes it is making and if this is in any way going to affect the evidence which is on the device and be able to fully explain all this then it shouldn't be done. For my assignment it was fine though as this was just showing it could be done.

As stated in the second principle

"In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions."

Basically what you need to do is to SSH into the iPhone and then do the imaging process through SSH with a few commands and a LOT of waiting lol. Once the imaging process is done you will have the Root image and then the Media image and then you can use whichever software you want to analyse the taken image such as Forensic Tool Kit or Sleuth Kit.

If you want detailed information on how to do it with the commands etc then feel free to PM me and I will explain how it was done.

donlab
Aug 4, 2011, 02:54 PM
Is there a program which intercepts the iTunes backup of iOS? Then one could possibly perform forensics on the backup? I'm not sure if the device's file attributes would be changed/flagged during a backup or not.

RossMc
Aug 5, 2011, 10:59 AM
Is there a program which intercepts the iTunes backup of iOS? Then one could possibly perform forensics on the backup? I'm not sure if the device's file attributes would be changed/flagged during a backup or not.

If you are doing Forensics you want a 'bit for bit' copy of the drive. A backup would not give you this.

johnnytsunami
Apr 15, 2014, 11:52 PM
Hello everyone, a question I'm interested in having answered is, in short, "What can Police forensics discover from an iPod touch 5th generation"?
1. With no deletion, or factory reset performed, iPod powered on with password on.

2. With Factory Reset performed, No Password enabled?

I'm really interested in knowing from a professional's point of view, what information can the police discover and how much of the information can they discover, example from 2014-2013, to the beginning of the iPod's time, etc.

960design
Apr 16, 2014, 01:22 PM
Back from the DEAD!

Check this site out:
http://www.fldoe.org/asp/ftce/

Just in case link dies:
BlackLight (Mac and Windows based)
Elcomsoft Phone Password Breaker (Windows based)
Elcomsoft iOS Forensic Toolkit 1.0.5 (Mac and Windows based)
Cellebrite (Windows based)
AccessData Forensic Toolkit v3 (Windows based)
Oxygen Forensic Suite (Windows based)
iXAMiner (Windows based)
Lantern (Mac based)
iPhone Backup Analyzer 2 (Multi-platform python)

Espeonia
Apr 16, 2014, 01:40 PM
Back from the DEAD!

Check this site out:
http://www.fldoe.org/asp/ftce/

Just in case link dies:
BlackLight (Mac and Windows based)
Elcomsoft Phone Password Breaker (Windows based)
Elcomsoft iOS Forensic Toolkit 1.0.5 (Mac and Windows based)
Cellebrite (Windows based)
AccessData Forensic Toolkit v3 (Windows based)
Oxygen Forensic Suite (Windows based)
iXAMiner (Windows based)
Lantern (Mac based)
iPhone Backup Analyzer 2 (Multi-platform python)

Florida Teacher Certification Examinations? I think you pasted the wrong link :p
(I think you meant this (http://www.appleexaminer.com/iPhoneiPad/iOSAnalysisTools/iOSAnalysisTools.html))

Dirtysand
Apr 18, 2014, 03:01 PM
Hello everyone, a question I'm interested in having answered is, in short, "What can Police forensics discover from an iPod touch 5th generation"?
1. With no deletion, or factory reset performed, iPod powered on with password on.

2. With Factory Reset performed, No Password enabled?

I'm really interested in knowing from a professional's point of view, what information can the police discover and how much of the information can they discover, example from 2014-2013, to the beginning of the iPod's time, etc.
An interesting read:
http://www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf