iPod Touch Forensic Analysis

Discussion in 'iPod touch' started by Alzaman, May 29, 2011.

  1. Alzaman macrumors newbie

    May 29, 2011
    I'm commencing a final year project and would like some guidance on software, both Windows and Apple, to use, commercial and open source.

    Any previous experiences users may have in the iPod Touch Forensic Analysis field, or any opinions you may have on the subject, are also welcome.

    Thanks in advance.
  2. macingman macrumors 68020


    Jan 2, 2011
    What do you mean by "iPod touch forensic analysis"? What do you want to do?
  3. Alzaman thread starter macrumors newbie

    May 29, 2011
    My intention is to compare and contrast the iPod touch 4th Generation before and after factory restore has been executed on the device.

    I will also be looking at the file artefacts and directory structure for changes during those events, and also if test files can still be recovered after the factory restore has been completed.

    I'm currently using this scenario on an iPod Nano 1st Gen until the iPod Touch arrives, but I realise the 2 devices are completely different, that is why I am reading books such as iOS Forensic Analysis, Morrissey, 2010.

    Thanks for your reply.
  4. Dr Kevorkian94, May 29, 2011
    Last edited: May 29, 2011

    Dr Kevorkian94 macrumors 68020

    Jun 9, 2009
    SI, NY
    I don't think u can gain access to all the files to see what's changed unless u jailbreak it, but u probably know this already. Then u would also have to separate the files added from jailbreaking and then compare. I'm assuming this is also after use of the device with potential info on it that the bad guy had lol. If something were to come up in an actual case I'm sure if it was important enough the police would contact Apple and have them unlock it or do the forensics themselves. But for u this is the best option especially if u want to be thorough. I'm going to be an a** and say that smart criminals don't carry smart phones, so I would try if possible a regular stupid flip phone, or like u said the nano. U probably know this already though.

    I admire computer forensics and regular forensics because there is a lot of talent needed if u want to be good at it.
  5. RossMc macrumors 65816


    Apr 30, 2010
    Newcastle, UK
    I saw your post in the thread I had up and, just in case you come back on to find out if anyone has replied to your thread and miss the other one, I will copy my answer into this thread as well.

    Yeah I found a way to do it but it involves the iPhone being jailbroken so for Forensic purposes as you may know if you are doing this that this may not be admissible in court as it goes against the first ACPO guideline which is

    "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court."

    So unless you know exactly what is happening when you jailbreak the iPhone and what changes it is making and if this is in any way going to affect the evidence which is on the device and be able to fully explain all this then it shouldn't be done. For my assignment it was fine though as this was just showing it could be done.

    As stated in the second principle

    "In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions."

    Basically what you need to do is to SSH into the iPhone and then do the imaging process through SSH with a few commands and a LOT of waiting lol. Once the imaging process is done you will have the Root image and then the Media image and then you can use whichever software you want to analyse the taken image such as Forensic Tool Kit or Sleuth Kit.

    If you want detailed information on how to do it with the commands etc then feel free to PM me and I will explain how it was done.
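The before/after comparison described in post 3, applied to the extracted contents of images like those post 5 mentions, as an added example that is not part of the original thread. It assumes each image has already been mounted read-only or extracted to a directory; the file names and contents in `demo()` are constructed and do not reflect a real device layout.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, symlinks and special files
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def diff_manifests(before, after):
    """Classify paths as removed, added or changed; flag surviving content."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    by_digest = {}
    for path, digest in sorted(after.items()):
        by_digest.setdefault(digest, []).append(path)
    # A removed file whose exact content still exists under another path afterwards
    recovered = {p: by_digest[before[p]] for p in removed if before[p] in by_digest}
    return {"removed": removed, "added": added, "changed": changed, "recovered": recovered}

def demo():
    """Build two small constructed trees (hypothetical names) and diff them."""
    before_files = {"Media/DCIM/test_photo.jpg": b"constructed test photo",
                    "Media/Notes/test_note.txt": b"constructed test note",
                    "Library/Preferences/settings.plist": b"user settings"}
    after_files = {"Library/Preferences/settings.plist": b"factory defaults",
                   "Library/Caches/setup.db": b"first boot",
                   "carved/0001.bin": b"constructed test note"}  # carving tool output
    with tempfile.TemporaryDirectory() as tmp:
        manifests = []
        for name, files in (("before", before_files), ("after", after_files)):
            for rel, data in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
            manifests.append(build_manifest(Path(tmp, name)))
    return diff_manifests(*manifests)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing the planted test files before the restore is what lets a later match in carved or unallocated data be attributed to a specific original file rather than to similar-looking content.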
  6. donlab macrumors 6502


    Jun 3, 2004

    Is there a program which intercepts the iTunes backup of iOS? Then one could possibly perform forensics on the backup? I'm not sure if the device's file attributes would be changed/flagged during a backup or not.
  7. RossMc macrumors 65816


    Apr 30, 2010
    Newcastle, UK
    If you are doing Forensics you want a 'bit for bit' copy of the drive. A backup would not give you this.
  8. johnnytsunami macrumors newbie

    Apr 15, 2014
    Hello everyone. A question I'm interested in having answered is, in short, "What can police forensics discover from an iPod touch 5th generation?"
    1. With no deletion, or factory reset performed, iPod powered on with password on.

    2. With Factory Reset performed, No Password enabled?

    I'm really interested in knowing, from a professional's point of view, what information the police can discover and how much of the information they can discover, for example from 2014-2013, to the beginning of the iPod's time, etc.
  9. 960design, Apr 16, 2014
    Last edited: Apr 21, 2014

    960design macrumors 68030

    Apr 17, 2012
    Destin, FL
    Back from the DEAD!

    Check this site out:

    Just in case link dies:
    BlackLight (Mac and Windows based)
    Elcomsoft Phone Password Breaker (Windows based)
    Elcomsoft iOS Forensic Toolkit 1.0.5 (Mac and Windows based)
    Cellebrite (Windows based)
    AccessData Forensic Toolkit v3 (Windows based)
    Oxygen Forensic Suite (Windows based)
    iXAMiner (Windows based)
    Lantern (Mac based)
    iPhone Backup Analyzer 2 (Multi-platform python)
  10. Espeonia, Apr 16, 2014
    Last edited: Apr 22, 2014

    Espeonia macrumors member


    Sep 10, 2013
    Florida Teacher Certification Examinations? I think you pasted the wrong link :p
    (I think you meant this)
  11. Dirtysand, Apr 18, 2014
    Last edited by a moderator: Apr 21, 2014

    Dirtysand macrumors member

    Feb 10, 2014
    An interesting read:
  12. 960design macrumors 68030

    Apr 17, 2012
    Destin, FL
    Haha! Thank you and corrected. Nothing to see here. I meant to do that. Haha!
