Computer Forensic Investigation and Cryptography

Computer Forensic Investigation and Cryptography notes

iPod/iPhone forensics


There are two partitions:
Firmware: not usually changed except during firmware upgrades
Data: where most of the user data and settings are stored


Password files
Located under /private/etc
Two users: root and mobile, both of which have the default password "alpine"

The data partition
Mount point: /dev/disk0s2 is mounted at var/mobile
Most information is now in /private/var/mobile

Folder structure
Numerous folders such as tmp, library and timezone, each containing data related to its name

Approaches
Can use iPhone Backup Extractor directly, then select what to extract
Jailbreak:
Install dd, ssh and nc (netcat)
Pipe the output of dd through netcat to another computer
This yields a disk image
From the image, artefacts such as the call history (callhistory.db) can be recovered; these are SQLite databases
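Once an image has been taken, databases such as the call history are read with ordinary SQLite tooling. As an added example (not from these notes), the Python below hashes the database file, opens it read-only so the evidence is not altered, and decodes the stored timestamps; the table layout and the sample rows are constructed for the example and are not Apple's real schema.

```python
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample rows: (number, Unix timestamp, duration in seconds).
SAMPLE_CALLS = [
    ("+441234567890", 1262304000, 120),  # 2010-01-01T00:00:00+00:00
    ("+441234567891", 1262307600, 0),    # 2010-01-01T01:00:00+00:00
]

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; record this for the image before analysis."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_sample_db(path):
    """Write the constructed call table (assumed schema, not Apple's own)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE call (address TEXT, date INTEGER, duration INTEGER)")
    con.executemany("INSERT INTO call VALUES (?, ?, ?)", SAMPLE_CALLS)
    con.commit()
    con.close()

def read_calls(path):
    """Open read-only so the evidence file cannot change, and decode each row."""
    con = sqlite3.connect(f"file:{Path(path).as_posix()}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT address, date, duration FROM call ORDER BY date").fetchall()
    finally:
        con.close()
    return [{"address": a,
             "time_utc": datetime.fromtimestamp(d, tz=timezone.utc).isoformat(),
             "duration_s": dur} for a, d, dur in rows]

def demo():
    """Build the sample, hash it, parse it; returns (sha256, calls, unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "callhistory.db"
        build_sample_db(db)
        before = sha256_file(db)
        calls = read_calls(db)
        return before, calls, sha256_file(db) == before
```

Comparing the hash before and after reading is the check that the read-only open really left the file untouched.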

Software such as Cellebrite can also be used, which does most of the work for you

Useful links
Various iPhone Unix Utilities
http://iphone.natetrue.com/
iPhone Database Extractor
http://www.iphonebackupextractor.com/
MacOSX/iPhone forensic
http://www.amazon.co.uk/Macintosh-iPhone-Forensic-Analysis-Toolkit/dp/1597492973/
http://148.197.5.10/TalisPrism/doOpenURLSearch.do?isbn=1597492973
iPhone Forensics
http://www.amazon.co.uk/iPhone-Forensics-Recovering-Evidence-Corporate/dp/0596153589/ref=pd_sim_b_2
http://148.197.5.10/TalisPrism/doOpenURLSearch.do?isbn=0596153589
