Hoog / Strzempka | iPhone and iOS Forensics | E-Book | sack.de

E-book, English, 336 pages

Hoog / Strzempka: iPhone and iOS Forensics

Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices
1st edition 2011
ISBN: 978-1-59749-660-5
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark


iPhone and iOS Forensics is a guide to the forensic acquisition and analysis of iPhone and iOS devices, and offers practical advice on how to secure iOS devices, data and apps. The book takes an in-depth look at methods and processes that analyze the iPhone/iPod in an official legal manner, so that all of the methods and procedures outlined in the text can be taken into any courtroom. It includes information on data sets that are new and evolving, with official hardware knowledge from Apple itself to aid investigators. This book consists of 7 chapters covering device features and functions; file system and data storage; iPhone and iPad data security; acquisitions; data and application analysis; and commercial tool testing. This book will appeal to forensic investigators (corporate and law enforcement) and incident response professionals.

- Learn techniques to forensically acquire the iPhone, iPad and other iOS devices
- An entire chapter focused on data and application security that can assist not only forensic investigators, but also application developers and IT security managers
- In-depth analysis of many of the common applications (both default and downloaded), including where specific data is found within the file system

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training about the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs and lectures and trains both corporations and law enforcement agencies. As the foremost expert in Android Forensics, he leads expert level training courses, speaks frequently at conferences and is writing a book on Android forensics.


Further information & material


Front Cover (p. 1)
iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad, and iOS Devices (p. 4)
Copyright (p. 5)
Contents (p. 6)
Acknowledgments (p. 10)
Preface (p. 12)
About the Authors (p. 14)
About the Technical Editor (p. 16)
Chapter 1: Overview (p. 18)
  Introduction (p. 18)
    Strategy (p. 19)
    Development community (p. 19)
  iPhone models (p. 21)
    iPhone hardware (p. 22)
  Forensic examination approaches (p. 25)
    iPhone leveling (p. 27)
    Acquisition types (p. 29)
    Forensics with Linux (p. 32)
  Summary (p. 49)
  References (p. 50)
Chapter 2: Device Features and Functions (p. 52)
  Introduction (p. 52)
  Apple device overview (p. 52)
  Operating modes (p. 54)
    Normal mode (p. 54)
    Recovery mode (p. 54)
    DFU mode (p. 54)
    Exiting Recovery/DFU mode (p. 58)
  Security (p. 59)
    Device settings (p. 59)
    Secure erase (p. 60)
    App security (p. 61)
  iTunes interaction (p. 61)
    Device synchronization (p. 61)
    iPhone backups (p. 62)
    iPhone restore (p. 63)
    iPhone iOS updates (p. 63)
    Upgrade (p. 63)
    Downgrade (p. 64)
    The App Store (p. 69)
    MobileMe (p. 69)
  Summary (p. 69)
  References (p. 70)
Chapter 3: File system and data storage (p. 72)
  Introduction (p. 72)
  What data is stored (p. 72)
  Where data is stored (p. 73)
  How data is stored (p. 76)
    Internal storage (p. 76)
    SQLite database files (p. 77)
    Property lists (p. 79)
    Network (p. 82)
  Memory types (p. 82)
    RAM (p. 82)
    NAND Flash (p. 83)
  iPhone operating system (p. 87)
    iOS layers (p. 87)
  File system (p. 88)
    Volumes (p. 91)
    Journaling (p. 91)
    iPhone disk partitions (p. 92)
  Summary (p. 93)
  References (p. 94)
Chapter 4: iPhone and iPad Data Security (p. 96)
  Introduction (p. 96)
  Data security and testing (p. 97)
    Computer crime laws in the United States (p. 97)
    Data protection in the hands of the administrators (p. 99)
    Security testing procedure (p. 102)
  Application security (p. 110)
    Corporate or individual mobile app consumers (p. 111)
    Corporate or individual mobile app developers (p. 113)
    Application security strategies for developers (p. 114)
  Recommendations for device and application security (p. 118)
  Summary (p. 120)
  References (p. 121)
Chapter 5: Acquisitions (p. 124)
  Introduction (p. 124)
  iPhone forensics overview (p. 124)
    Types of investigations (p. 125)
    Difference between logical and physical techniques (p. 126)
    Modification of the target device (p. 126)
  Handling evidence (p. 128)
    Passcode procedures (p. 128)
    Network isolation (p. 128)
    Powered-off devices (p. 129)
  Imaging an iPhone/iPad (p. 129)
    Backup acquisition (p. 129)
    Logical acquisition (p. 136)
    Physical acquisition (p. 137)
  Imaging other Apple devices (p. 150)
    iPad (p. 150)
    iPod Touch (p. 151)
    Apple TV (p. 151)
  Summary (p. 151)
  References (p. 152)
Chapter 6: Data and Application Analysis (p. 154)
  Introduction (p. 154)
  Analysis techniques (p. 154)
    Mount disk image (p. 154)
    File carving (p. 155)
    Strings (p. 161)
    Timeline development and analysis (p. 163)
    Forensic analysis (p. 170)
  iPhone data storage locations (p. 176)
    Default applications (p. 177)
    Downloaded apps (p. 184)
    Other (p. 187)
  iPhone application analysis and reference (p. 195)
    Default applications (p. 195)
    Third-party (downloaded) applications (p. 218)
  Summary (p. 227)
  References (p. 227)
Chapter 7: Commercial tool testing (p. 230)
  Introduction (p. 230)
  Data population (p. 231)
  Analysis methodology (p. 235)
  Cellebrite UFED (p. 237)
    Installation (p. 238)
    Forensic acquisition (p. 239)
    Results and reporting (p. 239)
  iXAM (p. 245)
    Installation (p. 246)
    Forensic acquisition (p. 246)
    Results and reporting (p. 247)
  Oxygen forensic suite 2010 (p. 251)
    Installation (p. 253)
    Forensic acquisition (p. 253)
    Results and reporting (p. 254)
  XRY (p. 256)
    Installation (p. 259)
    Forensic acquisition (p. 259)
    Results and reporting (p. 259)
  Lantern (p. 262)
    Installation (p. 265)
    Forensic acquisition (p. 265)
    Results and reporting (p. 265)
  MacLock Pick (p. 268)
    Installation (p. 270)
    Forensic acquisition (p. 271)
    Results and reporting (p. 271)
  Mobilyze (p. 272)
    Installation (p. 274)
    Forensic acquisition (p. 274)
    Results and reporting (p. 274)
  Zdziarski technique (p. 277)
    Installation (p. 280)
    Forensic acquisition (p. 280)
    Results and reporting (p. 280)
  Paraben Device Seizure (p. 283)
    Installation (p. 285)
    Forensic acquisition (p. 285)
    Results and reporting (p. 286)
  MobileSyncBrowser (p. 289)
    Installation (p. 290)
    Forensic acquisition (p. 290)
    Results and reporting (p. 291)
  CellDEK (p. 292)
    Installation (p. 293)
    Forensic acquisition (p. 295)
    Results and reporting (p. 295)
  EnCase Neutrino (p. 296)
    Installation (p. 298)
    Forensic acquisition (p. 299)
    Results and reporting (p. 299)
  iPhone Analyzer (p. 302)
    Installation (p. 304)
    Forensic acquisition (p. 304)
    Results and reporting (p. 304)
  Summary (p. 306)
  Reference (p. 307)
Appendix A (p. 308)
Appendix B (p. 310)
Appendix C (p. 312)
Index (p. 320)


Chapter 2: Device features and functions

Publisher Summary

The iPod, a portable media player, is a popular Apple product that is synchronized with iTunes in order to store music, videos, photos, and more, depending on the model. There are various types of the iPod, including the iPod Classic, iPod Shuffle, iPod Nano, and iPod Touch. These devices are capable of running in various operating modes, including Normal, Recovery, or Device Failsafe Utility (DFU) modes. For Recovery mode, the user or examiner will boot the device into iBoot, bypassing the loading of the operating system. iBoot is Apple's stage 2 bootloader, and is where Recovery mode resides. This operating mode is required to perform certain functions such as activating a device, upgrading or downgrading the iPhone, or sometimes to perform a forensic physical acquisition. DFU mode is also required to initiate various actions on the iPhone, most commonly to perform a physical acquisition. Various iPhone settings allow the user to protect their device and data against unauthorized access. An iPhone user has the option to set a PIN on their device in order to prevent unauthorized access. On certain devices running iOS version 4.0 or higher, hardware encryption is also possible through a feature referred to as “Data Protection.”

Chapter points:
• Apple Device Overview
• Operating Modes
• Security
• iTunes Interaction

This chapter introduces many of the popular Apple devices running iOS as well as the features unique to these devices. Software updates, device security, and understanding the various operating modes are among these topics. Also covered are some practical applications, describing how to perform system upgrades and downgrades and how to boot the devices into different operating modes. Additionally, the significance of iTunes is covered, as well as the functions it provides in support of these iOS devices.

Keywords: iPhone, Apple devices, iPhone operating modes, iPhone downgrade, MobileMe, iTunes synchronization

Introduction

In order to forensically examine a mobile device, it is important to understand the inner workings of that device. There are various Apple devices capable of storing an individual's personal data. On top of that, each of these models contains unique features, which are important to understand prior to investigating the data within. Being aware of the available devices running iOS, as well as the settings and options within them, can be a key aspect of an iPhone investigation. The configuration of the iPhone or iPad settings can affect the manner in which the data is acquired. In addition to understanding the physical device, iTunes also plays an important role in an iPhone investigation. This chapter will cover the functions of an iOS device as well as how these devices interact with iTunes to send, receive, and store user data.

Apple device overview

While this book focuses mainly on the iPhone and the forensic techniques associated with it, it is also important to note that most of these forensic methods may be applied to other Apple devices as well. For this reason, a brief overview of some of the more popular iOS devices is given here.

In April 2010, Apple released the iPad, its version of a tablet computer. Used mainly for audio and video capabilities, the iPad originally arrived running iOS version 3.2.2. In November 2010, version 4.2.1 of the operating system was released. Similar to the iPhone, the iPad offers touch-screen functionality as well as many of the same applications. Apps on the iPad are downloaded in a similar fashion through the iTunes App Store. The iPad can also be synced with iTunes and even has the capability of placing and receiving phone calls using voice over IP through Wi-Fi or the 3G network.

Apple TV was originally released on January 9, 2007. The original model contained a 40 GB hard disk drive, which was replaced months later with a newer model storing 160 GB. This device connects to the user's high-definition (HD) television using an HDMI (High-Definition Multimedia Interface) cable and provides the capability to stream audio and video from YouTube, Netflix, a computer running iTunes, or any iOS device. A second version of Apple TV was released in October 2010, which was much less expensive but lacked the hard drive storage. Instead of downloading videos and other files to be stored on the device, with the second-generation Apple TV everything is streamed over wireless using an A4 processing chip, decreasing the overall size and cost. In addition, 8 GB of Flash storage is available for caching, to allow seamless playback.

The iPod, a portable media player, is another popular Apple product that is synchronized with iTunes in order to store music, videos, photos, and more, depending on the model. There are various flavors of the iPod, including the iPod Classic, iPod Shuffle, iPod Nano, and iPod Touch. Each has varying storage space and functions.

• iPod Classic: The original iPod was first released in 2001. There have since been six generations of this device, ranging from 5 to 160 GB. The iPod Classic most commonly supports music, videos, TV shows, games, and photos.
• iPod Shuffle: This member of the iPod family is much smaller in size and does not have a display. It was originally intended to be a simple, cost-effective way of allowing the user to listen to songs at random or on “shuffle.” The first-generation iPod Shuffle arrived in early 2005, and as of December 2010 the fourth-generation model was available. Without a display screen, the Shuffle strictly supports audio files, including music, podcasts, or even audio books. Also incorporated is the “VoiceOver” feature, which announces the name of an artist or playlist (Apple Inc., n.d.).
• iPod Nano: Since 2005, six generations of the iPod Nano have been in development. A slim version of the iPod Classic, the Nano supports several audio types and has a small display in which the user can navigate through playlists, albums, and songs. The more recent models have added extra features such as the ability to “shake” the device to shuffle to the next song, an on-board video camera, FM radio, and, as of the sixth generation, a touch-screen display (Apple Inc., n.d.).
• iPod Touch: The iPod Touch is a combination of a personal data assistant (PDA) and a portable media player. There are four generations of this device, with the first released in 2007. The iPod Touch offers greater functionality than the other iPod models, including a camera, HD video recorder, FaceTime, voice control, gaming, and more. It is comparable to the iPhone, but lacks cellular network access (Apple Inc., n.d.).

With the release of Mac OS X Lion in summer 2011, the Mac is now becoming even more “iOS-like” than ever before. A Mac App Store has been released, which allows easy browsing and downloading of apps, similar to the App Store for the iPhone or iPad. Apps are also displayed on the desktop in a view referred to as “Launchpad.” Click an app on the Launchpad, and it is opened full screen, minimizing any other open applications or tools. Finally, “Mission Control” takes all the applications running on your Mac and consolidates them into one area for the user to view. This includes any open programs, various Spaces, the Dashboard, and more. Selecting one of these items will minimize Mission Control and launch that particular program (Apple Inc., 2010).

Operating modes

The above devices are capable of running in various operating modes, including Normal, Recovery, or Device Failsafe Utility (DFU) modes. These will be referenced often throughout the remaining chapters, since certain modes are required in order to perform a particular function on the device. For example, to perform an upgrade or system recovery, the device must be placed in Recovery mode.

Normal mode

When the device is powered on in a typical fashion, this is known as Normal mode. Most activities performed on an iPhone will be run in Normal mode, unless otherwise specified.

Recovery mode

For Recovery mode, the user or examiner will boot the device into iBoot, bypassing the loading of the operating system. iBoot is Apple's stage 2 bootloader, and is where Recovery mode resides. This operating mode is required to perform certain functions such as activating a device, upgrading or downgrading the iPhone, or sometimes to perform a forensic physical acquisition. To enter Recovery mode, power off the device (by holding down the button on the top of the phone until you see “slide to power off” appear on the device). Next, hold down the “Home” button, and then connect the device to a computer via a USB connector while continuing to press the “Home” button. Continue to hold until “Connect to iTunes” appears (as shown in Figure 2.1), and then release.

Figure 2.1 iPhone in Recovery Mode.

By connecting the cable, you are giving power to the device. An alternative option would be to first connect the device to a computer, power off the device, and then hold the “Home” button down while at the same time pressing the power button.

DFU mode

DFU mode is also required to initiate various actions on the iPhone, most commonly to perform a physical acquisition. It is...
