As sales and usage of iPhones increase, so does the demand on organizations that conduct examinations of this device. "iPhone and iOS Forensics" takes an in-depth look at methods and processes for analyzing the iPhone/iPod in an official legal manner. All of the methods and procedures outlined in the book can be taken into any courtroom. The book details the iPhone with information data sets that are new and evolving, along with official hardware knowledge from Apple itself to aid investigators. This title helps you learn techniques to forensically acquire the iPhone, iPad and other iOS devices. An entire chapter is focused on data and application security, which can assist not only forensic investigators but also application developers and IT security managers. The book provides in-depth analysis of many of the common applications (both default and downloaded), including where specific data is found within the file system.
Acknowledgments
Preface
About the Authors
About the Technical Editor
Chapter 1 Overview
Introduction
Strategy
Development community
iPhone Models
iPhone hardware
Forensic Examination Approaches
iPhone leveling
Acquisition types
Forensics with Linux
Chapter 2 Device features and functions
Introduction
Apple Device Overview
Operating Modes
Normal mode
Recovery mode
DFU mode
Exiting Recovery/DFU mode
Security
Device settings
Secure erase
App security
iTunes Interaction
Device Synchronization
iPhone backups
iPhone restore
iPhone iOS updates
Upgrade
Downgrade
The App Store
MobileMe
Chapter 3 File system and data storage
Introduction
What Data is Stored
Where Data is Stored
How Data is Stored
Internal storage
SQLite database files
Property lists
Network
Memory Types
RAM
NAND Flash
iPhone Operating System
iOS layers
File System
Volumes
Journaling
iPhone disk partitions
Chapter 4 iPhone and iPad data security
Introduction
Data Security and Testing
Computer crime laws in the United States
Data protection in the hands of the administrators
Security testing procedure
Application Security
Corporate or individual mobile app consumers
Corporate or individual mobile app developers
Application security strategies for developers
Recommendations for Device and Application Security
Chapter 5 Acquisitions
Introduction
iPhone Forensics Overview
Types of investigations
Difference between logical and physical techniques
Modification of the target device
Handling Evidence
Passcode procedures
Network isolation
Powered-off devices
Imaging an iPhone/iPad
Backup acquisition
Logical acquisition
Physical acquisition
Imaging Other Apple Devices
iPad
iPod Touch
Apple TV
Chapter 6 Data and application analysis
Introduction
Analysis Techniques
Mount disk image
File carving
Strings
Timeline development and analysis
Forensic analysis
iPhone Data Storage Locations
Default applications
Downloaded apps
Other
iPhone Application Analysis and Reference
Default applications
Third-party (downloaded) applications
Chapter 7 Commercial tool testing
Introduction
Data Population
Analysis Methodology
CelleBrite UFED
Installation
Forensic acquisition
Results and reporting
iXAM
Installation
Forensic acquisition
Results and reporting
Oxygen Forensic Suite 2010
Installation
Forensic acquisition
Results and reporting
XRY
Installation
Forensic acquisition
Results and reporting
Lantern
Installation
Forensic acquisition
Results and reporting
MacLock Pick
Installation
Forensic acquisition
Results and reporting
Mobilyze
Installation
Forensic acquisition
Results and reporting
Zdziarski Technique
Installation
Forensic acquisition
Results and reporting
Paraben Device Seizure
Installation
Forensic acquisition
Results and reporting
MobileSyncBrowser
Installation
Forensic acquisition
Results and reporting
CellDEK
Installation
Forensic acquisition
Results and reporting
EnCase Neutrino
Installation
Forensic acquisition
Results and reporting
iPhone Analyzer
Installation
Forensic acquisition
Results and reporting
Appendix A
Appendix B
Appendix C
Index