iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices

Paperback (Print)

Overview

As sales and usage of iPhones increase, so does the demand on organizations that conduct examinations on this device. iPhone and iOS Forensics takes an in-depth look at the core hardware and software components of an iPhone, file systems and data structures, data security considerations, and a detailed review of forensic acquisition techniques and strategies for the subsequent analysis required. A heavy emphasis on open source tools and step-by-step examples is a primary focus of this book.


Editorial Reviews

From the Publisher

"iPhone and iOS Forensics is a must read by all digital forensic examiners, even the most educated person in the iPhone environment will discover something new in this highly valuable book. The author has proven himself many times over to be a valuable resource to the digital community at large, and this book is the culmination of all of that work. I will not conduct another iOS analysis without using this book as my reference!" -Ryan R. Kubasiak, Investigator, Computer Crime Unit and Editor AppleExaminer.com

"Covering iOS file system information, device application and security, acquisition and analysis methods, this book takes one from basic to advanced information and techniques related to the iOS family of devices. Andrew and Katie have put together a valuable resource for security professionals and forensic examiners alike." -Danny Garcia, DG Digital Services, LLC

"This book is an excellent reference for examiners in the field, looking to understand the many different approaches to forensic imaging of an iPhone." -Jonathan Zdziarski, iPhone forensics expert


Product Details

  • ISBN-13: 9781597496599
  • Publisher: Elsevier Science
  • Publication date: 6/30/2011
  • Pages: 336
  • Sales rank: 629,436
  • Product dimensions: 7.50 (w) x 9.10 (h) x 0.90 (d)

Meet the Author

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm. He divides his energies between investigations, research and training about the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs and lectures and trains both corporations and law enforcement agencies. As the foremost expert in Android Forensics, he leads expert level training courses, speaks frequently at conferences and is writing a book on Android forensics.

Katie Strzempka is a Technology Consultant with viaForensics, a computer and mobile forensics firm. She performs forensic investigations, security audits and research, and has trained investigators around the world in mobile forensics. Katie is also a co-author for a white paper on iPhone Forensics, an analysis of the various iPhone Forensics commercial tools.

Ms. Strzempka received her Master’s degree from Purdue University in Cyber Forensics and has a B.S. in Computer and Information Technology. Prior to working for viaForensics, Katie worked for 3 years in Information Security for a Fortune 500 company, handling firewall administration and assisting with internal and external network connectivity.


Read an Excerpt

iPhone and iOS Forensics

Investigation, Analysis and Mobile Security for Apple iPhone, iPad, and iOS Devices
By Andrew Hoog and Katie Strzempka

SYNGRESS

Copyright © 2011 Elsevier, Inc.
All rights reserved.

ISBN: 978-1-59749-660-5


Chapter One

Overview

CHAPTER POINTS:

• iPhone Models

• Forensic Examination Approaches

INTRODUCTION

Mobile devices have come a long way over the past few years. For a while, cell phones were simply used for making phone calls. As they continued to mature, the capability to send and receive text messages, create calendar events, and save contacts became readily available. Fast forward to the present day, and mobile devices are now being used extensively and serve many purposes. Around 4.6 billion individuals owned cell phones as of early 2010, and the number was expected to reach 5 billion by the end of the year (CBS, 2010). With this increase in popularity came an enormous demand for mobile forensics.

The iPhone was first released to consumers in June 2007. Ever since the first release, the device has increasingly gained in popularity, partly due to its advanced functionality and usability. With the iPhone, individuals now have the capability to check e-mail, take photos, browse the Internet, and do much more. These activities make the iPhone take the place of personal computers (PCs) and digital cameras. In addition to the standard capabilities that exist in the iPhone, endless applications are also available for download to assist with finances or organization, or simply for entertainment.

In the late 1980s, the Newton platform was Apple's main focus. This platform was a personal data assistant (PDA), which never really took off. The project ultimately failed in 1998. One year prior to that, Steve Jobs became the CEO of the company. Before the idea of the iPhone was actually formulated, Jobs decided to have Apple start focusing on the idea of touch-screen development rather than PDAs and tablet PCs. Believing that cellular devices were going to become very popular, the company began developing a mobile device that could display pictures and videos and would ultimately have the capability to sync with iTunes. In November 2006, a patent was granted for the Apple iPhone, and in January 2007 Jobs announced the release of the iPhone at MacWorld (Wired, 2008).

Strategy

Apple's strategy over the past few years has shifted away from traditional computing. New and innovative ideas have been developed, disrupting the existing business model. In the music and video genre, several different applications and devices have been developed including the Apple TV, iTunes, and various iPod devices. The mobile category includes the iPhone, while the class of delivery channel items includes both iTunes for synchronization and downloads and the App Store. Finally, the development of the iPad (and previously the Newton device) falls within the Tablet category.

Many of these newer devices have been consolidated on to the iOS platform, with the exception of the Macintosh workstations, which are running OS X. There has been some debate in the past on whether Mac OS X will transform to iOS or perhaps a platform more similar to iOS. The Mac OS X Lion is to be released in the summer of 2011. This operating system is said to have similar qualities as the iOS devices, with the exception of a touch-screen feature. A Mac App Store was released in January of 2011, which enables Mac users to purchase software straight from their computer, similar to the way applications can be purchased through the iTunes App Store (Apple Inc., 2010).

As of 2009, the iPhone had taken third place in smart phone sales worldwide, which constituted 4.4% of the market share (McGlaun, 2010). During the first quarter of 2010 alone, 8.75 million were sold, which was more than half the number for the same period in 2009. Just prior to the release of the iPhone 4, over 50 million iPhones had been sold, and statistics from Q4 2010 show that Apple controlled 25% of the smart phone market in the United States (Slashdot, 2011). With the extreme popularity of the iPhone and the increasing number of devices sold, this mobile device has become one of the main focal points of many forensic investigations.

Development community

Apart from sales, the iPhone has an active hacking community, which has yielded research and tools that support forensic investigations. Some of these tools and techniques were originally used to assist with forensic imaging and are currently used for testing in order to better understand the device. Cydia is a popular application used for these purposes. It allows users with a modified phone to download and run iPhone or iPad applications that are not available in the App Store. More specifically, applications can be found here that may allow an examiner to better understand the iPhone file system and other data contents, such as Mobile Terminal. Jailbreaking, or modifying an Apple device, is not suggested, as it is not a forensically sound method; however, having the capability to remotely connect to a test device for educational purposes can be an invaluable learning experience for an examiner.

Another technique that is commonly used on the iPhone is referred to as "unlocking." From 2007 to early 2011, AT&T was the only provider that offered service for the iPhone in the United States. In order to function properly, an AT&T SIM (subscriber identity module) card had to be placed into the device to identify itself on the carrier's network. In February 2011, the iPhone 4 became available through another carrier, Verizon. With the device being so exclusive and only available under these two carriers, many iPhone users search for other options. Unlocking an iPhone is a method that allows the device to be used on alternative networks, and various Apple tutorial sites, such as iClarified, provide steps on how to do this. The process typically involves installing an application, running it, and replacing the AT&T SIM card with that of a different carrier. As Verizon is on the CDMA (code division multiple access) network rather than GSM (global system for mobile communications), its version of the iPhone does not come with a SIM card. For this reason, unlocking the iPhone 4 from Verizon's network is impossible using the current methods. Having said that, the Apple user community will undoubtedly develop an alternative method in the future.

The Apple developer site is another resource that can benefit developers, examiners, or individuals interested in the iOS or OS X environments. Once a registered Apple developer, an individual can download Xcode and the iOS software development kit (SDK) to assist in application development. Included in this development suite are an Xcode integrated development environment (IDE), iOS simulator, and additional tools required for iPhone, iPad, and iPod touch application development.

Once the Xcode and iOS SDK are downloaded, the installer must be run in order to use the tools. Once installed, the tools and files shown in Figure 1.1 can be found in the following path: /Developer/Platforms/iPhoneSimulator.platform

One of the most useful tools within this package is the iOS simulator (as shown in Figure 1.2). This program allows the investigator to select an Apple device and version and use the simulator to test this particular model. For this example, the iPhone running firmware version 4.2 was selected. Among the other options were versions 3.2 (for the iPad) and 4.0.2 and 4.1 (for the iPhone). The software is memory intensive, so one can expect the testing to be a little slow. The simulator starts up with just a few general apps, including Photos, Settings, Game Center, Contacts, and Safari. The user is able to go into these apps, use them as though they were a real device, and even perform additional functions including Toggle In-Call Status Bar, Simulate a Memory Warning, Simulate a Hardware Keyboard, and Lock the device. Lacking from the simulator are some of the more common apps, such as SMS, Calendar, Camera, Notes, and the App Store in order to download additional applications.

The main purpose of the simulator is to be used by application developers in conjunction with Xcode. When Xcode is used to develop an iPhone or iPad application, the code can be tested and run using the simulator on various firmware versions. Testing on the simulator will ensure that the application is performing the way it is expected to.

iPHONE MODELS

The original iPhone 2G was released in the United States in June 2007. Simultaneously, iTunes version 7.3 was also released, which would support synchronization with this device. Subsequent models were released in the following years: the 3G in July 2008, 3G(s) in June 2009, and the iPhone 4 in June 2010.

Each device arrives with its own firmware version, which can be found by navigating to Settings > General > About > Version. The purpose of the firmware is to enable certain features, fix bugs or security holes, and assist with the general functioning of the device. Apple will occasionally release new firmware upgrades to resolve some of these issues.

Table 1.1 displays the model number and the initial iOS versions for each device.

In order to identify the device model with the phone powered off, there are a few different things to consider. The first to look for is the model number etched at the back of the casing. Also, the original iPhone had a metal casing, whereas the 3G and 3G(s) had a plastic casing. The 3G(s) has the writings at the back etched in silver to differentiate it from the 3G, which has only the Apple logo in silver. Finally, the iPhone 4 has a unique square design. The corners are less rounded, making it easier to differentiate between the earlier versions. Apple's knowledge base articles can be helpful for this purpose. Details on identifying iPhone models can be found at the following link: http://support.apple.com/kb/HT3939

Table 1.2 shows the specifications and features of each of the models, depending on the storage size (Costello, n.d.).

There were three main differences that separated the 3G from the original iPhone device. One of these features is the addition of the CDMA cellular protocols. W-CDMA is the air interface standard for 3G networks. The intent of adding this protocol was for increased connection speed as well as more efficient support for a greater number of users. The second feature to differentiate the 3G from the 2G is the integrated global positioning system (GPS), which is also found in the 3G(s) and iPhone 4. Finally, the amount of NAND Flash memory increased by a factor of 2 (Semiconductor Insights, n.d.).

iPhone hardware

The iPhone, like most complex electronic devices, is a collection of modules, chips, and other electronic components from many manufacturers. Due to the complex and varied features of the iPhone, the list of hardware is extensive. Table 1.3 consists of a list of many of the components of an iPhone 3G(s), including the manufacturer and model or part number.

The Samsung CPU is a RISC (reduced instruction set computer) processor that runs the core iPhone processes and works in conjunction with the PowerVR co-processor for graphics acceleration. The CPU is underclocked to 412 MHz (from a possible 667 MHz), presumably to extend battery life. Many of the internal components vary depending on the iPhone model. Semiconductor Insights is a significant resource in understanding the inner workings of many different types of devices. Their device library includes many mobile devices, including the iPhone. A report is completed for each device, which includes a description of the product, details on how to disassemble and reassemble the device, teardown photos, hardware components, and much more (Semiconductor Insights, n.d.).

The baseband is another essential component on the iPhone. The baseband manages all the functions that require an antenna, notably all cellular services. Unlocking the device was mentioned earlier. During this process, the baseband is the part of the device that is hacked in order to allow the iPhone to connect to a different cellular network. There are different baseband versions, which is why the unlocking process must constantly be modified. When a new device comes out, such as the iPhone 4, it will arrive with a different baseband version. The baseband version can be found under Settings > General > About > Modem Firmware, as shown in Figure 1.3.

The baseband processor has its own RAM and firmware in NOR Flash, separate from the core resources. It functions as a resource to the main CPU. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.

The images displayed on the next page, courtesy of Semiconductor Insights, were taken after an iPhone 3G(s) was manually dismantled: Figure 1.4 is an image of the top of the device and Figure 1.5 is of the bottom.

(Continues...)



Excerpted from iPhone and iOS Forensics by Andrew Hoog and Katie Strzempka. Copyright © 2011 by Elsevier, Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

  • Chapter 1. Overview
  • Chapter 2. Device features and functions
  • Chapter 3. iOS and File System
  • Chapter 4. Data Storage
  • Chapter 5. Acquisitions
  • Chapter 6. Data and Application Analysis
  • Chapter 7. Commercial Tool Testing


Customer Reviews

Average Rating: 5 (1)
  • Posted June 5, 2013

    WOW... I love MyDeals247 model - they create competition among the sellers real-time.

    0 out of 2 people found this review helpful.
