
IPhone Questions

8 Posts
7 Users
0 Likes
571 Views
(@joel08)
Posts: 13
Active Member
Topic starter
 

Hi all, just wanted to ask two questions related to the iPhone

1. When an iPhone has been seized, is it best practice to turn it off or leave it on? [Considering issues like remote wiping, keycodes, and additional writes to the phone]

2. Do iPhone backups or updates affect deleted items within memory?

Thanks for the help

 
Posted : 19/06/2010 4:25 am
Beerbaron
(@beerbaron)
Posts: 71
Trusted Member
 

1. The phone could be stored in a Faraday bag

 
Posted : 19/06/2010 6:36 pm
 Doug
(@doug)
Posts: 185
Estimable Member
 

Hi all, just wanted to ask two questions related to the iPhone

1. When an iPhone has been seized, is it best practice to turn it off or leave it on? [Considering issues like remote wiping, keycodes, and additional writes to the phone]

2. Do iPhone backups or updates affect deleted items within memory?

Thanks for the help

Joel,

1. This depends entirely on the situation and the case. If you have access to the Zdziarski toolset then the passcode is not a problem. You can take a full disk image and remove the passcode from the device.

Best practice would be to put the device in a Faraday bag and then examine it as soon as possible. Or, at the time of seizure, you can put the device into airplane mode to remove radio interactions on the device.

2. I cannot say for certain exactly what bytes are written where during an update or backup. I believe that doing a backup might alter time and date stamps on certain files that record backup dates. Again, I cannot say with certainty.
An update to the firmware could very well overwrite deleted data.

 
Posted : 23/06/2010 2:00 pm
(@trewmte)
Posts: 1877
Noble Member
 

Joel08

Some alternative but general observations.

The use of Faraday bags at seizure is not Best Practice (BP) in every case. No universal BP has been agreed. If the use of Faraday bags is noted as BP for a particular group, then so be it. But they (the group) must bear responsibility (law enforcement/private sector) for that BP.

BP is not agreed amongst everyone because there has been no appropriate consultation in all areas and no appropriate Peer Review. The point being made is that some claim using BP is not to substantiate improvement in the person's skills or any significant evidential value, but to use it as a form of exoneration when things c**k up. For instance: this was done because it is said to be BP, and I did nothing to see if there was a better way of doing the work. So if data changes on a seized device whilst it is in transit, (a) I may not know about it and (b) that action is OK because it is happening under BP policy - would that be acceptable?

From those officers on the ground, the procedures for how to deal with mobiles, as I have been told, are usually based on what is required at the local Command level. They do not want the paperwork or hassle involved in having their time taken trying to prove they didn't alter any data on the handset once it was seized or in transit, before it gets to the examination unit. The approach, as I understand it, is 'switch it OFF' unless absolutely necessary not to do so.

My observations to you would be that the less complicated you are, and the more you avoid using dictator-style procedures (but I do not suggest for one moment you would do that Joel08), the better for you - e.g. "switch it OFF for goodness sake (and let me, the examiner/expert, deal with it, as this is what I am paid to do)" could be a place to start.

If you are going to orchestrate and use an in-house BP 'different horses for different courses' approach, perhaps you may wish to consider identifying the different levels of seizure and the proportionality and necessity for varied ways of seizing, taking into account the time, place and what conditions prevail at the time of seizure. The latter point may well provide a solution and way forward for you to suggest the use of an RF shielded container rather than generate a one-size-fits-all blanket policy.

Hope this helps.

 
Posted : 23/06/2010 5:23 pm
(@ebwahlberg)
Posts: 34
Eminent Member
 

When considering a Faraday bag, always take into account the effect on battery life vs. time to examination.
Eric

 
Posted : 26/06/2010 8:54 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
 

If it's an iPhone 4, just hold your finger over the bottom left corner, this will remove all signal and stop it from being remotely wiped!

/Sorry couldn't resist! )

 
Posted : 27/06/2010 12:28 am
 Doug
(@doug)
Posts: 185
Estimable Member
 

If it's an iPhone 4, just hold your finger over the bottom left corner, this will remove all signal and stop it from being remotely wiped!

/Sorry couldn't resist! )

lol

I did wonder how long it would take for this to be mentioned!

Love it.

lol

 
Posted : 27/06/2010 3:30 am
(@biedubbeljoe)
Posts: 25
Eminent Member
 

Soon, good practice will be removing the PCB instead of the HDD..)

 
Posted : 28/06/2010 7:20 am