IPhone Questions

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

IPhone Questions

Post Posted: Fri Jun 18, 2010 5:25 pm

Hi all, just wanted to ask two questions related to the iPhone:

1. When an iPhone has been seized, is it best practice to turn it off or leave it on? [Considering issues like remote wiping, keycodes, and additional writes to the phone]

2. Do iPhone backups or updates affect deleted items within memory?

Thanks for the help  

Joel08
Member
 
 
  

Re: IPhone Questions

Post Posted: Sat Jun 19, 2010 7:36 am

1. The phone could be stored in a Faraday bag  

Beerbaron
Senior Member
 
 
  

Re: IPhone Questions

Post Posted: Wed Jun 23, 2010 3:00 am

- Joel08
Hi all, just wanted to ask two questions related to the iPhone:

1. When an iPhone has been seized, is it best practice to turn it off or leave it on? [Considering issues like remote wiping, keycodes, and additional writes to the phone]

2. Do iPhone backups or updates affect deleted items within memory?

Thanks for the help


Joel,

1. This depends entirely on the situation and the case. If you have access to the Zdziarski tool set then the passcode is not a problem. You can take a full disk image and remove the passcode from the device.

Best practice would be to put the device in a Faraday bag and then examine as soon as possible. Or at the time of seizure you can put the device into airplane mode to remove radio interactions on the device.

2. I cannot say for certain exactly what bytes are written where during an update or backup. I believe that doing a backup might alter time and date stamps on certain files that record backup dates. Again, I cannot say with certainty.
An update to the firmware could very well overwrite deleted data.

Doug
Senior Member
 
 
  

Re: IPhone Questions

Post Posted: Wed Jun 23, 2010 6:23 am

Joel08

Some alternative but general observations.

The use of Faraday bags at seizure is not Best Practice (BP) in every case. No universal BP has been agreed. If the use of Faraday bags is noted as BP for a particular group, then so be it. But they (the group) must bear responsibility (law enforcement/private sector) for that BP.

BP is not agreed amongst everyone because there has been no appropriate consultation in all areas and no appropriate Peer Review. The point being made is that some claim using BP is not to substantiate improvement in the person's skills or any significant evidential value, but to use it as a form of exoneration when things cock up. For instance, this was done because it is said to be BP and I did nothing to see if there was a better way of doing the work. So if data changes on a seized device whilst it is in transit (a) I may not know about it and (b) that action is OK because it is happening under BP policy - would that be acceptable?

From those officers on the ground, the procedures for how to deal with mobiles, as I have been told, are usually based on what is required at the local Command level. They do not want the paperwork or hassle involved having their time taken trying to prove they didn't alter any data on the handset once it was seized or in transit, before it gets to the examination unit. The approach, as I understand it, is 'switch it OFF' unless absolutely necessary not to do so.

My observations to you would be the less complicated you are, and avoid using dictator-style procedures (but I do not suggest for one moment you would do that Joel08), the better for you - eg switch it OFF for goodness sake (and let me the examiner/expert deal with it, as this is what I am paid to do) could be a place to start.

If you are going to orchestrate and use an in-house BP 'different horses for different courses' approach perhaps you may wish to consider identifying the different levels of seizure and the proportionality and necessity for varied ways of seizing, taking into account the time, place and under what conditions prevail at the time of seizure. The latter point may well provide a solution and way forward for you to suggest the use of an RF shielded container rather than generate a one-size-fits-all blanket policy.

Hope this helps.
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup 

trewmte
Senior Member
 
 
  

Re: IPhone Questions

Post Posted: Sat Jun 26, 2010 9:54 am

When considering a Faraday bag always take into account the effect on battery life vs. time to examination.
Eric  

EBWahlberg
Member
 
 
  

Re: IPhone Questions

Post Posted: Sat Jun 26, 2010 1:28 pm

If it's an iPhone 4, just hold your finger over the bottom left corner, this will remove all signal and stop it from being remotely wiped!

/Sorry couldn't resist! :)

4Rensics
Senior Member
 
 
  

Re: IPhone Questions

Post Posted: Sat Jun 26, 2010 4:30 pm

- 4Rensics
If it's an iPhone 4, just hold your finger over the bottom left corner, this will remove all signal and stop it from being remotely wiped!

/Sorry couldn't resist! :)


:D

I did wonder how long it would take for this to be mentioned!

Love it.

:D

Doug
Senior Member
 
 