iphone forensics book

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

Senior Member

iphone forensics book

Post Posted: Nov 28, 08 01:41

Hi all,

I recently read the book "iPhone Forensics" by Mr. Zdziarski. In his book he mentions a method for the investigation which includes "jailbreaking" by using a custom payload and integrating it in the operating system. I also watched the webcast on YouTube.

The iPhone has two partitions: one is a system partition and the other is used for user files such as pictures and media. Commercial software offers recovery from the latter. In his book Mr. Zdziarski manipulates the operating system (installs SSH, BSD, netcat etc.) and images both partitions using dd piped with netcat over a wireless connection.

Do you think it's forensically sound? I mean we don't install software on XP to get a forensic image. We even question live forensics. Isn't this method a little bit questionable?


"Simplicity is the ultimate sophistication." 

Senior Member

Re: iphone forensics book

Post Posted: Nov 28, 08 07:15

What justification does the author of the book give for installing an agent onto the iPhone:

1) is it because of necessity, perhaps a suggestion of recovering deleted data or system info etc. not accessible by the user?
2) because it is easier to get another device to suck off all the data as it saves time rather than conducting a manual examination where no agent is loaded and the examiner uses a video or photographs to demonstrate what is on the phone?
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

Senior Member

Re: iphone forensics book

Post Posted: Nov 28, 08 16:33


It's mainly for accessing system folders and recovering deleted files.
This payload makes it possible to access "jailed" files.

Since iPhone forensics is a relatively new area, and we have an iPhone case at the moment, I am researching every option.

I installed MacFUSE, which allows mounting the iPhone as a disk, but not as HFS+, as a MacFUSE filesystem. But accessing the root partition requires OpenBSD, SSH and AFP. I experimented with installing these on my personal phone and was able to acquire an image using dd.

Investigating an iPhone is not the usual mobile phone analysis; it has a 16GB solid state disk and a compact edition of Mac OS X Leopard. In the book there is also a part that describes the process to remove the automatic keylock password.

I think I'll try to find a forensic solid state disk reader.


"Simplicity is the ultimate sophistication." 


Re: iphone forensics book

Post Posted: Nov 28, 08 20:35

Check out www.sixthlegion.com

They make a software product called "WOLF" that is designed specifically for iPhone forensics. You have to use a Mac for your analysis machine, but it does not jailbreak the phone.

I have not used this software, but am aware of it as an option.



Re: iphone forensics book

Post Posted: Jan 16, 09 00:22

MacLockPick can be used to acquire the information from an iPhone without the need to jailbreak the suspect's iPhone. It's cross-platform and works on both Mac and Windows machines. It also offers a large number of other abilities, such as acquiring forensic data from a suspect machine.
