Hi everyone.
Please can anyone assist me? I am writing my dissertation on the challenges forensic experts face in Iphone forensics.
Your contributions will be greatly appreciated.
Suggest picking up the iOS forensics books.
This one is released already - http//
There is another one that will be released in a couple of months. http//
Support the community!
What have you found on this to date? I'd be very interested in your research, as I'm sure others would be.
On a separate point, it's a very tough market for forensic graduates at present where a candidate's presentational skills (including spelling and grammar) will be quickly noted - it's a truism that an eye for detail is a basic requirement in forensics. If you're writing a dissertation on iPhones then you really need to make sure you spell your topic correctly!
Thanks for bringing my attention to that, Jonathan. What you should know now is that this is just a framework of my topic, for people to get an idea of what I am writing about. It is all about connecting with people and not speaking grammar.
Clearly….
Jonathan gives you very good advice and you would be wise to take note.
I also note that you did not respond to his reasonable request that you share what you have discovered to date, so that established members of the forum can respond meaningfully to your OP.
One major note is the trouble examiners face trying to image the iPhone. Every update throws another major curve ball, where updated phones sit in the processing queue waiting for tools to catch up. I know this is the way most software and tools function, but it'd be nice if Apple provided just a little help. The ways most recommended at present are the JZ method, XIAM, UFED and chip-off (there may be more).
On a side note, I initially read the title thinking you meant defence challenges.
If this is the title of your research, you may want to rethink (sorry).
With regard to some of the hurdles when examining iPhones, you have quite a few. Below are just some.
First of all, there are a number of different levels of acquisition.
Firstly, you have the logical. This is usually obtained by loading an agent, performing a backup or syncing the device. In the iPhone's case, it is my understanding that iTunes is utilised to obtain this logical read. The logical read will only scratch the surface of the device.
Secondly, you have a file system dump. A number of tools are able to perform a file system dump, which performs a logical copy of the files within the phone's file system. This will give you your database containers, which may contain deleted data; however, unless deleted data resides in a container file, no other deleted data will be recoverable.
Thirdly, you have what I call a "logical-physical" read. This is the level of examination the Zdziarski method performs. This is reading all blocks/sectors that are currently being addressed and marked as "in use" by the flash translation layer (FTL). This will give you deleted data outside of containers and is considered by most as the best forensic read from these types of devices.
Lastly, you have a true physical read. You are only likely to achieve this type of read by removing the flash IC and reading it directly, bypassing the phone's operating system security and FTL. This will give you every block/sector on the flash, whether it is marked as "in use" or "out of use".
The problem with many of the new iPhones is that the contents of the flash are encrypted, but decrypted on request through the OS. This is how we can obtain an unencrypted "logical-physical" read using the Zdziarski method. However, if you read the chip directly, the data will be encrypted.
Once you have recovered an "image", you need to start the examination of the device. There are many different applications, using different formats to cache or store their data. Commonly, you will see SQLite, plists and XML. In most cases, we can't simply extract these files and hand them to the investigator; we need to interpret them and present them in a format that can be understood.
iPhone forensics is a huge area. There are so many third-party applications which create a digital footprint. The main challenge is ensuring you don't miss any crucial information. For this, we need to ensure we are receiving targeted requests rather than "get everything".
Sorry about the grammar, this was a brain leak.
Mark
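Two of Mark's points above lend themselves to a hands-on illustration: that deleted data can survive inside a container file (a SQLite database) even when a plain file system dump is all you have, and that SQLite and plist contents need interpreting before they are handed to an investigator. The following is an added Python example, not code from this thread or from any of the tools mentioned in it. The message table is a constructed sample with a hypothetical schema (it is not Apple's real sms.db layout), the plist is constructed in the script, and the only Apple-specific fact it relies on is that many iOS databases and plists store times as Cocoa timestamps, i.e. seconds since 2001-01-01 00:00:00 UTC rather than the Unix epoch.

```python
import datetime
import os
import plistlib
import re
import sqlite3
import tempfile

# iOS databases and plists commonly store times as "Cocoa" timestamps:
# seconds since 2001-01-01 00:00:00 UTC (not the Unix epoch of 1970).
COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)


def cocoa_to_iso(seconds):
    """Render a Cocoa timestamp as an ISO-8601 string an investigator can read."""
    return (COCOA_EPOCH + datetime.timedelta(seconds=seconds)).isoformat()


def build_sample_db(path):
    """Constructed sample: a hypothetical message table (NOT Apple's sms.db
    schema) with three rows, one of which is then deleted. SQLite only unlinks
    the freed cell; with secure_delete off, its bytes remain in the page."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # explicit, in case the build defaults to ON
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, "
                "handle TEXT, text TEXT, date INTEGER)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (1, "+15550100", "Meet at the usual place", 400000000),
        (2, "+15550100", "DELETED_PAYLOAD bring the documents", 400000600),
        (3, "+15550199", "Running late", 400001200),
    ])
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")  # row 2 is gone from SQL's view
    con.commit()
    con.close()


def live_messages(path):
    """Logical view: only the rows the database still considers allocated,
    with the Cocoa date column converted to something readable."""
    con = sqlite3.connect(path)
    rows = [(handle, text, cocoa_to_iso(date))
            for handle, text, date in con.execute(
                "SELECT handle, text, date FROM message ORDER BY id")]
    con.close()
    return rows


def carve_strings(path, min_len=8):
    """Container-level view: printable runs in the raw file bytes, which
    include freed cells that no SQL query will ever return."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def parse_sample_plist():
    """Constructed binary plist carrying a Cocoa timestamp, decoded with plistlib."""
    blob = plistlib.dumps({"BundleID": "com.example.notes",
                           "LastOpened": 400000000.0}, fmt=plistlib.FMT_BINARY)
    data = plistlib.loads(blob)
    return {"bundle": data["BundleID"],
            "last_opened": cocoa_to_iso(data["LastOpened"])}


def run_demo():
    """Build the sample store, then compare what SQL returns with what carving finds."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "messages.db")
        build_sample_db(db)
        live = live_messages(db)
        carved = [s for s in carve_strings(db) if "DELETED_PAYLOAD" in s]
    return {"live": live, "carved_deleted": carved, "plist": parse_sample_plist()}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows two live rows from the query and the deleted row's text still present in the raw file, which is exactly why a file system dump that captures the database container can yield deleted records while anything deleted outside such a container needs the deeper "logical-physical" or physical read Mark describes. On a real handset the same carving idea is applied to the actual database files, and the timestamp conversion is the kind of interpretation step that turns a column of large integers into dates an investigator can act on.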