I-Phone examination: Question of legality & best practice

13 Posts
8 Users
0 Reactions
1,650 Views
Dunkjt74
(@dunkjt74)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter   [#4685]

Hello all.
This is going to be a bit of an open question for everyone, as I want to see if I can get a general consensus of opinion…
If an iPhone is submitted for evidential examination, where the owner/suspect of the device is refusing to supply a PIN etc., what is your opinion with regards to 'jailbreaking' that phone or actually writing software to the device in order to gain access, knowing that there will be a risk of permanently altering some of the device's operating system, firmware version or similar during the process? Would this be truly legal (with the exception of the most serious cases)?

At the moment, I can't seem to find a definitive answer when it comes to the iPhone due to the fact that technically, you would be permanently altering some of the device's data. There seem to be a lot of varied opinions out there in the legal world, so it would be interesting to see what the general consensus is.

Regards.

Dunk.



   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

dunk,
I have had it on good authority that password-protected iPhones have to be flashed (therefore ridding it of all info etc.), then op system re-put to make the phone as it was when it came from the shop.
So at the mo it would appear there is not a lot you can do with such a phone; even attempting the password incorrectly 5 times wipes the phone completely.



   
CdtDelta
(@cdtdelta)
Estimable Member
Joined: 18 years ago
Posts: 134
 

> I have had it on good authority that password-protected iPhones have to be flashed (therefore ridding it of all info etc.), then op system re-put to make the phone as it was when it came from the shop.

Wait, are we talking a passcode on the iPhone? If so, then it does not have to be flashed in order to bypass this.

Jonathan Zdziarski has been producing scripts/tools for imaging iPhones for a while now. If you are LE you can get access to the tools for free.

http://www.zdziarski.com/

Tom



   
(@jmech)
Eminent Member
Joined: 18 years ago
Posts: 40
 

I haven't had to examine any iPhones yet (believe it or not…), so I cannot personally vouch for this, but thought I'd share anyway

http://www.iphoneinsecurity.com/

Hope it helps.

Joe



   
CdtDelta
(@cdtdelta)
Estimable Member
Joined: 18 years ago
Posts: 134
 

> I haven't had to examine any iPhones yet (believe it or not…), so I cannot personally vouch for this, but thought I'd share anyway
>
> http://www.iphoneinsecurity.com/
>
> Hope it helps.
>
> Joe

Yeah that's Zdziarski's other website.

Tom



   
Dunkjt74
(@dunkjt74)
Active Member
Joined: 17 years ago
Posts: 8
Topic starter  

Hi all.

CdtDelta, yep, it's the handset passcode I'm stuck with.

Basically, it's an 8GB iPhone, with no SIM. Just a bit concerned about using any of the multitude of suggestions out there regarding methods to access the device, and running the risk of adding data to the handset etc. when there has got to be a way to avoid it(?) during the access/extraction process.
It's only the second iPhone I've had to examine, so it's still very much in the "grey areas" of how to extract from 'problematic' devices.
I will certainly have a look at Jonathan Zdziarski's site with a view to trying to obtain his software, sounds promising.
To Bigjon and Jmech, thanks too for your input. Much appreciated.

Regards.
Dunk.



   
(@jmech)
Eminent Member
Joined: 18 years ago
Posts: 40
 

CdtDelta - we must have been typing at the same time, I didn't see your post when I wrote mine… :D

Dunkjt74 - here's a link to a little article that you may find useful in reference to mobile forensics…

http://www.mobileforensicsinc.com/files/DG_Doc.pdf



   
CdtDelta
(@cdtdelta)
Estimable Member
Joined: 18 years ago
Posts: 134
 

I used Zdziarski's scripts before he made them LE only, and they worked REALLY well. Especially since you could image it over USB. But the tools I have now are out of date since they've updated the OS. Pretty much once you have the dd image you can throw anything at it. And the passcode unlock does work.

Note: If you are non-LE you can get the tools, but you have to put together a training class for at least 10 people and then you get access (no idea on the costs). That's what Jonathan told me when I asked him about it.

Tom

[grr put can't instead of can….need more coffee]



   
pooball
(@pooball)
Active Member
Joined: 20 years ago
Posts: 12
 

Another way round the PIN code issue is to analyse the iPhone backup file itself (providing you have the computer it's been synced to). Using tools like this

http://www.reincubate.com/labs/iphone-backup-extractor-how-extract-files-iphone-backup-windows/#/res/i/labs/iphonebe/3_wizard.png

enables you to bypass the PIN issue.

Glen



   
(@captainf)
Trusted Member
Joined: 18 years ago
Posts: 60
 

Dunk,

I have been doing a hell of a lot of iPhone research so can help you.

I think the whole idea about not altering user data is slowly growing old. As investigators we have to make decisions about best evidence and how we obtain it.

Apply the idea of a crime scene in real life… If a murder has taken place and the body is still in situ I would have to enter the scene to retrieve the body and take samples etc. In doing so I would contaminate the scene but this is acceptable to me as the end justifies the means. This is completely different to going into the crime scene and moving the body around or moving a discharged shell casing, these are massive changes which could alter my interpretation of the crime.

I guess what I am trying to say is that by jailbreaking the phone you are indeed changing the device; however, this doesn't mean that the information contained on it that is of relevance is no longer of use. It is an acceptable change to enable you to recover evidence. As long as you have sound rationale you should be ok.

The tools available at iphoneinsecurity.com are fantastic! I use them all the time and they are very easy to use. I dunno if you are a law enforcement officer or from a private firm but either way if you want any more advice PM me and I will give you my Skype details and we can chat about your specific concerns out of band.



   