I guess what I am trying to say is that by jailbreaking the phone you are indeed changing the device; however, this doesn't mean that the information contained on it that is of relevance is no longer of use. It is an acceptable change to enable you to recover evidence.
The real difficulty with that approach is that it does not demonstrate any real aesthetic appreciation of the forensic entropy required. That is to say, to 'show the levels of complexity of a device' (i.e. the mobile phone) under examination and what changes actually take place after the 'jailbreak'.
The problem with evidence at court these days is little is being done to challenge methodology, understanding and/or meaning.
I've got to admit, I think these phones, as well as future designs, are going to prove an increasing challenge. Not only with actually accessing the data, but with simply keeping 'up to speed' with their advancements.
We've gotten hold of a copy of Zdziarski's software, many thanks to him for that. It's just going to be a matter of getting used to these tools and very possibly having to 'hybridise' how each phone is dealt with according to firmwares etc.
CaptainF, I may just be taking you up on your offer in the not too distant future. Much appreciated, thank you.
Regards.
Dunk.
Taken from
Another important point to note is the difference between Zdziarski’s methods and popular jailbreaking methods, and the forensic superiority of the former over the latter. The term jailbreaking refers to a hacking process by which the iPhone firmware is overwritten in order to install third party application bundles or perform baseband unlocking. The jailbreaking process makes many modifications to the user data partition (as well as the baseband radio) to accomplish this, making it forensically unsound. Zdziarski’s procedures, on the other hand, are more custom-tailored to forensic recovery and only operate on the read-only system partition. Unlike jailbreaking, they do not install any additional software or modify the user data partition in any way.
However, the iPhone uses the HFS/X file system (fifth generation HFS) and as such many forensic tools do not yet recognize the file system. A workaround is to modify the dd image at 0x0400 and change the HX to H+. This will allow any forensic tool that understands HFS+ to process the image.
Following this methodology allows one to examine a raw image of an iPhone user data partition in EnCase v6. Getting the image involves using the Zdziarski Technique without altering any data from the user data partition. This seems to be best practice at the moment.
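The signature patch described in the quoted text, as an added example that is not part of the thread or of Zdziarski's tools: it reads the volume header at offset 0x0400 of a raw dd image, refuses to touch anything that is not HFSX, writes the 'H+' signature into a working copy only, and returns SHA-256 hashes of both files so the change is documented. The sample image, file names and function names are constructed for the demo; only the two-byte signature is rewritten, the version field (5 for HFSX, 4 for HFS+) is left untouched, exactly as the post describes.

```python
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path

VOLUME_HEADER_OFFSET = 0x0400          # HFS+/HFSX volume header starts 1024 bytes into the partition
HFSX_SIG, HFSPLUS_SIG = b"HX", b"H+"   # signature values per Apple's HFS Plus volume format


def read_volume_header(image: Path) -> dict:
    """Return signature and version from the volume header (opened read-only)."""
    with image.open("rb") as f:
        f.seek(VOLUME_HEADER_OFFSET)
        sig = f.read(2)
        version = struct.unpack(">H", f.read(2))[0]   # big-endian UInt16 directly after the signature
    return {"signature": sig, "version": version}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def patch_hfsx_signature(src: Path, dst: Path) -> dict:
    """Copy src to dst and rewrite 'HX' -> 'H+' in the copy; src is never opened for writing."""
    before = read_volume_header(src)
    if before["signature"] != HFSX_SIG:
        raise ValueError(f"not an HFSX image: signature {before['signature']!r}")
    shutil.copyfile(src, dst)
    with dst.open("r+b") as f:
        f.seek(VOLUME_HEADER_OFFSET)
        f.write(HFSPLUS_SIG)
    return {"src_sha256": sha256(src), "dst_sha256": sha256(dst),
            "src_after": read_volume_header(src), "dst_after": read_volume_header(dst)}


def make_sample_image(path: Path) -> Path:
    """Constructed stand-in for a dd image: 2 KiB of zeros with an HFSX header (version 5) at 0x400."""
    data = bytearray(2048)
    data[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 4] = HFSX_SIG + struct.pack(">H", 5)
    path.write_bytes(data)
    return path


def demo() -> dict:
    """Build the sample image in a temp dir, patch a copy, and return the evidence record."""
    with tempfile.TemporaryDirectory() as d:
        src = make_sample_image(Path(d) / "user_partition.dd")
        return patch_hfsx_signature(src, Path(d) / "user_partition_hfsplus.dd")


if __name__ == "__main__":
    print(demo())
```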