Hi douglasbrush,
Thanks for the quick response. The website is very helpful.
I picked one up a couple of months back now. It has the same backup through iTunes routine and databases as the iPhone. It just gets a unique folder for the backup. Haven't tried looking at the backup in detail though.
It makes a great web access device (except for those flash sites) and takes the place of my laptop a lot of the time for that purpose. I bought Documents to Go for it so that covers pretty much my note taking / spreadsheet needs. I use Dragon on it for dictation from time to time. You also can't argue with 10 hours battery life.
I for one don't understand the camera thing people go on about. Unless it is facing the user for video conferencing it would be kind of pointless. Why not use a real (purpose-built) camera?
Hello,
An iPad has been submitted to us for examination in a criminal case. As I understand, unless the iPad has been jailbroken, it is not possible to retrieve emails from it. The question I have is if we jailbreak the unit (with some form of recording of it being done), are we "changing" the evidence we have in our possession?
I've used XRY to collect the data from it with success but I'm thinking further down the line where it may be necessary to image the unit and use FTK, EnCase or similar to examine it. I tried using a Linux based program (Raptor) but as with the Windows unit, it only saw it as a camera.
If the investigating Officers want a more detailed exam (including the emails), I would be grateful for any help you can give.
And yet another example of a common problem faced by digital forensic investigators. What happens if we change the data?
Well, nothing really. Any time you acquire any evidence, regardless of whether or not you use a write blocker, you change something on that evidence. It can't be helped but we accept that as part of the job.
As long as you record everything that you do AND YOU KNOW WHAT YOU'RE DOING you should be fine. But you should make sure that you know exactly what you're doing before proceeding.
The question is, do you not analyse it out of fear and risk not finding any evidence when it might be there, or do you risk changing data with the possibility that there is no evidence stored thereon? Tough call, but if you don't do it, you'll never know.
Remember that in some physical forensic sciences, the testing process consumes the entire sample. Therefore it's understood that in forensics there may be circumstances where the processing and observation is going to change the source, and what is important is that the examiner has a thorough knowledge of the effects of the process and is able to explain the changes, and justify the methodology.
You're not going to completely avoid obtaining evidence just because the acquisition process makes changes to the source.
Now whether you have coverage for "breaking" the device if it is rendered less operable by your actions, that's an issue I can't answer not knowing the specific laws in the UK. I know that the law back in Qld allowed us to destroy things in order to conduct a search where it was reasonable (i.e. I think you hid drugs in the wall, let me go get my sledgehammer) which may conceptually cover you if you have a similar law.
I like your analyses Patrick.
I haven't used an iPad or ever analysed one but if it is anything like the iPod Touch and iPhone, imaging cannot be done using standard methods as the device will not present itself as a mass storage device.
I wonder if the iphoneinsecurity.com method for imaging an iPhone could be adapted for imaging an iPad? Failing that, if it is absolutely necessary that you get an image, you could always jailbreak and image over dd using an ad hoc Wi-Fi network. You are going to make changes but if you have no other option then it is acceptable.