Hi guys,
Does anyone have any experience in investigating an Image file from an iPhone, if so I do need some assistance with it. I need to know what specific search queries in finding the data on the image. Can someone please p.m me if they can be of help.
Much Obliged
Sizzler
Um…need a wee bit more info. How was the data captured -
in EnCase via Neutrino?
If your image is a raw dd file, search the image for HX and record the offset given. Edit the search hits that standout as partition or volume headers to H+ (if your image is of the physical disk, there will be three HX's of relevance, edit the first and last). Add the modified image to EnCase as a raw disk image (EnCase should use 512bytes per sector by default), then in disk view go to the sector that each H+ is located (remember to divide the raw files offset by 512 to compensate for Encase), move two sectors before the sector containing the H+ and right click 'add partition' selecting HFSPLUS as the filesystem.
EnCase should then load the partition and filesystem for you to examine.