Smartphone Forensics: Part 5
So far this series has covered forensics for the iPhone, Blackberry, and Motorola smartphones. I was just about ready to wrap up this series when I realized that iPods and similar devices are now also increasingly the focus of forensics investigations. Accordingly, this posting covers forensics for iPods.
One of the most important initial considerations in forensics investigations involving iPods is that these devices are often physically connected to computers. When it is connected, the iPod appears as a mounted volume on the computer. You can determine whether an iPod is mounted on another computer by looking at the iPod’s screen: if “Do Not Disconnect” is displayed, the iPod is mounted, and it must be unmounted before it is physically disconnected from the computer. To do this on Macintosh computers, drag the iPod icon to the trash bin on the Mac desktop. To do this on Windows computers, click the “Unplug or eject hardware” icon in the task bar at the lower right of the display. If the iPod is not unmounted before being physically disconnected from a computer, the iPod’s hard drive can be damaged.
Before an investigator starts unmounting the iPod being analyzed, it is important to record the name of the iPod, which should appear on the desktop of the computer on which the iPod is mounted. Knowing this name helps the investigator choose the right tool(s) for the forensics dump and the subsequent forensics analysis.
Another thing that a forensics investigator must do when dealing with an iPod is to find out whether the device is formatted for the Macintosh file system (HFS+) or the Windows file system (NTFS-5). On the iPod, go to Settings > About and scroll down to the Format line. Then look at the bottom of the display: if the iPod is formatted for Windows, a short message to that effect is displayed. If there is no such message, the iPod is almost certainly HFS+ formatted.
One thing that is nice about working with iPods in forensics investigations is that it does not matter whether the iPod is off or on. Regardless of the state of the iPod, you will be able to make a forensics dump of the data, although turning this device off minimizes the likelihood of data being modified during the data transfer process. You will have several options in making this dump:
• You can turn the iPod off and take the iPod apart, detaching the hard drive for the purpose of analysis. Forensics purists will almost certainly prefer this option because, all things considered, connecting to a detached hard drive is least likely to result in data modification and/or incomplete data capture. You can then physically connect the iPod to the machine on which a forensics tool has been installed and use the tool to do a data dump. Alternatively, you can use the dd command on a Unix or Linux system, or on a Windows system on which Cygwin has been installed.
• You can leave the iPod physically attached to the computer that has mounted the iPod. You can then run a forensics tool or use the dd command to dump the iPod’s data to that computer.
• You can physically connect the computer to which the iPod is attached to another computer and dump the iPod’s data to that other computer. Access to the data in this case is through the mounted volume on the computer to which the iPod is attached. Alternatively, you can set up an ssh or other secure remote connection between the computer to which the iPod is attached and the other computer.
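As an added example (not code from the original posting), the following Python check confirms the format reading taken from the Settings screen against the dd image itself: it reads the file-system signature from the first 2 KiB of a volume image, and if it was handed a whole-device image instead, it reports the partition scheme found there. Beyond the HFS+ and NTFS cases discussed above it also recognizes FAT32 boot sectors; the sample byte buffers at the end are constructed, not taken from a real iPod.

```python
def detect_volume_format(buf):
    """Identify the file system from the first 2 KiB of a *volume* image.
    Signature offsets follow the on-disk layouts:
      NTFS : OEM ID 'NTFS    ' at byte 3 of the boot sector
      FAT32: label  'FAT32   ' at byte 82 of the boot sector
      HFS+ : 'H+' (or 'HX' for HFSX) at byte 1024, the volume header start
    """
    if len(buf) < 1026:
        return "unknown"
    if buf[3:11] == b"NTFS    ":
        return "NTFS"
    if buf[82:90] == b"FAT32   ":
        return "FAT32"
    sig = buf[1024:1026]
    if sig in (b"H+", b"HX"):
        return "HFS+"
    if sig == b"BD":
        return "HFS (legacy)"
    return "unknown"

def detect_partition_scheme(buf):
    """A dd image of the whole device begins with a partition table, not a
    volume. An Apple Partition Map has 'PM' entries from block 1; an MBR
    ends block 0 with 0x55AA. A FAT/NTFS boot sector also ends with 0x55AA,
    so call this only after detect_volume_format() returned 'unknown'."""
    if buf[512:514] == b"PM":
        return "Apple Partition Map"
    if buf[510:512] == b"\x55\xaa":
        return "MBR"
    return "none detected"

def classify_image_head(buf):
    """Return ('volume', file system) or ('disk', partition scheme)."""
    fs = detect_volume_format(buf)
    if fs != "unknown":
        return ("volume", fs)
    return ("disk", detect_partition_scheme(buf))

def classify_image_file(path):
    """Read only the first 2 KiB of an image file; nothing else is touched."""
    with open(path, "rb") as f:
        return classify_image_head(f.read(2048))

# Constructed sample headers (synthetic bytes, not taken from a real iPod).
SAMPLE_HFSPLUS = bytearray(2048); SAMPLE_HFSPLUS[1024:1026] = b"H+"
SAMPLE_FAT32 = bytearray(2048);   SAMPLE_FAT32[82:90] = b"FAT32   "
SAMPLE_NTFS = bytearray(2048);    SAMPLE_NTFS[3:11] = b"NTFS    "
SAMPLE_APM = bytearray(2048);     SAMPLE_APM[512:514] = b"PM"
SAMPLE_MBR = bytearray(2048);     SAMPLE_MBR[510:512] = b"\x55\xaa"
```

Run classify_image_file() against the dump and against the individual partition image to get both the partition scheme and the file system; a mismatch with what the iPod’s Settings screen showed is worth noting in the case record.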
Finally, iPods have a Restore function that Apple claims overwrites old data when it is run. A paper, “iPod Forensics” by Christopher Marsico and Marcus Rogers in the fall 2005 issue of the International Journal of Digital Evidence, reports empirical tests showing Apple’s claim to be incorrect: Marsico and Rogers were able to forensically recover iPod data that were supposedly erased by a Restore. Assuming that Marsico and Rogers are correct (and they very much appear to be), forensics investigators need to be aware that iPod data which appear to have been deleted may still be recoverable.
In many ways, forensics analysis for iPods is simpler than with other mobile devices. This news should come as welcome relief, especially if you have read my previous postings in this series.