File000150

Module XXXVII – iPod and iPhone
Forensics

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Students Charged: iPod Used as
Criminal Tool
Source: http://www.mobilemag.com/content/print.php?content=11780

EC-Council
News: Sparking iPod Ignites
Investigation in Japan
Source: http://www.macnewsworld.com/story/62089.html?wlc=1221297637

EC-Council
News: iPhone Tantalizes,
Frustrates Forensics Experts
Source: http://www.wired.com

EC-Council
Module Objective
• iPod
• iPhone Overview
• iPhone OS Overview
• iPhone Disk Partitions
• Apple HFS+ and FAT32
• iPod and iPhone Forensics
• Write Blocking
• Write Blocking in Different OS
• Recover IPSW File
• Forensic information from the windows registry
• Timeline Generation
• Tools
This module will familiarize you with:

EC-Council
Module Flow
iPod
iPhone Overview
iPhone OS Overview
iPhone Disk Partitions
Apple HFS+ and FAT32
iPod and iPhone
Forensics
Write Blocking
Write Blocking in
Different OS
Recover IPSW File
Forensic information
from the windows
registry
Timeline Generation
Tools

EC-Council
iPod
iPod is a portable digital audio and video player offering a huge
storage capacity
• It is an iPod with Wi-Fi and a Multi-
Touch interface
• It features Safari browser and wireless
access to the iTunes Store and
YouTube
• It has iPhone OS as operating system
iPod Touch:

EC-Council
iPhone Overview
The iPhone is an Internet-connected multimedia Smartphone designed and marketed
by Apple Inc. with a multi-touch screen and a minimal hardware interface
• Phone
• Mail
• Safari
• iPod
• SMS
• Maps with GPS
• iTunes
• App Store
• Calendar
• YouTube
• Photos + Camera
• Stocks, Weather, Notes
• Calculator
Features:

EC-Council
What a Criminal Can Do with an
iPod
• Calendar entries may contain dates of crime or
other events that are related to crime
• Contact information of conspirators or victims
along with photos or other documentation are
transferred and stored on iPod
• iPod devices can be used to spread viruses and
child pornography
A criminal uses the iPod and all
its features in a variety of ways:

EC-Council
What a Criminal Can Do with an
iPhone
Send the viruses and Trojans to other users
Use for distributing child pornography images and videos
Data theft
Store and transmit personal and corporate information
Send threatening or offensive SMS and MMS
Attackers who aware of the SIM properties can manipulate it
Clone the SIM data for illicit use
Remove the Service Provider Lock (SP-Lock), limit the MS to a single network
Spamming

EC-Council
iPhone OS Overview
iPhone OS is the operating system developed
by Apple Inc. for iPhone and iPod touch
It is derived from Mac OS X and uses the
Darwin foundation
iPhone OS has four abstraction layers:
• The core OS layer
• The core services layer
• The media layer
• The cocoa touch layer
It takes less than half a GB of the device's total
memory storage
iPhone OS
Cocoa Touch
Media
Core
Services
Core OS

EC-Council
iPhone Disk Partitions
iPhone’s solid state NAND flash memory
is configured with two disk partitions by
default
• 300MB in size
• It contains iPhone OS and all of the
preloaded applications
• It is mounted as read-only by default
Root Partition:
• It contains the user’s data such as music,
photos etc.
• It is mounted as /private/var on the iPhone
User Partition:

EC-Council
Apple HFS+ and FAT32
iPod uses the Apple HFS+ file system when the device is
run with an Apple system and uses the FAT32 file
system when used with a Windows PC
When conducting forensics analysis of the iPod, it is
important to know which type of system the iPod has
been synchronized with
Knowledge of the format used, makes it easier to match
the iPod device to the host that it has been
synchronized with

EC-Council
Application Formats
Feature Application Format
Contact information vCard
Calendar entries vCalendar
Audio
AAC, Protected AAC, MP3, MP3 VBR, Audible (formats
2, 3, and 4), Apple Lossless, AIFF, and WAV
Video H.264 video, .m4v, .mp4, MPEG-4 video, and .mov

EC-Council
iPod and iPhone Forensics
iPod and iPhone Forensics refers to the recovery of digital
evidence from a iPod and iPhone under forensically sound
conditions using accepted methods
It includes recovery and analysis of data
It helps in tracing and prosecuting criminals where iPod and
iPhones are used as a mean for committing the crime
It also helps in other criminal cases to extract contact details
and conversation or other form of communication logs
Data stored in iPod and iPhones provide insight of the cases

EC-Council
Evidence Stored on iPod and
iPhone
Text messages
Calendar events
Photos and videos
Caches
Logs of recent activity
Map and satellite imagery
Personal alarms
Notes
Music
Email
Web browsing activity
Passwords and personal credentials
Fragments of typed communication
Voicemail
Call history
Contacts
Information pertaining to
interoperability with other devices
Items of personal interest

EC-Council
Forensic Prerequisites
• Mac OS X and Windows machine with enough disk space
• iPod/iPhone USB dock connector
Hardware
• SSH connection tools such as OpenSSH, PuTTY, SecureCRT, OpenSSH
for Windows, and TeraTerm Pro Web for windows and Nifty Telnet SSH
and SSH in Mac OS X for Mac OS
• Secure Copy or SCP utilities such as WinSCP, PenguiNet for Windows,
OpenSSH, SecPanel and Midnight Commander for Unix-like systems and
Fugu and Cyberduck for Mac OS X
• Latest versions of iTunes software
Software
• A working Wi-Fi access point
• 3G and EDGE Internet access
Others

EC-Council
Collecting iPod/iPhone Connected with
Mac
If an iPod/iPhone is connected to a computer at the
scene, check whether the device is mounted
Determine whether a device is mounted by looking at
the screen of the iPod/iPhone
Unmount the device before disconnecting it from the
computer by dragging the icon of the iPod/iPhone to
the trashcan on the Macintosh desktop

EC-Council
Collecting iPod/iPhone Connected with
Windows
Note the name of the iPod/iPhone on desktop before unmounting it
If iPod/iPhone is connected to Windows machine, unmount it by
clicking “Unplug or eject hardware” icon on the task bar
Disconnect or unplug the computer, because the iPod/iPhone disk could
be damaged if it is not disconnected properly

EC-Council
Disable Automatic Syncing
It prevents cross contamination of iPod/iPhone data
Check the box labeled "Disable automatic
syncing for all iPhones and iPods"
Click the Syncing tab
Select Preferences from the iTunes menu
Open iTunes on the desktop machine

EC-Council
Write Blocking
Write blocking is a technique used in computer
forensics in order to maintain the integrity of data
storage devices
While investigating the contents of iPod and
iPhone, it is necessary to investigate the device
without altering it
Use software writer blocker such as PDBLOCK and
hardware write blockers such as WiebeTech
Forensic SATADock to prevent the information
from alteration

EC-Council
Write Blocking in Different OS
• Change the registry key
HKEY_LOCAL_MACHINESystemCurrentControls
etControlStorageDevicePolicies to the hex value of
0x00000001 and restart the computer
Windows:
• Modify the source code for the components of OS and
recompile its operating system to prevent write
access to the iPod/iPhone
• Change the OS configuration
Linux:
• It is based upon the UNIX concepts, so change the OS
configuration as in the Linux
Macintosh:

EC-Council
Image the Evidence
Imaging is the process of creating an exact copy of
contents of a digital device
It prevents the original evidence from accidental
modification
Use imaging tools such as EnCase to create the
exact image of the iPod/iPhone
Verify the source and image using hashing
technique

EC-Council
View the iPod System Partition
View the iPod system partition using hex
editor
iPod system partition consists of the
following information:
• iPod OS
• Images used in the operation of the device
• Games and other applications used in the
device

EC-Council
View the Data Partition
Data partition of the iPod stores the important information necessary
for investigation
The information includes:
• Calendar entries
• Contact entries
• Note entries
• Hidden iPod_Control directory
• iTunes configuration information
• Music stored on the iPod
View this partition information using Forensic Toolkit, Encase, a hex
editor, and various Linux and Macintosh analysis commands

EC-Council
Break Passcode to Access the
Locked iPhone
• From the keypad, press the Emergency Call button
• Type *#301# followed by the green [phone] button
• Delete the previous entry by hitting the delete key six times
• Type the number 0 followed by the green [phone] button
• Answer the call by pressing the green [phone] button
• End the call by pressing the red [phone] button
• Press the [Decline] button
• In the Contacts tab, press the [+] button at the top to create a new contact
• In the Add new URL tab, Enter prefs: and press the [save] button
• Touch the No Name contact entry
• Click the home page prefs: button
• Click the General tab in setting menu
• Click the Passcode Lock tab
• Click the Turn Passcode Off tab
• Return to the General tab by clicking on [cancel]
• Click Auto-Lock and reset it to Never

EC-Council
Acquire the DeviceInfo File
• First data item recorded in the
file denotes the iPod name
• Second data item denotes the
username logged into the
computer at the time
• Third data item denotes
computer name to which iPod
is linked
Information in the
file includes:
The file iPod_ControliTunesDeviceInfo on the iPod contains the important forensics
information
iPod keeps a persistent record of the computer with which it is initialized in DeviceInfo file
iTunes create this file when the iPod is setup within iTunes and linked with the computer
on which iTunes is running

EC-Council
Acquire SysInfo File
The file iPod_ControlDeviceSysInfo on the
iPod contains the important forensics
information
• iPod model number
• iPod serial number
• iPod serial number presents to the computer,
listed under the identification of FirewireGuid
• This identifier identifies the connection of the
iPod to a Windows computer and recorded in the
Windowssetupapi.log file
Information includes:

EC-Council
SysInfo File (cont’d)

EC-Council
Recover IPSW File
.IPSW is iPod and iPhone Software Update
file format
.ipsw file contains the data about software
restores and minor updates in the
iPod/iPhone
It is stored in the following location in the
iPhone:
• Library/iTunes/iPhone Software Updates
.ipsw file gives information of the running,
installed and uninstalled application

EC-Council
Check the Internet Connection
Status
E on screen shows slower Edge network
3G icon shows the faster but limited-
area third-generation network
Radiating signal bars show Wi-Fi
connectivity

EC-Council
View Firmware Version
• Select Home button → Settings → General →
About
• Check the entry for Version
In iPhone
With the iPod/iPhone connected to iTunes, click on the iPod in the left column of
iTunes window → go to the Summary tab

EC-Council
Recover Network Information
Network information can be recovered using
Devinfo application in the iPhone
Devinfo application includes the following
information:
• Network interfaces including VPN, GPRS/EDGE/3G,
WiFi
• TCP/UDP connections
• Routing table
• Running processes
• System info, memory, and disk usage

EC-Council
Recovering Data from SIM Card
• Service-related information such as unique identifiers for the (U)SIM, the Integrated
Circuit Card Identification (ICCID), the subscriber, and the International Mobile
Subscriber Identity (IMSI)
• Phonebook and call information such as Abbreviated Dialing Numbers (ADN) and
Last Numbers Dialed (LND)
• Messaging information including SMS, EMS, and multimedia messages
• Location information, including Location Area Information (LAI) for voice
communications and Routing Area Information (RAI) for data communications
SIM contains important information related to the
forensics investigation:
• SIM Analyzer
• SIMCon
• SIM Card Data Recovery Software
SIM card data can be recovered using the following tools:

EC-Council
Acquire the User Account Information
iPod keeps a persistent record of the computer with
which it is initialized in DeviceInfo file
User and computer names are saved in DeviceInfo
file
The username is directly underneath the iPod‘s
name and the computer’s name is underneath the
username in the DeviceInfo file
If the username stored on the iPod is same as the
username of Mac computer , then iPod is linked to
suspect’s computer and suspect’s account

EC-Council
View the Calendar and Contact Entries
Calendar and Contact Entries are found on iPod by
doing string search
The standard vCard and vCalendar formats store the
entries on hard drive in plain text
Calendar entry is stored with file header
“BEGIN:VCALENDAR”
The contact entry is stored with file header
“BEGIN:VCARD”
File headers note the beginning of each vCalendar or
vCard entry and remains even if a file is deleted

EC-Council
Recovering Photos
iTunes is used to manage the content of the iPhone
Steps for recovering photos:
• Connect the laptop with the iPhone
• Run iTunes
• Click the Photos tab
• Adjust the setting
• Specify the folder to which photos should be synced
Photos can be directly downloaded using Cellebrite
UME 36 Pro

EC-Council
Recovering Address Book
Entries
Check the address book entries, which are
stored in the following database in the iPhone:
• Library_AddressBook_AddressBook.sqlitedb
• Library_AddressBook_AddressBookImages.sqlite
db
Retrieve the databases using iTunes
Use the tools such as Cellebrite UME 36 Pro
and WOLF to recover address book entries
after connecting it with the iPhone

EC-Council
Recovering Calendar Events
Check the calendar events stored in the
following database in the iPhone:
• Library_Calendar_Calendar.sqlitedb
Retrieve this database using iTunes
Use the tool Cellebrite UME 36 Pro to
recover calendar events after connecting
it with the iPhone

EC-Council
Recovering Call Logs
Call logs are stored in the following database in the
iPhone:
• Library_CallHistory_call_history.db
They include :
• Dialed Numbers
• Received Numbers
• Missed Calls
They can be recovered using the tool WOLF

EC-Council
Recovering Map Tile Images
Map tile images are stored in the following
database of the iPhone:
• Library_Maps_Bookmarks.plist
• Library_Maps_History.plist
Use Cellebrite UME 36 Pro to directly recover
map tile images after connecting it with the
iPhone

EC-Council
Recovering Cookies
Cookies are stored in the following
database in the iPhone:
• Library_Cookies_Cookies.plist
It can be downloaded to a computer during
an iTunes sync process

EC-Council
Recovering Cached and Deleted
Email
Email is stored in the following database of
the iPhone:
• Library_Mail_Accounts.plist
• Library_Mail_AutoFetchEnabled
It can be downloaded to a computer during
an iTunes sync process

EC-Council
Recover Deleted Files
Deleted files on the iPod are moved to “.Trashes501”
folder
These deleted files in the “.Trashes501” are viewed
using the file viewer which recognizes the hidden files or
forensics tools
Once the trash is emptied, the files are deleted, but can
still be found by using the deleted file recovery process
of the forensic tool in the “.Trashes501” folder

EC-Council
Forensic Information from the
Windows Registry
• Key created while connecting iPod/iPhone to the windows
computer
• Last time when registry keys were changed
• Serial number of the iPod/iPhone
System registry file consists of:
Windows registry in the computer to which iPod is connected, contains
significant information for the iPod/iPhone forensics

EC-Council
Windows Registry (cont’d)

EC-Council
Windows: setupapi.log
Computer to which the iPod is connected consists of setupapi.log file
This setupapi.log file records all the driver installation after the
system is booted
It records all the events when iPod is connected to the Windows
system

EC-Council
setupapi.log (cont’d)

EC-Council
Recovering SMS Messages
SMS can be recovered using the tool
Tansee iPhone Transfer SMS
SMS is stored in the following file in the
iPhone:
• Library_SMS_sms.db

EC-Council
Other Files Which Are Downloaded to the
Computer During the iTunes Sync Process
Library_Keyboard_dynamic-text.dat
Library_LockBackground.jpg
Library_Notes_notes.db
Library_Preferences_.GlobalPreferences.plist
Library_Preferences_SBShutdownCookie
Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
Library_Preferences_SystemConfiguration_com.apple.wifi.plist
Library_Preferences_SystemConfiguration_preferences.plist
Library_Preferences_com.apple.AppSupport.plist
Library_Preferences_com.apple.BTServer.plist

EC-Council
(cont’d)
Library_Preferences_com.apple.Maps.plist
Library_Preferences_com.apple.MobileSMS.plist
Library_Preferences_com.apple.PeoplePicker.plist
Library_Preferences_com.apple.Preferences.plist
Library_Preferences_com.apple.WebFoundation.plist
Library_Preferences_com.apple.calculator.plist
Library_Preferences_com.apple.celestial.plist
Library_Preferences_com.apple.commcenter.plist
Library_Preferences_com.apple.mobilecal.alarmengine.plist
Library_Preferences_com.apple.mobilecal.plist

EC-Council
(cont’d)
Library_Preferences_com.apple.mobileipod.plist
Library_Preferences_com.apple.mobilemail.plist
Library_Preferences_com.apple.mobilenotes.plist
Library_Preferences_com.apple.mobilephone.plist
Library_Preferences_com.apple.mobilephone.speeddial.plist
Library_Preferences_com.apple.mobilesafari.plist
Library_Preferences_com.apple.mobileslideshow.plist
Library_Preferences_com.apple.mobiletimer.plist
Library_Preferences_com.apple.mobilevpn.plist

EC-Council
(cont’d)
Library_Preferences_com.apple.preferences.network.plist
Library_Preferences_com.apple.preferences.sounds.plist
Library_Preferences_com.apple.springboard.plist
Library_Preferences_com.apple.stocks.plist
Library_Preferences_com.apple.weather.plist
Library_Preferences_com.apple.youtube.plist
Library_Preferences_csidata
Library_Safari_Bookmarks.plist
Library_Safari_History.plist

EC-Council
Analyze the Information
Find out username and computer used by examining the
iPod_ControliTunesDeviceInfo file
Detect and recover the hidden information
Use the steganalysis tools such as Stegdetect to extract the hidden information
If the data is encrypted, use cryptanalysis tools such as Crank and Jipher to reveal the
encrypted information
If the information is password protected, use the password cracking tools such as Cain
and Abel and hydra
If the data is in audio or video format, use different audio/video players
Check the time of different activities over the iPod
Check what exactly happened, what event occurred, who was involved, and how it
occurred

EC-Council
Analyze the Information (cont’d)
Identify the individuals who created, modified, or accessed a file
Determine when events occurred by analyzing call logs, the date/time and content of
messages and email
Create the timeline of the events
Recover the hidden information
If the entries such as SMS, contacts, emails, etc. are encrypted then use cryptanalysis
tools such as crank
Use password cracking tools such as Hydra to read the password protected information
Try to find out the geographical location of the attacker

EC-Council
Timeline Generation
iPod generates timestamp for each file, timestamp is the
time of different activities performed on the iPod files
Investigator should create the timeline schedule for
analysis
• iPod_ControlDeviceSysInfo modified time
• iPod_ControliTunesiTunesControl creation time
• iPod_ControliTunesDeviceInfo (and others) modified time
• iPod when connected to the computer and initialized
• Creation time for all music files
• Modification time of all music files
Timeline should be created depending on:

EC-Council
Timeline Generation: File Status After
Initializing the iPod with iTunes and
Before Closing iTunes

EC-Council
Timeline Generation: File Status After Connecting
iPod to the Computer for Second Time, Copying
Music, and Closing iTunes

EC-Council
Time Issues
iPod consists of the internal clock
Forensics investigator has to understand how time is reflected in the data
being analyzed
• Set the time and date on the iPod different from the
computer connected to it
• Connect the iPod to the computer and copy some music
to the iPod using iTunes; note down created, accessed,
and modified times of the files
• Disconnect the iPod from the computer
• Check the time on the internal clock of the iPod
• Play the songs on the iPod
• Reconnect the iPod to the computer
• Recheck the file created, accessed, and modified times
Internal clock of the iPod is tested
with the following steps:

EC-Council
Jailbreaking in iPod Touch and iPhone

EC-Council
Jailbreaking
Jailbreaking allows the installation of third-party
applications on iPod Touch and iPhone

EC-Council
AppSnapp
http://jailbreakme.com/
• Patches Springboard to load third party apps
• Activates non-AT&T iPhones automatically, while leaving already activated phones
alone
• Fixes YouTube on non-AT&T iPhones automatically, while leaving already activated
phones alone
• Installs Installer.app v3.0 on the iPhone/iPod Touch with Community Sources
preinstalled
• Fixes Apple's TIFF bug, making your device MORE secure than it was without
AppSnapp
• Enables afc2 protocol and adds special commands to allow killing springboard,
lockdowns, etc from iPhone
Features:
AppSnapp is a jailbreaking tool that allow the installation of non-sanctioned third-party
applications in the iPod Touch/iPhone running the 1.1.1 firmware
It jailbreaks the iPod Touch/iPhone and then pushes Installer.app to the device, which
contains a catalog of native applications that can be installed directly over a WiFi or EDGE
connection

EC-Council
AppSnapp: Screenshot

EC-Council
Tool for Jailbreaking: iFuntastic
http://ifuntastic.com/
iFuntastic is an iPod Touch hacking and
modification tool
It has full file browser feature, which simply
browses the iPod Touch's internal file system, and
edit UI images

EC-Council
iFuntastic: Screenshot 1

EC-Council
iFuntastic: Screenshot 2

EC-Council
Pwnage: Tool to Unlock iPod Touch
http://wikee.iphwn.org/
Pwnage is the tool used to unlock the locked iPod Touch

EC-Council
Erica Utilities for iPod Touch
http://ericasadun.com/
Erica helps investigator to extract different forensics
information about the iPod touch
Features:
• Query your iPod or iPhone for device attributes including
platform name, processor, etc
• Search the App Store from the command line.
• Enter a simple query phrase

EC-Council
Tools

EC-Council
EnCase
http://www.encase.co.za/
EnCase is the most efficient and user-friendly tool for
recovering data from HFS+ file system
It displays the file structure of HFS+ formatted
device, including hidden folders
It automatically displays deleted files
Find File script is used to recover deleted files
including images and Word documents

EC-Council
EnCase: Screenshot

EC-Council
DiskInternals Music Recovery
DiskInternals Music Recovery is an effective solution for recovering
media files which have been deleted or corrupted
Even if the storage device was formatted and all information was
erased, or if the information is corrupted, the media files can be
recovered by using DiskInternals Music Recovery
With DiskInternals Music Recovery, one will be able to restore almost
any music as it supports a number of media formats, including mp3,
wma, asf, wav, ogg, wv, ra, rm, vqf, mid, and voc
The program also works with all file systems.; and supports
Windows, Mac OS, Linux, and other disk types

EC-Council
DiskInternals Music Recovery:
Screenshot

EC-Council
Recover My iPod: Tool
http://www.recovermyipod.com/
Specifically designed for iPod data recovery, Recover My iPod will bring
back music, video and photos from an iPod drive; recovers deleted or
lost files from your iPod

EC-Council
iPod Data Recovery Software
http://www.datadoctor.in/
iPod data recovery software recovers files
from Apple iPods
• Recover deleted songs, music, files, pictures,
videos, mp3, mp4 and other files from the
iPod digital music player
• Support all major Apple iPods including
iPod Mini, iPod Nano, iPod Shuffle and iPod
first to iPod next generation audio video
models
• Retrieve files and folders when updated and
restored using iTunes software
Features:

EC-Council
iPod Data Recovery Software:
Screenshot

EC-Council
iPod Copy Manager
iPod Copy Manager is an iPod backup & recovery software
By using iPod Copy Manager, songs, videos, and DVD movies can be
copied easily from iPod to computer
You can backup all the iPod videos and music

EC-Council
iPod Copy Manager: Screenshot

EC-Council
Stellar Phoenix iPod Recovery
http://www.stellarinfo.com/
Stellar Phoenix iPod Recovery software recovers music files, graphics, videos,
documents and other contents which have been corrupted, damaged or deleted from
the iPod
It recovers information from an iPod when it creates the following problems:
• “The iPod ** cannot be updated, the required folder cannot be found"
• "Disk is locked"
• "iTunes folder cannot be found"
• "Firmware update failure"
• "There was an error in the iTunes Store. Please try again later."
• "Unable to Check for Purchased Music because an error occurred (-5000 error)."
• "Can't lock iPod. Please check if any other applications are using iPod and try again."
• "Error 1428"
• "Error 1417"
• "Error 60"
• "Error 200”

EC-Council
Stellar Phoenix iPod Recovery:
Screenshot

EC-Council
Tool: Aceso
http://www.radio-tactics.com/
Aceso is the forensic tool which download data stored in mobile
phone SIM/USIM cards, handsets and memory cards
Features
• Handset Access Card creation
• Blocks network access for all SIM and USIM cards
• Prevents overwrite of existing data
• SIM/USIM Acquisition
• Dual mode also supported
• Handset Acquisition
• 421 Supported Handsets including Blackberry, Symbian and iPhone
• Data types supported: contacts, SMS, MMS, call registers, calendar, file system
• Memory Card Acquisition
• Raw bit-for-bit image
• File system

EC-Council
Tool: Cellebrite UME 36 Pro
http://www.cellebrite.com
Cellebrite UME 36 Pro is the forensic tool
which transfer all forms of memory content
as a backup
It support wide range of mobile phones,
smart phones and PDAs including iPhone
The content which Cellebrite can transfer
are as following:
• Pictures
• Videos
• Ringtones
• SMS
• Phonebook contacts data

EC-Council
Tool: Wolf
http://sixthlegion.com
Wolf is the application which retrieved the content stored in
iPhone
It extract the content without jailbreaking
The content which it can extract are as follows:
• Handset Info
• Contacts
• Call Logs
• Messages
• Internet Info & History
• Photos
• Music / Videos

EC-Council
Wolf: Screenshot

EC-Council
Tool: Device Seizure
http://www.paraben-forensics.com
Text messages and images can be found in a
physical data dump of a phone
Device Seizure can acquire the following data:
• SMS History (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook
• Call History Received Calls
• Dialed Numbers
• Missed calls
• Call Dates & Durations
• Datebook
• Scheduler
• Calendar
• To-Do List
• File system

EC-Council
Tool: PhoneView
http://www.ecamm.com/
PhoneView provides easy access to iTunes media,
photos, notes, SMS messages, call history and contacts
Features:
• File Storage Made Easy: makes it simple to transfer files
between Mac and iPhone
• Powerful Notes Access: it add, view and edit iPhone's
Notes on Mac desktop
• Export SMS Messages and Recent Calls: this information
can be viewed in text editor or spreadsheet

EC-Council
Tool: iPhone Drive
http://www.findmysoft.com/
iPhoneDrive is a Mac OS X application which allow
use of iPhone for file storage
Its drag and drop feature makes it easy to move
files back and forth between the Mac and iPhone
Features:
• It stores any type of data
• Copy files and folders to and from the iPhone
• Back up important data

EC-Council
iPhone Drive: Screenshot

EC-Council
Tool: Tansee iPhone Transfer SMS
http://pocket.qweas.com/
Tansee iPhone Transfer SMS is the
tool which copies the SMS from the
iPhone to the computer
Features:
• Backup SMS in iPhone to computer
• View and manage old iPhone SMS in
the computer
• View SMS in text file format or ants
file format on computer
• Password protection support for ants
file

EC-Council
Tool: SIM Analyzer
http://cpa.datalifter.com/
SIM Analyzer is a cell phone forensics tool, that recovers the contents from
SIM card of different cell phones
It recovers:
• Last Number Dialed, Abbreviated Dialing Numbers
• Active and Deleted text (SMS) messages
• All the general files found in the Telecom group as defined in the GSM 11.11v6
standards

EC-Council
Tool: SIMCon – SIM Card Recovery
http://www.simcon.no/
SIMCon is a program that allows the user to securely image all files on a
GSM/3G SIM card to a computer file with the SIMCon forensic SIM card
reader
Features:
• Read all available files on a SIM card and store in an archive file
• Analyze and interpret content of files including text messages and stored numbers
• Recover deleted text messages stored on the card but not readable on phones
• Manage PIN and PUK codes
• Compatible with SIM and USIM cards
• Print report that can be used as evidence based on user selection of items
• Secure file archive using MD5 and SHA1 hash values
• Export items to files that can be imported in popular spreadsheet programs

EC-Council
SIMCon: Screenshot

EC-Council
Tool: SIM Card Data Recovery
Software
http://www.datadoctor.in
SIM Card Data Recovery Software recovers accidentally deleted data
from mobile phone SIM card
Features:
• Retrieve all deleted contact numbers (phone numbers), unreadable
messages, corrupt phone book directory
• Undelete both viewed and unread inbox text SMSes, outbox messages;
and draft, save, and favorite, text messages; and sent items that have been
deleted from SIM card memory
• Provides full details about a SIM card, like its provider and ICC–ID

EC-Council
SIM Card Data Recovery
Software: Screenshot

EC-Council
Summary
The iPod has gathered interest from the criminal community as a tool
to store information relating to their crimes
Contact information of conspirators or victims along with photos or
other documentation are transferred and stored on iPod
iPod should be stored in a static-free bag and marked as evidence

EC-Council

File000150

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (8)

Ähnlich wie File000150

Ähnlich wie File000150 (20)

Mehr von Desmond Devendran

Mehr von Desmond Devendran (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

File000150