«  
  »
February 6th, 2009 by ahoog

iPhone Forensic White Paper

Our free (as in beer) iPhone Forensics white paper is now available for download.

Want updates?

If you would like an email when the paper is updated (3 new products in the testing already), please use the form below.

Register for updates regarding mobile security and forensics using this form. To register for other topics please visit our main contact us page.

Overview

The white paper reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information.   Consumers and corporations have a legitimate concern over confidential information and its unauthorized release or use.  This paper educates readers on what information is stored and reviews six specific products and techniques for recovering it.  The products are:

  • Device Seizure – Paraben
  • Mac Lock Pick – SubRosaSoft
  • MDBackupExtract – BlackBag Tech
  • UFED – Cellebrite
  • WOLF – Sixth Legion
  • Zdziarski’s technique

The report provides detailed information and screen shots for the installation steps, acquisition process, reporting process and determines accuracy of the results for each tool.

February 6th, 2009 | Category: iPhone Forensics

13 comments to iPhone Forensic White Paper

  • Linda Davis
    March 2, 2009 at 10:17 am

    Saw your white paper regarding iPhone data recovery. Thought you might be interested to know that the Logicube CellDEK now captures from iPhones. Please see more information on our website at http://www.logicubeforensics.com

  • Jeff
    March 3, 2009 at 2:46 pm

    Why do we have to register to view a “free” whitepaper?

  • ahoog
    March 3, 2009 at 3:19 pm

    Jeff,

    Fair question, thank you for asking. First and foremost, the paper does not cost anything so it remains free. There are several reasons I ask people to register (and hundreds already have):

    1. Allow me to alert people when an update to the paper is available (including corrections, new products added, etc.). An update is already in progress.

    2. Allow me to gauge interest in the paper to decide if future efforts (i.e. Android forensics white paper) are worthwhile.

    3. Encourage participation in forums to help people solve problems and advance the field.

    4. Afford the possibility that I might assist people from my efforts (i.e. generate business).

    If you have tackled something like this before, you will know that it takes an enormous amount of effort. This paper took the better part of 3 months (in the evenings, early mornings and weekends) to complete. So, by not charging for the paper but requiring registration, I am able to still share the knowledge I gained with everyone and possibly benefit from the exposure.

    If you feel this is unfair, I welcome further discussion. Thank you.

    -Andrew

  • Jim
    March 5, 2009 at 12:42 pm

    Linda,
    Don’t forget to mention that the Logicube CellDEK, which we do have in our lab, does NOT extract email. Even email stored on the phone that you can see!! Not a total solution to iPhone forensics.

  • Interested in iPhone Forensics? Got 101 Pages for Ya! - iPhone Newswire
    March 5, 2009 at 3:33 pm

    [...] have a deep curiosity about iPhone forensics, and are looking for 101 pages on it, Andrew Hoog of Chicago E-Discovery has you [...]

  • Interested in iPhone Forensics? Got 101 Pages for Ya! | Daily iPhone
    March 5, 2009 at 7:30 pm

    [...] have a deep curiosity about iPhone forensics, and are looking for 101 pages on it, Andrew Hoog of Chicago E-Discovery has you [...]

  • BR549
    March 5, 2009 at 9:45 pm

    So what reliable software is out there that will wipe the iphone clean? I take it a restore doesn’t do that? Something that wipes the different categories? Like sms, email and deleted phone log?

    Anyone?

  • Interested in iPhone Forensics? Got 101 Pages for Ya! | iPhone, The Blog
    March 5, 2009 at 9:54 pm

    [...] have a deep curiosity about iPhone forensics, and are looking for 101 pages on it, Andrew Hoog of Chicago E-Discovery has you [...]

  • Interested in iPhone Forensics? Got 101 Pages for Ya! | My Apple iPhone
    March 6, 2009 at 1:41 am

    [...] have a deep curiosity about iPhone forensics, and are looking for 101 pages on it, Andrew Hoog of Chicago E-Discovery has you [...]

  • ahoog
    March 6, 2009 at 5:48 am

    BR549,

    Since 2.0 firmware, Apple has a secure erase built in under Settings -> General -> Reset -> Erase All Content and Settings.

    I have not performed a secure erase and then forensically analyzed the iPhone to validate it worked but I suspect it does the trick. I’ll try to test that soon and update this comment. Thanks.

    Andrew Hoog
    Chicago Electronic Discovery
    (w) 773-539-7909 (f) (312) 268-7281
    http://chicago-ediscovery.com

  • People Over Process » Links for March 9th
    March 9, 2009 at 7:01 pm

    [...] iPhone Forensic White Paper – Chicago Electronic Discovery101 pages pulling apart and analyzing the iPhone. [...]

  • Interested in iPhone Forensics? Got 101 Pages for Ya! — iPhone Tricks, Tips and Hacks
    March 9, 2009 at 9:40 pm

    [...] have a deep curiosity about iPhone forensics, and are looking for 101 pages on it, Andrew Hoog of Chicago E-Discovery has you covered: The white paper reveals the vast amount of personal information stored on [...]

  • Sachin Sathe
    March 23, 2009 at 11:52 pm

    Andrew,
    Firstaly i congradulate you for your paper realise,
    and also thanks for this wonderful paper which
    help us for investigation purpose..
    also sad about our product not participate in that…early i send you the our updated version..
    thanks

Leave a Reply