Main Page
From Computer Forensics FAQ
Computer and Digital Forensics FAQ
iPhone Forensics
- iPhone Forensics Techniques
- The difference between syncing an iPhone and backing it up: syncing makes sure files on your computer and iPhone are in sync and does back up some key information. However, a backup will make copies of SMS, call logs, application data, etc. For a forensic analyst, the backup information can be very important, especially if you do not have access to the iPhone directly.
Backup data location
iTunes backups of the iPhone (and iPod, iTouch, etc.) are stored in the following directories:
* Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
* Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
* Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
Backup folder files
Inside the backup folder, you will find 3 plist files (plaintext, not binary encoded) and many .mdbackup files:
* Status.plist – status of the last sync
* Manifest.plist – list of all files backed up, with modification time and hash signature
* Info.plist – information about the iPhone
* *.mdbackup – the name of the file is the SHA1 hash recorded when it was backed up from the iPhone; the data is serialized off the iPhone and stored as the backup file
The Info.plist has detailed information about the iPhone (name, ICCID, IMEI, phone number, firmware version, iTunes file and version info, etc.) and can thus tie a physical device to the backup directory. The Manifest.plist is important as it ensures data integrity between the backup files and the iPhone. Using this information, an examiner can manually extract important information during an investigation.
Commercial forensic products that analyze the iPhone backup directory
Of course, time is precious and manually decoding this information is better left to forensic tools. A good examiner will understand the process and the information and, if needed, should be able to perform these steps manually. However, using a tool you trust is a great way to access the information quickly. Here is an alphabetical list (likely incomplete but I will update) of forensic tools which state they analyze the iPhone backup directory:
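The two manual steps above (reading the device identifiers out of Info.plist, and checking each .mdbackup file against the hash recorded in Manifest.plist) can be scripted. The following is an added example written for this page, not code from any of the forensic products it goes on to list. It builds a constructed backup folder in a temporary directory so it runs offline; the Manifest.plist layout it uses (a "Files" dictionary keyed by backup-file name, each entry carrying a "Hash", "ModTime" and "Path") and the Info.plist key names are assumptions made for the example, not a description of the exact schema iTunes writes.

```python
import hashlib
import os
import plistlib
import tempfile

# Info.plist fields that tie a physical handset to a backup directory.
# These key names are an ASSUMPTION for this example, not a guarantee of
# the exact keys iTunes writes.
DEVICE_KEYS = ("Device Name", "IMEI", "ICCID", "Phone Number", "Product Version")


def build_sample_backup(root, tamper=False):
    """Write a constructed backup folder (Info.plist, Manifest.plist,
    Status.plist, a few *.mdbackup files). Returns the .mdbackup names."""
    payloads = {                                   # constructed device files
        "Library/SMS/sms.db": b"constructed SMS database bytes",
        "Library/CallHistory/call_history.db": b"constructed call log bytes",
    }
    manifest_files, names = {}, []
    for path, data in sorted(payloads.items()):
        # Backup file name is a SHA1 hex digest (here of the device path; assumption).
        name = hashlib.sha1(path.encode()).hexdigest() + ".mdbackup"
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        manifest_files[name] = {
            "Path": path,
            "ModTime": 1230768000,                 # constructed epoch timestamp
            "Hash": hashlib.sha1(data).hexdigest(),
        }
        names.append(name)
    with open(os.path.join(root, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"Files": manifest_files}, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(root, "Info.plist"), "wb") as fh:
        plistlib.dump({
            "Device Name": "Example iPhone",
            "IMEI": "000000000000000",             # placeholder, not a real IMEI
            "ICCID": "00000000000000000000",       # placeholder
            "Phone Number": "+1 555 0100",         # placeholder
            "Product Version": "2.2.1",
        }, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(root, "Status.plist"), "wb") as fh:
        plistlib.dump({"IsFullBackup": True}, fh, fmt=plistlib.FMT_XML)
    if tamper:
        # Simulate a backup file altered after the manifest was written.
        with open(os.path.join(root, names[0]), "ab") as fh:
            fh.write(b"!")
    return names


def read_device_info(root):
    """Return the device-identifying fields recorded in Info.plist."""
    with open(os.path.join(root, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return {key: info.get(key) for key in DEVICE_KEYS}


def verify_manifest(root):
    """Recompute SHA1 over every *.mdbackup and compare it with the hash in
    Manifest.plist. Returns (verified, mismatched, missing) name lists."""
    with open(os.path.join(root, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    verified, mismatched, missing = [], [], []
    for name, entry in sorted(manifest["Files"].items()):
        full = os.path.join(root, name)
        if not os.path.exists(full):
            missing.append(name)
            continue
        with open(full, "rb") as fh:
            digest = hashlib.sha1(fh.read()).hexdigest()
        (verified if digest == entry["Hash"] else mismatched).append(name)
    return verified, mismatched, missing


def run_demo(tamper=False):
    """Build the constructed backup in a temp dir and analyse it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root, tamper=tamper)
        return read_device_info(root), verify_manifest(root)


if __name__ == "__main__":
    info, (ok, bad, gone) = run_demo(tamper=True)
    print("device:", info)
    print("verified:", len(ok), "mismatched:", bad, "missing:", gone)
```

Against a real backup directory the examiner would point read_device_info and verify_manifest at the MobileSync\Backup path listed above instead of the constructed folder, after checking the actual Manifest.plist layout, since a mismatch between a file's recomputed hash and the manifest entry is exactly the integrity problem the manifest exists to expose.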
Analyzing TrueCrypt Volumes
- If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shut down, the contents will be inaccessible unless you have the proper encryption key, which is generated from a user's password. You may also need an additional data file.
Attacks
- The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.
- TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
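A triage pass for keyfile candidates follows directly from the two facts above: TrueCrypt only reads the first 1024 KB of a keyfile, and PRNG-generated keyfiles are random data. The script below is an added example written for this page (not part of the original, and not TrueCrypt's own code). It walks a directory tree, such as a mounted image of a USB stick, and flags files that are exactly 1024 KB long or whose first 1024 KB is near-random by byte entropy. The entropy threshold, the minimum size and the sample files it writes to a temporary directory are all constructed assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

# TrueCrypt reads at most the first 1024 KB of a keyfile.
KEYFILE_READ_BYTES = 1024 * 1024


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 to 8.0) over a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_keyfile_candidates(root, entropy_threshold=7.5, min_size=4096):
    """Walk a directory tree and flag files worth a closer look as possible
    TrueCrypt keyfiles: files that are exactly 1024 KB, and files whose first
    1024 KB is near-random (as a PRNG-generated keyfile would be). Both
    thresholds are assumptions. Returns sorted (relative path, size, reasons)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            size = os.path.getsize(path)
            reasons = []
            if size == KEYFILE_READ_BYTES:
                reasons.append("exactly 1024 KB")
            with open(path, "rb") as fh:
                head = fh.read(KEYFILE_READ_BYTES)   # only what TrueCrypt would use
            ent = shannon_entropy(head)
            if size >= min_size and ent >= entropy_threshold:
                reasons.append("high entropy (%.2f bits/byte)" % ent)
            if reasons:
                hits.append((os.path.relpath(path, root), size, reasons))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample files for a stand-alone run (not real evidence)."""
    rng = random.Random(2009)                   # seeded so results are repeatable
    samples = {
        "notes.txt": b"meeting notes, nothing unusual here\n" * 300,
        "keyfile.dat": rng.randbytes(KEYFILE_READ_BYTES),   # exactly 1024 KB, random
        "photo_like.bin": rng.randbytes(64 * 1024),        # random, wrong size
        "small.bin": rng.randbytes(512),                   # below min_size
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_keyfile_candidates(root)


if __name__ == "__main__":
    for rel, size, reasons in run_demo():
        print("%-16s %8d  %s" % (rel, size, "; ".join(reasons)))
```

Treat the output as a worklist, not a finding: compressed media and archives are also high-entropy, and any file at all can serve as a keyfile, so the scan narrows the search rather than proving anything. Note that "exactly 1024 KB" is a strong indicator on its own, because nothing else on a typical USB stick tends to be that precise size.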
Hidden volumes
- A hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
- When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
- Previous versions of encrypted containers may be found in journaling filesystems. It is important to track any changes within the free space of the outer container to detect the presence of a hidden container.
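Tracking changes in the outer container's free space, as the last point recommends, comes down to a block-level comparison of two acquisitions of the same container. The code below is an added example for this page, not TrueCrypt's or any product's code. It assumes the examiner has two byte-for-byte images of the container (for instance an earlier copy recovered from a journaling filesystem and the current one) and the list of allocated block ranges read from the mounted outer volume; the images and allocation map it uses are constructed, with random bytes standing in for ciphertext.

```python
import random

BLOCK_SIZE = 512


def changed_blocks(snapshot_a, snapshot_b, allocated_ranges, block_size=BLOCK_SIZE):
    """Compare two images of the same outer container and report which blocks
    changed, split into blocks the outer filesystem reports as allocated
    (ordinary file activity) and blocks in its free space (where a hidden
    volume would live). allocated_ranges is a list of half-open block ranges
    [(start, end), ...] read from the mounted outer volume."""
    if len(snapshot_a) != len(snapshot_b):
        raise ValueError("container images differ in size; compare like with like")
    allocated = set()
    for start, end in allocated_ranges:
        allocated.update(range(start, end))
    result = {"free": [], "allocated": []}
    for i in range(len(snapshot_a) // block_size):
        lo, hi = i * block_size, (i + 1) * block_size
        if snapshot_a[lo:hi] != snapshot_b[lo:hi]:
            result["allocated" if i in allocated else "free"].append(i)
    return result


def contiguous_runs(indices):
    """Collapse a sorted list of block numbers into (first, last) runs, so a
    cluster of changed free-space blocks shows up as one region."""
    runs = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs


def build_samples():
    """Constructed images: 64 blocks of random bytes standing in for container
    ciphertext, captured before and after the system was used."""
    rng = random.Random(42)                       # seeded for repeatability
    before = rng.randbytes(64 * BLOCK_SIZE)
    after = bytearray(before)
    allocated = [(0, 8), (20, 24)]                # outer-volume allocation map (constructed)

    def overwrite(block):
        after[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = rng.randbytes(BLOCK_SIZE)

    overwrite(3)                                  # an ordinary write inside the outer volume
    for b in range(48, 56):                       # writes landing in the outer volume's free space
        overwrite(b)
    return before, bytes(after), allocated


def run_demo():
    before, after, allocated = build_samples()
    return changed_blocks(before, after, allocated)


if __name__ == "__main__":
    r = run_demo()
    print("changed allocated blocks:", r["allocated"])
    print("changed free-space runs:", contiguous_runs(r["free"]))
```

A contiguous run of changed blocks that the outer filesystem considers free is the indicator to record, with the caveat that the outer filesystem can itself touch free space (its journal, defragmentation, files written and then deleted between the two captures), so the allocation map should be taken at both acquisition times and the run compared against the outer volume's own activity before drawing a conclusion.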
Hidden Operating Systems
- A hidden operating system is a system that is installed in a hidden TrueCrypt volume.
- It is possible to detect network-enabled hidden operating systems by matching downloaded content (from a network dump) with data on a possible decoy system.
- An investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if the Windows system is permanently connected to a LAN) and for TCP timestamps.
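Both signals named above (a small IP identification value, and a TCP timestamp counter that restarts) can be turned into boot-time estimates from a capture. The script below is an added example for this page, not part of the original text. It works on per-packet records of the kind exported from a capture file (capture time, IP ID, TCP timestamp value); the records here are constructed, describing one host that boots twice with a 100 Hz timestamp clock. Rather than assume a tick rate, it fits the rate from the packets themselves and extrapolates back to the moment the counter was zero.

```python
from datetime import datetime, timezone


def split_uptime_epochs(packets):
    """packets: (capture_time, ip_id, tcp_tsval) tuples for one host.
    A new epoch starts whenever the TCP timestamp value goes backwards,
    which is what a counter that restarts at boot looks like on the wire."""
    epochs, current, last_tsval = [], [], None
    for t, ip_id, tsval in sorted(packets):
        if last_tsval is not None and tsval < last_tsval:
            epochs.append(current)
            current = []
        current.append((t, ip_id, tsval))
        last_tsval = tsval
    if current:
        epochs.append(current)
    return epochs


def estimate_boot_time(epoch):
    """Fit the tick rate of the TCP timestamp clock from the first and last
    packet of an epoch and extrapolate back to tsval == 0.
    Returns (boot_time_epoch_seconds, tick_hz), or None if it cannot fit."""
    if len(epoch) < 2:
        return None
    (t0, _, v0), (t1, _, v1) = epoch[0], epoch[-1]
    if t1 == t0 or v1 == v0:
        return None
    tick_hz = (v1 - v0) / (t1 - t0)
    return t0 - v0 / tick_hz, tick_hz


def low_ip_id_packets(packets, threshold=256):
    """Capture times of packets with a small IP ID, the sign of a recently
    reset identification counter. The threshold is an assumption."""
    return [t for t, ip_id, _ in sorted(packets) if ip_id < threshold]


# Constructed capture: one host that boots twice; timestamp clock runs at 100 Hz.
BOOT_1 = 1230768000                    # constructed epoch seconds
BOOT_2 = BOOT_1 + 3600
SAMPLE_PACKETS = [
    (BOOT_1 + 600, 5,    60000),       # low IP ID shortly after first boot
    (BOOT_1 + 660, 1300, 66000),
    (BOOT_1 + 720, 2550, 72000),
    (BOOT_2 + 30,  7,    3000),        # counters restarted: second boot
    (BOOT_2 + 90,  900,  9000),
]


def run_demo(packets=SAMPLE_PACKETS):
    """One (boot_time, tick_hz) estimate per uptime epoch, None where unfittable."""
    return [estimate_boot_time(e) for e in split_uptime_epochs(packets)]


if __name__ == "__main__":
    for est in run_demo():
        if est:
            boot, hz = est
            print(datetime.fromtimestamp(boot, tz=timezone.utc), "clock %.0f Hz" % hz)
    print("low IP-ID packets at:", low_ip_id_packets(SAMPLE_PACKETS))
```

Neither signal is conclusive alone: the 16-bit IP ID counter wraps naturally, and not every stack restarts its timestamp clock at boot or sends timestamps at all, which is why the original note restricts the technique to a Windows system kept on the LAN. An epoch boundary that coincides with a low-IP-ID packet from the same address is the combination worth reporting, and its estimated boot time can then be compared with the decoy system's own boot records.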
External Links