[ISN] IPhone Tantalizes, Frustrates Forensics Experts

From: InfoSec News (alerts@private)
Date: Thu Aug 23 2007 - 00:34:41 PDT


http://www.wired.com/gadgets/wireless/news/2007/08/iphone_forensics

By Cathy B. Almeida
08.23.07

Technophiles may love the iPhone, but you criminals? Watch out. The 
iPhone may reveal more about your misdeeds than you realize.

Derrick Donnelly, chief technology officer of Blackbag Technologies, a 
Silicon Valley-based company specializing in Apple forensic solutions, 
is tempted by the rich array of potential evidence an iPhone might 
contain.

Will its data favor the defense or the prosecution? "There is more 
information in there than your average cell phone," explains Donnelly. 
"The ease of use lends itself to more use … and more use creates more 
artifacts."

The iPhone's web, e-mail and phone functionality -- combined with its 4- 
or 8-GB storage capacity -- means it can serve as a window into the 
personality, lifestyle, social circle and actions of the user. "Even 
though there might not be a smoking gun right in there," explains 
Donnelly, "a lot of these smaller pieces could add up to a bigger piece 
that could lead you to further evidence."

But not every forensics expert is convinced. "The iPhone is evil," says 
Amber Schroader, CEO of Utah-based Paraben, a leader in 
digital-forensics software development. "It's Mac OS X, and it's a 
completely closed system."

In other words, it's not easy for a forensics team to guarantee that the 
data extracted from an iPhone has not been tampered with. The result is 
that juries may find reasonable doubt in how that data was extracted.

The digital-forensics industry is dominated by PC experts, mirroring the 
larger percentage of PC users in the marketplace. Mac forensic analysis 
is considered a highly specialized service. "To know the iPhone is to 
know the Mac or vice versa," explains Donnelly. "Because it's a 
different file system and a different operating system, right off the 
bat the things you're usually looking for are not in the same places and 
they are in a very, very different format."

But even Mac experts like Donnelly are struggling with how to get the 
data off the iPhone's closed system without altering the data by turning 
on the device. Currently, the iPhone is not compatible with existing 
forensic software and data-extraction systems. Forensic experts may be 
left with old-school techniques like photographing data as it is 
displayed on the screen itself -- as if it were a yellow-taped crime 
scene.

Finding a laptop or desktop computer on the scene could help 
significantly. "You might not be able to get the information off the 
iPhone," says Donnelly, "but you may be able to get other devices that 
the iPhone was connected to." If the user had uploaded their phone's 
data, analysts may find copies on the linked computer.

The vast amount of personal data the iPhone can store and personal 
habits it can track means it has the potential to say a lot about the 
user. But the first challenge may be getting this closed-mouthed phone 
to talk.





