182 research outputs found

    Book Review of iPhone and iOS Forensic: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices

    Hoog, A., and Strzempka, K. (2011). iPhone and iOS Forensic: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Syngress, Elsevier, xv + 310 pages; ISBN-10: 1597496596; ISBN-13: 978-1597496599, $69.95.
    Reviewed by Simson Garfinkel, Naval Postgraduate School.
    In April 2011 news outlets around the world revealed shocking news about Apple’s iPhone: for reasons that were not apparently clear, every iPhone contained a small SQLite database that logged where and when the user had been whenever the phone was turned on, and those records went back for pretty much as long as the user had owned their phone. Apple eventually declared that the data cache was the result of a bug and issued a software update to prune the database (it had previously grown without limit). Privacy activists rejoiced that their beloved iPhones were once again trustworthy. But forensics examiners just shook their heads: many had known about the iPhone’s tracking capabilities for more than a year and had kept quiet. They had made good use of that data. Apple’s pro-privacy patch was actually a setback for law enforcement. (See PDF for full review.)

    Book Review: IPhone and IOS Forensic: Investigation, Analysis and Mobile Security for Apple IPhone, IPad and IOS Devices

    In April 2011 news outlets around the world revealed shocking news about Apple’s iPhone: for reasons that were not apparently clear, every iPhone contained a small SQLite database that logged where and when the user had been whenever the phone was turned on, and those records went back for pretty much as long as the user had owned their phone. Apple eventually declared that the data cache was the result of a bug and issued a software update to prune the database (it had previously grown without limit). Privacy activists rejoiced that their beloved iPhones were once again trustworthy. But forensics examiners just shook their heads: many had known about the iPhone’s tracking capabilities for more than a year and had kept quiet. They had made good use of that data. Apple’s pro-privacy patch was actually a setback for law enforcement

    Column: File Cabinet Forensics

    Researchers can spend their time reverse engineering, performing reverse analysis, or making substantive contributions to digital forensics science. Although work in all of these areas is important, it is the scientific breakthroughs that are the most critical for addressing the challenges that we face. Reverse Engineering is the traditional bread-and-butter of digital forensics research. Companies like Microsoft and Apple deliver computational artifacts (operating systems, applications and phones) to the commercial market. These artifacts are bought and used by billions. Some have evil intent, and (if society is lucky), the computers end up in the hands of law enforcement. Unfortunately the original vendors rarely provide digital forensics tools that make their systems amenable to analysis by law enforcement. Hence the need for reverse engineering

    Column: Every Last Byte

    Inheritance powder is the name that was given to poisons, especially arsenic, that were commonly used in the 17th and early 18th centuries to hasten the death of the elderly. For most of the 17th century, arsenic was deadly but undetectable, making it nearly impossible to prove that someone had been poisoned. The first arsenic test produced a gas—hardly something that a scientist could show to a judge. Faced with a growing epidemic of poisonings, doctors and chemists spent decades searching for something bette

    Carving contiguous and fragmented files with fast object validation

    http://dx.doi.org/10.1016/j.dlin.2007.06.017
    "File carving" reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings -- "object" -- from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files

    Providing cryptographic security and evidentiary chain-of-custody with the advanced forensic format, library, and tools

    This paper presents improvements in the Advanced Forensics Format Library version 3 that provide for digital signatures and other cryptographic protections for digital evidence, allowing an investigator to establish a reliable chain-of-custody for electronic evidence from the crime scene to the court room. No other system for handling and storing electronic evidence currently provides such capabilities. This paper discusses implementation details, user level commands, and the AFFLIB programmer's API. Approved for public release; distribution is unlimited

    Digital Forensics Overview

    Digital Evaluation and Exploitation (DEEP): Research in "trusted" systems and exploitation

    IRBs and Security Research: Myths, Facts and Mission Creep

    Having decided to focus attention on the “weak link” of human fallibility, a growing number of security researchers are discovering the US Government’s regulations that govern human subject research. This paper discusses those regulations, their application to research on security and usability, and presents strategies for negotiating the Institutional Review Board (IRB) approval process. It argues that a strict interpretation of regulations has the potential to stymie security research

    Understanding Database Reconstruction Attacks on Public Data

    In 2020 the U.S. Census Bureau will conduct the Constitutionally mandated decennial Census of Population and Housing. Because a census involves collecting large amounts of private data under the promise of confidentiality, traditionally statistics are published only at high levels of aggregation. Published statistical tables are vulnerable to DRAs (database reconstruction attacks), in which the underlying microdata is recovered merely by finding a set of microdata that is consistent with the published statistical tabulations. A DRA can be performed by using the tables to create a set of mathematical constraints and then solving the resulting set of simultaneous equations. This article shows how such an attack can be addressed by adding noise to the published tabulations, so that the reconstruction no longer results in the original data

    Column: Factors Affecting Data Decay

    In nuclear physics, the phrase decay rate is used to denote the rate that atoms and other particles spontaneously decompose. Uranium-235 famously decays into a variety of daughter isotopes including Thorium and Neptunium, which themselves decay to others. Decay rates are widely observed and wildly different depending on many factors, both internal and external. U-235 has a half-life of 703,800,000 years, for example, while free neutrons have a half-life of 611 seconds and neutrons in an atomic nucleus are stable