File000150

Module XXXVII – iPod and iPhone Forensics

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Students Charged: iPod Used as Criminal Tool

Source: http://www.mobilemag.com/content/print.php?content=11780



News: Sparking iPod Ignites Investigation in Japan

Source: http://www.macnewsworld.com/story/62089.html?wlc=1221297637



News: iPhone Tantalizes, Frustrates Forensics Experts

Source: http://www.wired.com



Module Objective

• iPod• iPhone Overview• iPhone OS Overview• iPhone Disk Partitions• Apple HFS+ and FAT32• iPod and iPhone Forensics• Write Blocking• Write Blocking in Different OS• Recover IPSW File• Forensic information from the windows registry• Timeline Generation• Tools

This module will familiarize you with:



Module Flow

iPod

iPhone Overview

iPhone OS Overview

iPhone Disk Partitions

Apple HFS+ and FAT32

iPod and iPhone Forensics

Write Blocking

Write Blocking in Different OS

Recover IPSW File

Forensic information from the windows

registry

Timeline Generation

Tools



iPod

iPod is a portable digital audio and video player offering a huge storage capacity

• It is an iPod with Wi-Fi and a Multi-Touch interface

• It features Safari browser and wireless access to the iTunes Store and YouTube

• It has iPhone OS as operating system

iPod Touch:



iPhone Overview

The iPhone is an Internet-connected multimedia Smartphone designed and marketed by Apple Inc. with a multi-touch screen and a minimal hardware interface

• Phone• Mail• Safari• iPod• SMS• Maps with GPS• iTunes• App Store• Calendar• YouTube• Photos + Camera• Stocks, Weather, Notes• Calculator

Features:



What a Criminal Can Do with an iPod

• Calendar entries may contain dates of crime or other events that are related to crime

• Contact information of conspirators or victims along with photos or other documentation are transferred and stored on iPod

• iPod devices can be used to spread viruses and child pornography

A criminal uses the iPod and all its features in a variety of ways:



What a Criminal Can Do with an iPhone

Send the viruses and Trojans to other users

Use for distributing child pornography images and videos

Data theft

Store and transmit personal and corporate information

Send threatening or offensive SMS and MMS

Attackers who aware of the SIM properties can manipulate it

Clone the SIM data for illicit use

Remove the Service Provider Lock (SP-Lock), limit the MS to a single network

Spamming



iPhone OS Overview

iPhone OS is the operating system developed by Apple Inc. for iPhone and iPod touch

It is derived from Mac OS X and uses the Darwin foundation

iPhone OS has four abstraction layers:

• The core OS layer• The core services layer • The media layer• The cocoa touch layer

It takes less than half a GB of the device's total memory storage

iPhone OS

Cocoa Touch

Media

Core Services

Core OS



iPhone Disk Partitions

iPhone’s solid state NAND flash memory is configured with two disk partitions by default

• 300MB in size• It contains iPhone OS and all of the

preloaded applications• It is mounted as read-only by default

Root Partition:

• It contains the user’s data such as music, photos etc.

• It is mounted as /private/var on the iPhone

User Partition:



Apple HFS+ and FAT32

iPod uses the Apple HFS+ file system when the device is run with an Apple system and uses the FAT32 file system when used with a Windows PC

When conducting forensics analysis of the iPod, it is important to know which type of system the iPod has been synchronized with

Knowledge of the format used, makes it easier to match the iPod device to the host that it has been synchronized with



Application Formats

Feature Application Format

Contact information vCard

Calendar entries vCalendar

AudioAAC, Protected AAC, MP3, MP3 VBR, Audible (formats 2, 3, and 4), Apple Lossless, AIFF, and WAV

Video H.264 video, .m4v, .mp4, MPEG-4 video, and .mov



iPod and iPhone Forensics

iPod and iPhone Forensics refers to the recovery of digital evidence from a iPod and iPhone under forensically sound conditions using accepted methods

It includes recovery and analysis of data

It helps in tracing and prosecuting criminals where iPod and iPhones are used as a mean for committing the crime

It also helps in other criminal cases to extract contact details and conversation or other form of communication logs

Data stored in iPod and iPhones provide insight of the cases



Evidence Stored on iPod and iPhone

Text messages

Calendar events

Photos and videos

Caches

Logs of recent activity

Map and satellite imagery

Personal alarms

Notes

Music

Email

Web browsing activity

Passwords and personal credentials

Fragments of typed communication

Voicemail

Call history

Contacts

Information pertaining to interoperability with other devices

Items of personal interest



Forensic Prerequisites

• Mac OS X and Windows machine with enough disk space• iPod/iPhone USB dock connector

Hardware

• SSH connection tools such as OpenSSH, PuTTY, SecureCRT, OpenSSH for Windows, and TeraTerm Pro Web for windows and Nifty Telnet SSH and SSH in Mac OS X for Mac OS

• Secure Copy or SCP utilities such as WinSCP, PenguiNet for Windows, OpenSSH, SecPanel and Midnight Commander for Unix-like systems and Fugu and Cyberduck for Mac OS X

• Latest versions of iTunes software

Software

• A working Wi-Fi access point• 3G and EDGE Internet access

Others



Collecting iPod/iPhone Connected with Mac

If an iPod/iPhone is connected to a computer at the scene, check whether the device is mounted

Determine whether a device is mounted by looking at the screen of the iPod/iPhone

Unmount the device before disconnecting it from the computer by dragging the icon of the iPod/iPhone to the trashcan on the Macintosh desktop



Collecting iPod/iPhone Connected with Windows

Note the name of the iPod/iPhone on desktop before unmounting it

If iPod/iPhone is connected to Windows machine, unmount it by clicking “Unplug or eject hardware” icon on the task bar

Disconnect or unplug the computer, because the iPod/iPhone disk could be damaged if it is not disconnected properly



Disable Automatic Syncing

It prevents cross contamination of iPod/iPhone data

Check the box labeled "Disable automatic syncing for all iPhones and iPods"

Click the Syncing tab

Select Preferences from the iTunes menu

Open iTunes on the desktop machine



Write Blocking

Write blocking is a technique used in computer forensics in order to maintain the integrity of data storage devices

While investigating the contents of iPod and iPhone, it is necessary to investigate the device without altering it

Use software writer blocker such as PDBLOCK and hardware write blockers such as WiebeTechForensic SATADock to prevent the information from alteration



Write Blocking in Different OS

• Change the registry key HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies to the hex value of 0x00000001 and restart the computer

Windows:

• Modify the source code for the components of OS and recompile its operating system to prevent write access to the iPod/iPhone

• Change the OS configuration

Linux:

• It is based upon the UNIX concepts, so change the OS configuration as in the LinuxMacintosh:



Image the Evidence

Imaging is the process of creating an exact copy of contents of a digital device

It prevents the original evidence from accidental modification

Use imaging tools such as EnCase to create the exact image of the iPod/iPhone

Verify the source and image using hashing technique



View the iPod System Partition

View the iPod system partition using hex editor

iPod system partition consists of the following information:

• iPod OS• Images used in the operation of the device• Games and other applications used in the

device



View the Data Partition

Data partition of the iPod stores the important information necessary for investigation

The information includes:

• Calendar entries• Contact entries• Note entries• Hidden iPod_Control directory

• iTunes configuration information• Music stored on the iPod

View this partition information using Forensic Toolkit, Encase, a hex editor, and various Linux and Macintosh analysis commands



Break Passcode to Access the Locked iPhone

• From the keypad, press the Emergency Call button

• Type *#301# followed by the green [phone] button

• Delete the previous entry by hitting the delete key six times

• Type the number 0 followed by the green [phone] button

• Answer the call by pressing the green [phone] button

• End the call by pressing the red [phone] button

• Press the [Decline] button

• In the Contacts tab, press the [+] button at the top to create a new contact

• In the Add new URL tab, Enter prefs: and press the [save] button

• Touch the No Name contact entry

• Click the home page prefs: button

• Click the General tab in setting menu

• Click the Passcode Lock tab

• Click the Turn Passcode Off tab

• Return to the General tab by clicking on [cancel]

• Click Auto-Lock and reset it to Never



Acquire the DeviceInfo File

• First data item recorded in the file denotes the iPod name

• Second data item denotes the username logged into the computer at the time

• Third data item denotes computer name to which iPod is linked

Information in the file includes:

The file \iPod_Control\iTunes\DeviceInfo on the iPod contains the important forensics information

iPod keeps a persistent record of the computer with which it is initialized in DeviceInfo file

iTunes create this file when the iPod is setup within iTunes and linked with the computer on which iTunes is running



Acquire SysInfo File

The file \iPod_Control\Device\SysInfo on the iPod contains the important forensics information

• iPod model number• iPod serial number• iPod serial number presents to the computer,

listed under the identification of FirewireGuid• This identifier identifies the connection of the

iPod to a Windows computer and recorded in the \Windows\setupapi.log file

Information includes:



SysInfo File (cont’d)



Recover IPSW File

.IPSW is iPod and iPhone Software Update file format

.ipsw file contains the data about software restores and minor updates in the iPod/iPhone

It is stored in the following location in the iPhone:

• Library/iTunes/iPhone Software Updates

.ipsw file gives information of the running, installed and uninstalled application



Check the Internet Connection Status

E on screen shows slower Edge network

3G icon shows the faster but limited-area third-generation network

Radiating signal bars show Wi-Fi connectivity



View Firmware Version

• Select Home button → Settings → General →About

• Check the entry for Version

In iPhone

With the iPod/iPhone connected to iTunes, click on the iPod in the left column of iTunes window → go to the Summary tab



Recover Network Information

Network information can be recovered using Devinfo application in the iPhone

Devinfo application includes the following information:

• Network interfaces including VPN, GPRS/EDGE/3G, WiFi

• TCP/UDP connections• Routing table• Running processes• System info, memory, and disk usage



Recovering Data from SIM Card

• Service-related information such as unique identifiers for the (U)SIM, the Integrated Circuit Card Identification (ICCID), the subscriber, and the International Mobile Subscriber Identity (IMSI)

• Phonebook and call information such as Abbreviated Dialing Numbers (ADN) and Last Numbers Dialed (LND)

• Messaging information including SMS, EMS, and multimedia messages• Location information, including Location Area Information (LAI) for voice

communications and Routing Area Information (RAI) for data communications

SIM contains important information related to the forensics investigation:

• SIM Analyzer• SIMCon• SIM Card Data Recovery Software

SIM card data can be recovered using the following tools:



Acquire the User Account Information

iPod keeps a persistent record of the computer with which it is initialized in DeviceInfo file

User and computer names are saved in DeviceInfofile

The username is directly underneath the iPod‘s name and the computer’s name is underneath the username in the DeviceInfo file

If the username stored on the iPod is same as the username of Mac computer , then iPod is linked to suspect’s computer and suspect’s account



View the Calendar and Contact Entries

Calendar and Contact Entries are found on iPod by doing string search

The standard vCard and vCalendar formats store the entries on hard drive in plain text

Calendar entry is stored with file header “BEGIN:VCALENDAR”

The contact entry is stored with file header “BEGIN:VCARD”

File headers note the beginning of each vCalendar or vCard entry and remains even if a file is deleted



Recovering Photos

iTunes is used to manage the content of the iPhone

Steps for recovering photos:

• Connect the laptop with the iPhone• Run iTunes • Click the Photos tab• Adjust the setting• Specify the folder to which photos should be synced

Photos can be directly downloaded using Cellebrite UME 36 Pro



Recovering Address Book Entries

Check the address book entries, which are stored in the following database in the iPhone:

• Library_AddressBook_AddressBook.sqlitedb • Library_AddressBook_AddressBookImages.sqlite

db

Retrieve the databases using iTunes

Use the tools such as Cellebrite UME 36 Pro and WOLF to recover address book entries after connecting it with the iPhone



Recovering Calendar Events

Check the calendar events stored in the following database in the iPhone:

• Library_Calendar_Calendar.sqlitedb

Retrieve this database using iTunes

Use the tool Cellebrite UME 36 Pro to recover calendar events after connecting it with the iPhone



Recovering Call Logs

Call logs are stored in the following database in the iPhone:

• Library_CallHistory_call_history.db

They include :

• Dialed Numbers• Received Numbers• Missed Calls

They can be recovered using the tool WOLF



Recovering Map Tile Images

Map tile images are stored in the following database of the iPhone:

• Library_Maps_Bookmarks.plist • Library_Maps_History.plist

Use Cellebrite UME 36 Pro to directly recover map tile images after connecting it with the iPhone



Recovering Cookies

Cookies are stored in the following database in the iPhone:

• Library_Cookies_Cookies.plist

It can be downloaded to a computer during an iTunes sync process



Recovering Cached and Deleted Email

Email is stored in the following database of the iPhone:

• Library_Mail_Accounts.plist • Library_Mail_AutoFetchEnabled

It can be downloaded to a computer during an iTunes sync process



Recover Deleted Files

Deleted files on the iPod are moved to “.Trashes\501” folder

These deleted files in the “.Trashes\501” are viewed using the file viewer which recognizes the hidden files or forensics tools

Once the trash is emptied, the files are deleted, but can still be found by using the deleted file recovery process of the forensic tool in the “.Trashes\501” folder



Forensic Information from the Windows Registry

• Key created while connecting iPod/iPhone to the windows computer

• Last time when registry keys were changed• Serial number of the iPod/iPhone

System registry file consists of:

Windows registry in the computer to which iPod is connected, contains significant information for the iPod/iPhone forensics



Forensic Information from the Windows Registry (cont’d)



Forensic Information from the Windows: setupapi.log

Computer to which the iPod is connected consists of setupapi.log file

This setupapi.log file records all the driver installation after the system is booted

It records all the events when iPod is connected to the Windows system



setupapi.log (cont’d)



Recovering SMS Messages

SMS can be recovered using the tool Tansee iPhone Transfer SMS

SMS is stored in the following file in the iPhone:

• Library_SMS_sms.db



Other Files Which Are Downloaded to the Computer During the iTunes Sync Process

Library_Keyboard_dynamic-text.dat

Library_LockBackground.jpg

Library_Notes_notes.db

Library_Preferences_.GlobalPreferences.plist

Library_Preferences_SBShutdownCookie

Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist

Library_Preferences_SystemConfiguration_com.apple.network.identification.plist

Library_Preferences_SystemConfiguration_com.apple.wifi.plist

Library_Preferences_SystemConfiguration_preferences.plist

Library_Preferences_com.apple.AppSupport.plist

Library_Preferences_com.apple.BTServer.plist



Other Files Which Are Downloaded to the Computer During the iTunes Sync Process(cont’d)

Library_Preferences_com.apple.Maps.plist

Library_Preferences_com.apple.MobileSMS.plist

Library_Preferences_com.apple.PeoplePicker.plist

Library_Preferences_com.apple.Preferences.plist

Library_Preferences_com.apple.WebFoundation.plist

Library_Preferences_com.apple.calculator.plist

Library_Preferences_com.apple.celestial.plist

Library_Preferences_com.apple.commcenter.plist

Library_Preferences_com.apple.mobilecal.alarmengine.plist

Library_Preferences_com.apple.mobilecal.plist




Library_Preferences_com.apple.mobileipod.plist

Library_Preferences_com.apple.mobilemail.plist

Library_Preferences_com.apple.mobilenotes.plist

Library_Preferences_com.apple.mobilephone.plist

Library_Preferences_com.apple.mobilephone.speeddial.plist

Library_Preferences_com.apple.mobilesafari.plist

Library_Preferences_com.apple.mobileslideshow.plist

Library_Preferences_com.apple.mobiletimer.plist

Library_Preferences_com.apple.mobilevpn.plist




Library_Preferences_com.apple.preferences.network.plist

Library_Preferences_com.apple.preferences.sounds.plist

Library_Preferences_com.apple.springboard.plist

Library_Preferences_com.apple.stocks.plist

Library_Preferences_com.apple.weather.plist

Library_Preferences_com.apple.youtube.plist

Library_Preferences_csidata

Library_Safari_Bookmarks.plist

Library_Safari_History.plist



Analyze the Information

Find out username and computer used by examining the \iPod_Control\iTunes\DeviceInfo file

Detect and recover the hidden information

Use the steganalysis tools such as Stegdetect to extract the hidden information

If the data is encrypted, use cryptanalysis tools such as Crank and Jipher to reveal the encrypted information

If the information is password protected, use the password cracking tools such as Cain and Abel and hydra

If the data is in audio or video format, use different audio/video players

Check the time of different activities over the iPod

Check what exactly happened, what event occurred, who was involved, and how it occurred



Analyze the Information (cont’d)

Identify the individuals who created, modified, or accessed a file

Determine when events occurred by analyzing call logs, the date/time and content of messages and email

Create the timeline of the events

Recover the hidden information

If the entries such as SMS, contacts, emails, etc. are encrypted then use cryptanalysis tools such as crank

Use password cracking tools such as Hydra to read the password protected information

Try to find out the geographical location of the attacker



Timeline Generation

iPod generates timestamp for each file, timestamp is the time of different activities performed on the iPod files

Investigator should create the timeline schedule for analysis

• \iPod_Control\Device\SysInfo modified time• \iPod_Control\iTunes\iTunesControl creation time• \iPod_Control\iTunes\DeviceInfo (and others) modified time• iPod when connected to the computer and initialized• Creation time for all music files• Modification time of all music files

Timeline should be created depending on:



Timeline Generation: File Status After Initializing the iPod with iTunes and Before Closing iTunes



Timeline Generation: File Status After Connecting iPod to the Computer for Second Time, Copying Music, and Closing iTunes



Time Issues

iPod consists of the internal clock

Forensics investigator has to understand how time is reflected in the data being analyzed

• Set the time and date on the iPod different from the computer connected to it

• Connect the iPod to the computer and copy some music to the iPod using iTunes; note down created, accessed, and modified times of the files

• Disconnect the iPod from the computer• Check the time on the internal clock of the iPod• Play the songs on the iPod• Reconnect the iPod to the computer• Recheck the file created, accessed, and modified times

Internal clock of the iPod is tested with the following steps:



Jailbreaking in iPod Touch and iPhone



Jailbreaking

Jailbreaking allows the installation of third-party applications on iPod Touch and iPhone



AppSnapphttp://jailbreakme.com/

• Patches Springboard to load third party apps• Activates non-AT&T iPhones automatically, while leaving already activated phones

alone• Fixes YouTube on non-AT&T iPhones automatically, while leaving already activated

phones alone• Installs Installer.app v3.0 on the iPhone/iPod Touch with Community Sources

preinstalled• Fixes Apple's TIFF bug, making your device MORE secure than it was without

AppSnapp• Enables afc2 protocol and adds special commands to allow killing springboard,

lockdowns, etc from iPhone

Features:

AppSnapp is a jailbreaking tool that allow the installation of non-sanctioned third-party applications in the iPod Touch/iPhone running the 1.1.1 firmware

It jailbreaks the iPod Touch/iPhone and then pushes Installer.app to the device, which contains a catalog of native applications that can be installed directly over a WiFi or EDGE connection



AppSnapp: Screenshot



Tool for Jailbreaking: iFuntastichttp://ifuntastic.com/

iFuntastic is an iPod Touch hacking and modification tool

It has full file browser feature, which simply browses the iPod Touch's internal file system, and edit UI images



iFuntastic: Screenshot 1



iFuntastic: Screenshot 2



Pwnage: Tool to Unlock iPod Touchhttp://wikee.iphwn.org/

Pwnage is the tool used to unlock the locked iPod Touch



Erica Utilities for iPod Touchhttp://ericasadun.com/

Erica helps investigator to extract different forensics information about the iPod touch

Features:

• Query your iPod or iPhone for device attributes including platform name, processor, etc

• Search the App Store from the command line.• Enter a simple query phrase



Tools



EnCasehttp://www.encase.co.za/

EnCase is the most efficient and user-friendly tool for recovering data from HFS+ file system

It displays the file structure of HFS+ formatted device, including hidden folders

It automatically displays deleted files

Find File script is used to recover deleted files including images and Word documents



EnCase: Screenshot



DiskInternals Music Recovery

DiskInternals Music Recovery is an effective solution for recovering media files which have been deleted or corrupted

Even if the storage device was formatted and all information was erased, or if the information is corrupted, the media files can be recovered by using DiskInternals Music Recovery

With DiskInternals Music Recovery, one will be able to restore almost any music as it supports a number of media formats, including mp3, wma, asf, wav, ogg, wv, ra, rm, vqf, mid, and voc

The program also works with all file systems.; and supports Windows, Mac OS, Linux, and other disk types



DiskInternals Music Recovery: Screenshot



Recover My iPod: Toolhttp://www.recovermyipod.com/

Specifically designed for iPod data recovery, Recover My iPod will bring back music, video and photos from an iPod drive; recovers deleted or lost files from your iPod



iPod Data Recovery Softwarehttp://www.datadoctor.in/

iPod data recovery software recovers files from Apple iPods

• Recover deleted songs, music, files, pictures, videos, mp3, mp4 and other files from the iPod digital music player

• Support all major Apple iPods including iPod Mini, iPod Nano, iPod Shuffle and iPod first to iPod next generation audio video models

• Retrieve files and folders when updated and restored using iTunes software

Features:



iPod Data Recovery Software: Screenshot



iPod Copy Manager

iPod Copy Manager is an iPod backup & recovery software

By using iPod Copy Manager, songs, videos, and DVD movies can be copied easily from iPod to computer

You can backup all the iPod videos and music



iPod Copy Manager: Screenshot



Stellar Phoenix iPod Recoveryhttp://www.stellarinfo.com/

Stellar Phoenix iPod Recovery software recovers music files, graphics, videos, documents and other contents which have been corrupted, damaged or deleted from the iPod

It recovers information from an iPod when it creates the following problems:

• “The iPod ** cannot be updated, the required folder cannot be found"• "Disk is locked"• "iTunes folder cannot be found"• "Firmware update failure"• "There was an error in the iTunes Store. Please try again later."• "Unable to Check for Purchased Music because an error occurred (-5000 error)." • "Can't lock iPod. Please check if any other applications are using iPod and try again."• "Error 1428"• "Error 1417"• "Error 60"• "Error 200”



Stellar Phoenix iPod Recovery: Screenshot



Tool: Acesohttp://www.radio-tactics.com/

Aceso is the forensic tool which download data stored in mobile phone SIM/USIM cards, handsets and memory cards

Features

• Handset Access Card creation • Blocks network access for all SIM and USIM cards• Prevents overwrite of existing data

• SIM/USIM Acquisition • Dual mode also supported

• Handset Acquisition • 421 Supported Handsets including Blackberry, Symbian and iPhone• Data types supported: contacts, SMS, MMS, call registers, calendar, file system

• Memory Card Acquisition • Raw bit-for-bit image• File system



Tool: Cellebrite UME 36 Prohttp://www.cellebrite.com

Cellebrite UME 36 Pro is the forensic tool which transfer all forms of memory content as a backup

It support wide range of mobile phones, smart phones and PDAs including iPhone

The content which Cellebrite can transfer are as following:

• Pictures• Videos• Ringtones• SMS• Phonebook contacts data



Tool: Wolfhttp://sixthlegion.com

Wolf is the application which retrieved the content stored in iPhone

It extract the content without jailbreaking

The content which it can extract are as follows:

• Handset Info • Contacts • Call Logs• Messages • Internet Info & History • Photos • Music / Videos



Wolf: Screenshot



Tool: Device Seizurehttp://www.paraben-forensics.com

Text messages and images can be found in a physical data dump of a phone

Device Seizure can acquire the following data:

• SMS History (Text Messages) • Deleted SMS (Text Messages) • Phonebook• Call History Received Calls

• Dialed Numbers • Missed calls • Call Dates & Durations

• Datebook • Scheduler • Calendar • To-Do List • File system



Tool: PhoneViewhttp://www.ecamm.com/

PhoneView provides easy access to iTunes media, photos, notes, SMS messages, call history and contacts

Features:

• File Storage Made Easy: makes it simple to transfer files between Mac and iPhone

• Powerful Notes Access: it add, view and edit iPhone's Notes on Mac desktop

• Export SMS Messages and Recent Calls: this information can be viewed in text editor or spreadsheet



Tool: iPhone Drivehttp://www.findmysoft.com/

iPhoneDrive is a Mac OS X application which allow use of iPhone for file storage

Its drag and drop feature makes it easy to move files back and forth between the Mac and iPhone

Features:

• It stores any type of data• Copy files and folders to and from the iPhone• Back up important data



iPhone Drive: Screenshot



Tool: Tansee iPhone Transfer SMShttp://pocket.qweas.com/

Tansee iPhone Transfer SMS is the tool which copies the SMS from the iPhone to the computer

Features:

• Backup SMS in iPhone to computer• View and manage old iPhone SMS in

the computer• View SMS in text file format or ants

file format on computer • Password protection support for ants

file



Tool: SIM Analyzerhttp://cpa.datalifter.com/

SIM Analyzer is a cell phone forensics tool, that recovers the contents from SIM card of different cell phones

It recovers:

• Last Number Dialed, Abbreviated Dialing Numbers• Active and Deleted text (SMS) messages• All the general files found in the Telecom group as defined in the GSM 11.11v6

standards



Tool: SIMCon – SIM Card Recoveryhttp://www.simcon.no/

SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer file with the SIMCon forensic SIM card reader

Features:

• Read all available files on a SIM card and store in an archive file• Analyze and interpret content of files including text messages and stored numbers• Recover deleted text messages stored on the card but not readable on phones• Manage PIN and PUK codes• Compatible with SIM and USIM cards • Print report that can be used as evidence based on user selection of items• Secure file archive using MD5 and SHA1 hash values• Export items to files that can be imported in popular spreadsheet programs



SIMCon: Screenshot



Tool: SIM Card Data Recovery Softwarehttp://www.datadoctor.in

SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM card

Features:

• Retrieve all deleted contact numbers (phone numbers), unreadable messages, corrupt phone book directory

• Undelete both viewed and unread inbox text SMSes, outbox messages; and draft, save, and favorite, text messages; and sent items that have been deleted from SIM card memory

• Provides full details about a SIM card, like its provider and ICC–ID



SIM Card Data Recovery Software: Screenshot



Summary

The iPod has gathered interest from the criminal community as a tool to store information relating to their crimes

Contact information of conspirators or victims along with photos or other documentation are transferred and stored on iPod

iPod should be stored in a static-free bag and marked as evidence

File000150

Technology

Transcript of File000150