By Kevin Cardwell and Craig Wright
Service provider takeaway: This section of the chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics continues to explore the methodology of conducting forensic analysis on an iPod using Linux.
The following procedure may be used to mount the iPod under Linux (Ubuntu is used for this example):
1. Disable auto-mounting of removable media devices by selecting the "System" menu from the top of the screen, then "Preferences", then "Removable Drives and Media".
2. When the following window opens, click to remove the check marks by each item, then select "OK".
3. Locate the iPod within the Linux device tree as follows:
a. Right click in a clear area of the Linux desktop to open a menu and select "Open New Terminal".
b. Enter "ls /dev/sd*" to list all the SCSI drives on the system.
c. Connect the iPod to the computer.
d. Wait 20 seconds for the computer to recognize the iPod.
e. Retype "ls /dev/sd*" to get an updated list of all SCSI drives on the system and note the new entries, which belong to the iPod.
4. Depending on the application, you can now mount the iPod in read-only mode.
Note: Apple file system support must be loaded into the Linux kernel in order to mount an iPod initialized using a Mac.
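The same before/after comparison and read-only mount as a script, an added example that is not from the book. It assumes root, auto-mounting already disabled as in steps 1 and 2, and blkid being available to report the partition type (hfsplus for a Mac-initialized iPod, vfat otherwise).

```shell
#!/bin/sh
# Added example, not from the book: automates step 3 (list /dev/sd*, connect
# the iPod, list again) and step 4 (read-only mount) of the procedure above.
# Run as root with auto-mounting already disabled (steps 1 and 2).

# Device nodes in the "after" list ($2) that were not in the "before" list ($1).
# Both lists are whatever "ls /dev/sd*" printed; whitespace is normalised first.
new_devices() {
    before=" $(printf '%s ' $1)"
    out=""
    for dev in $2; do
        case "$before" in
            *" $dev "*) ;;              # present before the iPod was connected
            *) out="$out $dev" ;;       # new node, belongs to the iPod
        esac
    done
    printf '%s' "${out# }"
}

# Mount command for an evidence partition: read-only, no access-time updates,
# and nothing on the device may run or act as a device node or setuid binary.
ro_mount_cmd() {   # $1 = partition, $2 = filesystem type, $3 = mount point
    printf 'mount -t %s -o ro,noatime,noexec,nodev,nosuid %s %s' "$2" "$1" "$3"
}

main() {
    before=$(ls /dev/sd* 2>/dev/null)
    echo "Connect the iPod now; waiting 20 seconds for the kernel to see it..."
    sleep 20
    after=$(ls /dev/sd* 2>/dev/null)
    for part in $(new_devices "$before" "$after"); do
        case $part in *[0-9]) ;; *) continue ;; esac   # partitions only, skip the whole disk
        fstype=$(blkid -o value -s TYPE "$part" 2>/dev/null)
        [ -n "$fstype" ] || fstype=auto
        # A Mac-initialised iPod is HFS+; load the module before mounting
        # (the note following step 4).
        [ "$fstype" = hfsplus ] && modprobe hfsplus
        mp="/mnt/ipod_$(basename "$part")"
        mkdir -p "$mp"
        echo "+ $(ro_mount_cmd "$part" "$fstype" "$mp")"
        sh -c "$(ro_mount_cmd "$part" "$fstype" "$mp")"
    done
}

if [ "${1:-}" = run ]; then main; fi
```

Invoke it as `sh mount_ipod.sh run`; without the argument it only defines the functions.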
User Accounts
When an iPod has been set up using iTunes, a file iPod_Control\iTunes\DeviceInfo is created which contains the user name and computer name. This information may be used to identify the user and computer which initialized the iPod. If this file contains the word "IPOD", then the software was restored to the iPod without it having been connected to iTunes.
Deleted Files
The iPod deletes file pointers rather than actually erasing the file data. Coupled with the iPod's sequential writing technique, which starts at the beginning of the drive and appends data toward the end before wrapping around to the beginning, this makes recovery on an iPod a relatively simple process.
iPod Time Issues
The manner in which the device records time is one of the most crucial aspects of any digital forensic analysis. To link the deletion, access or alteration of a file to a particular user, it is necessary to determine the time when the event occurred. The iPod has an internal clock, but unfortunately the standard embedded operating system does not update file times.
On iPodLinux, however, the system clock does update file access times. It is important to remember this distinction. The native iPod operating system will record the time associated with the computer it is connected to. Where an alternative operating system such as iPodLinux is involved, however, the time will be set from the iPod's internal clock.
Registry Key Containing the iPod's USB/Firewire Serial Number
The file iPod_Control\Device\SysInfo is created on the iPod when the system software is restored or the iPod is initialized. This file contains valuable data about the iPod. Another significant file, iPod_Control\iTunes\DeviceInfo, is created after iTunes has linked the iPod with a computer. The name of the user and the computer involved in linking the iPod and iTunes will be stored in this file.
Where iTunes is running on Windows, a record will be created in both the registry and the setupapi.log file with a reference to the USB/FireWire serial number presented in the SysInfo file on the iPod.
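The two artifact files above and the setupapi.log correlation, worked through as an added example that is not from the book. It assumes SysInfo is "Key: value" text with the keys pszSerialNumber and FirewireGuid, that DeviceInfo stores the computer and user names as UTF-16LE strings each preceded by a 16-bit character count, and that the iPod and a copy of the Windows setupapi.log are both readable from a Linux workstation; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the book. Assumed layouts: SysInfo is "Key: value"
# text (keys pszSerialNumber, FirewireGuid); DeviceInfo holds UTF-16LE strings,
# each preceded by a 16-bit character count. Verify both against a real device.

# Value of one "Key: value" line in iPod_Control/Device/SysInfo.
sysinfo_value() {   # $1 = SysInfo path, $2 = key
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Printable strings in DeviceInfo. NUL bytes are removed first so UTF-16LE
# text reads like ASCII; the non-printable length-prefix bytes then split it.
deviceinfo_strings() {   # $1 = DeviceInfo path
    tr -d '\000' < "$1" | tr -c '[:print:]' '\n' | grep -v '^$' || true
}

# "restored": DeviceInfo carries the IPOD marker, so the software was restored
# without an iTunes link. "linked": it holds the user and computer names.
deviceinfo_state() {   # $1 = DeviceInfo path
    if deviceinfo_strings "$1" | grep -q 'IPOD'; then echo restored; else echo linked; fi
}

# Number of setupapi.log lines that mention the serial taken from SysInfo.
setupapi_hits() {   # $1 = setupapi.log path, $2 = serial number
    grep -i -c "$2" "$1" || true
}

# Constructed sample files so the script runs without an iPod or Windows image.
make_samples() {   # $1 = directory
    mkdir -p "$1"
    printf 'BoardHwName: iPod Q45\npszSerialNumber: SAMPLESERIAL01\nFirewireGuid: 0x000A270012345678\n' > "$1/SysInfo"
    printf '\016\000W\0O\0R\0K\0S\0T\0A\0T\0I\0O\0N\0-\0A\0\005\000a\0l\0i\0c\0e\0' > "$1/DeviceInfo"
    printf '\004\000I\0P\0O\0D\0' > "$1/DeviceInfo.restored"
    printf '#I022 Found "USBSTOR\\Disk&Ven_Apple&Prod_iPod\\SAMPLESERIAL01&0" in usbstor.inf\n' > "$1/setupapi.log"
}

report() {   # $1 = directory holding SysInfo, DeviceInfo and setupapi.log
    serial=$(sysinfo_value "$1/SysInfo" pszSerialNumber)
    echo "serial: $serial  firewire guid: $(sysinfo_value "$1/SysInfo" FirewireGuid)"
    echo "DeviceInfo: $(deviceinfo_state "$1/DeviceInfo")"
    deviceinfo_strings "$1/DeviceInfo" | sed 's/^/  name: /'
    echo "setupapi.log lines with serial: $(setupapi_hits "$1/setupapi.log" "$serial")"
}

if [ "${1:-}" = demo ]; then d=$(mktemp -d); make_samples "$d"; report "$d"; fi
```

Run `sh ipod_ids.sh demo` for the constructed samples, or call `report` on a directory containing the files copied from the read-only mount and the Windows image.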
iPod Tools
In addition to the standard drive imaging tools, several products specifically designed for use with the iPod have been produced. Two of the more common tools are "Music Recovery" from DiskInternals and "Recover My iPod" by GetData.
DiskInternals Music Recovery
"Music Recovery" from DiskInternals is designed to recover any type of music file from a hard drive, iPod, USB flash drive or CD/DVD. It is available in shareware format from http://www.diskinternals.com/music-recovery/. Music Recovery comes with an integrated media player to preview the files prior to recovery. DiskInternals provides native support for the iPod but does not run on Mac or Linux.
The software works to recover lost files and data from damaged disks and inaccessible drives, and also works with corrupt or damaged partition tables. Although Music Recovery only runs on Windows hosts, it has support for several file systems including:
• NTFS 4 & 5,
• Linux Ext2 & Ext3,
• MacOS & Apple HFS,
• ISO9660, and
• UDF.
Recover My iPod
"Recover My iPod" allows the user to recover lost or deleted music, video and photos, including .m4a, .mp3, .mov, QuickTime and JPEG file formats. The product is available from GetData at http://www.recovermyipod.com/. The software supports all versions of the iPod, including the iPod, iPod shuffle, iPod Mini and iPod Nano.
The product recovers data after an iPod Reset or Restore. It is important to remember that Recover My iPod will not run on a Mac.
This software will recover data and files from an iPod even when a "Drive Not Formatted" message appears or if the iPod is not recognized by the computer. In this case it is necessary to connect to the "Physical Drive". Although not as effective as a hardware write blocker, "Recover My iPod" mounts the iPod drive in read-only format.
"Recover My Files" is a more complete recovery tool from GetData. This tool allows for the searching of computer drives as well as iPods. Both products support a "deep scan" and a "fast search" mode.
PDA, BlackBerry and iPod Forensic Analysis
About the book
Alternate Data Storage Forensics explores forensic investigative analysis methods when dealing with alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuths professionals. Purchase the book from Syngress Publishing.
Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)
This was first published in July 2008