iPod Investigation

Read about how to properly manage the data retreived from an iPod for use during an investigation.

By Kevin Cardwell and Craig Wright

Service provider takeaway: This section of the chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics continues to explore the methodology of using an iPod to conduct forensic investigation analysis.

Download the .pdf of the chapter here.

When an iPod is found at a crime scene, the first respondent should wait for the advice of a forensic specialist. This is essential to ensure that the site of the evidence is documented correctly. Either explicitly document the location of the iPod and anything around it or preferably photograph the site. Leave the device in its current state until it is thoroughly investigated. It is possible that the point could be booby trapped with a delete command or wipe function. This is particularly relevant when the device has been configured with iPodLinux. There are tools under iPodLinux that can be set to wipe the hard drive of the iPod if it is disconnected from the charger or computer without a special code being entered.

Note the state of the iPod. If it is connected to another system, check whether it is mounted. If it is, the screen of the iPod will display message saying "Do Not Disconnect". In this case it is necessary to unmount the device prior to disconnecting the computer. On a Mac this may be achieved by dragging the icon of the iPod to the trash can on the Mac desk top. Note the name of the iPod as it is displayed on the desktop before unmounting it.

Simply disconnecting or on plugging the computer could damage disk sectors on the iPod. For this reason this should be avoided. If the iPod is connected to a Windows machine, it may be mounted by clicking the "Unplug or eject hardware" icon generally located on the task bar on the bottom right of the screen. On a Windows machine the chances of the corruption resulting from disconnecting the iPod are less than on a Mac.

When collecting the iPod specify the connections and cabling as well as all the details of machine connected to (if it was connected). Ensure that this information is kept with the device. The iPod should be stored like a hard drive. This is it should be stored in an antistatic bag in an environment where both temperature and humidity are controlled. It should also not be exposed to excessive vibration. Never store the iPod near a magnetic source such as a speaker. It is important to maintain a strong chain of custody throughout the process.

The iPod is unlike some other embedded devices in that it does not need to be connected to a power supply while in storage. If the battery drains over time, the information will not be lost from the hard drive. With hard drive models, it may be more effective to extract the hard drive from the iPod for processing. This will allow the use of an external hardware write blocker. The difficulty is that imaging the hard drive correctly requires both a high level of technical skill and specialized hardware.

An iPod stores the name of the computer which it initialized with on the drive. This information may be used to link the device to other computers and consequently suspects.

Although it is recommended that the iPod is imaged before doing any other tests, it is possible to determine the format of" the drive from the iPod itself. This is achieved by selecting: "Settings >", "About >". If the iPod is formatted for a Windows system scrolling down in the "About" display will state "Format" Windows" towards the lower section of" the screen. If" this is not displayed, it is likely that the device has been formatted using the HFS+ format and that the iPod was initially connected to a Mac.

Timeline Generation
The iPod is designed to only be linked to one system at a time. As a result, a series of likely connection times to a system can be established. The identified times associated with connection events may also be discovered on the linked system. The times will reflect the system time or" the linked system (not that as displayed on the iPod).

Time entries of primary concern to the forensic analyst may be found in the following files:

  • iPod_ControlDeviceSyslnfo - the modified time of the file records when the iPod was last restored.
  • iPod ControliTunesiTunesControl- the creation time of the file records when the iPod was initialized using iTunes.
  • iPod ControliTunesDevicelnfo .9 the modified time of the file records when the iPod was last connected to iTunes.
  • All music files located under iPod ControlMusic - the creation times of the files records when these files were copied from the linked system to the iPod. The modification times for these files provides further evidence linking the iPod and the Windows system and helps to create a timeline of actions/activity.

These times provide evidence of connection times to the linked system. If the Windows host is available, it may be possible to correlate these times to events on this computer as well.

Lab Analysis
When analyzing the iPod, it is important to be familiar with the tools used in the analysis. A variety of tools such as Access Data's Forensic tool kit (FTK), the Sleuthkit/Autopsy browser, Blackbag Technologies' Macintosh forensic software (MFS) or Encase forensic edition are more than adequate for this task., it must be noted, however, that the tool must be matched to the device. For instance, Blackbag MFS is designed exclusively for the Mac environment and the Sleuthkit/Autopsy browser requires specialist consideration to work with the Apple file system.

It is also necessary to ensure that the necessary connectors are in place. Depending on the type of" iPod, either FireWire or USB connections may be required. Ideally the forensic analyst will disassemble the iPod and remove the hard drive for analysis. Disassembly allows for the use of a hardware write blocker.

It is generally considered best practice to disassemble the device. By activating the device it is possible to either alter the drive thus damaging the evidence or to set off a booby trap. It is not difficult to configure a wipe program to run on the system boot-up using iPodLinux. Such a tool could destroy valuable evidence before the forensic investigator could get to it.

Remove Device from Packaging
When receiving an iPod for forensic imaging is important to document every step. First, remove the iPod from the packaging. Carefully note with the state of the machine, the model and the interfaces. Photograph and document everything to ensure the chain of custody records are complete.

Depending on the actions that the investigator intends to take there are two possible

1. Work on the iPod as is (not recommended for hard drive models), or
2. Disassemble the device and extract the hard drive.

It is always possible to reassemble the device after the drive has been imaged. For this reason it is better to duplicate the hard drive first. This is a little more difficult in the non-hard drive models such as the iPod nano. In this case it may be more practical to copy the device assembled.

When working on assembled device (including when the device has already been imaged and reassembled) the following steps are recommended:

1. Ensure that the battery is charged. Leave the iPod on the charger until the battery is fully charged
2. Turn on the iPod,
3. Note any device settings and document these,
4. Based on whether the iPod has been connected to a Windows or Mac host, the subsequent stages will differ.

The iPod restore process
The iPod restore process does not clear the hard drive of the iPod. Using a restore process copies new data to the iPod which makes it appear as if it was erased and reloaded. However, only the file pointers are erased. Unless data was specifically overwritten by the restore process it will still be available for recovery. The Microsoft restore process is detailed in the following stages:
1. An unformatted, corrupted, or Mac HFS+ formatted iPod is connected to the Windows computer and Windows automatically loads the drivers.
2. The iPod Updater software loads then prompts the user to format the iPod.

On selecting "Restore" the following occurs:
a. New Partition tables are written to the iPod hard drive
b. A replacement System Partition is created on the iPod and loaded with required data
c. A new Data Partition and File Allocation Table for the FAT32 Data
Partition is created
d. iPod Control and iPod ControlDevice directories are created on the iPod hard drive
e. The iPod_ControlDevicePreferences file is created containing binary data
f. The iPod_ControlDeviceSyslnfo file is created. This file contains technical data about the iPod in text format. 3. When the iPod is connected to the Power Adapter the operating memory is reloaded.
4. The iPod is now re-connected to the host system and either iTunes automatically loads, or it is manually run.
5. The iTunes iPod Setup Assistant will prompt the user allowing them to set the name on the iPod. If a name is set and "Next" is selected then the name will be entered in the Devicelnfo file. If the cancel is selected, the iPod Setup Assistant will then set the device name to the default, "IPOD". The file will thus contain either the name entered by the user or "IPOD". If the name is stored it is recorded with the username and computer name used in configuring the iPod within iTunes. The following procedure then occurs: a. The iPod_ControliTunes directory is made and the files Devicelnfo, iTunesControl, iTunesEQPresets, iTunesPrefs, and winPrefs are produced in this directory.
b. The iPod_ControlMusic directory is created with subdirectories named sequentially from F(!0 through to F49.

These entries are reflected in the Windowssetupapi.log file on the Windows host used to configure the iPod with a second entry from the iPodService.exe program which also records the USB serial number of the iPod. The creation time of the iPod ControliTunesDevicelnfo on the iPod reflects the time value in the Windowssetupapi.log file on the Windows host used to configure the iPod.

The iPod and Windows
It is possible to set iPod to read-only mode within Windows XP (SP2) by changing the registry key: HKEY_LOCAL_MACHINESystemCurrentControlset ControlStorageDevicePolicies. Setting this key to the hex value of 0x00000001 and restarting the computer will stop write access to any USB storage devices effectively rendering them as read only. Setting the value to 0x00000000 and restarting the computer enables write access (Andersen & Abella 2004).

The Registry
The Windows registry contains significant amounts of information to the forensic analyst. Of primary concern in investigating iPods are"
1. The keys created by the connection of the iPod to the Windows computer, and
2. The last write times indicating the last time the registry keys were changed.

An iPod creates a series of registry keys when it is connected to the Windows computer. These can be found under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR in the registry. Located under USBSTOR will be found a key that identifies a disk device presenting the vendor identifier "Apple", the product identifier "iPod", and a revision code. This information can be used to match the host computer and iPod being investigated. The last write time for this key indicates the first time that the iPod connected to the Windows host. Under this in the registry is a further key corresponding to the serial number of the iPod USB connection, followed by "&0". This value will match the value of FirewireGuid on the iPod contained in the iPod_ControlDeviceSyslnfo file. The last write time associated with this key is the last time that the iPod connected to the Windows host.

The Windows file, setupapi.log (in the Windows installation directory) records all driver installations that after the system has booted. On the first time that an iPod is connected to a Windows system, the connection event will be recorded in this file. The information in this file will match with the last write times of a series of registry keys related to the iPod.

This file is also useful in reconstructing the sequence of connection events the iPod and the host system. This is as this file lists the driver installations. If iTunes is also installed, each occasion that an iPod connection occurs after boot will be recorded. If however iTunes is not installed, than only the driver installation will be recorded. Also, if the iPod has been connect to the host prior to its being booted, the drivers will load during boot-up and will not be recorded even if iTunes is installed. In any event, this file provides a means to reconstruct events that have occurred on the host and also associated a particular iPod with a particular computer at a given time.

PDA, BlackBerry and iPod Forensic Analysis
  PDA Investigative Tips
  Introduction to the BlackBerry
  iPod Forensics
  iPod investigation
  The iPod and Linux

About the book

Alternate Data Storage Forensics explores forensic investigative analysis methods when dealing with alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuths professionals. Purchase the book from Syngress Publishing.

Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)

Dig Deeper on Managed storage services

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

A lot of informations on ipod, it's impressive !!!
Good work!