A Novel Method of iDevice (iPhone, iPad, iPod) Forensics without Jailbreaking

Babar Iqbal
MCP, MCTS
www.YoungestMCP.com
Dubai, UAE
babar@babariqbal.com

Asif Iqbal
CISSP, CISM, CFE
Business360, Zayed University
Dubai, UAE
asif@babariqbal.com

Hanan Al Obaidli
CISSP(A)
Electrical and Computer Engineering Department
University of Sharjah
Sharjah, UAE

Abstract—With the boom in the mobility technology sector, a new generation of computing devices such as the iPhone, iPad and iPod has emerged and immersed itself in the lives of millions and millions of people. With their widespread adoption, it is fair to say that the use of these devices has created a new source of digital evidence, and a need has emerged for a fast and trusted method to image and analyze the data. In this paper we discuss a novel method that we have developed to create an image of an iDevice (iPhone, iPad, iPod) in a secure and fast manner, within 30 minutes or less and without jailbreaking, compared to the fastest current method, which takes up to 20 hours.

Keywords- Forensics; cybercrime; iPad; iPhone; iPod; Apple; digital investigation

I. INTRODUCTION

We are living in a fast-growing world where technology has immersed itself in every aspect of our culture and lives. It has changed the way we do our work, spend our time and express ourselves. As a result, making these technologies mobile became an essential requirement in order to optimize our productivity and fulfill our duties. The evolution from PCs to laptops and now to smartphones and tablets reflects how technology has become a cornerstone in the lives of human beings. These portable devices are used by millions of people for personal and organizational purposes. These compact devices are useful in managing information, such as contact details and appointments, corresponding electronically, and conveying electronic documents.
Over time, they accumulate a sizeable amount of information about the owner [1], such as emails, usernames, passwords, wireless access points, location information stored by the device and pictures, which can be used as evidence in a court of law.

In this paper we discuss one of the most widespread families of portable devices, the iDevices¹ (iPhone, iPad and iPod). In January 2007 the first iPhone, called the iPhone 2G, was released, and by the end of 2007, 1,389,000 units of this device had been sold worldwide [2]. Afterwards the iPhone 3G came to the market in June 2008, followed by the iPhone 3GS in June 2009. The number of 3G iPhone units sold reached 11,625,000 by the end of 2008, and by the end of 2009 the number of iPhone units sold reached 20,731,000. Afterwards, on June 21, 2010, Steve Jobs announced at the Worldwide Developers Conference the introduction of the new iPhone 4, and at the end of 2010, 39,989,000 iPhone units had been sold worldwide [3]. In the same year the Apple iPad was announced, in January 2010, and by the end of that year Apple had sold 7.64 million iPads worldwide [4] [5]. These two devices have entered the lives of millions and the phenomenal spread continues to grow: in 2011, 72.3 million iPhones and 32.39 million iPad units were sold worldwide [6], [7], [8], [9]. These two devices have impacted the lives of millions and, as a result of their worldwide use, produced a new source of evidence.

¹ Throughout the paper we will refer to iPhone, iPad and iPod devices with the word iDevices.

II. PRIOR WORK

Since the introduction of iPod/iPhone/iPad devices in the market, methods have been developed to acquire the data stored on them. These methods fall into three categories: (1) viewing the iTunes sync on a host computer, (2) jailbreaking the iDevice, (3) disassembling the iDevice [10].

The first method, viewing the iTunes sync on a host computer, is considered the easiest, as it can be used to make a logical copy of the iDevice data. Several tools have been designed to accomplish this task, such as mdhelper, a free command-line utility that works on iDevices below iOS 4 to acquire, parse, and display archived data. The binary was created by Erica Sadun and can be downloaded at http://ericasadun.com/ftp/Macintosh. The issue with this utility is that it does not keep the MAC times of the acquired backups intact. This utility can also be used on existing backups found on Mac or Windows computer evidence [11].

However, this method presents several problems: (1) the device needs to be correctly paired with the iTunes software in order to sync, (2) this method cannot retrieve any deleted files or folders, (3) if you cannot locate the host system, you will not get all the data off of the iPhone. For example, if a suspect has put binary data like movies or music on their system, you will not get these artifacts due to the Digital Rights Management (DRM) features [11].

2012 International Conference on Innovations in Information Technology (IIT)
978-1-4673-1101-4/12/$31.00 ©2012 IEEE
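
The MAC-time issue noted above for logical copies of a backup can be checked on any acquired folder. The following is an added example, not code from the paper or from mdhelper: it records a manifest of the source before copying, then reports which files lost their modification time. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file under root to (mtime in ns, SHA-256)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime_ns  # stat before reading the file
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records[os.path.relpath(path, root)] = (mtime, digest)
    return records


def acquire(src, dst, preserve_times=True):
    """Copy a folder: copy2 keeps file times, copyfile copies content only."""
    copier = shutil.copy2 if preserve_times else shutil.copyfile
    shutil.copytree(src, dst, copy_function=copier)


def altered_entries(before, after):
    """Relative paths whose hash or modification time changed."""
    return sorted(p for p in before if after.get(p) != before[p])


def demo():
    """Constructed sample: one file dated 2011-01-01 UTC, copied two ways."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "backup")
        os.makedirs(src)
        sample = os.path.join(src, "sample_record.db")  # constructed name
        with open(sample, "wb") as fh:
            fh.write(b"constructed backup content")
        os.utime(sample, (1293840000, 1293840000))  # (atime, mtime)
        before = snapshot(src)  # manifest taken before acquisition
        acquire(src, os.path.join(work, "good"), preserve_times=True)
        acquire(src, os.path.join(work, "bad"), preserve_times=False)
        kept = altered_entries(before, snapshot(os.path.join(work, "good")))
        lost = altered_entries(before, snapshot(os.path.join(work, "bad")))
        return kept, lost


if __name__ == "__main__":
    print(demo())
```

`shutil.copy2` carries over modification and access times only, so the change or creation time of the original survives solely in a manifest taken from the source before copying.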