I received an iPhone yesterday that was suspected to be stolen. Proving the suspicion was another matter. The was found to have data (photos, mostly) only related to the suspected thief, but the investigator noted that the phones statistics had been reset and suspected the original owners data was deleted. He brought me the phone for examination to prove his hunch. The phone was not reported stolen anywhere that we could find.
My first thought was the SIM card. Problem was, the phone had no service, and the SIM card only revealed the assigned phone number and carrier. While that might lead to the owner, it would be a while after the drafting and execution of a search warrant. In fact, it could have been weeks before that got us anywhere.
I obtained some basic phone data with the libimobiledevice-utils package. I quickly learned that the iPhone 3G was running the 4.3.1 iOS. I also quickly discovered that the libimobiledevice package (v1.04) in Debian Testing was not going to help me too much because of a bug. Luckily, it was a known bug, and compiling the latestest stable package (v1.06 at this writing) from libimobiledevice.org fixed me right up.
The iPhone tools I use are not yet equipped to obtain the user partition of iOS 4.3 or higher. They cannot image unallocated space in iOS 4 in any event. I have successfully used idevicebackup (one of the libimobiledevice-utils) to backup and iphone and exam the sms, contacts, and other databases, but I could not successfully complete this task because the iPhone refused the backup request (I later did this in Windows with iTunes, however).
So, there I was without full user partition access, no means to recover deleted files, and that was suspected, and no backup of application databases that might lead to owner identification. I could see photos, and music, and nothing more when I mounted the phone with ifuse. The photos had already been ruled out as a possible source of original owner information. That left the music.
I knew from previous research that songs and videos purchased through iTunes contain the real name and iTunes username of the purchaser. The username is most often the user's email address, in my experience. The data is stored in the 'name' and 'apID' atoms of the mpeg-4 format. You can learn more about atoms and the format specifications at the AtomicParsley website.
I used the find command to locate the .m4p (music) and .m4v (video) files that are indicative of media purchased through iTunes. Of the more that 3k of music files, I found about 50 that were .m4p format and contained three different but related usernames (same last name). Not surprisingly, the names did not match the suspected thief. Each username had an associated email address, but a I was able to cross reference the names with other records and find a burglary victim.
So, while we are used to the performing artists singing their songs, forensic computer examiners need to keep in mind that iTunes songs sing themselves, providing purchaser real name and username/email address!
Subscribe to: Posts (Atom)
Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...
The Google Chrome cache represents a challenge to forensic investigators. If the extent of your examination has been to open t...
CCL Forensics did the mobile forensics world a great service when it released several python scripts for cracking Android gesture, pin, an...
I received a Motorola Droid 2 for analysis. Processing the 16gb SD card was trivial as it is removable and subject to traditional imaging t...