This appendix includes details about the procedures and results described in this book that a court may require from law enforcement witnesses, prosecutors, and defendants.
When any computer is turned on, files are read and written. iPhone examiners need only be concerned with what is written, as the iPhone’s filesystem is mounted with the noatime option, even if the option is not specified in /etc/fstab. This option prevents access times from being updated when a file is read or its metadata (such as its name) is changed on the device. Therefore, the access time shown on a file should reflect either its creation or the last time some change was made to the content, allowing you to concentrate on only the files that have actually been changed.
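Because the option can be in effect without appearing in /etc/fstab, the mount table is the thing to record in your notes, not the configuration file. The following check is an added example, not a tool from this book: it compares the options reported by mount with those declared in fstab. The sample text and the function names are constructed for illustration, assuming the BSD mount output layout.

```python
import re

# Constructed sample input in BSD `mount` and fstab(5) layouts; not captured from a device.
SAMPLE_MOUNT = """\
/dev/disk0s1 on / (hfs, local, noatime)
devfs on /dev (devfs, local)
/dev/disk0s2 on /private/var (hfs, local, nodev, nosuid, noatime)
"""
SAMPLE_FSTAB = """\
# device      mountpoint    type  options   dump pass
/dev/disk0s1  /             hfs   ro        0 1
/dev/disk0s2  /private/var  hfs   rw,noexec 0 2
"""

# "<device> on <mount point> (<type>, <flag>, ...)"
MOUNT_LINE = re.compile(r"^(?P<dev>\S+) on (?P<mp>.+?) \((?P<opts>[^)]*)\)\s*$")

def effective_options(mount_output):
    """Map mount point -> set of flags the mount table reports as in effect."""
    result = {}
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line)
        if m:
            # The first item is the filesystem type; it is kept with the flags.
            result[m["mp"]] = {o.strip() for o in m["opts"].split(",") if o.strip()}
    return result

def declared_options(fstab_text):
    """Map mount point -> set of options written in the fstab text."""
    result = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 4:
            result[fields[1]] = set(fields[3].split(","))
    return result

def atime_report(mount_output, fstab_text):
    """Per mount point: is noatime in effect, and was it declared in fstab?"""
    declared = declared_options(fstab_text)
    return {
        mp: {
            "noatime_effective": "noatime" in opts,
            "noatime_declared": "noatime" in declared.get(mp, set()),
        }
        for mp, opts in effective_options(mount_output).items()
    }

if __name__ == "__main__":
    for mp, row in atime_report(SAMPLE_MOUNT, SAMPLE_FSTAB).items():
        print(mp, row)
```

A mount point reported as effective but not declared is the case described above; one reported as not effective means access times on that filesystem may have been updated by reads.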
In the likely event that you don’t possess special equipment to physically dump the iPhone’s memory chip, the device must be powered on and booted into its operating system to recover data. Furthermore, the forensic tools described in this book require that the device be rebooted after the toolkit payload is installed.
Just like a desktop operating system, the iPhone’s Leopard operating system performs minor writes to certain files upon booting. The purpose of most writes is to replace or reset existing configuration files, and writes generally don’t add any new data to the filesystem. Some writes, however, append a very minor amount of data to files. Overall, the ...