Appendix A. Disclosures and Source Code
This appendix includes details about the procedures and results described in this book that a court may require from law enforcement witnesses, prosecutors, and defendants.
Power-On Device Modifications (Disclosure)
When any computer is turned on, files are read and written. iPhone examiners need only be concerned with what is written, as the iPhone’s filesystem is mounted with the noatime option, even if the option is not specified in /etc/fstab. This option prevents access times from being updated when a file is read or its metadata (such as its name) is changed on the device. Therefore, the access time shown on a file should reflect either its creation or the last time some change was made to the content, allowing you to concentrate on only the files that have been actually changed.
In the likely event that you don’t possess special equipment to physically dump the iPhone’s memory chip, the device must be powered on and booted into its operating system to recover data. Furthermore, the forensic tools described in this book require that the device be rebooted after the toolkit payload is installed.
Just like a desktop operating system, the iPhone’s Leopard operating system performs minor writes to certain files upon booting. The purpose of most writes is to replace or reset existing configuration files, and writes generally don’t add any new data to the filesystem. Some writes, however, append a very minor amount of data to files. Overall, the ...
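The two checks an examiner would want to document for this disclosure are (a) confirming that the filesystem really is mounted noatime, so that access times are not being touched by reads, and (b) recording exactly which files the power-on boot altered. The script below is an added example, not code from the book or from the toolkit it describes. It parses constructed sample lines in the two shapes the `mount` command prints (BSD/Darwin and Linux), and it takes before/after snapshots of a directory tree (size, mtime, SHA-256) and classifies every file as added, removed, modified (content changed) or merely touched (metadata changed, content identical). The `demo()` function builds a throwaway tree in a temporary directory and simulates a boot that resets a configuration file, appends to a log and creates a lock file; the paths and file contents in it are constructed for illustration.

```python
"""Document power-on filesystem changes: mount-option check plus snapshot diff.
Added example; the sample mount lines and the demo tree are constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# `mount` output shapes: "/dev/x on /mp (opt, opt)" (BSD/Darwin) and
# "/dev/x /mp fstype opt,opt 0 0" (Linux /proc/mounts style).
_BSD_MOUNT = re.compile(r"^(?P<dev>\S+) on (?P<mp>\S+) \((?P<opts>[^)]*)\)$")
_LINUX_MOUNT = re.compile(r"^(?P<dev>\S+) (?P<mp>\S+) (?P<fs>\S+) (?P<opts>\S+)")


def mount_options(line: str) -> Tuple[str, Set[str]]:
    """Return (mount point, set of mount options) for one line of `mount` output."""
    line = line.strip()
    m = _BSD_MOUNT.match(line)
    if m:
        return m.group("mp"), {o.strip() for o in m.group("opts").split(",")}
    m = _LINUX_MOUNT.match(line)
    if m:
        return m.group("mp"), set(m.group("opts").split(","))
    raise ValueError(f"unrecognised mount line: {line!r}")


def atime_is_reliable(line: str) -> bool:
    """True only if the filesystem updates access times (no noatime option);
    when False, atime cannot be used as evidence that a file was read."""
    _, opts = mount_options(line)
    return "noatime" not in opts


@dataclass(frozen=True)
class FileRecord:
    path: str      # path relative to the snapshot root
    size: int
    mtime: float
    sha256: str


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Record size, mtime and SHA-256 of every regular file under `root`."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            records[rel] = FileRecord(rel, st.st_size, st.st_mtime, h.hexdigest())
    return records


def diff_snapshots(before: Dict[str, FileRecord],
                   after: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Classify each path as added, removed, modified (hash differs) or
    touched (hash identical, mtime differs). Lists are sorted for reporting."""
    result: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "touched": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            result["added"].append(path)
        elif path not in after:
            result["removed"].append(path)
        elif before[path].sha256 != after[path].sha256:
            result["modified"].append(path)
        elif before[path].mtime != after[path].mtime:
            result["touched"].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small tree, simulate a boot that resets
    a preference file, appends to a log, creates a lock file and only re-stamps
    one file, then return the classified differences."""
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "Library", "Preferences")
        logs = os.path.join(root, "Library", "Logs")
        os.makedirs(prefs)
        os.makedirs(logs)
        with open(os.path.join(prefs, "example.plist"), "w") as f:
            f.write("<plist/>")
        with open(os.path.join(logs, "boot.log"), "w") as f:
            f.write("first boot\n")
        static = os.path.join(root, "static.bin")
        with open(static, "wb") as f:
            f.write(b"\x00" * 16)
        before = snapshot(root)
        # Simulated power-on writes (constructed, not real iPhone boot behaviour).
        with open(os.path.join(prefs, "example.plist"), "w") as f:
            f.write("<plist>reset</plist>")           # replaced/reset config
        with open(os.path.join(logs, "boot.log"), "a") as f:
            f.write("second boot\n")                  # appended data
        with open(os.path.join(root, "tmp.lock"), "w") as f:
            f.write("")                               # new file
        later = before["static.bin"].mtime + 5        # mtime moved, content same
        os.utime(static, (later, later))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(atime_is_reliable("/dev/disk0s1 on / (hfs, local, noatime, journaled)"))
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the `before` snapshot is taken from a read-only image or prior dump and the `after` snapshot from the device after it has been booted with the toolkit installed; the resulting lists are the concrete list of power-on modifications to attach to the disclosure. Hashing rather than trusting mtime alone is what separates "touched" from "modified", which matters when the defence asks whether content, not just metadata, was altered.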