iPhone Forensics

by Jonathan Zdziarski
September 2008
Content level: Intermediate to advanced
140 pages
3h 31m
English
O'Reilly Media, Inc.
Content preview from iPhone Forensics

Data Carving Using Foremost/Scalpel

To recover deleted files, you need a data-carving tool. Data carving is the process of extracting structured data from unstructured data. Until mounted as a filesystem, the raw partition recovered from the iPhone looks like one big file to the computer, and contains both live and deleted data. A data-carving tool can scan the disk image for traces of desired files, such as images, voicemail, and other files. It then carves these smaller files out of the image for further analysis. Foremost and Scalpel are both data-carving tools.
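One common way a carver finds those traces is by matching file signatures (a known header and footer). The Python below is an added example, not code from the book, Foremost, or Scalpel; the `Signature` and `Carved` names, the `max_size` limits, and the sample image are assumptions constructed for the illustration.

```python
from typing import Iterator, NamedTuple

class Signature(NamedTuple):
    ext: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for a footer beyond this many bytes

# Well-known magic numbers; the max_size values are assumptions for this demo.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 5_000_000),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 5_000_000),
]

class Carved(NamedTuple):
    ext: str
    offset: int
    data: bytes

def carve(image: bytes, signatures=SIGNATURES) -> Iterator[Carved]:
    """Yield each header..footer span in a raw image, whether live or deleted."""
    for sig in signatures:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            window_end = min(len(image), start + sig.max_size)
            end = image.find(sig.footer, start + len(sig.header), window_end)
            if end == -1:
                pos = start + 1  # header with no footer in range: skip it
                continue
            end += len(sig.footer)
            yield Carved(sig.ext, start, image[start:end])
            pos = end  # resume scanning after the carved file

def build_sample_image() -> bytes:
    """Constructed sample: two fake files in filler, plus a stray JPEG header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-demo-pixels" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"demo-chunks" + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpg + b"\xaa" * 300 + png + b"\x00" * 64 + b"\xff\xd8\xff"

if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.ext} at offset {f.offset}, {len(f.data)} bytes")
```

The trailing header with no footer is skipped rather than carved, which is why a size limit per file type matters on real images.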

Foremost is a free forensics tool developed by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations. Foremost can be freely downloaded from http://foremost.sourceforge.net and compiled and installed on most desktop operating systems. Mac OS users may either build from source or install using MacPorts (http://www.macports.org):

$ sudo port install foremost

Scalpel is a tool based on Foremost and performs much faster analysis using an identical configuration file. Scalpel is available at http://www.digitalforensicssolutions.com/Scalpel/. Windows binaries for Scalpel are included in the distribution. Scalpel can be compiled and installed on a Mac desktop using the following commands (if the version number has changed, simply substitute the current version in the following file and directory names):

$ tar -zxvf scalpel-1.60.tar.gz
$ cd scalpel-1.60
$ make bsd
$ sudo mkdir -p /usr/local/bin ...

ISBN: 9780596153588