Chapter 5. Electronic Discovery

In the previous chapter, you learned how to recover the raw media partition from the iPhone and use data-carving tools to pull out potentially deleted images, email messages, and other useful files. This chapter will help you make sense of what you’ve recovered, and guide you through working with live data on the filesystem.

Data carving is very useful for recovering files that the suspect had intentionally deleted or forgotten about. The disk image can also be mounted as a live disk, allowing access to the live (not deleted) data on the iPhone. This allows you to examine the live filesystem and determine the data’s filenames so that you know exactly what data is where.

Note

Instructions for working with the live filesystem commonly refer to the /mobile directory. If the iPhone is running firmware version 1.1.2 or earlier, these files are instead stored in /root. Be sure to make the necessary changes to your method to accommodate any changes in file location.

Converting Timestamps

Many of the timestamps found on the iPhone are presented in Unix timestamp format. To convert these to actual dates and times, use an online Unix timestamp converter, such as the ones found at http://www.4webhelp.net/us/timestamp.php and http://www.onlineconversion.com/unix_time.htm.

From the command line, a simple Perl script can be executed on Mac desktops:

$ perl -e 'require "ctime.pl"; print ctime(1200000000) . "\n";'
Thu Jan 10 16:20:00 2008
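The same conversion can be done for many timestamps at once when reviewing carved text. The following Python script is an added example, not code from the book: it scans lines for ten-digit numbers, keeps only those inside a plausible epoch window (so phone numbers and serials are not mistaken for dates), and renders each match in UTC plus a fixed offset. The sample lines are constructed, not real iPhone data, and the helper names are the author's own.

```python
"""Convert Unix timestamps found in iPhone artifacts to readable dates.

Added example (not from the book). Assumes timestamps are whole seconds
since 1970-01-01 UTC; the sample lines below are constructed, not real
iPhone data.
"""
import re
from datetime import datetime, timezone, timedelta

# Ten digits not adjacent to other digits: candidate second-resolution epochs.
TS_RE = re.compile(r"(?<!\d)(\d{10})(?!\d)")

# Default plausibility window: 2000-01-01 UTC .. 2038-01-19 UTC (32-bit limit).
DEFAULT_LO = 946684800
DEFAULT_HI = 2147483647


def unix_to_utc(ts):
    """Render a Unix timestamp as a UTC string; reporting in UTC avoids
    daylight-saving ambiguity when the phone's zone is unknown."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def unix_to_offset(ts, hours):
    """Render the same instant in a fixed UTC offset (e.g. -5 for US Eastern
    standard time, which is what the book's ctime output reflects)."""
    tz = timezone(timedelta(hours=hours))
    return datetime.fromtimestamp(int(ts), tz=tz).strftime("%Y-%m-%d %H:%M:%S %z")


def find_timestamps(lines, lo=DEFAULT_LO, hi=DEFAULT_HI):
    """Scan text lines for plausible Unix timestamps.

    Returns a list of (line_number, raw_digits, utc_string) tuples, skipping
    ten-digit numbers that fall outside the [lo, hi] window."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TS_RE.finditer(line):
            raw = m.group(1)
            value = int(raw)
            if lo <= value <= hi:
                hits.append((n, raw, unix_to_utc(value)))
    return hits


# Constructed sample lines, loosely modelled on text carved from a database dump.
SAMPLE_LINES = [
    "ZDATE=1200000000 ZSUBJECT=Meeting notes",   # real-looking epoch
    "last_seen 1210000000 caller 5551234567",   # phone number exceeds the window
    "serial 0000000042 no date here",           # far too small to be a modern date
]

if __name__ == "__main__":
    for n, raw, utc in find_timestamps(SAMPLE_LINES):
        print(f"line {n}: {raw} -> {utc} ({unix_to_offset(raw, -5)})")
```

Record the offset you used in your notes: the phone's own time zone setting and the examiner's workstation zone can differ, and a report that mixes the two is easy to challenge. Narrow the window (for example, to the date the device was first activated) to cut down on false positives.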

Mounting the Disk Image

When you ...
