Chapter 6. Desktop Trace

Recovering evidence from an iPhone can be an important step in building evidence for a case, but you can also find a wealth of information on any desktop machines that have been previously synced with the device. In a criminal investigation, a search warrant can be obtained to seize desktop equipment belonging to the suspect. In a corporate investigation, company-owned desktop or notebook machines can usually be examined.

The evidence found on a desktop or notebook computer can provide information about the trusted pairing relationship to the iPhone. The computer can also store backup copies of various data files, which are useful if the iPhone has been damaged or destroyed. This information can be used both as evidence and to further prove a relationship between the desktop and mobile device. If the suspect is trying to claim that the iPhone in evidence doesn’t belong to him, this is a great way to disprove it.

This book doesn’t cover desktop forensics, but assumes that the reader is familiar with desktop procedures. Most of the information gathered on the desktop can be found on the live filesystem, unless it has been deleted. Nonetheless, you should have a firm understanding of the procedures necessary to preserve evidence on the desktop, or the information you obtain may not be admissible. For more information about desktop forensics, check out File System Forensic Analysis by Brian Carrier (Addison-Wesley Professional).

A desktop trace should be gathered ...
