Thursday, April 22, 2010

Mac OSX Forensics becomes "The Apple Examiner"

For the last few years, the Mac OSX Forensics website has been a continuing reference source for my Mac-based forensic investigations. The website has now changed names and moved to The Apple Examiner website. The site is very nicely laid out, easy to understand and contains information on the newest Apple technology. I see a new area on iPhone/iPad/iPod.

I've been analyzing some iPhones lately, and instead of focusing on the (logical) information parsed out by Cellebrite and XRY, I've been throwing the images into FTK and EnCase. FTK does a very good job parsing out the PLISTS for examination. If you're more partial to EnCase, there is a PLIST parser on the Guidance website (created 03/2010 by Simon Key) which can be downloaded from here (you'll likely need an account to log into the Support Portal). Once these PLISTS have been parsed out, you cannot imagine the information forensically available within an iPhone. I'm doing up some screenshots of how to bring the physical image into FTK and EnCase to preview it (you have to change a byte). Of course, I maintain the original, and flip the byte on a copy.
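For an examiner who wants to look at plists outside FTK or EnCase, the following is an added example (not code from this post, from Guidance, from Simon Key's EnScript, or from any of the tools named above). It uses only Python's standard `plistlib`, which reads both the XML and the binary (`bplist00`) flavours found on iOS devices, and flattens a nested plist into key paths so that dates, booleans and raw data are rendered in a reviewable form. The sample plist and its key names are constructed for the demo and are not real iOS artefacts.

```python
"""Flatten an Apple property list (XML or binary) into key paths for review.

Added example; not code from the blog post or from FTK, EnCase, Cellebrite,
XRY or Simon Key's EnScript. Standard library only. The sample plist below
is constructed for the demonstration and its keys are invented.
"""
import datetime
import plistlib

# Constructed sample plist; key names are hypothetical, not iOS artefacts.
SAMPLE_PLIST = {
    "DeviceName": "demo-iphone",
    "LastBackupDate": datetime.datetime(2010, 4, 22, 12, 0, 0),
    "Accounts": [
        {"Username": "alice", "Enabled": True},
        {"Username": "bob", "Enabled": False},
    ],
    "Token": b"\x00\x01\x02",
}


def build_sample(fmt: str) -> bytes:
    """Serialise SAMPLE_PLIST as 'binary' or 'xml' (stand-in for a carved file)."""
    plist_fmt = plistlib.FMT_BINARY if fmt == "binary" else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE_PLIST, fmt=plist_fmt)


def detect_format(data: bytes) -> str:
    """Binary plists begin with the magic 'bplist00'; anything else is XML."""
    return "binary" if data.startswith(b"bplist00") else "xml"


def flatten(node, path=""):
    """Yield (keypath, value) for every scalar in a nested plist structure.

    Dict keys are joined with '/', list positions are shown as '[n]'.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node


def parse_plist(data: bytes) -> dict:
    """Parse either plist flavour and return {keypath: printable value}.

    plistlib.loads() detects XML vs binary on its own. Datetimes become
    ISO 8601 strings and raw <data> blobs become hex so the output is
    safe to print or drop into a report.
    """
    obj = plistlib.loads(data)
    flat = {}
    for key, value in flatten(obj):
        if isinstance(value, datetime.datetime):
            value = value.isoformat()
        elif isinstance(value, bytes):
            value = value.hex()
        flat[key] = value
    return flat


if __name__ == "__main__":
    for fmt in ("binary", "xml"):
        blob = build_sample(fmt)
        print(f"--- {fmt} plist ({detect_format(blob)} detected, {len(blob)} bytes)")
        for key, value in parse_plist(blob).items():
            print(f"{key:28} {value!r}")
```

Feeding `parse_plist()` the bytes of a plist pulled out of an image gives the same flat view for both encodings, which is useful when comparing what a commercial parser reports against the raw file. Note that `plistlib` returns naive datetimes; iOS stores plist dates in UTC, so treat the ISO strings as UTC when building a timeline.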

Check out Ryan and Dave's website.  If you're interested in Mac Forensics, you HAVE to bookmark this one.
