What to Do When You’ve Seized an Apple Product: Bronze Sponsor BlackBag Talks Mac and iPhone Forensics

Any technology’s popularity increases the likelihood that it will be used for illicit purposes. Apple’s mobile devices – the iPhone, iPad and various iPod iterations – are no different. However, because the way they store data is structured differently from other mobile devices, investigators need specialized training to learn how to deal with them.

Enter BlackBag Technologies, specialists in Apple Macintosh forensic tools. We talked with Drew Fahey, director of forensics, Paul Jordan, vice president of corporate development, and Derrick Donnelly, chief technology officer, about the labs they’re offering in Atlanta: “iPhone Analysis: What’s Really in that Backup File, Anyway?” and “Mac Analysis for the Windows Forensic Examiner.”

HTCIA: What level of investigative experience are your classes geared for?

DF: While the classes are available and accessible to all levels of experience, they are ideally suited for experienced Windows forensic examiners who are looking to understand the Mac platform and apply their experience within a new technical context.

HTCIA: What tools and processes will you be covering?

DF: These labs will focus on forensically handling iPhones and iPads. Adoption rates and market penetration of both devices are at levels unseen for previous Mac-based software and hardware. As a result, these devices are turning up in numerous investigative scenarios, and acquisition and analysis require a different approach than historically applied to simpler cell phones.

PJ: Forensically analyzing an iPhone or iPad is more like traditional computer forensics because these devices’ operating systems and storage capacities are more like a Mac’s than like a cell phone’s. The latest devices run basically a lighter version of OS X. They capture traditional phone data such as call history and SMS, but also capture huge amounts of media, documents, email and other rich data.

DF: Classes will also cover the challenges / opportunities of creating a lawfully sanctioned image as well as how to develop a forced backup file. Instructors will talk to the unique data structures of these devices and show analysis simulations.

HTCIA: Can you talk about the scenarios you’ll be taking students through?

DF: We will be running the students through an intellectual property theft case involving three individuals. All three used iPhones and Mac laptops to commit a theft. We will walk the students through the initial discovery all the way to the arrest.

HTCIA: Your background: how did you get into Mac / iPhone forensics? What do you enjoy most about forensics, and teaching?

DF: I was forced into it 😉 Seriously though, I have been conducting computer forensics for 15 years, and over that time I have seen Macs continue to become more prevalent. Having used a Mac every day for the last four years, it made sense to jump right in and focus on Mac forensics. iPhone forensics was a natural progression, as it is just an offshoot of Mac OS X.

The best part about teaching forensics is watching the reaction of students as they learn something new.

HTCIA: What do you like to see from your lab attendees?

DF: Active participation. Looking to discuss real cases and address actual field challenges faced by examiners. Come prepared to share scenarios and learn ways to improve future technique.

HTCIA: How is Mac forensics different from Windows forensics? Why are there so few tools for HFS/HFS+?

DF: Historically the market for Macs has been much smaller and therefore the opportunity to create tools for a large market has not existed. That is slowly changing with record levels of corporate adoption for the iPhone and iPad.

DD: Many companies are buying iPhones or partially paying for employee iPhones. Employees might be getting company e-mail on the iPhones, and many companies are starting to use iPads. We have received many calls in the past 6 months from companies needing to do full forensics or e-discovery on company iPhones/iPads, or on personal systems where employees have consented to data collections.

SMS, MMS, Twitter, Facebook, MySpace, social networks and e-mail can contain a lot of data that might have evidentiary value in civil or criminal cases, especially when a group of employees might be communicating via SMS on a specific project.

Also, many companies are starting to allow their employees to choose their favorite platform for work (Windows, Mac, Linux, etc…), and Macs can now dual boot with Windows and Mac OS X installed on the same system. People are now starting to do two analysis investigations because both OSs are installed on the same system.

HTCIA: The iPhone is so new that reference to a “history” of forensic processes is kind of funny. 🙂 Talk a little about its evolution?

DF: Like anything else, you have to start somewhere. The iPhone is now in its fourth year, and the understanding of the data which exists on iOS devices like the iPhone is still being learned. With each new iteration of the devices and software, forensics tools need to adapt.

This is not unlike typical forensics software, which has to adapt to newer operating systems and programs. The difference is the rate at which iPhone forensics changes.

PJ: Apple’s pace of innovation seems to have set a new standard in the technology industry. They continue to push new devices and features, which creates challenges for investigators who cannot rely on older forensic tools to handle these devices.

It will always take time to react, but we hope that our deep expertise in Mac systems allows us to quickly build tools to properly equip law enforcement to work with these new devices.

Questions for the BlackBag team? Please leave us a comment!
