iPhone Forensics Workshop - Dallas/Ft. Worth
Wednesday, December 3, 2008 at 8:30 AM - Thursday, December 4, 2008 at 4:30 AM (CT)
Event Details
iPhone Forensics Workshop
December 3-4
Dallas/Ft. Worth Area - Meeting room/hotel to be announced soon.
8:30am - 4:30pm EST
The Workshop
Recovering Evidence, Personal Data, and Corporate Assets
Attendees will receive a copy of iPhone Forensics and a USB keychain drive containing the tools and payloads used in the workshop, in which you'll be able to follow along or participate hands-on, learning:
- What kind of evidence is stored on the iPhone
- How to prepare a desktop environment for iPhone forensics
- Breaking v1.x and v2.x passcode-protected iPhones to gain access to the device
- Performing field-recovery of basic suspect data, such as that backed up using commercial tools
- Building a custom recovery toolkit for the iPhone
- Interrupting the iPhone 3G's "secure wipe" process
- Data recovery of a v1.x and v2.x iPhone user disk partition: checksumming, preserving and recovering the entire raw image
- Recovering deleted voicemail, images, email, and other personal data using data carving techniques
- Recovering geotags and timestamps from camera photos
- Electronic discovery of Google map lookups, typing cache, browser history, wifi history, application data and other data stored on the live file system
- Reassembling maps from the Google map tile cache and estimating routes
- Extracting contact information, SMS messages, and other data from the iPhone's database
- Collecting desktop trace and establishing trusted relationships to owners' desktops
- Building an examination checklist and different recovery strategies based on case needs
Using the tools and know-how provided in this workshop, you'll work hands-on to recover stored and deleted information on the iPhone, including:
- Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication
- Screenshots preserved from the last state of an application, taken whenever the home button is pressed or an application is exited
- Deleted images from the suspect's synced photo library, camera roll, and downloaded browser objects
- Deleted address book entries, contacts, calendar events, and other personal data
- Exhaustive call history, beyond that displayed
- Map tile images from the iPhone's Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix
- Browser history and deleted browser objects, which identify the websites a user has visited
- Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps
- Live and deleted voicemail recordings stored on the device
- Pairing records establishing trusted relationships between the device and one or more desktop computers
In addition, Jonathan will walk you through common corporate and crime scene scenarios and describe the kind of data that will prove most useful in your investigation. A Q/A session will conclude the conference as time permits. Classroom assistants will be available to help during all classes.
Coffee and a light lunch fare will be served. Be sure to bring a Mac or Windows laptop (Mac preferred) and an iPhone if you would like to follow along. Do not bring live evidence.
Attendees are welcome to follow along with the demonstrations or actively participate with their own devices and laptops. While the techniques covered
support many different firmware versions, certain specific versions will be demonstrated to keep the class moving. The following combinations will be
covered in the workshop:
1. Passcode Breaking:
a. A first-generation iPhone running firmware v1.1.4 on Windows
b. A first-generation iPhone running firmware v1.1.4 on Mac
c. An iPhone 3G running firmware v2.1 on Mac
2. Forensic Recovery:
a. A first-generation iPhone running firmware v1.1.4 on Windows
b. An iPhone 3G running firmware v2.1 on Mac
Homework for active participants on the first day will be to recover the full disk image from their device. For those following along, a sample disk
image will be provided for them to work with.
While the workshop covers techniques on both Mac and Windows, we strongly recommend you consider using a Mac for this workshop. The Mac's native
compatibility with the HFS+ file system makes working with firmware and disk images much easier, and a few tools designed to streamline the rebuilding
of data (such as Google maps and filesystem backups) are Mac-specific.
Verified Law Enforcement Officers, please send email to workshops AT oreilly dot com to obtain a discount rate and code.
When & Where
Dallas/Ft. Worth, TX
Wednesday, December 3, 2008 at 8:30 AM - Thursday, December 4, 2008 at 4:30 AM (CT)
Hosted By
O'Reilly Media and Microsoft
About O'Reilly
O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly has been a chronicler and catalyst of leading-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.
About Microsoft
Founded in 1975, Microsoft (Nasdaq "MSFT") is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.