My good friend Shafik Punja asked “Remember how you showed me to take a Lantern case file and bring it into Encase?” I responded that I did remember showing him how to do it. Shafik he asked me to place this blog so that others can benefit from this as well. So here it is using a case folder using the new Lantern 2. This will also work using FTK. Unfortunately I do not have FTK running in my VM, so this method can also work the same way. For this demonstration I am using Parallels. Just like it better now, but again, if you have VMware Fusion, this will work also.
1. Acquire an iDevice using Lantern.
2. Start you Windows virtual machine
3. Depending on your VM software, set up file sharing
4. Copy the Lantern case file (the icon that looks like a briefcase) and bring it into Windows. As you see in the following figure, the case file looks like a file folder. The Lantern case file in 2.0 is an Apple/Mac package. Basically a folder. Windows 7 sees this package as a folder.
5. Open You windows base forensic tool, in this demonstration open Encase and create a case.
6. Then just drag and drop the Lantern folder into Encase as seen below,
7. Then you can run whatever process you care to do at this time. It is just that simple!
For older Lantern version 1 case files. It is essential a Zip file. Just unzip the files and bring them into Encase or FTK using the same method as described above. If you have any questions drop me an email. firstname.lastname@example.org
Here is a short PDF on imaging the MacBook Air wth WinFE+FTK Imager
Imaging a MacBook Air
A lot of noise has been given to the tracking of the iPhone. One good thing came out of it. LE researchers have been able to keep it quiet for over a year. My research into My book “iOS Forensic Analysis” covered not only consolidated.db but how to visualize the data with just using Google Maps and Google Earth. Crude, but it worked. This research I put into the development of Katana Forensic’s Lantern v2.0.
So now that it is out, how does one protect themselves,
1. Use a numerical or strong password on your phone.
2. Encrypt your Backup within itunes,
3. Get a free iTunes account to remotely lock and wipe your device,
“Locate your iPhone on a map.
People misplace things all the time. Fortunately, if you lose your iPhone, Find My iPhone can help. It’s a feature that’s part of MobileMe, but now it’s also free on every iPhone 4 with iOS 4.2 or later.* Enable Find My iPhone in Settings. Then if you misplace your iPhone, you can sign in to me.com from any computer web browser or using the Find My iPhone app on another iPhone, iPad, or iPod touch to display its approximate location on a map.”
-From Apple’s website describing this service
4. Use File Vault to Encrypt your user volume, this would protect all your data not just the iTunes Backup.
5. In the upcoming operating system, Lion will allow for full disk encryption.
6. Don’t jailbreak your device.
The best security is to keep the iPhone’s original operating system intact. There have been know issues that have come from users that have broken the device and have been attacked by Hackers.
If one utilizes the measures that Apple provides to protect the public, it seems hard that they would “Spy” on them. They don’t and this was asked and answered a year ago. This is what happens when “Researchers” take an issue too far without looking at the facts at hand. We like how our new smartphones work. We also realize that we are giving up something in order to acquire these new technologies that we look and say, “WOW”.
So we can take the time to protect ourselves, or go back to the dumb phones that only placed calls. That is the reality of our society. I like my iPhone and do use a passcode, encrypt my backups, and have a Mobile Me account. Most people don’t know about this but hope this helps in getting you protected.
Researchers at Katana Forensics had looked at Geolocation data for quite some time. Early Last year Katana assisted Law Enforcement Agencies with cases to include a Homicide. The request among others was for Geolocation data and having it mapped. These findings have been published numerous times and revealed at conferences within the United States. Lantern version 2.0 was released in January 2011 which did more than the english free tool could do and much more. So was it really news or not? Looks like for once, Forensic Experts beat out “Security Researchers”
Just finished writing an article on Imaging the MacBook Air for Digital Forensics Magazine!! Hope it helps those that were pondering this issue.
The MacBook Air was introduced in 2008 and was the thinnest and lightest Mac ever made. It didn’t have much of a following until 2010 when the New Mac Book Air was announced. Sales of this generation was a good sign for Apple and the life cycle of this model.
Back in 2009 I developed methods to image the Apple Air. The older Airs, had both Serial ATA and SSD drived with 64GB and larger. future generations were typically the same but had larger hard drives. The latest generation has SATA DIMM drives, a first of it’s kind.
There were 3 basic ways to image the Air.
1. Remove the drive from the Air and image using adapters and normal free imaging tools
2. To use a Linux boot disk like SPADA 4. This method was helpful because it removed the necessity to have a USB hub. All that was needed, was to Load SPADA into ram, connect an external drive, and image.
3. was to install OS X 10.5 to an external hard disk, make sure disk arbitration was turned off, and the image using command line binaries like dcfldd or dc3dd. Now we can use this method again but using OS X 10.6 on the new SATA DIMM drives on the new Mac Airs.
I will later detail all these methods so that all examiners will have the knowledge to image any Air that they encounter and using free methods. The external Hard drive will necessitate the purchasing of OS X.
Come back and see how to handle these devices!!!!