http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/01/03/BA5N1H3G12.DTL#ixzz1A1UYXWB8 This, along with another opinion from two separate federal courts, will make its way to the US Supreme Court to decide this once and for all.
My publisher, Apress, will be at CES 2011! If you're in Vegas, look them up!
Recently an article was written about iPhone forensics and the use of the Easy Button tool. It showed how to use the Easy Button together with Windows-based tools to complete an iPhone exam. Reading it made me start to add up the number of tools used to complete the exam. Then I added up all the costs associated with this method. Lastly I looked at the time consumed: 14 hours or more. The price tag was so high it was frightening. The time involved? Ouch!
But we are not all Mac guys, and some have to stay in the Windows cocoon. Yes, in the Windows world it is always more complicated than it has to be. So you can do it the Windows way for over $10,000 and a lot of your time, or, for under $1,200 and about an hour, you get a Mac and all the tools you need to complete an exam on the iPhone. Oh, and you get to keep the Mac!
Windows Side Costs
Cellebrite UFED Physical Analyzer Pro – $8000
Windows Machine for FTK -$ 1800 (low end machine)
FTK 3.1 – $2995
NetAnalysis – $234.00
Total cost of ownership – $13,029 (not including any SMS fees)
Mac Side Costs
Mac Mini with 4GB of RAM – $799
Lantern – $399 (LE)
Xcode Tools – Free
SQLite Database Browser – Free
Total cost of ownership – $1,198
Now you can splurge and get some other awesome and expensive tools like:
OmniOutliner – $39.00 (Free if you ever had Tiger)
Froq – $65.00 – Awesome SQLite tool
Navicat Lite – Free – Another SQLite tool
“I have successfully used Lantern to analyze iPhone 4 and 3GS artifacts. Lantern parsed so much and so fast, that the analysis was only supplemented with SQL viewing tools such as Navicat Lite (free) and Froq ($$) for third party applications, and the native plist app that comes with Xcode Tools. Additionally OmniOutliner (Standard and Pro versions – $$) is the best tool I have found that will open a plist file and allow you to export it into a very clean HTML file, which renders the contents just as if you were looking at the plist from a Mac plist editor.” – Shafik Punja – Calgary Police Service
What is vendor-neutral training? It simply means that a training organization does not promote, recommend, or select one forensic tool over another. In the forensic training space, there are vendor, public, and private training organizations. Vendor training is provided by commercial entities such as Guidance Software, Access Data, Blackbag Technologies, MSAB, Paraben, etc. There are government training academies like FLETC, NCFI, and DCITA. These organizations take great pains to be vendor neutral. Private training companies are, for the most part, vendor neutral. Some operate under the guise of vendor neutrality but are now beholden to larger masters. Other great training is provided by SEARCH.ORG.
In times of slimming budgets and growing workloads, time and money are the enemies of administrations. So when you decide which training to attend, look at the organizations with a little more scrutiny than you may have before. Look for those that give you the biggest bang for your buck along with good-quality, vendor-neutral training. Some organizations are good at limiting the commercial vendor aspect of training and focusing more on the processes of forensics. Those are the ones that deserve more consideration.
When we talk about mobile forensics, we need to be careful with the term “file system”. First, let us look at the definition of a file system. A file system (often also written as filesystem) is a method of storing and organizing computer files and their data. Essentially, it organizes these files into a database for the storage, organization, manipulation, and retrieval by the computer’s operating system.*
Examples of file systems:
The definition of directory structure is: In computing, a directory structure is the way an operating system’s file system and its files are displayed to the user. Files are typically displayed in a hierarchical tree structure.**
Example of a directory structure:
The use or misuse of these terms is becoming a problem in mobile forensics. Some people who train others in this field use the two terms interchangeably without understanding the consequences. That can be catastrophic in court when you are challenged on the definition of the term and then on how it applies to your examination.
Forensic tool developers also misuse the term “file system”. A logical extraction does not recover the file system; what the tool gets back is a set of files and the directory structure they sit in. A physical dump, on the other hand, captures the file system itself (the raw volume with its own metadata structures), and once that image has been parsed an examiner can legitimately say they recovered the file system and recreated the directory structure from it.
*http://en.wikipedia.org/wiki/Main_Page – Wikipedia page on File System
**http://en.wikipedia.org/wiki/Directory_structure – Wikipedia page on Directory structure
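To make the distinction concrete, here is a small example I have added to this post (it is not code from Lantern or any other vendor tool). A logical extraction gives you files plus the paths they belong at, so all you can rebuild is the directory structure; only a physical dump contains the volume header and other on-disk structures that tell you which file system you are even looking at. The record list and the raw image bytes below are constructed stand-ins: the real iOS backup manifest is a binary format that is not parsed here, and the fake image carries only the HFS+ signature and version field at their published offsets.

```python
"""Added example: directory structure from a logical extraction versus
file system identification from a physical dump. All data is constructed."""
import struct

# --- Logical extraction ---------------------------------------------------
# A logical extraction returns files and their paths, nothing about how the
# volume stores them. Constructed stand-in for a backup manifest: (domain,
# relative path) pairs, not the real binary Manifest.mbdb format.
LOGICAL_RECORDS = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/Preferences/com.apple.mobilephone.plist"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]


def build_directory_tree(records):
    """Recreate the directory structure as nested dicts; files are None leaves."""
    tree = {}
    for domain, path in records:
        node = tree.setdefault(domain, {})
        parts = path.split("/")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = None
    return tree


def render_tree(tree, indent=0):
    """Flatten the nested dict into indented lines, directories suffixed with '/'."""
    lines = []
    for name in sorted(tree):
        child = tree[name]
        lines.append("  " * indent + name + ("/" if child is not None else ""))
        if child is not None:
            lines.extend(render_tree(child, indent + 1))
    return lines


# --- Physical dump --------------------------------------------------------
# Only a raw image holds the file system's own structures. Identify it from
# the published signatures at fixed offsets:
#   HFS+/HFSX: volume header at byte 1024, signature 'H+' or 'HX'
#   ext2/3/4:  superblock at byte 1024, little-endian magic 0xEF53 at +56
#   NTFS:      OEM id 'NTFS    ' at byte 3 of the boot sector
#   FAT:       boot signature 55 AA at byte 510, type string at 54 or 82
def identify_file_system(image: bytes) -> str:
    if len(image) >= 1026 and image[1024:1026] in (b"H+", b"HX"):
        return "HFS+" if image[1024:1026] == b"H+" else "HFSX"
    if len(image) >= 1082 and struct.unpack_from("<H", image, 1080)[0] == 0xEF53:
        return "ext2/3/4"
    if len(image) >= 11 and image[3:11] == b"NTFS    ":
        return "NTFS"
    if len(image) >= 512 and image[510:512] == b"\x55\xaa":
        if image[82:90] == b"FAT32   ":
            return "FAT32"
        if image[54:62] in (b"FAT12   ", b"FAT16   "):
            return image[54:59].decode()
    return "unknown"


def make_fake_hfsplus_image() -> bytes:
    """Constructed 4 KiB stand-in for the start of an HFS+ volume: zeros apart
    from the 'H+' signature and big-endian version 4 at offset 1024."""
    image = bytearray(4096)
    image[1024:1026] = b"H+"
    struct.pack_into(">H", image, 1026, 4)
    return bytes(image)


def make_fake_logical_blob() -> bytes:
    """A file pulled by logical extraction (SQLite header plus padding). It
    carries no volume header, so file system identification cannot succeed."""
    return b"SQLite format 3\x00" + bytes(4080)


if __name__ == "__main__":
    print("\n".join(render_tree(build_directory_tree(LOGICAL_RECORDS))))
    print(identify_file_system(make_fake_hfsplus_image()))  # HFS+
    print(identify_file_system(make_fake_logical_blob()))   # unknown
```

The point of the two calls at the bottom is the one made above: from the logical extraction you can say “here is the directory structure”, but asking what the file system is returns “unknown” because nothing in the extracted files can tell you; the same question against the physical image answers “HFS+”, and only from there could a parser go on to rebuild the directory structure from the volume’s own catalog.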