iPhone proving challenging for forensics

August 24, 2007

With a storage capacity of up to 8 GB (minus 700 MB that is used by the operating system), the iPhone provides plenty of space for storing e-mails, pictures, videos, as well as a trail of web surfing habits that could be of interest to an investigator.

However, the iPhone's operating system is based on a slimmed-down version of OS X, which complicates things a bit. The digital-forensics industry is currently dominated by "Wintel" experts, due to the larger percentage of Windows users in the marketplace. Police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. In essence, Mac forensic analysis is considered a highly specialized service. "If you're a bad guy and you want to frustrate law enforcement, use a Mac", says Dave Thomas, former chief of computer intrusion investigations at FBI headquarters.[1][2]

"To know the iPhone is to know the Mac or vice versa," explains Derrick Donnelly, chief technology officer of Blackbag Technologies, a Silicon Valley-based company specializing in Apple forensic solutions. "Because it's a different file system and a different operating system, right off the bat the things you're usually looking for are not in the same places and they are in a very, very different format."[2]

So is the iPhone a criminal's ultimate device for obscuring digital evidence? Perhaps not. In the past, law enforcement personnel in America would often end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up knowledge and techniques for Mac forensics that are second to none. This may remain true with the iPhone as well.[1]




1. "A Visit from the FBI", SecurityFocus, January 21, 2004

2. "IPhone Tantalizes, Frustrates Forensics Experts", Wired, August 23, 2007

3. "Apple - iPhone - Internet in your pocket", Apple, August 24, 2007