2012 International Conference on Innovations in Information Technology (IIT)

A Novel Method of iDevice (iPhone, iPad, iPod) Forensics without Jailbreaking

Babar Iqbal, MCP, MCTS
www.YoungestMCP.com, Dubai, UAE
[email protected]

Asif Iqbal, CISSP, CISM, CFE
Business360, Zayed University, Dubai, UAE
[email protected]

Hanan Al Obaidli, CISSP(A)
Electrical and Computer Engineering Department, University of Sharjah, Sharjah, UAE

Abstract—With the boom in the mobile technology sector, a new generation of computing devices such as the iPhone, iPad and iPod has emerged and immersed itself in the lives of millions of people. Given how widespread these devices are, it is fair to say that their use has created a new source of digital evidence, and with it a need for a fast and trusted method to image and analyze the data. In this paper we discuss a novel method that we have developed to create an image of an iDevice (iPhone, iPad, iPod) in a secure and fast manner, within 30 minutes or less and without jailbreaking, compared to the fastest current method, which takes up to 20 hours.

Keywords: Forensics; cybercrime; iPad; iPhone; iPod; Apple; digital investigation

I. INTRODUCTION

We are living in a fast-growing world where technology has immersed itself in every aspect of our culture and lives. It has changed the way we do our work, spend our time and express ourselves. As a result, making these technologies mobile became an essential requirement in order to optimize our productivity and fulfill our duties. The evolution from PCs to laptops and now to smartphones and tablets is the result of technology becoming a cornerstone of human life. These portable devices are used by millions of people for personal and organizational purposes. These compact devices are useful for managing information such as contact details and appointments, corresponding electronically, and conveying electronic documents. Over time, they accumulate a sizeable amount of information about the owner [1], such as emails, usernames, passwords, wireless access points, location information stored by the device, and pictures, which can be used as evidence in a court of law.

In this paper we discuss one widely used family of portable devices, the iDevices¹ (iPhone, iPad and iPod). In January 2007 the first iPhone, called the iPhone 2G, was released, and by the end of 2007, 1,389,000 units of this device had been sold worldwide [2]. Afterwards the iPhone 3G came to the market in June 2008, followed by the iPhone 3GS in June 2009. The number of iPhone 3G units sold reached 11,625,000 by the end of 2008, and by the end of 2009 the number of iPhone units sold reached 20,731,000. Afterwards, on June 21, 2010, Steve Jobs announced the introduction of the new iPhone 4 at the Worldwide Developers Conference, and by the end of 2010, 39,989,000 iPhone units had been sold worldwide [3]. In the same year the Apple iPad was announced, in January 2010, and by the end of that year Apple had sold 7.64 million iPads worldwide [4] [5]. These two devices have entered the lives of millions and their phenomenal spread continues to grow: in 2011, 72.3 million iPhones and 32.39 million iPad units were sold worldwide [6], [7], [8], [9]. These two devices have impacted the lives of millions and, as a result of their worldwide use, produced a new source of evidence.

¹ Throughout the paper we refer to iPhone, iPad and iPod devices as iDevices.

978-1-4673-1101-4/12/$31.00 ©2012 IEEE

II. PRIOR WORK

Since the introduction of iPod/iPhone/iPad devices to the market, methods have been developed to acquire the data stored on them. These fall into three methods: (1) viewing the iTunes sync on a host computer, (2) jailbreaking the iDevice, and (3) disassembling the iDevice [10].

The first method, viewing the iTunes sync on a host computer, is considered the easiest, as it can be used to make a logical copy of the iDevice data. Several tools have been designed to accomplish this task, such as mdhelper, a free command-line utility that works on iDevices below iOS 4 to acquire, parse, and display archived data. The binary was created by Erica Sadun and can be downloaded at http://ericasadun.com/ftp/Macintosh. The issue with this utility is that it does not keep the MAC times of the acquired backups intact. This utility can also be used on existing backups found on Mac or Windows computer evidence [11].

However, this method has several problems: (1) the device needs to be correctly paired with the iTunes software in order to sync; (2) this method cannot retrieve any deleted files or folders; (3) if you cannot locate the host system, you will not get all the data off the iPhone. For example, if a suspect has put binary data such as movies or music on their system, you will not get these artifacts due to the Digital Rights Management (DRM) features [11].

The second method is jailbreaking the iDevice. This method was developed to overcome the access restrictions set up by Apple so that only applications approved by them can be installed and executed, restrictions which make it extremely difficult to acquire any type of meaningful forensic data.

Jailbreaking the iDevice is the process of installing custom firmware that provides root access to the device, in order to install third-party applications that are not available through official channels such as the App Store. This method was proposed by Zdziarski [12]: the iDevice is jailbroken and common UNIX tools are installed in order to get a bit-for-bit-copy logical image of the data partition, which is transferred across a Wi-Fi connection. With this method, the suspect's contacts and photos must be synced or they will be lost when the firmware is upgraded. Another problem with this technique is that all applications installed through the iTunes application will have to be reinstalled. After reinstallation, some original configuration data may be missing. As this technique involves altering firmware, defense attorneys may attack this approach to acquiring an image. Zdziarski [12] also noted that the iDevice can communicate across several different mediums, including the serial port, 802.11 Wi-Fi, and Bluetooth. Due to the limitations of Bluetooth on the iDevice, the two preferred methods are via the serial port and Wi-Fi.

Another method was developed by Luis Gomez-Miralles [13]. It is similar to that of Zdziarski [12], with the improvement of using the camera connection kit to take the image, which reduces the imaging time, but the method still requires jailbreaking the device. This introduces several dilemmas for the forensic investigation process and the time needed to investigate the evidence. Along with the time required to image the device, there is the added time of the jailbreaking process: it requires at least 15 minutes to jailbreak the device and another 15 minutes to reverse the steps introduced by jailbreaking, without considering the time required to install the extra tools used in the imaging process and the time required to perform the imaging itself.

Along with this dilemma, the jailbreaking method introduces another issue. Jailbreaking the iDevice makes the integrity of the gathered evidence questionable, which in turn makes its acceptance in a court of law questionable; in some cases it may not be accepted, as it defies an important principle of digital forensics, which is ensuring the integrity of the evidence.

There are also several tools developed by forensics vendors to acquire data from iDevices, such as Lantern, a Mac OS X application developed by Katana Forensics. This tool can acquire the logical portion of all iDevices, including iPhones (all generations), iPod touch (all generations), and iPad [10]. Another tool is UFED Physical Analyzer, which extracts logical data types in a strictly "read-only" process from phone and SIM memory, such as on-board password extraction, call logs (received, dialed, and missed) including SIM deleted call history, phone book entries, phone details (IMEI / ESN, phone number), ICCID and IMSI, text messages (SMS) including SIM deleted messages, photos and images, videos, audio files and recordings, and SIM location information: TMSI, MCC, MNC, LAC [14]. These vendors have developed uncommon techniques to get a dump of the solid state storage drive. This is often accomplished by using exploits against more or less known bugs in specific iOS versions in order to execute arbitrary unapproved code, which is the same thing jailbreakers do in order to free their devices. However, these vendors do not need to install a complete set of tools on the device. Instead, they tend to upload a tiny, small-footprint software agent which ideally takes control of the system, dumps the solid state storage drive through the serial port (dock connector), and then reboots the device without copying any data to the iPad internal storage [13].

The last method is disassembling the iPhone. To do that, you need to be a bit mechanically inclined. You will have to unsolder the flash Read-Only-Memory (ROM) chips from the iPhone and extract the data with a NAND dump. Keep in mind that this method may also damage or destroy the iPhone. Some agencies try to avoid these techniques because, if equipment is damaged, there may be no possibility of recovering any data, and they will have to pay the suspect for a replacement phone [11].

In this paper we provide a method that is designed to acquire data from iDevices in a fast and secure manner. This method requires less than 30 minutes for the acquisition process while ensuring that little or no footprint is left on the device by the acquisition process, which is a critical requirement for the integrity of the acquired evidence if it is to be accepted in a court of law.

III. IDEVICE ACQUISITION PROCESS

In any forensic investigation the first step is the acquisition of the evidence so that it can be analyzed. This is done by imaging the device to get a bit-by-bit copy of the data stored on it, without tampering with the integrity of the data. iDevices are no different from any other digital device in this respect; hence an imaging process needs to be developed that ensures the integrity of the imaged data. In this paper we present a method developed to image iDevices quickly while ensuring that the data are not tampered with. Our method requires the preparation of the investigator's forensics workstation and the iDevice. The imaging process depends on an understanding of the iDevice boot process.

A. iDevices boot process

There are different modes for the boot process: (1) normal boot process, (2) Recovery mode, (3) DFU mode.

1) Normal Boot Process

In a normal boot process the "Bootrom", which is permanent code written to the read-only memory (ROM) of the microcontroller that allows the device to boot and initializes all the peripheral I/Os and some hardware components, runs and checks the signature of the "LLB" (Low Level Bootloader), and executes it if the signature matches. Once executing, the "LLB" checks the signature of iBoot, which is Apple's stage 2 bootloader for all iDevices, before handing over to iBoot, which in turn checks the kernel signature and executes it. The kernel is signed in order not to allow any unsigned code to be executed.

2) Recovery Mode

When the iDevice is set to "Recovery Mode", the "Bootrom" is executed; it checks the "iBoot" signature and, if it matches, executes it. Afterwards Apple's signed kernel and ramdisk are sent to the device by iTunes and the restore process is initiated. At no point in the "Recovery Mode" process can unsigned code be executed.

3) DFU Mode

In DFU (Device Firmware Upgrade) mode the "Bootrom" is loaded and then the "iBSS", which is a stripped-down version of iBoot, is sent to the iDevice; the "Bootrom" checks the "iBSS" signature and then executes it. Afterwards Apple's signed kernel and restore disk are sent to the device and executed by "iBSS" after a signature check; when all of this is done, the restore process is initiated. At no point in the "DFU Mode" process can unsigned code be executed.

B. Imaging Process

The only method of getting a bit-by-bit image of the iDevice, as noted by Ryan R. Kubasiak [11], is through jailbreaking the iDevice, which he also stated is not considered a sound forensic imaging method. Our method for imaging iDevices does not require jailbreaking, as the steps required for imaging are performed in the RAM of the device; hence the device storage is not altered in any way, as nothing is installed on it.

Having explained the boot process of the iDevices, we now explain the developed imaging process. Our imaging process requires the preparation of the investigator's forensics workstation and the iDevice. The preparation is divided between the forensics workstation and the iDevice, and the steps need to be followed in the order described to image the device.

Our forensics tool is executed on the investigator's forensics workstation. The tool first checks for Apple firmware updates, which are the property of Apple and cannot be distributed with the tool, and then downloads the firmware. Afterwards the kernel and iBSS are extracted from the firmware update and patched to allow unsigned code execution. The forensics workstation also contains an already prepared ramdisk with all the necessary tools, such as SSH, dd and the other utilities needed to image the iDevice. After preparing the forensics workstation, the iDevice is set to DFU mode. To do that, the investigator needs to connect the iDevice to the forensics workstation, power off the device, hold down the sleep/power button and home button for 10 seconds, then release the sleep/power button while still holding the home button until the device is detected by the forensics tool.

After the device has been put in DFU mode and successfully detected by the forensics tool, the patched iBSS and kernel on the forensics workstation are sent to the device and executed using a vulnerability in the "Bootrom"; this is done in order to allow the execution of unsigned code. The ramdisk that contains the utilities required for imaging is also sent to the iDevice.

On the iDevice the received patched kernel and iBSS are booted, then the SSH-over-USB daemon is started and the device storage is mounted read-only to avoid contaminating the evidence. Subsequently the forensics workstation connects over SSH over USB and initiates remote imaging of the device. The device keystore is also copied in order to be brute-forced to decrypt the image.

The process that we have designed for imaging the iDevice takes less than 30 minutes, which is faster than the current easiest way to obtain a forensic image, which may take up to 20 hours.

IV. ANALYSIS OF IDEVICES

iDevices such as the iPod, iPhone and iPad are widespread and offer the luxury of cutting-edge computing in a portable device, moving the work arena from closed offices into the everyday life of their users. This means that these devices contain a wealth of information beyond the typical evidence found in traditional computing devices. For that reason we need to study these devices and explore the possibility of establishing methods to acquire and analyze the data stored on them.

Acquiring the data from the iDevice is the first step in forensically investigating the device, but in order to gather evidence it is important to understand what will be on the acquired image. Understanding the file system of iDevices is essential in order to locate the needed data, which can later be considered evidence if it is related to the case.

A. File system

iOS comprises the operating system and technologies that are used to run applications natively on devices such as iPad, iPhone, and iPod touch. Although it shares a common heritage and many underlying technologies with Mac OS X, iOS was designed to meet the needs of a mobile environment, where users' needs are slightly different [15]. All Apple mobile devices use HFSX as the file system. HFSX is a variation of HFS+ with one major difference: HFSX is case sensitive. This means that two files on the file system can have the exact same name, and the difference in case is what allows the file system to differentiate between the two [10]. As mentioned by Ryan R. Kubasiak [11] and Zdziarski [12], iOS devices are configured with two disk partitions. These do not reside on a physical disk drive (the type with spinning platters), since iDevices use solid state NAND flash, but are treated as a disk by storing a partition table and formatted file system on the flash.

The first partition, called the system (root) partition, is around 500 MB and houses the operating system and all of the preloaded applications used with the iDevices. This partition is mounted read-only by default and is designed to stay in a factory state for the entire life of the iDevice; hence the contents of this partition are usually non-evidentiary, although an examination could sometimes be necessary.

The second partition, which holds the information needed for a forensic investigation, is called the data partition. Its size is the space remaining after the system partition, and it can vary from 7 to 31 GB depending on the iDevice. This partition, which is mounted at the "/var" directory as read/write, is riddled with all the user data as well as all the applications installed on the iDevice, which makes it a rich source of evidentiary data. When an Apple device is backed up from iTunes, the backup gathers information from the mobile directory "/var/mobile", which resides on the data partition.

This dual-partition scheme was the most logical way for Apple to perform easy upgrades to the iPhone software, because the first partition can be formatted by iTunes without deleting any of the owner's music or other data [12].

We studied iOS version 4.3 in our research and identified the directories in this version; see Table I.

TABLE I. IOS V. 4.3 FILE SYSTEM DIRECTORIES

| Directory | Description |
| --- | --- |
| / | This directory contains operating system files and system apps. It doesn't change throughout the life of the device unless the firmware is upgraded, and it is mounted as read-only. |
| /var | In this directory the user data partition is mounted as read/write. It contains all user data and is the main focus of forensic investigation. |
| /var/mobile | This directory contains user Documents, Photos, Videos, Applications, and Application Settings. |
| /var/mobile/Applications | This directory contains applications in subdirectories named with an identifier. |
| /var/mobile/Applications/{Identifier}/Documents | This directory contains application documents, e.g. PDF documents for Adobe Reader. |
| /var/mobile/Applications/{Identifier}/Library | This directory contains Cache and Preferences in their respective subdirectories. It also contains Cookies and WebKit storage if the application makes use of them. The preferences are stored in plist files. |
| /var/mobile/Applications/{Identifier}/{AppName}.app | This directory contains the application itself. |
| /var/mobile/Library | This directory contains settings for the system and system apps in their respective subdirectories. Data is stored in plist and sqlite databases. It contains Calendars, Address Book, Logs, Mailboxes, Notes, Voicemail, Safari Data, and SMS. |
| /var/mobile/Media | This directory contains the user's Photos, Videos, Books, Downloads, Podcasts, Purchases, Music and iTunes Data. |

Having identified the directories on the file system and what they contain, the process of gathering the artifacts can start, as we now know the location of the required data.

B. Artifacts Acquired

The iDevice can contain a wealth of information which can be used in a forensic investigation, due to its increasing storage capabilities and internet connectivity. Along with these specifications, the mobility of these devices and the thousands of applications available for them have created an environment that produces new sources of evidence, which could reveal more information about the suspect than the traditional digital evidence found on computers. For that reason, studies are done to understand the inner workings of the devices, in order to intelligently articulate some of the processes that facilitate artifact extraction. iDevice applications store data in binary lists called plists and make heavy use of sqlite database files to store information such as address book contacts, SMS messages, email messages, and other data of a personal nature. Plists, or property lists, are XML manifests used to describe various configurations, states, and other stored information; these files are commonly seen in standard OS X systems. Since iOS is a modified OS X system, it stands to reason that we will also see property lists within the directory structure. The iOS data partition is riddled with property lists that can contain valuable information. Property lists can be formatted in either ASCII or binary format. When formatted in ASCII, a file can be easily read using any standard text editor [10], [12].

Plists can contain valuable information such as cookies, accounts, Google Maps history, preferences, Safari web browsing history along with bookmarks, WebClips and system configuration. They are used by the iDevice's preinstalled applications and by third-party applications; hence their number is continuously increasing, as there are thousands of third-party applications available in the market. Even though there is valuable information in plists, most of the user's data are stored in database files using SQLite, which is an open source, public domain database package. The information available in these files, such as address book contacts and images, Google Maps data, calendar events, call history, e-mails, SMS messages, voice mail and other data of a personal nature, can be of most value to a forensic investigator. Property lists organize data into named values and lists of values using several object types. These types give the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible. Property lists are frequently used by applications running on both Mac OS X and iOS. The property-list programming interfaces for Cocoa and Core Foundation allow converting hierarchically structured combinations of these basic types of objects to and from standard XML. The XML data can be stored to disk and later be used to reconstruct the original objects [16]. In order to extract data that are useful to an investigation, the structure of these XML plists needs to be understood. Figure 1 shows an example of an XML plist called history.plist, which is the web browsing history of Safari. The XML file begins with standard header information, and contains one root object, wrapped with the document type tag. Graphs and objects are created using XML elements such as , , , and .
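The artifact types this section describes, as an added example (not code from the paper or its tool): it classifies exported files by signature, decodes a history plist in either XML or binary form, and lists SQLite tables without writing to the evidence copy. The sample plist is constructed from the values in Figure 1; storing the URL under the empty key, reading lastVisitedDate as seconds since 2001-01-01 UTC, and all function names are assumptions not stated in the paper.

```python
import os
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Cocoa "absolute time" counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file
BPLIST_MAGIC = b"bplist00"             # binary property list, version 00

# Constructed sample modelled on the values visible in Figure 1. Assumption:
# the visited URL is stored under the empty-string key of each entry.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>WebHistoryFileVersion</key><integer>1</integer>
  <key>WebHistoryDates</key>
  <array><dict>
    <key></key><string>http://cnn.com/</string>
    <key>title</key><string>CNN.com International</string>
    <key>lastVisitedDate</key><string>341098773.6</string>
    <key>visitCount</key><integer>1</integer>
    <key>redirectURLs</key><array><string>http://edition.cnn.com/</string></array>
  </dict></array>
</dict></plist>
"""
# The same constructed document in the binary plist format.
SAMPLE_BINARY = plistlib.dumps(plistlib.loads(SAMPLE_XML), fmt=plistlib.FMT_BINARY)


def classify(head: bytes) -> str:
    """Name the artifact type from the first bytes of a file."""
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC):
        return "binary-plist"
    if b"<!DOCTYPE plist" in head or b"<plist" in head:
        return "xml-plist"
    return "other"


def triage_tree(root: str) -> dict:
    """Map relative path -> type for each plist or SQLite file under root."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(512))
            if kind != "other":
                found[os.path.relpath(path, root)] = kind
    return found


def parse_history(raw: bytes) -> list:
    """Decode a Safari-style history plist; plistlib detects XML vs binary."""
    doc = plistlib.loads(raw)
    entries = doc.get("WebHistoryDates", []) if isinstance(doc, dict) else []
    visits = []
    for item in entries:
        stamp = item.get("lastVisitedDate")
        visits.append({
            "url": item.get("", ""),
            "title": item.get("title", ""),
            # Seconds since MAC_EPOCH, stored as text; None if absent.
            "last_visited": (MAC_EPOCH + timedelta(seconds=float(stamp))
                             if stamp is not None else None),
            "visit_count": int(item.get("visitCount", 0)),
            "redirects": list(item.get("redirectURLs", [])),
        })
    return visits


def sqlite_tables(path: str) -> dict:
    """Return {table: row count}. The database is opened read-only and
    immutable so SQLite creates no journal or WAL file beside the evidence."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            counts[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        return counts
    finally:
        con.close()


if __name__ == "__main__":
    for visit in parse_history(SAMPLE_BINARY):
        print(visit["last_visited"].isoformat(), visit["url"], visit["redirects"])
```

Point `triage_tree` at a working copy or read-only mount of the acquired image rather than at the original evidence file.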

WebHistoryFileVersion: 1
WebHistoryDates:
    http://cnn.com/
    title: CNN.com International Breaking, World, Business, Sports, Entertainment and Video News
    lastVisitedDate: 341098773.6
    visitCount: 1
    redirectURLs: http://edition.cnn.com/
    D: 1

Figure 1. An example of an XML plist, "History.plist"

Dictionaries are created using the <dict> tag, where each member is encoded by placing the dictionary key in a <key> tag and immediately following it with the key value using an appropriate tag depending on its type. The <array> tag returns an array containing the values that are passed as arguments. Values are not copied but retained using the retain callback provided when the array was created. Similarly, when a value is removed from an array, it is released using the release callback.

Along with understanding the structure of plist files, it is essential to understand the SQLite database structure in order to understand what data can be recovered, where it is stored and how to access it. SQLite databases are used to store Address Books, Calendar, Notes, Text Messages, Photos, and Voicemails. Data within these files is broken up into tables, which contain the actual data [17]. Along with extracting artifacts from plists and SQLite database files (see Figure 2, which shows the tool's directory view), the designed tool can also extract deleted data. Because we have created a bit-level image of the device using our imaging process, we can extract deleted files such as SMS messages, address book entries, emails and browsing objects.

Figure 2. Analysis using the directory view

When it comes to deleted data from third-party applications, the forensic investigator can use other third-party and open source applications with the created bit-level image to recover the deleted files.

V. CONCLUSION

Mobile forensics is one of the most prominent fields of digital forensics; this is a result of the phenomenal move of technology toward mobility. Its vast spread across the globe has created new and diverse sources of evidence, produced by the usual utilities available on the mobile device along with the artifacts created by thousands of third-party applications.

When studying this field, it is noticeable that what distinguishes it from the other, traditional fields of digital forensics is the diversity of devices available in the market, which means that the acquisition and analysis methods used to gather evidence can differ according to the device. This makes the development of forensics tools a hard task, as it requires different tools for different investigated devices.

In this paper we have studied a few of the devices that are widespread across the globe, namely the iPhone, iPad and iPod, which as a group we call iDevices. These devices have the same structure, which eases the process of designing forensics tools that target all of them.

The aim of the research was to develop an acquisition and analysis method that ensures the integrity of the evidence collected. A main issue encountered with iDevices is ensuring the integrity of evidence, as the existing acquisition method requires performing a process called jailbreaking in order to acquire an image of the device. This process is considered unorthodox in the field of digital forensics, as it risks one of the pillars of the field, which is the integrity of the evidence gathered. Along with that comes the issue of the long imaging period, which can take up to 20 hours and wastes valuable time that could be used in analyzing the data.

The main contribution of this paper is a method for imaging iDevices without the need to jailbreak the device, which also reduces the imaging time to less than 30 minutes.

Along with the imaging method, we have developed a tool to analyze the acquired image and thereby ease the iDevice investigation process.

VI. FUTURE WORK

With the wide spread of iDevices, the need to study them becomes pressing, as these devices can include a wealth of information that might make or break a case. Considering the thousands of third-party applications available in the Apple store which can be installed on iDevices, we plan to carry out a detailed study of several of these applications and modify our analysis tool to acquire the artifacts needed for a forensic investigation. We are also currently working on developing a method to extract data without rebooting the phone.

REFERENCES

[1] Ayers, Richard. "Mobile Device Forensics – Tool Testing". National Institute of Standards and Technology, May 6 2009: 1-23.
[2] Apple Press Info. Apple. [Online] Apple, 2007. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2007/10/22Apple-Reports-FourthQuarter-Results.html.
[3] File:IPhone sales per quarter.svg. Wikipedia. [Online] [Cited: Oct 30, 2011.] http://en.wikipedia.org/wiki/File:IPhone_sales_per_quarter.svg.
[4] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2010/07/20Apple-Reports-ThirdQuarter-Results.html.
[5] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2010/10/18Apple-Reports-FourthQuarter-Results.html.
[6] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2011/01/18Apple-Reports-FirstQuarter-Results.html.
[7] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2011/04/20Apple-Reports-SecondQuarter-Results.html.
[8] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2011/07/19Apple-Reports-ThirdQuarter-Results.html.
[9] Apple Press Info. Apple. [Online] Apple. [Cited: Oct 30, 2011.] http://www.apple.com/pr/library/2011/10/18Apple-Reports-FourthQuarter-Results.html.
[10] Morrissey, Sean. iOS Forensic Analysis for iPhone, iPad, and iPod touch. s.l.: Apress, 2010. 978-1-4302-3342-8.
[11] Ryan R. Kubasiak, Sean Morrissey. Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit. Burlington, MA: Elsevier, Inc., 2009. 13: 978-1-59749-297-3.
[12] Zdziarski, Jonathan. iPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets. s.l.: O'Reilly, 2008. 978-0-596-15358-8.
[13] Universal, fast method for iPad forensics imaging via USB adapter. Luis Gómez-Miralles, Joan Arnedo-Moreno. s.l.: 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 2011. 978-0-7695-4372-7/11.
[14] UFED Physical Analyzer - iPhone. Cellebrite. [Online] Cellebrite. [Cited: 11 5, 2011.] http://www.cellebrite.com/forensicproducts/forensic-products/ufed-physical-analyzer-2/iphone.html
[15] iOS overview. Apple Developer. [Online] Apple. [Cited: Nov 10, 2011.] http://developer.apple.com/library/ios/#referencelibrary/GettingStarted/URL_iPhone_OS_Overview/_index.html#//apple_ref/doc/uid/TP40007592.
[16] Property List Programming Guide. Apple Developer. [Online] Apple. [Cited: 11 12, 2011.] http://developer.apple.com/library/ios/#documentation/Cocoa/Conceptual/PropertyLists/Introduction/Introduction.html#//apple_ref/doc/uid/10000048i.
[17] Andrew Hoog, Katie Strzempka. iPhone and iOS forensics: investigation, analysis, and mobile security for Apple iPhone,. s.l.: Elsevier, Inc., 2011. ISBN 978-1-59749-659-9
[18] Charles Yates; Lydia Ray; Jianhua Yang, 2011, An Investigation into iPod Touch Generation, Information Security Curriculum Development Conference 2011, Kennesaw, GA, USA, ACM 978-14503-0812-0/10/11