Proceedings of the 40th Hawaii International Conference on System Sciences - 2007

iPod Forensics: Forensically Sound Examination of an Apple iPod

Dr Jill Slay and Andrew Przibilla
Enterprise Security Management Laboratory
University of South Australia
MAWSON LAKES SA 5095 AUSTRALIA

Abstract

This paper reports on the development of a method for extracting and verifying an image of the hard drive of an iPod in a forensically sound manner via a USB2 connection, so as to create a standard operating procedure for Australian Law Enforcement. It also establishes an understanding of the nature of proprietary data stored on the iPod and indicates how this can be used as a guide within a forensic investigation. It also develops a sound understanding of the nature of any metadata stored on the iPod and reports on how the information gained, and the standard operating procedures developed from this research, may be applied to gain a better understanding of imaging issues in other portable electronic devices, such as music players and memory based devices, and how similar standard operating procedures may be constructed for the analysis of these devices.

1. Introduction.

The Apple iPod in its many variations is one of the most popular portable music devices currently on the market. The popularity of the iPod continues to grow, and sales figures show the increasing adoption of the iPod with 5.31 million, 6.16 million, and 6.45 million iPods sold in the first three quarters of 2005 ([1],[2],[3]). The current generation of the iPod has more features than its predecessors, including many PDA-like features, making it attractive as a diary and for note taking. The iPod has also garnered interest from the criminal community as a tool to store information relating to their crimes, and some have also warned business that iPods could be used to steal company secrets [4]. Since the iPod is beginning to be found at crime scenes, and thus is of interest in criminal investigations, it is imperative that forensically sound methods of examining the iPod are developed.

The primary goal of the research presented here is to develop a method of extracting and verifying an image of the hard drive of the iPod in a forensically sound manner via a USB2 connection, and to create a standard operating procedure (SOP) for doing this. This would not only allow highly qualified investigators in e-crime labs to carry out this kind of analysis but, with carefully planned and documented SOPs, equip officers with lower levels of IT skills to carry out this kind of work. This will in turn allow investigations to proceed faster and leave e-crime labs to focus on more complex investigations and major crime. Other goals are to establish a listing of standard data types of interest to a forensic examiner, to provide a standard operating procedure for different types of data, and to establish an understanding of the nature of proprietary data stored on the iPod and how this can be used by a forensic examiner in an investigation. We also examine the nature of the metadata stored on the iPod and develop methods for understanding and analysing this information. The aim is to determine the sequence of events at any given time, such as who uploaded or modified certain data on the iPod and the time of occurrence, and to determine the likelihood that an accused might have knowledge of specific information on the iPod.

Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 © 2007 1530-1605/07 $20.00 © 2007 IEEE

2. iPods and Crime.

It is well-known that criminals are early adopters of new technologies [8], and investigators increasingly need to extract evidence from a growing range of digital devices [9]. Use of the iPod follows this same trend, and reports indicate that it has been discovered by police in their prosecution of a car theft racket in the United Kingdom [7], and has been identified as a possible tool for industrial espionage and data theft [8]. The small size and innocent appearance of the device mean it has previously been overlooked, but with the realisation that vast amounts of arbitrary data can be stored on it, and that the iPod can be hacked and customised as a storage tool for crime, its use in crime is likely to increase [6]. With proper configuration and a bit of patience there are many different ways to hack or customise the iPod, as a brief search on the internet, or even in a local book store, will reveal. Most iPods can be customised to become a virtual computer in a box, allowing any computer that boots from an external device to boot into either a Windows or Linux operating system [9]. Custom AppleScript scripts can be written to form any program and access mechanism the language will allow, and as the iPod Linux project uncovers the inner workings of the iPod, any person familiar with Linux programming will be able to write programs to achieve any criminal outcome they desire.

3. Forensic Investigation of the iPod.

Some initial work has been carried out into the forensic investigation of the iPod by Marsico and Rogers [10], providing a number of open questions for further research. Of the tools that could be used to analyse the drive, the most useful was Encase by Guidance Software. Apart from being recognised by law enforcement, and by the courts through precedent, for its forensic soundness, this program was also the most efficient at recovering data from both Windows formatted and Apple formatted iPods, even after the data had been deleted and the iPod factory restore utility had been run several times. The iPod showed a number of characteristics that would be of interest to a forensic examiner. These include the fact that the iPod stores references to the computer (and user) it was initialised on in its system partition. These can easily be recovered by searching through the system partition with Encase and could be useful in tying a suspect to the iPod [10]. Calendar and contacts entries use the industry standard vCard and vCalendar formats, stored as plain text. These can be easily found by searching the drive for the text strings BEGIN:VCARD and BEGIN:VCALENDAR respectively, which indicate the beginning of the respective entries and remain after the entries are deleted [10].

The iPod uses a lazy deletion technique, where files are forgotten rather than erased [11]. This is possibly used to conserve battery power, but has the valuable side effect of leaving the data in place where it can be recovered if needed. For the forensic examiner this combines perfectly with another characteristic exhibited by the iPod, where data is written to the drive from beginning to end before returning to the beginning. Marsico and Rogers [10] suggested this may be a wear-levelling technique, but it may just as likely be a design feature allowing the conservation of battery power, as this reduces the amount of head movement required in most circumstances. The main issue the forensic examiner needs to resolve is how to create and verify an image of the hard drive in the iPod. Marsico and Rogers [10] had trouble trying to image the drive without opening it; however, it is suggested (after communicating with them personally) that the reason they were not able to create a forensically sound image was that they were not allowed to open the device. To overcome this issue, some Australian Law Enforcement agencies report opening the iPods and directly interfacing with the hard drives to create the images [11]. This process has proved successful, but a high level of technical skill and specialised hardware is required to interface with the non-standard hard drives used in the iPod. Current generation Apple iPods exhibit many PDA-like functions, such as contacts lists and diaries. PDAs came onto the market in the early 1990s, with the Apple Newton, released in 1993, being one of the early, and still popular, versions of these devices. PDAs have been readily identified as potentially containing evidence critical to investigations and this has led to the American National Institute of Standards and Technology (NIST) releasing a series of Guidelines on PDA Forensics. It took ten years from the time PDAs entered the market to the publication of the NIST guidelines.

Work by Marsico and Rogers [10] indicates that there is a need for SOPs to be developed for the analysis of the Apple iPod, only four years after its release.

4. The Australian Context.

In Australia, as in the rest of the world, many police assigned to e-crime units have limited experience [12]. To help combat this problem the Australian Federal Police (AFP) have established the Australian High Tech Crime Centre (AHTCC), a collaborative body representing all national policing bodies, to create a coordinated approach to combating electronic crime.


The AFP have expressed a need for the creation of a set of standard operating procedures for dealing with proprietary data formats and the creation of a tool to implement these procedures and produce a human readable output. The South Australian Police have also expressed interest in the development of tools and SOPs for the analysis of the iPod that would ideally also be applicable to other digital music devices [12]. In Australia the rules of evidence, as detailed in the Evidence Act 1995, are less stringent with regard to the processes used than the Daubert criteria established in the United States. This makes investigating evidence stored on the iPod, and the development of SOPs, easier in Australia than it would be in America. When deciding on the tools to use for this investigation a conscious decision was made to consider the resources available to a local State police department, and how the procedures could be made equally relevant to both small and large police departments. With this in mind, the tools used were selected so that a small agency could use them successfully to conduct an investigation.

5. Verification of Previous Research.

Since this specific field of investigation is in its infancy the only prior work is by Marsico and Rogers [10]. In their work, they showed it was possible to identify the username and computer used to initialise the iPod by examining the \iPod_Control\iTunes\DeviceInfo file. Further investigation showed that this was only true when the iPod had been set up within iTunes. If the iPod has its software restored but iTunes is prevented from loading upon reconnection to the computer, the \iPod_Control\iTunes\DeviceInfo file will only contain one line of text containing the word “IPOD”. The full process that is required for the username and computer name to be found on the Windows iPod is shown below. When considering the process outlined below, it is important to note that the restore process does not clear the hard drive of the iPod in any way. The restore process simply copies the new data onto the iPod to make it function as though it was erased and reloaded. Any information that was stored on the iPod before the restore remains. Unless the data was explicitly overwritten by the restore process the iPod simply loses its reference to it. The restore process is outlined in the following steps:

1. An unformatted, corrupted, or Macintosh formatted iPod is connected to the Windows computer and Windows automatically loads the drivers.
2. The iPod Updater software loads and prompts the user to format the iPod. When “Restore” is selected the following happens:
   a. New partition tables are written to the iPod’s hard drive.
   b. A new iPod System Partition is created and loaded with the required data.
   c. A new Data Partition is created and the File Allocation Table for the FAT32 Data Partition is created.
   d. The \iPod_Control and \iPod_Control\Device directories are created.
   e. The \iPod_Control\Device\Preferences file is created, containing some binary data.
   f. The \iPod_Control\Device\SysInfo file is created, which contains some technical data about the iPod in text format and will be described later.
3. The iPod is connected to the Power Adapter and the operating memory is reloaded.
4. The iPod is re-connected to the computer and the iTunes software automatically loads, or the user opens it.
5. When prompted by the iTunes iPod Setup Assistant, the user can set the name of the iPod. If the user sets a name and selects “Next” then the name will be set in the DeviceInfo file. If the user cancels out of the iPod Setup Assistant then the name will default to “IPOD”. Either “iPod” or the user selected name will then be stored in the DeviceInfo file with the username and computer name used to set up the iPod within iTunes. The following then occurs:
   a. The \iPod_Control\iTunes directory is created and the files DeviceInfo, iTunesControl, iTunesEQPresets, iTunesPrefs, and winPrefs are created within it.
   b. The \iPod_Control\Music directory is created and subdirectories are created within it named sequentially from F00 through to F49.

Step 5 is the most useful step in this process, as it not only creates the connection between the username, the computer, and the iPod, but is also reflected in the \Windows\setupapi.log file on the computer in question, with a second entry within a short space of time by the iPodService.exe program carrying the USB serial number of the iPod.


6. The iPod Partition Structure.

Once the iPod has been restored as either a Windows or Macintosh format iPod, the device contains a known partition structure. The two formats of the iPod have a very similar partition structure; both have a System Partition and a Data Partition. The key difference between the two formats is that the Windows format iPod has only the two partitions, but the Macintosh format iPod has three. The extra partition on the Macintosh format iPod is due to the HFS+ file system that the Macintosh format iPod uses. The HFS+ file system is split into a Resource Fork containing information about the files on the Data Partition, and a Data Fork containing the actual files. Analysis of the System Partitions of both the Windows and Macintosh format iPod has revealed that there is no user identifiable data stored in this partition. The data stored there relates directly to the running of the iPod and includes:

- the iPod Operating System,
- the images used during the operation of the device, including the Apple logo and the “Do Not Disconnect” screen,
- the fonts used to display the text,
- the games and other applications stored on the device.

Initial thoughts would suggest it would be possible to hash the system partition to determine the version of the software installed on the device. By calculating a set of hash values for different versions of the iPod Operating System, the identification of the version of the Operating System in use would be simple, but this may not always be the case. Moving through the menu to “Settings” > “About” > “Version” will show the version of the software reportedly installed on the iPod. By comparing the hash derived from the system partition to the pre-calculated hash values, it can quickly be seen whether the official software is being used. If the hash values do not match, it does not necessarily mean that malicious software is masquerading as an official version (although this could be the case), since there are legitimate ways to change the hash value derived. One method of changing the hash value of the System Partition is by customising the images used during the operation of the iPod. Changing the Apple logo, or the images for the “Do Not Disconnect” screen, is easily done by following instructions found on the internet. These images are all stored in the System Partition and thus changing any one of them will change the hash value derived for that partition.

Installing Linux on the iPod will also change the hash value for the System Partition, since it modifies the boot loader in the System Partition to allow the user to choose between the official Apple operating system and the Linux operating system. The iPod Linux Project is a collaborative effort within the Open Source community to port a version of Linux to the iPod to add functionality to the device. Available from the project website at http://www.ipodlinux.org/, versions of the iPod Linux operating system exist for the first, second, and third generations of the iPod, with a version for the fourth generation under development. Although the files for the iPod Linux operating system are stored in the iPod’s Data Partition, it requires the boot loader in the System Partition to be modified, and thus changes the hash value.

The SysInfo file is located in the iPod’s Data Partition under the \iPod_Control\Device directory and is placed there during the process of restoring the iPod using the software provided by Apple. The existence of this file is dependent on the iPod being used as a portable music player in the manner Apple intended, and using the software provided by Apple. Although this sounds self-evident, as the majority of users who purchase an iPod do so to use it as a portable music player, this point highlights the fact that the iPod will operate outside this realm as, for example, an external hard drive formatted in an arbitrary fashion. This file exists on both the Windows and Macintosh format iPod in the same location within the directory structure. Interestingly, this file also exists on both the Windows and Macintosh iPod at the same byte offset from the beginning of the drive, beginning at hexadecimal byte offset 5F02200, at least on the 30 GB iPod Photo used in this study. This makes it very easy to find this information either by extracting the file using a forensic tool, or by searching with a hex editor. When using a hex editor it is possible to seek directly to the hexadecimal byte offset 5F02200, or to search for the string “BoardHWName” as shown in Figure 1 below. If it is still difficult to find the SysInfo file then searching for the serial number of the iPod, which can often be found on the back cover of the iPod, also allows discovery of the file. The data found in this file should be verified to ensure that the iPod has not been tampered with. The field pszSerialNumber should match the serial number on the casing of the device and the field FirewireGuid should match the serial number the iPod presents to a computer via the USB or FireWire connection. When analysing a Windows computer it is the FirewireGuid that will be found within the registry and the \Windows\setupapi.log file.
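The offset seek, string search and field cross-check described above, as an added example that is not part of the paper (Python, written for this page). It assumes SysInfo is a block of ASCII "Key: value" lines, which is how the three field names the paper mentions (BoardHWName, pszSerialNumber, FirewireGuid) are read here, and that the iPod presents its FirewireGuid to Windows as bare hex without the 0x prefix; the sample image, its offset and every value in it are constructed.

```python
"""Locate, parse and cross-check the iPod SysInfo file inside a raw disk image.

Added example, not code from the paper. It assumes SysInfo is a block of
ASCII "Key: value" lines (BoardHWName, pszSerialNumber, FirewireGuid, ...)
and that the image is available as a bytes object; on a real image the
same functions can be applied to a memory-mapped file.
"""
import re

# Offset the paper reports for the 30 GB iPod Photo it examined (hex 5F02200).
PAPER_SYSINFO_OFFSET = 0x5F02200
MARKER = b"BoardHWName"
LINE_RE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*)$")


def find_sysinfo(image, hint_offset=PAPER_SYSINFO_OFFSET, casing_serial=None):
    """Return the byte offset of the SysInfo block, or -1 if it cannot be found.

    The three methods mirror the paper: seek to the known offset, search for
    the "BoardHWName" string, and finally search for the serial number printed
    on the casing and walk back to the start of the block.
    """
    if image[hint_offset:hint_offset + len(MARKER)] == MARKER:
        return hint_offset
    pos = image.find(MARKER)
    if pos != -1:
        return pos
    if casing_serial:
        pos = image.find(casing_serial.encode("ascii"))
        if pos != -1:
            # The serial sits a few lines into the block; back up to the
            # preceding NUL byte, which delimits the block in unused space.
            return image.rfind(b"\x00", 0, pos) + 1
    return -1


def parse_sysinfo(image, offset, max_len=4096):
    """Parse "Key: value" lines from offset up to the first NUL byte."""
    text = image[offset:offset + max_len].split(b"\x00", 1)[0]
    fields = {}
    for line in text.decode("ascii", errors="replace").splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def normalise_guid(value):
    """Compare GUIDs as bare upper-case hex (assumption: SysInfo writes 0x..., Windows does not)."""
    return value.strip().lower().replace("0x", "", 1).upper()


def check_identity(fields, casing_serial, usb_serial):
    """Cross-check the two fields the paper says must agree with the physical device."""
    return {
        "serial_matches_casing": fields.get("pszSerialNumber") == casing_serial,
        "guid_matches_usb": normalise_guid(fields.get("FirewireGuid", "")) == normalise_guid(usb_serial),
    }


# Constructed sample image: zero padding, the SysInfo text at an arbitrary
# offset (not the paper's), then more padding. All values are made up.
SAMPLE_OFFSET = 0x2200
SAMPLE_SYSINFO = (
    b"BoardHWName: iPod Photo\n"
    b"pszSerialNumber: EXAMPLE0SERIAL\n"
    b"FirewireGuid: 0x000A2700DEADBEEF\n"
    b"ModelNumStr: xEXAMPLE\n"
)
SAMPLE_IMAGE = b"\x00" * SAMPLE_OFFSET + SAMPLE_SYSINFO + b"\x00" * 1024


def run_sample():
    """Locate and verify the constructed sample; returns (offset, fields, checks)."""
    off = find_sysinfo(SAMPLE_IMAGE, casing_serial="EXAMPLE0SERIAL")
    fields = parse_sysinfo(SAMPLE_IMAGE, off)
    return off, fields, check_identity(fields, "EXAMPLE0SERIAL", "000A2700DEADBEEF")


if __name__ == "__main__":
    print(run_sample())
```

The known-offset check is tried first because it is free; the string searches are the fallback for a drive of a different size, and the serial-number search is the last resort the paper describes for when the marker itself cannot be found.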


Figure 1. Viewing the image of the Macintosh format iPod in a Hex Editor, showing the beginning of the SysInfo data file at hex offset 5F02200.

When investigating the Macintosh iPod’s Data Partition there were various references using the terms “user”, “uid” and “gid”. These occurred both within XML documents stored on the Macintosh iPod and within what appeared to be file system constructs. When using the stat command within the Macintosh OS X command line to get user information for various files on the iPod that were put there by a given previous user, the results returned indicated the owner of the files as the user issuing the stat command, regardless of whether they were the original owner of the files or not. Upon investigation of the drive in a hex editor there are references to a second user who did not add or change any files on the iPod, but rather only issued the stat command to query details about the owner of some files put onto the iPod by the first user. The significance of the references found to the second user is not known at this stage; however, this could have a huge impact on a criminal prosecution if left unresolved. The odd results returned by the stat command when issued from the Macintosh OS X command line may be explained by insight gained from investigating the Windows formatted iPod using Ubuntu Linux. When the Windows formatted iPod was allowed to be automatically mounted by Ubuntu, the mount command was issued with the nouser and nogroup switches. When considering the response from the OS X command line, the varying ownership information may be a result of the operating system not tracking the ownership information on both the Windows and Macintosh format iPod. Although this phenomenon may possibly be explained by this lack of tracking, the existence of the references to the second user who did not actually add or modify any files warrants further investigation.
Recent work by Carvey and Altheide [13] discussed the possibility of tracking USB storage devices within a Windows environment using artefacts generated by the Windows operating system. In their paper they show how USB mass storage devices leave evidence of their presence in both the Windows registry and the setupapi.log file within the Windows installation directory. By applying the investigative principles set out in their paper, the evidence the iPod left in these locations was examined. The first time the iPod is connected to the computer a key is created within the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ with a name of the form Disk&Ven_Apple&Prod_iPod&Rev_1.62. Under this key, another key is created using the value of FirewireGuid from the SysInfo file on the iPod followed by &0, and this includes many other keys and values. It is important to note that because this key is generated using the serial number the iPod presents, a unique key will be created for each different iPod connected to the computer. This allows identification of the time when a particular iPod was connected to the computer. Within the registry, each key and value also has a last write time, similar to a creation time for a file, and these values record the last time the value was written or changed. Unfortunately these last write values are temporal, and previous values are lost when new values are written. These last write times are not always visible, but some registry analysis tools can reveal them, and the Windows registry editing tool, Regedit, will also reveal these times when sections of the registry are exported to a text file. The setupapi.log file records driver installations that occur after boot time. When the iPod is connected for the first time, this event will be recorded by a series of entries in the setupapi.log file. If the Apple iPod software is not installed, then this first series of entries will be the only entries relating to the iPod. If the Apple iPod software is installed then the iPodService.exe program will record an entry in the setupapi.log file for each and every occurrence of the iPod being connected to the computer after boot time.
If the iPod is connected to the computer at boot time, no record will be written to the setupapi.log file. Generally, the last write time of the registry key formed with the serial number of the iPod will more accurately indicate the last time the iPod drivers were loaded by the system than the timestamps in the setupapi.log file. It is thus important to recognise that the current registry value will indicate the first time the iPod drivers were loaded since the last reboot, which may have been during that reboot. The setupapi.log file will indicate each connection after boot time. If the iPod was connected at boot time the registry will reflect this but the setupapi.log file will not. If the iPod is removed and then reconnected, the registry will still keep the time the drivers were loaded at boot time, but the setupapi.log file will indicate the reconnection time. This information can then be used to establish a partial time line in an investigation.
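A small correlation of the two artefact sources just described, as an added example that is not found in the paper. It assumes that setupapi.log sections open with a header of the form [YYYY/MM/DD HH:MM:SS pid.tid Driver Install]; the log lines, the GUID and the registry last-write time are constructed. It flags the case the section singles out: a registry last-write time that no post-boot log entry accounts for.

```python
"""Correlate a Windows USBSTOR registry key with setupapi.log entries for one iPod.

Added example, not code from the paper. The log lines and the registry
last-write time below are constructed to resemble Windows XP artefacts; the
section header layout "[date time pid.tid Driver Install]" the parser relies
on is an assumption of this example.
"""
import re
from datetime import datetime

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)\]$")
TOLERANCE_SECONDS = 120  # how close two timestamps must be to count as the same event


def split_sections(log_text):
    """Group setupapi.log lines under their timestamped section headers."""
    sections = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def setupapi_events(log_text, guid):
    """Events for the iPod whose FirewireGuid is guid: (timestamp, source, description)."""
    events = []
    for ts, lines in split_sections(log_text):
        body = "\n".join(lines).lower()
        if guid.lower() not in body:
            continue
        if "ipodservice.exe" in body:
            events.append((ts, "setupapi.log", "iPod connected after boot (iPodService.exe entry)"))
        else:
            events.append((ts, "setupapi.log", "iPod driver installation (first connection)"))
    return events


def build_timeline(registry_last_write, log_text, guid):
    """Merge the registry key's last-write time with the log entries, oldest first."""
    events = setupapi_events(log_text, guid)
    events.append((registry_last_write, "registry",
                   "iPod drivers loaded: first load since last boot (may be the boot itself)"))
    return sorted(events)


def boot_time_connection_suspected(registry_last_write, log_text, guid):
    """True when no post-boot log entry accounts for the registry last-write time,
    the signature the paper describes for an iPod attached while Windows booted."""
    for ts, _, _ in setupapi_events(log_text, guid):
        if abs((ts - registry_last_write).total_seconds()) <= TOLERANCE_SECONDS:
            return False
    return True


# --- constructed sample data (all values made up) ---
GUID = "000A2700DEADBEEF"
USBSTOR_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
               r"\Disk&Ven_Apple&Prod_iPod&Rev_1.62\%s&0" % GUID)
REGISTRY_LAST_WRITE = datetime(2007, 2, 12, 8, 1, 10)   # key written while booting
SAMPLE_LOG = """[2007/02/11 17:45:00 1044.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\diskapple___ipod____________1.62
#I121 Device install of "USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\\000A2700DEADBEEF&0" finished successfully.
[2007/02/12 07:30:00 1200.2 Driver Install]
#I121 Device install of "USB\\VID_0000&PID_0000\\UNRELATED" finished successfully.
[2007/02/12 09:20:33 1812.3 Driver Install]
#-199 Executing "C:\\Program Files\\iPod\\bin\\iPodService.exe" with command line: iPodService.exe
#I121 Device install of "USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\\000A2700DEADBEEF&0" finished successfully.
"""


def run_sample():
    """Returns (timeline, boot_time_suspected) for the constructed artefacts."""
    return (build_timeline(REGISTRY_LAST_WRITE, SAMPLE_LOG, GUID),
            boot_time_connection_suspected(REGISTRY_LAST_WRITE, SAMPLE_LOG, GUID))


if __name__ == "__main__":
    timeline, suspected = run_sample()
    for ts, source, what in timeline:
        print(ts, source, what)
    print("key:", USBSTOR_KEY)
    print("boot-time connection suspected:", suspected)
```

On the constructed data the registry time (08:01) falls between the first install on the previous evening and the iPodService.exe reconnection at 09:20, and matches neither, which is exactly the pattern the section describes for a device attached during boot.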

7. Utilising Purchased Music as Digital Evidence.

When investigating portable music devices, and indeed computers, the ability to identify and investigate purchased music can provide significant investigative leads, but it may not be a silver bullet in drawing a link between a computer and a suspect. With various competing digital rights management (DRM) standards such as Fairplay used by Apple Corporation, Helix used by RealNetworks, and Windows Media DRM used by Microsoft Corporation, the task of connecting a suspect to a device can become complex. With the opening of the Australian iTunes Music Store while this research project was being carried out, there was not enough time to properly investigate how to draw connections or establish relationships between music purchased from the Australian iTunes Music Store and metadata from the files stored on the iPod. For this research, the possibility of purchasing music from other retailers was not considered due to the incompatibility of the iPod with the other DRM schemes. As such, the insights presented here offer a purely theoretical perspective. Although in a general sense it could be very difficult to establish a connection between purchased music identified on a portable music player or computer, the store the music was purchased from, and ultimately the purchaser, the iPod presents an almost perfect case study. All purchased music ultimately has to be purchased from the iTunes Music Store and is stored in .m4p files. As it was not the intention of this research to reverse engineer the file format, this has not been done, but it would be possible to do so to identify which files were purchased by the same person, or whether they come from various purchasers. Once the purchased files have been identified it would become possible to use existing legal means to compel Apple Australia to identify who had purchased the music, the credit cards used to purchase the music, and the IP addresses the songs were downloaded to. From there, it would be possible to make further investigations and eventually a connection between the suspect and the music, and thus the device it was found on, could be made.

The iPod, like many other portable media devices, can store both media files and arbitrary data files. This has made it very popular both as a media player and as a bulk portable storage device. Unlike other USB media devices, the iPod was designed to be a fundamental part of a music distribution system, the iPod / iTunes combination. The intention was that it could be used not only to play music ripped from CDs but also to play purchased music acquired through the iTunes stores securely. Because of the need to keep the purchased music secure, the iPod / iTunes system tries to keep a strong link between the computer it was initialised on, where the music was generally stored, and the device itself, to ensure Apple could meet its anti-piracy obligations to the record companies. The requirement for the strong link between the computer the iPod was associated with and the iPod itself lends itself naturally to the support of forensic investigation.

8. Imaging and Verification.

Although the iPod was not intentionally designed to be accurately imaged, investigation has shown that, when connected using the USB interface, the iPod provides direct access to the drive. The iPod is software controlled but appears to have a number of hardware controlled functions, such as Disk Mode. Experimentation has shown that Disk Mode provides a reliable method of data access and this is the mode the iPod operates in when connected to a computer. When the iPod detects it has been connected to a computer, the software switches automatically into Disk Mode; this can also be achieved manually by toggling the “Hold Switch” on then off again, then pressing the “Menu” and “Select” buttons until the Apple logo appears, then immediately releasing the “Menu” and “Select” buttons and holding down the “Select” and “Play” buttons until the Disk Mode screen appears. Although the iPod does give direct hard disk access when in Disk Mode, the connection between the iPod and the computer does not always appear to be stable and this can make imaging difficult. When imaging the iPod in a Windows environment using Encase, the iPod would image and verify correctly but was very slow. When using Rawwrite DD for Windows 0.3 by John Newbigin, the capture rate could be lifted by setting the buffer size to 1Mb instead of 512 bytes and still achieve a successful image of the drive. When watching the progress of Rawwrite DD, it was possible to see the effect of the instability of the connection, as at times the transfer rate would hold very high for a time, then slow drastically, or pause for a short while. While using GNU DD to image the iPod using the Ubuntu Live CD, the same slowdown was still evident. This suggests, with the iPod used in the testing at least, that there was a connection issue, but a quality image could still be taken. When trying to image the iPod using GNU DD on Fedora Core 4, the capture would often fail, and verification would abort prematurely and give a false checksum. This may be a limitation of the USB connection supplied with the iPod, and may not be an issue when using Firewire, but this has not been tested.

When verifying the image captured from the iPod, it was necessary either to use Encase to verify that the image taken matched the original source, or to use MD5SUM included on the Ubuntu Live CD. It was possible to use MD5SUM as implemented by George M Garner in his Forensic Acquisition Utilities package within Windows, but only to verify the image captured, not the source. This appeared to be due to George M Garner’s implementation not being able to operate directly on a Windows NT block device. This unfortunately meant that it was not possible to hash the actual source as it was copied using Rawwrite DD on Windows. Using the Ubuntu Linux Live CD, it was possible to image and verify the drive; however, due to the incompatibility between Windows and UNIX/Linux systems it became necessary to image the iPod to a FAT32 drive for analysis within Windows, and the image needed to be split to stay within the 4GB file size limit of FAT32. After the end of the experimentation process, a driver was found that gives Windows read access to the Linux EXT2 and EXT3 file systems, which makes splitting the file redundant, but due to time constraints this was not investigated. The driver is called EXT2 IFS for Windows NT / 2K / XP Version 0.3 and is available from http://uranus.it.swin.edu.au/~jn/linux/ext2ifs.htm. As the main goal of this investigation was to establish a set of standard operating procedures for the imaging, verification and analysis of the iPod, a series of Standard Operating Procedures were detailed, but they are not included here due to space constraints.
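Splitting an image to fit a FAT32 volume and then verifying the split image against the source by hashing the segments as one stream, as an added example that is not from the paper. The source here is a constructed byte string written to a temporary file; on a real acquisition the source path would be the block device opened read-only, and the same chunked read would hash it.

```python
"""Image a source to size-limited segments and verify the split image against it.

Added example, not part of the paper. The "source device" is a constructed
byte string written to a temporary file; in practice the source path would be
the block device (for example /dev/sda on the Ubuntu Live CD) opened read-only.
"""
import hashlib
import os
import tempfile

READ_CHUNK = 64 * 1024
FAT32_LIMIT = 4 * 1024 ** 3 - 1  # largest file FAT32 can hold


def md5_of_paths(paths, chunk=READ_CHUNK):
    """MD5 over the concatenation of the given files, in the order given.

    Hashing the segments as one stream, rather than each one separately, is
    what lets a split image be compared against a single source hash.
    """
    h = hashlib.md5()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def split_image(source, dest_prefix, segment_size=FAT32_LIMIT, chunk=READ_CHUNK):
    """Copy source into dest_prefix.000, .001, ... of at most segment_size bytes each."""
    paths = []
    with open(source, "rb") as src:
        index = 0
        eof = False
        while not eof:
            path = "%s.%03d" % (dest_prefix, index)
            written = 0
            with open(path, "wb") as out:
                while written < segment_size:
                    block = src.read(min(chunk, segment_size - written))
                    if not block:
                        eof = True
                        break
                    out.write(block)
                    written += len(block)
            if written == 0 and index > 0:
                os.remove(path)  # source size was an exact multiple: drop the empty tail
                break
            paths.append(path)
            index += 1
    return paths


def verify_split_image(source, segment_paths):
    """True when the segments, read in order, hash to the same MD5 as the source."""
    return md5_of_paths([source]) == md5_of_paths(segment_paths)


def demo(segment_size=1000):
    """Run on constructed data; returns (segment sizes, verified, verified with wrong order)."""
    source_bytes = bytes(range(256)) * 13  # 3328 constructed bytes, not real iPod data
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")
        with open(src, "wb") as f:
            f.write(source_bytes)
        parts = split_image(src, os.path.join(d, "ipod.dd"), segment_size)
        sizes = [os.path.getsize(p) for p in parts]
        ok = verify_split_image(src, parts)
        # Reassembling segments in the wrong order must fail verification.
        wrong_order = verify_split_image(src, list(reversed(parts)))
        return sizes, ok, wrong_order


if __name__ == "__main__":
    print(demo())
```

Verifying this way reads the source a second time, which is the step the paper could not perform on Windows because the MD5 tool in use could not open the NT block device; on Linux the source path is simply the device node.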

9. Identification of the Type of iPod

Besides the difference in the file system of the Data Partition between the Windows and Macintosh format iPods, there is a key structural difference between the two that becomes evident when the iPod is examined at a low level. The first way to tell the two variants apart is to navigate the menu to "Settings" > "About" > "Format": the format is displayed as either "Windows" or "Macintosh" depending on how the iPod is configured. This method, however, requires substantial use of the device controls, which may be undesirable in an investigation. The other method is to examine the partition structure of the iPod.

When the iPod is connected to Ubuntu Linux, it is detected by the operating system and appears in the device tree even when auto-mounting of removable media is disabled, but it is not mounted. This allows only block-level access to the device, and if it is handled carefully, writes to the device can be prevented; marking the device read-only with blockdev --setro before any tool touches it removes the reliance on care alone. The device appears as a SCSI drive and takes the next free drive letter. Since it is seen as a SCSI drive, its name begins with /dev/sd; if it is the first drive it is lettered a, so in this example it appears as /dev/sda. Each partition on the drive appears with a number appended, so partition one is /dev/sda1. The key point is that the Windows format iPod has only two partitions, sda1 and sda2: sda1 is the iPod's System Partition and sda2 is the FAT32 Data Partition. The Macintosh format iPod has three partitions: sda1 is the Apple partition map partition itself (HFS+ keeps data and resource forks within a single volume, so there is no separate "resource fork" partition), sda2 is the iPod's System Partition, and sda3 is the HFS+ Data Partition. Thus the variant of iPod under investigation can be established quickly from the number of partitions it contains.
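The partition-count check, as an added shell example that is not from the paper: it reads the first sectors of an unmounted device or raw image with od and classifies the partition scheme without mounting anything. The Apple Partition Map layout ("PM" signature and a 32-bit big-endian entry count at byte 4 of block 1) and the MBR layout (four 16-byte entries from byte 446, signature 0x55 0xAA at byte 510) are the standard ones; treating an MBR entry as in use when its sector count is non-zero is the rule the Linux msdos partition parser applies, which is why the type byte is not consulted. The two sample images are constructed here and are not dumps of real iPods; the start addresses, sector counts and type bytes in them are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the paper: tell a Windows-format iPod (MBR, two
# entries) from a Macintosh-format iPod (Apple Partition Map, three entries)
# by reading the partition table bytes with od, so the device is never
# mounted and the menus are never touched.

# Print the N bytes at OFFSET of FILE as decimal values, one per word.
bytes_at() { od -An -tu1 -j "$2" -N "$3" "$1"; }

# Classify FILE (a block device or raw image).
# Output: "macintosh:<entries>", "windows:<entries>" or "unknown".
ipod_partition_scheme() {
    f="$1"
    # Apple Partition Map: block 1 holds the first map entry, signature "PM",
    # with the number of entries (pmMapBlkCnt, 32-bit big-endian) at byte 4 of
    # that block. The map itself is an entry, which is why Linux shows it as
    # sda1 and a Macintosh iPod reports three partitions.
    set -- $(bytes_at "$f" 512 2)
    if [ "$1" = 80 ] && [ "$2" = 77 ]; then
        set -- $(bytes_at "$f" 516 4)
        echo "macintosh:$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))"
        return 0
    fi
    # MBR: signature 0x55 0xAA at bytes 510-511, four 16-byte entries from
    # byte 446. An entry counts as in use when its 32-bit little-endian
    # sector count (entry bytes 12-15) is non-zero, as the Linux msdos
    # partition parser does; the type byte is ignored.
    set -- $(bytes_at "$f" 510 2)
    if [ "$1" = 85 ] && [ "$2" = 170 ]; then
        n=0; i=0
        while [ "$i" -lt 4 ]; do
            set -- $(bytes_at "$f" $((446 + 16 * i + 12)) 4)
            [ $(( $1 + $2 + $3 + $4 )) -ne 0 ] && n=$((n + 1))
            i=$((i + 1))
        done
        echo "windows:$n"
        return 0
    fi
    echo unknown
    return 1
}

# Write the bytes given as printf escapes at OFFSET of FILE, without truncating.
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# Constructed MBR sample: two in-use entries, the first with type byte 0 (to
# show that only the sector count matters) and the second typed 0x0b (FAT32).
make_mbr_sample() {
    dd if=/dev/zero of="$1" bs=512 count=2 2>/dev/null
    poke "$1" 454 '\077'       # entry 0: LBA start 63
    poke "$1" 460 '\004'       # entry 0: sector count 0x00040000
    poke "$1" 466 '\013'       # entry 1: type 0x0b (FAT32)
    poke "$1" 472 '\004'       # entry 1: LBA start 0x00040000
    poke "$1" 476 '\010'       # entry 1: sector count 0x00080000
    poke "$1" 510 '\125\252'   # boot signature 0x55 0xAA
}

# Constructed Apple Partition Map sample: "ER" driver descriptor in block 0,
# first "PM" entry in block 1 with pmMapBlkCnt = 3 (map, system, HFS+ data).
make_apm_sample() {
    dd if=/dev/zero of="$1" bs=512 count=3 2>/dev/null
    poke "$1" 0 'ER'
    poke "$1" 512 'PM'
    poke "$1" 519 '\003'
}

# Usage on a live system or an image: ipod_partition_scheme /dev/sda
```

Run against /dev/sda on the live system, or against the dd image, the function reports windows:2 or macintosh:3 for the two variants described above; the Apple Partition Map count includes the map itself, matching the Linux numbering in which the map appears as sda1.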

10. Analysis of the iPod

Analysis showed that no user-identifiable data is stored in the iPod System Partition. However, because users can change the images stored there or modify the boot loader to install iPod Linux, hashing alone cannot be relied on to establish whether the original software is in use: a hash that differs from a known-good system partition shows only that it has been altered, not what was altered.

10.1 Key Files of Interest

As indicated in Sections 6 and 7 above, on both the Windows and Macintosh format iPod there are two key files containing useful information. The \iPod_Control\Device\SysInfo file is placed on the iPod when the system software is restored and contains valuable data about the iPod, including its USB / FireWire serial number. The \iPod_Control\iTunes\DeviceInfo file is created after iTunes has linked the iPod with a computer and contains the name of the user and the computer involved in the linkage. If the computer named in this file runs Windows, there will be a record of the iPod in the registry and in the setupapi.log file referencing the USB / FireWire serial number presented in the SysInfo file on the iPod.


10.2 Time and Date Issues

Experimentation has shown that the time on the iPod has no direct correlation with the Created, Accessed and Modified times of the files stored on it during normal operation. If a user runs Linux on the iPod, or runs a non-standard program on it, file times could be changed, but if the analysis shows no evidence of this, it can be assumed that all file times were set by the computer the iPod was attached to. Experimentation has also shown that playing music files on the iPod, or viewing calendar or contact entries, does not change the last accessed time of the files; all last accessed times are therefore set by the computer the iPod has been connected to. When the iPod is restored as either a Windows or Macintosh iPod, its internal clock appears to be set to the time of the computer performing the restore, at least to minute accuracy. The same updating of the time occurs when the iPod is simply connected to a computer and iTunes is loaded. Any timeline built from file times on the iPod must therefore be interpreted against the clock of the host computer rather than the iPod's own clock.

10.3 Key File Types of Interest

As already mentioned, another key file type of interest is the .m4p file, as these are purchased from the iTunes Music Store and can be used to link the iPod to a suspect. With the appropriate warrant, such files can be forwarded to Apple and the relevant information gathered, such as account, payment and address details, and IP address and access logs. Virtually any other file can also be stored on the iPod, since it is effectively an external hard drive. Any files of interest to police, such as office documents, picture and movie files, and software, can therefore be analysed and extracted using established hard disk forensic techniques.

11. Ownership and Other Metadata

Unfortunately the iPod does not store ownership information for the files stored on it. The FAT32 file system used on the Windows format iPod has no means of storing ownership information. The Macintosh format iPod uses the HFS+ file system, which does support ownership information, but this functionality does not appear to be used on the iPod, so there is no user or computer information stored about specific files.

12. iPod Error Mode

During this investigation there were times when the iPod was forced to operate in ways it normally would not. One example was when the entire disk drive was cleared by filling it with zeros, to establish a new baseline and ensure that the only data on the device resulted from known events. This was done with dd in the Ubuntu Live CD environment, copying from /dev/zero, a continuous source of zero bytes, to the iPod's hard drive. To restore the device it then had to be disconnected from the Linux computer and attached to either the Macintosh or a Windows computer. When the iPod was disconnected it appeared to run a self-check, detected that all was not well, and presented what is commonly called the "sad iPod face", an error screen showing a folder with an exclamation mark. When this occurs, the only way to regain usability was to force the iPod into its hardware Disk Mode. This is done by toggling the Hold switch on and off again, then pressing and holding the "Select" and "Menu" buttons until the Apple logo appears, then immediately releasing them and holding down the "Select" and "Play" buttons until the screen indicates the iPod is in Disk Mode. The iPod Updater software can then be used to restore the software for either the Windows or Macintosh format iPod.

13. Transferring or Extending Research Findings to Other Devices

This research sets a strong foundation for the forensic analysis of the Apple iPod by extending other key research in the area. Although some of the findings are very specific to the iPod, others can be applied widely. The methodology most transferable to other devices is the analysis of the Windows registry and setupapi.log file to identify whether a given USB device has been connected to a given Windows computer, and to determine whether a timeline of connections can be established. The investigation of purchased music files is also applicable to other portable music players, although it may require more analysis than for the iPod, since it will first be necessary to determine where the music was purchased from.

14. Conclusion


The major purpose of this research has been to investigate how to image the iPod in a forensically sound manner and to develop a Standard Operating Procedure for doing so. This has been completed successfully and has highlighted several issues with imaging and verification that were not anticipated, including the Windows XP Service Pack 2 USB storage write blocking failing to block some write calls, and instability in the USB connection causing imaging and verification to fail on some Linux distributions. The procedures developed will allow a user with limited technical experience to image and verify the iPod, decreasing the load on more highly skilled investigators. The secondary goals of this research have also been completed successfully and, combined, provide a thorough understanding of the forensic issues involved in investigating the iPod and other portable music devices. Common data types of interest on the iPod have been identified, and in particular it has been shown how purchased music can be used to identify a suspect and create a link between them and evidence found at a crime scene. The relevant proprietary data stored on the iPod has been identified and described, and its relevance to an investigation explained. The metadata on the iPod has been identified and investigated, and its use in an investigation presented. The Standard Operating Procedures developed (excluded here due to space constraints) are useful not only for the investigation of the Apple iPod; much of the work is also transferable to other portable music devices. Overall this research, although specifically focused on the Apple iPod, has a much broader context and applicability.
Portable digital media forensic investigations are in their infancy when compared to other more established electronic investigations and all work that furthers the understanding of the field helps to build a coherent set of tools for investigators.

15. Further Research

There are a number of key areas where further research would greatly benefit the forensic community. The first is the investigation of how other portable media devices can be tracked using residual artefacts in the Windows registry, the setupapi.log file and other as yet unidentified locations; as the Windows registry is very large and complex, more data may well be stored elsewhere. The second is research into what information can be extracted from DRM-protected files from the leading DRM systems, and how this information can be used to aid an investigation without having to forward every file in question to every retailer. This would allow an investigator to identify quickly what purchased media is on a device, where and when it was purchased, and possibly the purchaser's identity, significantly decreasing the time required to follow these leads and develop a sequence of events. The third is further analysis of the Macintosh format iPod, how it interacts with the Apple operating system, and what data, if any, is left on the system by iPod connection events. A sound understanding of this would be applicable not only to the iPod but might also yield leads about how other portable media devices interact with the Macintosh operating system and what evidence of their connection may be generated.

16. References

[1] Apple 2005a, Apple reports second quarter results.
[2] Apple 2005b, Apple reports third quarter results.
[3] Apple 2005c, Apple reports fourth quarter results, viewed 1 Nov 2005.
[4] iPod car theft ringleader jailed 2004, BBC News, http://news.bbc.co.uk/1/hi/england/london/3932847.stm.
[5] McFedries, P 2005, 'Technically speaking: the iPod people', IEEE Spectrum, vol. 42, no. 2, p. 71.
[6] Cass, S 2004, 'Tools & toys: iPod a go-go', IEEE Spectrum, vol. 41, no. 8, pp. 49-51.
[7] Thomas, D 2004, Mobile threat to company data exposed by security experts, Personnel Today, viewed 14 March 2005, http://www.personneltoday.com/rticles/Article.aspx?liArticleID=25477.
[8] Colley, A 2005, 'E-cops playing catch-up', Australian IT, 25 May 2005.
[9] Stern, H 2004, iPod and iTunes hacks, O'Reilly.
[10] Marsico, C & Rogers, M 2005, iPod forensics, Purdue University.
[11] Slay, J 2005, Personal communication, Enterprise Security Management Laboratory, University of South Australia.
[12] Blundell, B 2005, Personal communication, Electronic Crime Division, South Australia.
[13] Carvey, H & Altheide, C 2005, 'Tracking USB storage: analysis of Windows artefacts generated by USB storage devices', Digital Investigation, vol. 2, pp. 94-100.
