iPods have standard file systems of either Apple's HFS+ or Microsoft's FAT32, which we will explore in greater detail later. These file systems are static because they are not continually transferring data like other types of file systems, such as cell phones, for instance. Because of their static nature, performing forensics on MP3 players is not substantially different from performing forensics on a regular computer hard drive. The difference between the two that makes an MP3 player an alternative media device is that its primary function is that of a music player. Even though MP3 players have always been able to store files like USB flash drives have, only recently have iPods evolved into photo storage and video player devices. Because they are used for entertainment purposes, iPods might not be thought of as data repositories containing evidence.

The first step in iPod forensics is to create an image of a device and hash it to ensure integrity. As we've discussed in previous chapters, with digital evidence, we do not work on original evidence. Instead, we attempt to create a duplicate of the evidence. This duplicate can be an exact replica of all data contained on the device. There are two types of images: physical images and logical images. A physical image is a bit-for-bit copy of all data contained on a device, and a logical image is an image of the file system exactly as it appears on a device. For forensic purposes, a physical image is always the preferred type.

To preserve the integrity of the data, forensic examiners perform what is called a “hash” at every step of the way. A hash is a one-way mathematical algorithm that acts as a “fingerprint” of all data contained on a device. This ensures that the data has not been altered from its original state at any point during the imaging process. You can perform a hash by using a tool such as md5sum. First you apply the tool to a file, and it returns a number that corresponds to a particular algorithm. Then the imaging is performed and you rerun the md5sum tool. If any part of that file is altered after you rerun the md5sum tool, the number will change, signifying a potential loss of evidence integrity. This will ensure that the data you are working on has not been altered.

Another way to preserve the data is to use a write blocker. Write-blocking a device will protect the device from any manipulation. It will essentially guard your evidence from being written to during imaging. This way, if you happen to make an error, your evidence will be protected. A write blocker typically comprises visible external hardware, such as Logicube's Forensic Talon or Intelligent Computer Solutions' (ICS) Solo III. A hard drive is physically attached to one of these devices, which will ensure that no writes can be made to the evidence contained on that drive.

Because iPods do not have Integrated Drive Electronics (IDE) interfaces and they use FireWire or USB, they cannot be synced to standard IDE imaging devices such as the Solo III without a USB adapter. Similarly, an iPod should not be synced into a forensic tower and imaged using a Windows-based tool. When you plug any USB or FireWire device into a Windows machine, Windows will “touch” the device and change the files contained on the device. One of the most important rules that forensic examiners must follow is not to alter evidence, including date and time stamps on evidence.

As we saw in Chapter 6, you can image data using hardware and software operating systems. It is highly recommended that if you have a hardware device that has a USB and/or FireWire interface, you should image the data using the hardware device. Hardware devices write-block very well and they leave little room for error. An excellent hardware device is the Tableau Forensic USB Bridge, but others like it are available on the market. They are relatively inexpensive and user-friendly. A nonhardware solution, such as an operating system like Linux or DOS, can be configured to not automatically mount a device when imaging. Linux is not a substitution for a write blocker, and it is susceptible to human error.

It is possible to obtain an image by removing the hard drive from an iPod if the iPod does not use flash memory. See the section “Types of iPods,” later in this chapter, to see which ones contain hard drives. You can remove a hard drive from an iPod, but this is prohibitive because removing a hard drive could break the device.

Once you have write-protected the device, you can then use any number of tools to create an image. You also can use on the device EnCase and other software used to create a forensic image of hard disks. Another method you can use, but only if absolutely necessary, is to employ an operating system such as Linux for imaging. You can configure Linux to not automatically mount a USB device when the device is plugged into your forensic tower. This means that in theory, an iPod would remain untouched with files being unaffected when plugged in. This method allows for no write protection, however. If you make a mistake, you could destroy your evidence. We suggest that if you use this method, you employ the Linux command dd or the DCFL lab version, called DCFLDD, to image the device.

Using DD to create an image of an iPod or MP3 player involves several steps. The steps to perform this method follow.

The first thing that you see is the fdisk output of the device, with two partitions. In this case, the device /dev/sdd corresponds to the iPod device which is the target of the imaging process. The first entry in fdisk's output for /dev/hda corresponds to the hard drive of the host computer used in the imaging operation and can be safely ignored (see Figure 8.3).

It is important to remember that the whole point of imaging in this way is to not mount the device. You can do everything you need to image the device without mounting.

The next step is to collect the MD5 hash of the device. You can perform this step in multiple ways, such as using another hashing tool or outputting an MD5 file to another directory. Figure 8.4 shows the command syntax for running the MD5 checksum utility md5sum on the target device /dev/sdd and storing the result in the file /root/ipod.before.md5.

Next, you view the /root/ipod.md5 file to make sure the hash is valid (see Figure 8.5). In forensics, it is good to double-check your work at every point, especially when there is no hardware write protection.

The next step is to create an image file from the device. This example uses the Linux dd command to image the data (see Figure 8.6). The BS option stands for “block size.” Block size can change as desired, and has no impact on the data copied, except to optimize the throughput rate of the copy by copying that many bytes on each copy operation. The next two commands are the input file and the output file. It is important to double-check that an iPod device is the input file and not the output file. Putting the iPod device as the of parameter could alter the contents of the evidence drive!

Figure 8.7 is an example of a completed dd function.

After the image is complete, you would then perform another hash to ensure that the data has not been changed. As shown in Figure 8.8, by comparing the two hashes, you can then see that the data has not changed.

As the previous example shows, the before and after hashes of the iPod device are the same, which means nothing on the evidence drive was altered. Additionally, a hash of the forensic copy should be made to ensure that the hash of the image file is the same as that of the iPod. This proves that the image contains the exact same data as the iPod and that the “dd” of the drive worked correctly.

If you are using a Windows-based imaging tool such as Guidance Software's EnCase, you can use a key in the Windows Registry to write-block a USB device that is plugged into a forensic tower. This will keep Windows from writing to evidence. Doing a Web search on “write-blocking USB device” will give further information on the steps necessary to carry out this procedure.

It is important to remember that using Linux or a Registry key edit for imaging is a last resort. It is always better to use a hardware write-blocking device. You can find many guides online that will detail the steps you need to follow if you choose to take this route. You can also go to www.windowsitpro.com/windowsstorage/Article/ArticleID/44380/44380.html.

iPods come in many different physical and firmware versions. The first generation of iPods became available to consumers in October 2001. They had a storage capacity of up to 10 GB. Apple has introduced many subsequent generations of the iPod. With each new generation, features became enhanced, including the addition of color screens, and video storage and playback capability. The storage capacity increased as well. Newer iPods can have storage capacities of up to 80 GB, using a Toshiba 1.8 hard drive.

The iPod Mini debuted in January 2004. The Mini was the first iPod available in various colors and was substantially smaller than other models. Storage capacity for the Mini was up to 6 GB, using a 1-inch Hitachi Microdrive.

The iPod Nano was the new version of the Mini. It was even sleeker and smaller and came in either black or white. Current Nano models have a storage capacity of up to 8 GB, using flash memory. The Nano has the ability to store and show digital photographs and video via a color screen.

The iPod Shuffle appeared in January 2005. The Shuffle used flash memory instead of a hard drive. The first Shuffle was smaller than a pack of gum. Unlike the other iPod models, it had no LCD display. The second-generation Shuffle was even smaller than its predecessor.

Currently, iPods support the following file types: Advanced Audio Coding (AAC), Protected AAC, MPEG Audio Layer III (MP#), Variable bit rate MP# (MP# VBR), Audible Audiobook, Apple Lossless, Audio Interchange File Format (AIFF), Windows Audio, and Compact Disc Digital Audio, JPG, JPEG, TIF, TIFF, GIF, PNG, BMP, PSD, SGI, MPEG-4, and H.264.

A file system is what organizes the files that are accessed by a computer's operating system and other software installed on the machine. We discussed file systems at length in Chapter 4. Just as computers may use different file systems, devices such as MP3 players also use various file systems to access files. The file system used needs to be one that's supported by the computer that will be used to copy music and other files to the MP3 player.

The iPod uses two standard file systems: Microsoft's FAT32 and Apple's HFS+. The FAT32 file system is compatible with Apple Macintoshes and Windows PCs. HFS+ is writeable only with Macintoshes. If a user has an iPod formatted with FAT32 and both a Macintosh and a Windows-based PC, he can read and write to the iPod using both file systems. Such a user can also write and read to the iPod using Linux. The iPod is essentially a storage device and you can configure it to use almost any file system. I have used the extended 2 and 3, as well as FAT16 file systems on my iPods.

Because an iPod or other MP3 players can be used to store data other than music files, it follows suit that they can also be loaded with hacking tools or malicious software. For example, by repartitioning an iPod Shuffle, you can create enough space to install a bootable Linux distribution that contains various “hacking tools,” including the popular Metasploit. The iPod control folder is left intact, along with all of the other folders needed for the iPod to function normally. By plugging the iPod into another machine, you can then boot it into Linux and use Metasploit or another hacking tool to break into another machine and access its data. Even if an iPod appears to act like it should, it may not in fact be what it seems.

Mojopac is another hacking tool for use with the Windows operating system. Mojopac allows a hacker to use an iPod as a virtual Windows desktop. Plugging an iPod into the USB port on a Windows computer copies the applications on that computer's desktop and allows the iPod to become a working virtual machine. For more information or to purchase this tool, go to www.mojopac.com.

Another hacking technique using iPods is called “slurping.” Slurping uses a tool called Slurp that captures documents, spreadsheets, and other files from the desktop of a computer using an iPod via the computer's USB port. This can be useful or malicious. For example, a malicious user could ask you whether she can use your computer to charge up her iPod using a USB port on your computer. Once the iPod is synced to the computer, Slurp captures all the documents and spreadsheets on your computer's desktop. You can find the original article and code at www.sharp-ideas.net/pod_slurping.php.

When conducting an exam, forensic examiners need to know the distinction between normal data files and evidence that is not normal. Depending on the firmware and version of a particular iPod, there may be some variance in this determination throughout an analysis. For example, on older iPods, the song-naming convention displays the entire name of a song plus the music file extension, whereas on newer iPods songs are displayed with a four-letter code in addition to the file extension.

In Figure 8.9, you see the main directory structure of an iPod Nano, which contains the iPod_Control, Device, iTunes, Music, and Artwork main directories. The New Folder icon is not typical.

The Device folder contains files with some important information about the iPod, such as the firmware version and serial number. One of the files that forensic examiners should note is the iTunes DB file, which provides information about music files, including their file type, their music category, and the location on the device. This file is controlled by the iTunes software (see Figure 8.10). If a user manually moved a file onto an iPod, it would not be listed in the iTunes DB file. The file is found in the iPod_Control/iTunes directory.

The iPod Shuffle has a file called iTunes SD, which provides MP3 location and song title information. The shuffle is the only iPod which contains this file. The iPod_Control directory is the control center of an iPod. It contains the Music and iTunes directories. This is where all music files are stored by default. All music files are dispersed into various directories, each named F##. Further investigation of the directories reveals the actual music files themselves. Newer versions of iTunes will condense MP3 or other digital-music-formatted songs into four-letter codes followed by an extension, as shown in Figure 8.11 and as discussed earlier.

When you are looking at digital photos or video files on an iPod, it is important to understand that the photos or videos themselves may be important evidence. The evidence could reside in plain sight on the iPod, or it could be hidden inside folders. For example, in a child pornography case, photo or video evidence might be in the default photo and video directories. Further investigation might be necessary to uncover hidden evidence.

Other directories are the Contacts, Podcasts, and Notes directories. Different versions of iPods have slightly different directories. For example, the iPod Shuffle has the Shuffle DB but does not have a picture-viewing directory. If there are photos in a Shuffle directory, those photos were placed on the device manually, not using the iTunes software.

Just because an iPod has been manipulated or changed from its factory configuration does not necessarily mean that suspicious activity is occurring. Many people like to change or hack their iPods. Sometimes it can be innocent, but other times it can be a telltale sign of malicious activity.

Suspicious items to look for are things such as mismatched file extensions. An example is a .jpeg file with an .mp3 extension. Most forensic tools are able to detect such discrepancies by using signature analysis tools. These tools find files that have a header that is different from the extension. You can configure most forensic tools to add custom file signatures.

Other suspicious items are hidden or improperly named files, which include files named something innocuous—for example, a photo that is named to look like an MP3 file. Additionally, files that should arouse suspicion could include those with blatantly outrageous names, such as “hax0r.”

Too many partitions indicate that an iPod is not set to the factory default and should be looked at carefully. A file system other than the standard FAT32 or HFS+ installed on an iPod could indicate suspicious activity.

For example, the image in Figure 8.12 appears to contain a normal iPod directory structure. However, there are a few unusual items that bear notice, such as a Knoppix directory and the syslinux.cfg and ldlinux.sys files, which indicate that this iPod has some form of Linux on it. Also of note is the framework-2.5 directory. This directory contains the Metasploit hacking tool which you can find at www.metasploit.com. In this case, it happens to be Damn Small Linux (DSL), a very small, bootable version of the Linux operating system. There is also a slurp-audit directory, which is very suspicious.

Another tactic that users employ to disguise files is to insert text within a music file. A hidden message such as “The cow jumps over the moon at noon” might be inserted into an MP3 file. The MP3 will still play normally, which makes it difficult to detect. In this case, the best way to detect text within an MP3 file is through keyword searches. It is also possible to get hashes of songs from Apple and compare them to the song hashes on the suspect device. This will not show up on signature analysis because the actual file header will still match its extension.

Yet another way to hide photos is to make them cover art. With the color iPods, users can match cover art to music files. Default cover art is often included in songs purchased from iTunes. There are also Web sites that have current cover art. Users have the option of changing the cover art to suit their preferences, making it a good place to hide bad photos.

Forensic examiners can use almost any forensic tool that supports FAT32 or HFS+ for analyzing iPods, including Guidance Software's EnCase, AccessData's FTK, Brian Carrier's Sleuth Kit, and Paraben's P2. All of these tools utilize similar functionality to carry out analyses. All have a relatively intuitive user interface. The Sleuth Kit is primarily for more advanced users and runs only on the UNIX/Linux platform. All of these tools are commercially available; the Sleuth Kit is downloadable free of charge. Not all of these tools will support the HFS+ file system, so users may be limited by particular file system parameters. All of these tools are capable of rendering image files and text files, and they have keyword search capability. A forensic examiner would use these tools in the same manner as he or she would in performing a static hard-drive analysis.

Cell phones work by connecting to a cellular network, which people pay a subscription fee to join. The cellular network is a wireless digital/radio network that is made up of cells that are served by transceivers called base stations. These base stations are connected to the public switched telephone network (PSTN) the same as a normal landline phone, allowing the calls to and from your wireless phone to be sent to any phone, regardless of whether it's part of the cellular network.

Cell phones use Subscriber Identity Modules (SIM) or SIM cards, which are smart cards, to store information about the subscriber to the cellular network. Because the card stores information about the cell phone subscriber, it allows cell phone users to switch phones by removing the card and placing it in a new phone. The information in the card is used to authenticate the user to the network.

Cell phones may also use memory storage cards called flash media, which allow pictures, video, music, applications, and other data to be stored on the cell phone. Some of the most common cards are Compact Flash, Smart Media, and Memory Stick cards.

You can acquire data from cell phones using a combination of software and hardware. Readers are used to access data from flash cards and SIM cards, and are relatively inexpensive. Forensic software such as EnCase can then be used to acquire evidence from the card as it would other types of media. In addition to this, other products are available that are specifically designed for cell phones and other mobile devices, such as PDAs and BlackBerry devices (which we'll discuss later in this chapter).

Wireless devices such as cell phones, PDAs, pagers, and so on require additional measures for storage, as they can receive unwanted signals that can corrupt or modify the evidence on these devices. Because they can accept incoming transmissions, it is possible for a suspect to access a device that's been seized from him or her remotely, and delete or modify any incriminating evidence. For example, many devices store a limited log of incoming calls, where the oldest phone numbers are purged to make room for new calls received by the device. By repeatedly calling the cell phone, a suspect could remove evidence of calls received by people.

Similarly, if pagers, cell phones, or other equipment that contains possible evidence and runs on battery is involved, they need to be preserved for immediate examination. Phone numbers, pages received by the person, and other evidence could be lost once the battery power runs out. As such, it's important to document anything that is visible through the display of a device, and to photograph it if possible.

To preserve the evidence on these devices, it's important to store them in special bags and boxes that prevent unwanted signals from reaching them. Some of these boxes even provide outlets to allow power to be provided to the devices while they are being stored. Examples of two such products are the StrongHold Bag and StrongHold Box developed by Paraben (www.paraben-forensics.com).

As shown in Figure 8.13, Paraben's Wireless StrongHold Bag is an evidence bag that is made of nickel, copper, and silver-plated nylon woven fabric. Because of this amalgam of materials, signals are prevented from penetrating the bag.

As shown in Figure 8.14, Paraben's StrongHold Box is a portable faraday cage that allows you to store wireless devices inside, and work on them inside the box through signal blocking gloves. The box has shielded power, light, and data connections, and is constructed of materials that prevent signals from reaching any wireless devices stored inside.

The PDA device has several components. Our intent here is to discuss some of the more common ones. The first component of the PDA is the microprocessor, which is similar to any other microprocessor except that there is a restriction on its size. Another component of the PDA is some form of input device, such as a touch screen. In addition to these components, an essential component is the operating system that is running the software for the PDA device.

As discussed previously, the concept of PDA forensics is very similar to the procedures and methodologies that are used with any form of forensics. When we discuss PDA forensics, there are investigative methods that you should use when performing a forensic investigation of a PDA. The four main steps when it comes to performing a forensic investigation of a PDA are:

We start off by securing the evidence. It is essential that you follow a process that has been approved by legal counsel to secure the PDA. When you seize the PDA you have to ensure that you take the PDA, the docking cradle, and the external memory cards. This is probably one of the most difficult things to control and requires that you conduct a thorough search for any and all memory cards. With the size of memory cards today, there is an extensive amount of evidence that you would be missing if you missed just one memory card. Once you secure the evidence, the next step is to create an exact image to preserve the crime scene. Once you have acquired the image it is time to examine the evidence. Once you have examined the evidence, you have to present it, which is usually done by compiling an extensive report based on the investigation thus far. It is also your responsibility as the examiner to maintain the evidence, which consists of keeping it in a secure location. You also have to ensure that the PDA remains charged so that the data and information are maintained in a constant state.

When it comes to the PDA device, you need to consider several things while carrying out an investigation. These devices can be managed and maintained at all times. Adding further complication is the fact that with PDA devices, a suspect can have immediate access 24 hours a day, seven days a week. Another thing that makes your job as an investigator more challenging is that PDAs are immediate boot cycle devices. Accordingly, it is important to remember that these devices typically contain a plethora of information and are a vault of evidence for the forensic examiner.

Whereas several tools are available for conducting a forensic investigation, fewer tools are available when investigating handheld or PDA devices.

The current version of the BlackBerry OS has numerous capabilities and features, including over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information, and the ability to customize your BlackBerry display data.

The BlackBerry device has an integrated wireless modem, which allows it to communicate over the BellSouth Intelligent Wireless Network. The BlackBerry uses the BlackBerry Serial Protocol, which is used to back up, restore, and synchronize the data that is communicated between the BlackBerry handheld unit and the desktop software. This protocol comprises simple packets and single byte return codes. The device uses a strong encryption scheme that safeguards confidentiality and authenticity of data. It keeps data encrypted while in transit between the enterprise server and the device itself.

Because the BlackBerry is an always-on, push messaging device, information can be pushed to it at any time. It is important to note that the information that is pushed has the potential of overwriting any data that was previously deleted. The problem is compounded by the fact that, without warning, a multitude of applications may receive information and make the attempts by the forensic investigator to recover information and an unaltered file system much more difficult. The first step in preserving the information is to eliminate the ability of the device to receive this data push. If possible, you can turn the radio off, or a better solution is to take the device to an area where the signal cannot be received, such as putting the device inside a filing cabinet drawer. One might think, “I'll just turn it off.” This would be a serious mistake! The BlackBerry is not really “off” unless power is removed for an extended period, or the unit is placed in storage mode. Furthermore, once the unit is powered back on, any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. As mentioned previously, it is quite possible that a change to state such as a power-off of the BlackBerry could result in a program being run on the unit that will allow the device to accept remote commands via e-mail.

Several tools and methods are available that allow you to attack a BlackBerry. The first tool is the BlackBerry Attack Toolkit, which you can use along with the BBProxy software to exploit Web site vulnerabilities. The second tool is the Attack Vector, which links and tricks users by downloading malicious software to the BlackBerry. The last method we will discuss is the method of hijacks (or blackjacks). As the name implies, this allows someone to hijack a legal user's BlackBerry and replace him or her on the network with potentially harmful devices.

You can do several things to secure the information on a BlackBerry. The first thing you can do is clean the BlackBerry memory, and protect stored messages on the messaging server. You can encrypt the application password as well as the storage of it on the BlackBerry. Furthermore, you can protect storage of user data on a locked BlackBerry by limiting the password authentication attempts. It is possible to set a maximum of 10 attempts to gain access to the device. Additionally, you can use AES technology to secure the storage of the password keeper and password entries on the BlackBerry.