Artifact Integrity in Forensic Acquisitions of iPhones using Jailbreak Preprocessing
Primary Investigator:
Marcus Thompson
Ian Hamilton, Marcus Thompson
Abstract
Smartphones store increasingly large amounts of personal data that are often important
to criminal investigations. To be acceptable in a court of law, this information must be
retrieved in a manner approved and accepted by the forensic community and the judicial
system. Methods of acquiring data that meet these requirements are considered forensically sound.
The continually increasing security of newer smartphones and mobile operating
systems makes it difficult for mobile forensic examiners to acquire this important data in a
forensically sound manner. The increased security is most prevalent within Apple's iPhone and
iOS and started with the release of the iPhone 4S and the A5 chip.
One method of circumventing this security is through the use of a jailbreak. The
jailbreaking process is not currently considered forensically sound due to its invasive nature, but
little scientific research has been done to identify how invasive a jailbreak is, or whether it alters
information stored on the device in a way that would call into question the integrity of any data
retrieved after the device was jailbroken by a forensic examiner. The research conducted will utilize
hash value comparisons to determine whether a select number of important files are changed
throughout a jailbreak and an iTunes restore.
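
The hash value comparison described above can be sketched as follows. This is an added example, not code from the study: it compares a chosen set of files across a baseline acquisition and each later stage (for instance after the jailbreak and after the iTunes restore). The choice of SHA-256, the stage labels and the file names are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest, read in chunks (the algorithm is an assumption)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, selected):
    """Map each selected relative path to its digest, or None if absent."""
    root = Path(root)
    return {rel: hash_file(root / rel) if (root / rel).is_file() else None
            for rel in selected}

def compare_stages(stages, selected):
    """stages: ordered (label, root) pairs, baseline first; returns {path: {label: status}}."""
    manifests = [(label, build_manifest(root, selected)) for label, root in stages]
    baseline = manifests[0][1]
    report = {rel: {} for rel in selected}
    for label, manifest in manifests[1:]:
        for rel in selected:
            before, after = baseline[rel], manifest[rel]
            if before is None:
                status = "absent" if after is None else "added"
            elif after is None:
                status = "missing"
            else:
                status = "unchanged" if before == after else "modified"
            report[rel][label] = status
    return report

def demo():
    """Constructed sample trees standing in for three acquisitions."""
    selected = ["messages.db", "contacts.db"]  # hypothetical file names
    contents = {"baseline": [b"msgs", b"people"],
                "post_jailbreak": [b"msgs", b"people+1"],
                "post_restore": [b"msgs", None]}  # None = file not present
    with tempfile.TemporaryDirectory() as tmp:
        for label, blobs in contents.items():
            Path(tmp, label).mkdir()
            for name, blob in zip(selected, blobs):
                if blob is not None:
                    Path(tmp, label, name).write_bytes(blob)
        stages = [(label, Path(tmp, label)) for label in contents]
        return compare_stages(stages, selected)
```

Calling `demo()` returns the per-file status for each later stage relative to the baseline; a file that is missing at a later stage is reported separately from one whose content changed.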