Proposal / Submission Type
Peer Reviewed Paper
Location
Richmond, Virginia
Start Date
30-5-2012 3:20 PM
Abstract
Because of their increasing use worldwide, iPads are on the path to becoming key sources of digital evidence in criminal investigations. This research investigated the logical backup acquisition and examination of the iPad2 device using the Apple iTunes backup utility, comparing manual examination of the backup data with automated parsing of the backup data (Lantern software - automated examination). The results indicate that a manual examination of the logical backup structure from iTunes reveals more digital evidence, especially if installed application data is required for an investigation. However, the researchers note that if a quick triage of an iOS device is needed, then automated tools provide a faster method for obtaining digital evidence from the device. The results also illustrate that the file names in the backup folders have changed between iOS 3 and iOS 4. Lastly, the authors note the need for an extensible software framework for future automated logical iPad examination tools.
Keywords: iPad, forensics, logical backup, iOS, manual examination.
Scholarly Commons Citation
Ali, Somaya; AlHosani, Sumaya; AlZarooni, Farah; and Baggili, Ibrahim, "iPad2 Logical Acquisition: Automated or Manual Examination?" (2012). Annual ADFSL Conference on Digital Forensics, Security and Law. 12.
https://commons.erau.edu/adfsl/2012/wednesday/12
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
iPad2 Logical Acquisition: Automated or Manual Examination?