Recovering Evidence, Personal Data, and Corporate Assets
The iPhone has become America’s #1 mobile device, and is increasingly being used in business, personal activities, and also crime. The iPhone stores an enormous amount of information useful to corporate security professionals and law enforcement agents. Enterprises must adequately manage sensitive data which may put their company at risk. Law enforcement agencies and freelance forensic examiners must process the iPhone for evidence linking its owner to crimes.
Host a course for your department and provide these crucial skills to your personnel. Jonathan Zdziarski, original iPhone hacker and author of many iPhone books including iPhone Forensics and iPhone SDK Application Development, will lead your organization’s security professionals through the delicate process of recovering and processing evidence stored on the iPhone. This full two-day course will guide you, hands on, through forensic recovery and electronic discovery of an iPhone, iPhone 3G, and iPhone 3G[s] and cover iPhone firmware up to and including v3.1.2. Attendees will receive a 170pp white paper containing Zdziarski’s latest methods, the tools they can use in the field, and a certificate of completion to certify their skillset. All of the tools and demo content used in the classroom will also be provided so attendees can learn and follow hands-on. Have Jonathan train your personnel hands-on to learn:
- What kind of evidence is stored on an iPhone, and what can be recovered through desktop trace
- Raw disk recovery of a v1.x, v2.x, and v3.x iPhone user disk partition, preserving and recovering the entire raw user disk. Recovery over USB cable or Wi-Fi.
- Making commercial tools, such as EnCase, recognize an iPhone disk image
- Bypassing passcode protection and device encryption to gain access to the device’s user interface for compatibility with third-party triage tools, or for time-sensitive cases where preservation of life is priority.
- Interrupting the iPhone 3G’s “secure wipe” process
- Recovering deleted voicemail, images, email, and other personal data using data carving techniques
- Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
- Electronic discovery of Google map lookups, WiFi connect records, keyboard typing cache, and other sensitive data stored on the live file system
- Extracting contact information and other data from the iPhone’s database
- Collecting desktop trace and establishing trusted relationships to owners’ desktops
- Different recovery strategies based on case needs
Using the tools and know-how provided in this course, you’ll work hands-on to recover stored and deleted information from the iPhone including:
- Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication.
- Screenshots preserved from the last state of an application, taken whenever the home button is pressed, or when 3D zoom effects are used.
- Deleted images from the suspect’s photo library, camera roll, and browsing cache.
- Deleted address book entries, contacts, calendar events, and other personal data.
- Exhaustive call history, beyond that displayed.
- Reconstructing record fragments from corrupt databases
- Map tile images from the iPhone’s Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix.
- Browser cache and deleted browser objects, which identify the web sites a user has visited.
- Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps.
- Deleted voicemail recordings stored on the device.
- Pairing records establishing trusted relationships between the device and one or more desktop computers.
In addition, Jonathan will walk you through many common corporate and crime scene scenarios and describe the kind of data that will prove most useful in your investigation. A Q/A session will conclude the conference as time permits. Classroom assistants will be available to help during all classes.
This is a Mac-only course. Be sure to bring an Intel-based Mac notebook and an iPhone if you would like to learn hands-on. Do not bring live evidence or any data that cannot be at risk from classroom mistakes.
Classroom Specifications:
For attendees wishing to participate in hands-on demonstrations, please bring the following:
- An Intel-based Mac notebook running Mac OS X Leopard 10.5.7 or 10.5.8, or Snow Leopard 10.6.0 or 10.6.1
- At least one of:
  - iPhone with firmware v1.0.2 – 1.1.4
  - iPhone 3G with firmware v2.0.0 – 3.1.2
  - iPhone 3G[s] with firmware v3.0.0 – 3.1.2
- iTunes 8.1.1 (downgrade instructions available)
Don’t miss the opportunity to have your personnel trained by the leading expert in iPhone forensics. Register your course today, as space is limited.
SCHEDULE A CLASS
Course Scheduling
To request an on-site course in the US and Canada, contact jonathan@zdziarski.com
* Contact us for special Law Enforcement pricing
Contact us to inquire about hosting a course at your facility.