Advanced iPhone Forensics Workshop

Recovering Evidence, Personal Data, and Corporate Assets

The iPhone has become America's #1 mobile device, and is increasingly being used in business, personal activities, and also crime. iPhones store an enormous amount of information useful to corporate security professionals and law enforcement agents. Enterprises must adequately manage sensitive data which may put their company at risk. Law enforcement agencies and freelance forensic examiners must process the iPhone for evidence linking its owner to crimes.

Join us as Jonathan Zdziarski, original iPhone hacker and author of many iPhone books including iPhone Forensics and iPhone SDK Application Development, leads your organization's security professionals through the delicate process of recovering and processing evidence stored on the iPhone. This three-day workshop will guide you, hands on, through forensic examination of an iPhone and iPhone 3G and cover iPhoneOS v1.x, v2.x, and the new v3.0 software. Attendees will receive a special examiner's edition of iPhone Forensics containing an additional 30-40 pages of content and updates since the book went to print. All of the tools and demo content will also be provided so attendees can learn and explore hands-on. Join us and follow along hands-on to learn:
  • What kind of evidence is stored on the device
  • How to prepare an environment for iPhone forensics
  • Breaking v1.x and v2.x passcode-protected iPhones to gain access to the device
  • Building a custom recovery toolkit for the iPhone
  • Interrupting the iPhone 3G's "secure wipe" process
  • Data recovery of a v1.x, v2.x, and v3.0 iPhone user disk partition, preserving and recovering the entire raw user disk partition. Recovery over USB cable and Wi-Fi will be demonstrated.
  • Recovering deleted voicemail, images, email, and other personal data using data carving techniques
  • Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
  • Electronic discovery of Google map lookups, keyboard typing cache, and other data stored on the live file system
  • Extracting contact information and other data from the iPhone's database
  • Collecting desktop trace and establishing trusted relationships to owners' desktops
  • Different recovery strategies based on case needs
Using the tools and know-how provided in this workshop, you'll work hands-on to recover stored and deleted information from the iPhone including:
  • Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication.
  • Screenshots preserved from the last state of an application, taken whenever the home button is pressed or an application is exited.
  • Deleted images from the suspect's photo library, camera roll, and browsing cache.
  • Deleted address book entries, contacts, calendar events, and other personal data.
  • Exhaustive call history, beyond that displayed.
  • Map tile images from the iPhone's Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix.
  • Browser cache and deleted browser objects, which identify the web sites a user has visited.
  • Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps.
  • Deleted voicemail recordings stored on the device.
  • Pairing records establishing trusted relationships between the device and one or more desktop computers.
In addition, Jonathan will walk you through many common corporate and crime scene scenarios and describe the kind of data that will prove most useful in your investigation. A Q/A session will conclude the conference as time permits. Classroom assistants will be available to help during all classes.

This is a Mac-only course. Be sure to bring a Mac notebook and an iPhone if you would like to learn hands-on. Do not bring live evidence or any data that cannot be at risk from classroom mistakes. Classroom Specifications:
  • Mac OS X 10.5.7
  • iPhone 1st Gen or iPhone 3G
  • Firmware v1.1.4, v2.2.1, or v3.0
  • iTunes 8.1.1
Don't miss the opportunity to have your personnel trained by the leading expert in iPhone forensic examination. Register today, as space is limited.

 
LAST WORKSHOP

May 26-27 2009
Chicago, IL
9:00am - 5:00pm CT

Chicago Police
Training Academy

$3500 per person*

* Contact us for special Law Enforcement pricing (available to sworn, active duty officers)

NEXT WORKSHOP

Contact us to inquire about hosting a workshop on-site.