Artifact Integrity in Forensic Acquisitions of iPhones using Jailbreak Preprocessing [8F2-795]
Ian Hamilton, Marcus Thompson
Smartphones store increasingly large amounts of personal data that are often important to criminal investigations. To be acceptable in a court of law, this information must be retrieved in a manner approved and accepted by the forensic community and the judicial system. Acquisition methods that meet these requirements are considered forensically sound. The continually increasing security built into newer smartphones and mobile operating systems makes it difficult for mobile forensic examiners to acquire this important data in a forensically sound manner. The increased security is most prevalent within Apple’s iPhone and iOS and started with the release of the iPhone 4S and the A5 chip. One method of circumventing this security is a jailbreak. The jailbreaking process is not currently considered forensically sound because of its invasive nature, but little scientific research has been done to identify how invasive a jailbreak is, or whether it alters information stored on the device in a way that would call into question the integrity of any data retrieved after a forensic examiner jailbroke it. The research conducted will use hash value comparisons to determine whether a select number of important files are changed throughout a jailbreak and an iTunes restore.
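The hash value comparison described above can be sketched as follows. This is an added example, not code from the paper: it hashes a chosen set of files in two acquisitions and classifies each one. The artifact names and directory layout are hypothetical, and the file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, selected):
    """Map each selected relative path to its SHA-256, or None if missing."""
    root = Path(root)
    return {rel: (sha256_file(root / rel) if (root / rel).is_file() else None)
            for rel in selected}

def compare_manifests(before, after):
    """Classify every artifact seen in either acquisition."""
    verdicts = {}
    for rel in sorted(set(before) | set(after)):
        b, a = before.get(rel), after.get(rel)
        if b == a:
            verdicts[rel] = "unchanged" if b is not None else "absent"
        elif b is None:
            verdicts[rel] = "added"
        elif a is None:
            verdicts[rel] = "removed"
        else:
            verdicts[rel] = "modified"
    return verdicts

def demo():
    """Constructed sample: two directories stand in for the two acquisitions."""
    selected = ["artifact_a.db", "artifact_b.plist", "artifact_c.db"]  # hypothetical names
    with tempfile.TemporaryDirectory() as tmp:
        pre, post = Path(tmp, "pre"), Path(tmp, "post")
        pre.mkdir()
        post.mkdir()
        (pre / "artifact_a.db").write_bytes(b"constructed content 1")
        (post / "artifact_a.db").write_bytes(b"constructed content 1")
        (pre / "artifact_b.plist").write_bytes(b"constructed content 2")
        (post / "artifact_b.plist").write_bytes(b"constructed content 2, altered")
        (pre / "artifact_c.db").write_bytes(b"constructed content 3")  # missing afterwards
        return compare_manifests(build_manifest(pre, selected),
                                 build_manifest(post, selected))

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```

A file that is missing from the later acquisition is reported as "removed" rather than raising an error, so a gap in the evidence set is recorded instead of aborting the comparison.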