• DocumentCode
    2129732
  • Title

    iOS Forensics: How Can We Recover Deleted Image Files with Timestamp in a Forensically Sound Manner?

  • Author

    Ariffin, Aswami ; D´Oorazio, Christian ; Choo, Kim-Kwang Raymond ; Slay, Jill

  • Author_Institution
    Inf. Assurance Res. Group, Univ. of South Australia, Mawson Lakes, SA, Australia
  • fYear
    2013
  • fDate
    2-6 Sept. 2013
  • Firstpage
    375
  • Lastpage
    382
  • Abstract
    IOS devices generally allow users to synch their images (pictures) and video files using iTunes between Apple products (e.g. an iPhone and a Mac Book Pro). Recovering deleted images, particularly in a forensically sound manner, from iOS devices can be an expensive and challenging exercise (due to the hierarchical encrypted file system, etc). In this paper, we propose an operational technique that allows digital forensic practitioners to recover deleted image files by referring to iOS journaling file system. Using an iPhone as a case study, we then conduct a forensic analysis to validate our proposed technique.
  • Keywords
    computer vision; file organisation; mobile computing; operating systems (computers); Apple products; IOS devices; deleted image files; digital forensic practitioners; forensic analysis; iOS forensics; iOS journaling file system; iTunes; Catalogs; Cryptography; Digital forensics; File systems; Media; Random access memory; data recovery; hierarchical file system plus (HFS Plus); iOS forensics; iPhone forensics; journaling file system; per-file key cryptography;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
  • Conference_Location
    Regensburg
  • Type

    conf

  • DOI
    10.1109/ARES.2013.50
  • Filename
    6657266
    • Link To Document
    https://search.isc.ac/dl/search/defaultta.aspx?DTC=49&DC=2129732