Title :
iOS Forensics: How Can We Recover Deleted Image Files with Timestamp in a Forensically Sound Manner?
Author :
Ariffin, Aswami ; D´Oorazio, Christian ; Choo, Kim-Kwang Raymond ; Slay, Jill
Author_Institution :
Inf. Assurance Res. Group, Univ. of South Australia, Mawson Lakes, SA, Australia
Abstract :
IOS devices generally allow users to synch their images (pictures) and video files using iTunes between Apple products (e.g. an iPhone and a Mac Book Pro). Recovering deleted images, particularly in a forensically sound manner, from iOS devices can be an expensive and challenging exercise (due to the hierarchical encrypted file system, etc). In this paper, we propose an operational technique that allows digital forensic practitioners to recover deleted image files by referring to iOS journaling file system. Using an iPhone as a case study, we then conduct a forensic analysis to validate our proposed technique.
Keywords :
computer vision; file organisation; mobile computing; operating systems (computers); Apple products; IOS devices; deleted image files; digital forensic practitioners; forensic analysis; iOS forensics; iOS journaling file system; iTunes; Catalogs; Cryptography; Digital forensics; File systems; Media; Random access memory; data recovery; hierarchical file system plus (HFS Plus); iOS forensics; iPhone forensics; journaling file system; per-file key cryptography;
Conference_Titel :
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
Conference_Location :
Regensburg
DOI :
10.1109/ARES.2013.50
