iOS Forensics: How Can We Recover Deleted Image Files with Timestamp in a Forensically Sound Manner?

Abstract: iOS devices generally allow users to synch their images (pictures) and video files using iTunes between Apple products (e.g. an iPhone and a MacBook Pro). Recovering deleted images, particularly in a forensically sound manner, from iOS devices can be an expensive and challenging exercise (due to the hierarchical encrypted file system, etc). In this paper, we propose an operational technique that allows digital forensic practitioners to recover deleted image files by referring to iOS journaling file system. Usi… Show more

“…For example in another related work, Al Mutawa et al 33 extracted a database file from the Facebook application on an iOS 4 device, which was not found on iOS 6 devices 34 . Ariffin et al 35 also explained the complexity of retrieving unallocated and encrypted data from iOS devices and presented an acquisition method for recovering deleted image files from the iOS journaling system in iPhone 3GS and 4, which may not work for newer iOS devices.…”

Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms

“…For example in another related work, Al Mutawa et al 33 extracted a database file from the Facebook application on an iOS 4 device, which was not found on iOS 6 devices 34 . Ariffin et al 35 also explained the complexity of retrieving unallocated and encrypted data from iOS devices and presented an acquisition method for recovering deleted image files from the iOS journaling system in iPhone 3GS and 4, which may not work for newer iOS devices.…”

Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms

“…Recently, Arrifin et al (2013) presented an acquisition method of deleted image files after interaction with the iOS journaling system "from an Hierarchical File System (HFS) Plus volume in an iOS device". They highlighted the complexity of unallocated data retrieval procedures and the importance of data encryption during them, as these were the two main directions of their research.…”

“…The file system key (EMF) was employed for encrypting structural OS elements, such as journal and catalog entities, metadata and file system particles, whereas user data used to be encrypted by the AES engine. Taking into consideration that the acquired files are split in blocks within the journal, "the EMF and per-file (AES encrypted) keys have to be used respectively" (Arrifin et al, 2013). The technique was successful in the two target devices (3GS and 4) the researchers tested and they aspired the study to be extended to newer versions.…”

A critical review of 7 years of Mobile Device Forensics

“…The imaging process was less than 30 minutes and they were successfully developed an acquisition method that protects the integrity of the collected evidences. Recently, Ariffin was proposed an operational technique that allows digital forensic investigators to recover deleted image files by referring to Apple iOS journaling file system [45]. The proposed method was implemented on an iDevice that has been Jailbreak and used a customized RAM disk that was loaded into the device RAM.…”

Advances of Mobile Forensic Procedures in Firefox OS