Conducting an iPod Forensic Investigation

  • Conzetti Finocchiaro
  • Eric Goldman
  • Abhiney Natarajan
  • Maegan Stanek

22 Feb 2009   ::   Security   ::   #ipod #forensics #filesystem #pda #ftk #encase #sleuthkit


Executive Summary

This report provides an overview of how to conduct a forensic investigation of an Apple iPod. The report provides an explanation of the unique features of the iPod which are important for forensic analysis. In addition, the key files which will be of primary interest to the forensic investigator will be detailed and evidence acquisition will be demonstrated. The report includes references to previous research and contributes some new discoveries not previously considered in the forensic analysis of iPods.

Caveats in the Research Process

Due to time constraints and available resources we were not able to examine how the iPod file system works under various conditions. For example, we did not have access to an iPod that was formatted for Mac; as a result we were not able to observe differences between the various formatting options. It is noteworthy to mention, that in our situation, the dd image engulfs only the data partition of the iPod, rather than an entire disk. Certain data which is known to be useful in a forensic investigation was not created or available in our test images. As a result, our techniques and results are limited to the test images and data which were available during this time. In the future, it would be necessary to have a more advanced laboratory with various host computers and iPod variations in order to build out more complex procedures and scripts. The iPod can contain data on past calendar entries as well as upcoming ones. Though they did not exist on the provided iPod images, they would prove useful in an iPod.s forensic analysis.


This file was once useful at one time for acquiring useful user-related data; however, it is not created on modern iPods or on modern version of iTunes or other software. Therefore we were unable to examine and put this file to use.

Process Overview

In order to conduct the forensic analysis, we used multiple tools to demonstrate evidence acquisition. In addition, we developed a BASH script which employs command line Sleuthkit tools in order to automate some common forensics tasks. In order to conduct the experiments we acquired images of the iPod file system using command line dd after mounting the iPod as read only in Linux (note, the device can be accessed directly as a block device, therefore there is no need to actually mount the device). The raw image in the dd format was chosen since it could easily be imported into all of the tools selected for demoing the forensics process. In this report, we selected the following tools to perform a forensics analysis: EnCase, FTK, Autopsy, and Sleuthkit for scripting.

Problem Statement

At first glance, the iPod may seem like an innocuous portable audio player. However, the common acceptance of the iPod makes it a clever storage medium for illegal activity. For example, an employee could employ his iPod as an external hard drive and use it to copy company data for illegitimate purposes; since the iPod is not primarily understood to be used for this purpose, it is less likely to draw attention. In another case, a criminal may store his records or other data on his iPod. Current law enforcement may not be knowledgeable about the potential to hide electronic data on the iPod and it may not be included in a warrant or seized during a search of the criminal.s property. A craftier criminal may even use the interactive features of the iPod to access and modify data without connecting to a host computer. For example, a loan shark could secretly store and modify payment records on his iPod. Again, because most people believe that the iPod is simply a music player, they may never seize the device for forensics analysis.

As one can see, the iPod can easily be converted from is innocent design to a tool for illegal activity. As a result, it becomes important to understand how the internal workings of the iPod function. iPods can natively store calendar, contact, and image data in addition to audio files. It is also possible to directly access the file system of the iPod allowing a criminal to store data in unusual places or using steganography techniques. Therefore, we are conducting this research in order to facilitate real world investigations of seized iPods. We hope that our research will streamline the process for forensic investigators and help them better understand the challenges they face in their investigations.

While not covered explicitly within this report, the forensic investigation of an iPod can also provide some interesting secondary evidence. Under some operating situations, when an iPod is synced to a host system artifacts of the connection are left on both the iPod and on the host computer. These artifacts can later be discovered and used in a comprehensive forensic investigation. As a result, secondary evidence may be available such as when they information was copied or moved or what other machines or devices may have also been used in perpetrating the crime. This information may also be useful to prove ownership of the device so that a criminal cannot claim planted evidence.

The remainder of this report has many heavy graphical references and is therefore only available in download-able format. The PDF is a little larger than 1.5 MB and can be downloaded by clicking here. The full report details how to use each tool, and explains all relevant information. Many screenshots are included.

For more information, please view the accompanying PowerPoint presentation for this report:

This presentation covers tools and techniques which can be used to perform a computer forensic investigation on an Apple iPod. Many forensic investigators may be unaware of the valuable information a mobile entertainment device may hold. Criminals may intentionally hide information on such an inconspicuous device or the normal functionality and data syncing may provide valuable case clues.