Preface
This book is intended for individuals who are interested in the iPhone and other iOS devices and, more importantly, in the type of data that is stored and can be recovered from these devices. The demand for mobile forensics has grown tremendously with the release of smartphones. Communication on these devices is now documented because people are no longer using their phones just for talking. Whether people use their iOS devices to send text messages, check their personal and work e-mail, browse the Internet, manage their finances, or even take photos and videos, what they do not realize is that this data is being stored on their devices. When they delete a piece of information, they expect that data to be gone forever. This book not only explains why this data can still be recovered but also provides detailed methods on how a forensic examiner can extract this information from an iOS device.
The book is organized in a manner that allows the reader to independently focus on one chapter at a time. If a Corporate Security Officer is only interested in whether the data stored on an iPhone or iPad is secure, he or she can jump straight to Chapter 4 – iPhone Data Security. If an experienced mobile forensic examiner understands all the files stored within the iPhone's file system but is interested in learning more about some advanced analysis techniques, he or she can skip through the first few chapters and focus on Chapter 6 – Data and Application Analysis.
The following paragraphs contain a brief summary of each of the chapters.
Chapter 1 provides an overview of the iPhone, including a timeline of events leading up to its development. Details related to the various models are outlined, including a definition of many of the hardware components within the device. The forensic acquisition of an iPhone device is introduced by defining the various ways in which data can be extracted. The chapter concludes with an introduction to Linux, showing how the use of its command-line tools can be extremely powerful in a mobile examination.
Chapter 2 introduces many of the popular Apple devices running iOS, as well as the features unique to these devices. Software updates, an introduction to device security, and the various operating modes are among the topics covered. Also covered are techniques describing the performance of system upgrades and downgrades and booting of the devices into different operating modes. The interaction between iTunes and an iOS device is discussed, including the functions it provides to support these iOS devices.
Chapter 3 discusses the type of data that is stored on the iPhone, the general locations of this data storage, and the format. Common file types recovered from an iOS device are described in detail in order to provide the examiner with an understanding of how the data is stored so that he or she can more efficiently recover data from these files. The type of memory contained on an iPhone is also outlined, in addition to the operating system, file system, and disk partitions contained on the device.
Chapter 4 provides mobile device administrators within companies with options for protecting user data. The reader is walked through the process involved in the testing of these Apple devices in an effort to determine the type of sensitive data that can be recovered from them. Also covered in this chapter is the development of secure mobile applications, strongly encouraging testing from both the user and developer perspective. Finally, some general recommendations for device and application security are provided, allowing users and administrators to proactively secure the devices used within their company.
Chapter 5 covers the various types of forensic acquisitions that can be performed on the iPhone, iPad, and other iOS devices. The importance of forensic imaging is discussed, followed by an explanation of the different ways in which a device can be imaged. Two different methods of data retrieval through the iPhone's backup files are stepped through in detail; this is followed by a logical acquisition and, finally, a physical extraction of the device. The possibility of imaging other iOS devices, including the iPod Touch and Apple TV, is also outlined.
Chapter 6 encompasses the analysis of the data contained on an iPhone. It starts out by introducing the reader to several different analysis techniques. Some basic methods are discussed, such as the mounting of a disk image, as well as more advanced techniques including the analysis of an image within a hex editor. Practical scenarios are applied for each technique in order to show an examiner all the steps needed to duplicate the command. Following the analysis techniques, the file system layout is discussed. From this section, the reader can gain an understanding of the location of each type of data. The chapter concludes with a mobile app reference section. Here, examiners can look through a list of specific applications and learn where the data for each is stored.
Chapter 7 covers the use of various mobile forensic acquisition tools, showing how they compare with one another. The data population process, which involves the preparation of an iPhone test device, is outlined. The methodology used for testing is explained in detail, followed by an overview of each of the software products used for analysis. A significant portion of this chapter is devoted to an examination of the test device using each of the tools listed. From start to finish, the reader is stepped through the installation, acquisition, and analysis, and a final table for each section contains the findings for that particular tool.

Website

For companion material including code, programs, and updates, please visit: http://viaforensics.com/education/iphone-ios-forensics-mobile-security-book/