iOS forensics: how can we recover deleted image files with timestamp in a forensically sound manner?

Ariffin, A.; D'Orazio, C.J.; Choo, K.K.; Slay, J.

doi:10.1109/ARES.2013.50

iOS forensics: how can we recover deleted image files with timestamp in a forensically sound manner?

Date

2013

Authors

Ariffin, A.

D'Orazio, C.J.

Choo, K.K.

Slay, J.

Type:

Conference paper

Citation

Proceedings: 2013 International Conference on Availability, Reliability and Security: ARES 2013, 2013, pp.375-382

Conference Name

2013 International Conference on Availability, Reliability and Security ARES 2013 (2 Sep 2013 - 6 Sep 2013 : Regensburg, Germany)

DOI

10.1109/ARES.2013.50

Abstract

iOS devices generally allow users to synch their images (pictures) and video files using iTunes between Apple products (e.g. an iPhone and a MacBook Pro). Recovering deleted images, particularly in a forensically sound manner, from iOS devices can be an expensive and challenging exercise (due to the hierarchical encrypted file system, etc). In this paper, we propose an operational technique that allows digital forensic practitioners to recover deleted image files by referring to iOS journaling file system. Using an iPhone as a case study, we then conduct a forensic analysis to validate our proposed technique.

Rights

Published Version

https://doi.org/10.1109/ARES.2013.50

Persistent link to this record

https://hdl.handle.net/1959.8/151722

Full item page

iOS forensics: how can we recover deleted image files with timestamp in a forensically sound manner?

Date

Authors

Editors

Advisors

Journal Title

Journal ISSN

Volume Title

Type:

Citation

Statement of Responsibility

Conference Name

DOI

Abstract

School/Discipline

Dissertation Note

Provenance

Description

Access Status

Rights

License

Grant ID

Published Version

Call number

Persistent link to this record