The iPhone (and iPad) use solid-state NAND chips to store user data. These chips act as a type of hard drive for the device. Physical chip dumps have shown that memory is stored in 512K chunks in various locations of the chip. The solid state disk firmware attempts to minimize writes to the same portions of NAND, and even attempts to move blocks of memory around on the physical chip to ensure that the entire chip is used. This process results in dormant data generally lasting longer periods of time on the device before it is eventually overwritten. Due to the hardware-based encryption present on the iPhone 3G[s], iPhone 4, and iPad, chip-off forensics has proven extremely difficult.
You can’t simply remove the hard disk out of an iPhone or iPad, connect it to a write blocker, and image it the way you would a desktop machine. Even if you could rip out the disk (or perform a chip-off), you’d have to contend with an encrypted file system. Mobile forensics requires limited interaction with the device to extract data from it. On iOS-based devices, a forensic imaging agent is instituted as a process in the device’s memory – a portion of remote code containing the instructions to transfer the file system, encryption keys, or raw disk from the device to a connected desktop machine. The agent is injected into a protected system area on the device, where it will not affect the user disk or any user data. This is necessary, especially on newer devices, to allow the device itself to handle hardware-based decryption transparently, or to obtain otherwise restricted information from the device, such as secret encryption keys.
Q. Do you limit usage of this product to law enforcement agencies only?
A. We used to, but not anymore.