Digital forensics?

Digital forensics?

Tom Johnson
A friend writes:

"A friend and colleague recently died under suspicious/unclear circumstances overseas and the local police appear to have somehow unlocked his Apple devices (an iPhone and MacBook laptop).

Those devices are now in the family's possession and I said I'd look into whether tools or experts might exist to help assess what files/stuff were accessed, deleted, or added to his devices close to and since the evening of his death.
Can you offer any advice?"

FRIAM-ers: any suggestions or advice?

Tom

============================================
Tom Johnson - [hidden email]
Institute for Analytic Journalism   --     Santa Fe, NM USA
505.577.6482(c)                                    505.473.9646(h)
NM Foundation for Open Government
Check out It's The People's Data                 
============================================


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
archives back to 2003: http://friam.471366.n2.nabble.com/
FRIAM-COMIC http://friam-comic.blogspot.com/ by Dr. Strangelove
Re: Digital forensics?

Russell Standish-2
Using Linux, you can just mount the Mac's hard drive, and use Unix
tools to investigate those files that were touched in the time span of
interest. To be really sure, you should clone the drive first (e.g.
using the Linux dd command) so that you don't accidentally destroy any
evidence in your poking around (you work with just the copy).

As for the iPhone, I don't know how you would clone its storage, as
it's locked down by Apple. Presumably, you would need to jailbreak
the device first (potentially destroying the evidence you're looking
for). But once you have cloned it, you can mount the storage on Linux
as per usual - I believe iOS just uses the normal HFS+ file system
that MacOSX uses.

Cheers


--

----------------------------------------------------------------------------
Dr Russell Standish                    Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow        [hidden email]
Economics, Kingston University         http://www.hpcoders.com.au
----------------------------------------------------------------------------
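
The clone-first workflow described in the reply above, as an added example that is not part of the original thread: copy the source, record a hash so later changes to the copy are detectable, then list files whose timestamps fall in the window of interest. The function names are hypothetical, and GNU dd, sha256sum and find are assumed.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes GNU dd, sha256sum and find.
# Mount the verified image read-only (mount -o ro,loop) before running
# touched_between, so browsing cannot alter timestamps on the copy.

# Copy SRC (a disk device or file) to IMG and record the copy's SHA-256.
clone_and_hash() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4M status=none || return 1
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
}

# Succeed only if IMG still matches the hash recorded when it was made.
verify_image() {
    img=$1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}

# List regular files under ROOT whose content (mtime) or metadata (ctime)
# changed after START and no later than END. Columns: mtime, ctime, path.
touched_between() {
    root=$1; start=$2; end=$3
    find "$root" -xdev -type f \
        \( \( -newermt "$start" ! -newermt "$end" \) -o \
           \( -newerct "$start" ! -newerct "$end" \) \) \
        -printf '%TY-%Tm-%Td %TH:%TM  %CY-%Cm-%Cd %CH:%CM  %p\n' | sort
}
```

A walk of the mounted file system like this shows only files that still exist; deleted files do not appear in it.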

Re: Digital forensics?

Tom Johnson
Thank you, sir. 
