Abstract:
In early 2010, Apple launched its first tablet and named it the iPad. Over time, different models were released. Such tablets are commonly used and in demand both locally and internationally. An iPad holds two partitions: the user data partition and the system partition. The user data partition contains the user's data and any extra applications installed, whereas the system partition holds iOS and the basic applications. From a forensics viewpoint, the user data partition contains various applications, e.g. Adobe Reader, File Manager, etc. These applications hold spreadsheets and text documents that are likely to contain financial and sensitive data. Other applications, like Skype and Facebook, are expected to hold important information (e.g. chat history). The GUI, core OS, standard applications (like Mail, iPod, Safari, Calendar, etc.) and application binaries are present in the system partition, but the related data (such as user mail) are kept in the data partition.
Techniques used to acquire data from an iPad include the synchronizing method, using built-in operating system utilities, and using forensic tools (open source, freeware, or commercial). Some methods provide fast data extraction, while others are slow. Some techniques involve jailbreaking, and some tools claim to provide fast data extraction without jailbreaking the device. Data extraction methods and open source tools are either freely available or can be bought at a low price, whereas commercial tools are closed source and highly expensive. It is also hard to determine whether the stated methods are genuine and whether these methods and tools preserve the legitimacy of the data stored on the device.
In this research, NIST standard/test results for an iPad acquisition tool have been established, and iPad forensics using a commercial tool has been performed in order to develop a reference for comparison. Then, iPad forensics using open source tools has been carried out. The legitimacy of the data obtained from open source forensic tools has been compared to the data obtained from the commercial tool.
Therefore, the research introduces a comparative study to illustrate a complete forensic analysis of the iPad, showing the changes that take place and the areas affected by these changes when the system is jailbroken. The research also draws conclusions about data integrity validation of iPad forensics using open source tools. The focus of the research is to determine whether data extracted with open source tools are valid, and to what extent. To check the data integrity of open source tools, statistics extracted with a commercial tool are kept as a baseline (standard/model).