Discuss iPhone Forensics Workshop at the General - Hackint0sh.org; For anyone interested...
iPhone Forensics Workshop
For anyone interested...
Upcoming iPhone Forensics Workshops
Sponsored by O'Reilly Media and Jonathan "NerveGas" Zdziarski, author of "iPhone Forensics"
The Boston workshop was a great success, and we learned a few new things that will help to make the next set of workshops even better. We've decided to take our course on the road, and are hoping to educate many law enforcement agencies and enterprises this fall.
We have scheduled two upcoming workshops:
Washington DC, November 12-13
URL: http://ipf2.eventbrite.com
Dallas, Ft. Worth TX, December 3-4
URL: http://ipf3.eventbrite.com
We are anticipating a larger turnout at these two events, so please register with us to ensure there's room. Vetted law enforcement personnel may contact us from a government email address to receive a $1,000 discount off admission.
Below is some information about the workshop. Please contact me directly if you have any questions, and I look forward to meeting some of you there!
Workshop Information:
Attendees will receive a copy of the print book "iPhone Forensics", which is now available on Amazon and at Barnes and Noble stores. This book covers the v2.x firmware as well as v1.x, and passcode breaking for both versions. Attendees will also receive a USB keychain drive containing the tools and payloads used in the workshop and an example set of sample evidence, in which you'll be able to follow along or participate hands-on, learning:
- What kind of evidence is stored on the iPhone
- How to prepare a desktop environment for iPhone forensics
- Breaking v1.x and v2.x passcode-protected iPhones to gain access to the device
- Performing field-expedient recovery of basic suspect data, such as that backed up using commercial tools
- Building a custom recovery toolkit for the iPhone
- Interrupting the iPhone 3G's "secure wipe" process
- Data recovery of a v1.x and v2.x iPhone user disk partition, checksumming, preserving and recovering the entire raw image
- Recovering deleted voicemail, images, email, and other personal data using data carving techniques
- Recovering geotags and timestamps from camera photos
- Electronic discovery of Google map lookups, typing cache, browser history, wifi history, application data and other data stored on the live file system
- Reassembling maps from the Google map tile cache and estimating chosen routes
- Extracting contact information, SMS messages, and other data from the iPhone's database
- Collecting desktop trace and establishing trusted relationships to owners' desktops
- Building an examination checklist and different recovery strategies based on case needs
Using the tools and know-how provided in this workshop, you'll work hands-on to recover stored and deleted information on the iPhone, including:
- Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication
- Screenshots preserved from the last state of an application, taken whenever the home button is pressed or an application is exited
- Deleted images from the suspect's synced photo library, camera roll, and downloaded browser objects
- Deleted address book entries, contacts, calendar events, and other personal data
- Exhaustive call history, beyond that displayed
- Map tile images from the iPhone's Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix
- Browser history and deleted browser objects, which identify the websites a user has visited
- Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps
- Live and deleted voicemail recordings stored on the device
- Pairing records establishing trusted relationships between the device and one or more desktop computers
In addition, you'll be walked through common corporate and crime scene scenarios, and we'll describe the kind of data that will prove most useful in your investigation. A Q/A session will conclude the conference as time permits. Classroom assistants will be available to help during all classes.
Coffee and light lunch fare will be served. Be sure to bring a Mac or Windows laptop (Mac preferred) and an iPhone if you would like to follow along. Do not bring live evidence.
Attendees are welcome to follow along with the demonstrations or actively participate with their own devices and laptops. While the techniques covered support many different firmware versions, certain specific versions will be demonstrated to keep the class moving. The following combinations will be covered in the workshop:
1. Passcode Breaking:
a. A first-generation iPhone running firmware v1.1.4 on Windows
b. A first-generation iPhone running firmware v1.1.4 on Mac
c. An iPhone 3G running firmware v2.1 on Mac
2. Forensic Recovery:
a. A first-generation iPhone running firmware v1.1.4 on Windows
b. An iPhone 3G running firmware v2.1 on Mac
Homework for active participants on the first day will be to recover the full disk image from their device. For those following along, a sample disk image will be provided for them to work with.
While the workshop covers techniques on both Mac and Windows, we strongly recommend you consider using a Mac for this workshop. The Mac's native compatibility with the HFS+ file system makes working with firmware and disk images much easier, and a few tools designed to streamline the rebuilding of data (such as Google maps and filesystem backups) are Mac-specific.