iOS Forensic Research

Welcome to the source for law enforcement tools and documentation in iOS forensic research
Home to the only complete suite of forensic tools for iPhone, iPad, and other iDevices.

Upcoming Workshop: Boston, MA
Jul 22, 2013: iOS Advanced Forensic Investigation: http://ios-boston.eventbrite.com

Follow @JZdziarski on Twitter

Site access is freely available to full time, active duty law enforcement or military personnel tasked with mobile forensic imaging as part of their duties. To quality as a law enforcement agency, the agency must have arrest and search/seizure powers and be subject to only one government (e.g. no international agencies, who are subject to multiple governments). Contact us from your law enforcement email account to request free access. Please provide your credentials and the contact name and number of a supervisor. You MUST provide an agency email address to send credentials to.

Site access is NOT freely available to, and you may not share these tools with:

Commercial entities
Third party contractors (including forensics contractors)
Outside consultants (contracted through non-government entities)
Private investigators
Part-time personnel
Any personnel not specifically tasked with mobile forensic imaging as part of their duties
Any countries not considered a friend of the United States of America
International agencies subject to any foreign government
Students or "researchers"

Please allow for 7-10 business days for your request to be reviewed.
Due to the number of incomplete or inappropriate requests for site access, any invalid requests will be deleted and remain unacknowledged.

ALL WEBSITE ACCESS IS LOGGED AND AUDITED.

Latest News

May 16, 2013: New Tool Available: iOS Enhanced Interrogation
iOS Enhanced Interrogation is an advanced logical tool for performing dumps of iOS devices over USB or WiFi. EI utilized a number of private services and back doors to obtain clear text copies of data that is otherwise encrypted when backup encryption is used. As a result of its intensive operations on the device, it is capable of extracting much more than most of the leading iOS forensic acquisition tools. EI is entirely free of charge to all active law enforcement. This tool is maintained in this website's AutomatedTools directory. Read the README file.

Jul 22, 2013: Boston MA: iOS Advanced Forensic Investigation

Jul 22, 2013: Boston, MA: iOS Advanced Forensic Investigation

Join us as Jonathan Zdziarski, author, forensic scientist and iOS expert, leads your organization's law enforcement or security professionals through the delicate process of recovering and processing evidence stored on these devices. This advanced, one-day course will guide your investigators, hands on, through imaging and electronic discovery of iPhone and iPad devices. Attendees will receive a special law enforcement forensics guide and access to the tools used in the field by thousands of law enforcement agencies world wide. All tools and classroom content will be provided to attendees on a USB stick so students can learn and explore hands-on. This course has undergone numerous transformations to make it continually one of the best iOS forensics courses available.

Registration is now OPEN: http://ios-boston.eventbrite.com/

May 14, 2012: Advanced iOS Forensic Imaging and Investigation
May 14, Boston MA - Marriott Copley Square
Advanced iOS Forensic Imaging and Investigation L-1
[ Register Here ]

Join us as Jonathan Zdziarski, author, forensic scientist and iOS forensics expert, leads your organization's law enforcement or security professionals through the delicate process of recovering and processing evidence stored on these devices. This advanced, two-day course will guide your investigators, hands on, through imaging and electronic discovery of an iPhone, iPhone 3G, iPhone 3G[s], iPhone 4, and iPad 1 devices covering iOS and desktop trace up to and including iOS 5.0 firmware. Attendees will receive a special law enforcement forensics guide and access to the tools used in the field by thousands of law enforcement agencies world wide. All tools and classroom content will be provided to attendees on a USB stick so students can learn and explore hands-on. This course has undergone numerous transformations to make it continually the #1 forensics course for iOS based devices.

June 20, 2011: Advanced iOS Imaging and Investigation L-1 Workshops
We've once again revamped the "Advanced iOS Imaging and Investigation L-1" workshop! Several new pieces to the curriculum have been added and we are actively booking for summer and fall workshops. Please contact us if your agency would be interested in hosting a workshop and can guarantee a minimum of 10 seats. These classes typically run as high as 40 with good results.

The following new material has recently been added, and is now part of the two day course:

iOS application forensics. Learn how applications are organized on the device and delve into the world of electronic discovery within some of the most popular mobile applications, including Facebook, Twitter, and other social network applications, TomTom, and texting applications.
Keychain Decryption and PIN brute forcing. Learn how to obtain the device's encryption keys and decrypt passwords on the keychain, as well as how to brute force and determine the user passcode PIN on iOS 4 devices.
Raw disk decryption. Learn how to decrypt the device's raw disk, including files normally found encrypted from a file system dump, such as protected email and certain application data.
Consolidated geolocation data. Learn iOS 4's new consolidated.db and how to parse geolocation data harvested by the device.
SQLite database forensics. Learn how to recover deleted data within iOS' many SQLite 3 databases, and reverse engineer timestamps and other critical records, even when only fragments of data remain.

Many improvements have also been made to the workshop curriculum including:

Using the latest multi-platform iOS 4 tools in OSX and Linux
Best practices for securing an iPhone and preventing remote wipe
Support for the CDMA iPhone 4
Imaging an iPad

Please contact us to inquire about hosting a class for your department.
A full description of the course can be found here: http://www.iosresearch.org/workshop.html

June 14, 2011: Updated Zdziarski Method FAQ
Many have written in with questions about the latest version of the Zdziarski method, which is used in the automated tools available free to law enforcement agencies worldwide. This is a quick rundown of the most frequently asked questions. This new FAQ shall be a living compendium of important questions.

http://www.iphoneinsecurity.com/faq.html

December 10, 2010: National Institute of Justice Validates "Zdziarski" Method
The National Institute of Justice, in conjunction with The National Institute of Standards and Technology, has published test results validation the methods used in the forensic imaging tools and techniques used on this site.

http://www.nij.gov/pubs-sum/232383.htm

November 1, 2010: iPhone Forensics Whitepaper
Andrew Hoog, Chief Investigative Officer at Via Forensics, has put together an iPhone Forensics Whitepaper summarizing the available forensic techniques for recovering data from the iPhone. Depending on what kind of information you want to get, there are a number of different techniques you can use.

July 24, 2009: Bypassing 3Gs Passcode and Encryption
[ Video ] Bypassing Passcode and Backup Encryption
[ Video ] Forensic Recovery of Raw Disk
[ Video ] What Kind of Data Can You Steal in 2 Minutes?

These YouTube videos, courtesy of security researcher Jonathan Zdziarski, demonsrate just how easy it is to bypass the passcode and backup encryption in an iPhone 3G[s] within only a couple of minutes' time. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]' vulnerabilities may make enterprises and government agencies think twice before allowing these devices to contain confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them. Jonathan adds:

The 3G[s] has penetrated the government/military markets as well as top fortune-100s, possibly under the misleading marketing term "hardware encryption", which many have taken at face value. Serious vulnerabilities such as these threaten to put our country's national security at risk. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs..