iOS Forensic Research
Welcome to the source for law enforcement tools and documentation in iOS forensic research
Home to the only complete suite of forensic tools for iPhone, iPad, and other iDevices.
Site access is freely available to full time, active duty law enforcement or military personnel tasked with mobile forensic imaging as part of their duties. To qualify as a law enforcement agency, the agency must have arrest and search/seizure powers and be subject to only one government (e.g. no international agencies, who are subject to multiple governments). Contact us from your law enforcement email account to request free access. Please provide your credentials and the contact name and number of a supervisor. You MUST provide an agency email address to send credentials to.
Please allow for 7-10 business days for your request to be reviewed.
Site access is NOT freely available to, and you may not share these tools with:
- Commercial entities
- Third party contractors (including forensics contractors)
- Outside consultants (contracted through non-government entities)
- Private investigators
- Part-time personnel
- Any personnel not specifically tasked with mobile forensic imaging as part of their duties
- Any countries not considered a friend of the United States of America
- International agencies subject to any foreign government
- Students or "researchers"
Due to the number of incomplete or inappropriate requests for site access, any invalid requests will be deleted and remain unacknowledged.
ALL WEBSITE ACCESS IS LOGGED AND AUDITED.
May 16, 2013: New Tool Available: iOS Enhanced Interrogation
iOS Enhanced Interrogation is an advanced logical tool for performing dumps of iOS devices over USB or WiFi. EI utilizes a number of private services and back doors to obtain clear text copies of data that is otherwise encrypted when backup encryption is used. As a result of its intensive operations on the device, it is capable of extracting much more than most of the leading iOS forensic acquisition tools. EI is entirely free of charge to all active law enforcement. This tool is maintained in this website's AutomatedTools directory. Read the README file.
Jul 22, 2013: Boston, MA: iOS Advanced Forensic Investigation
Join us as Jonathan Zdziarski, author, forensic scientist and iOS expert, leads your organization's law enforcement or security professionals through the delicate process of recovering and processing evidence stored on these devices. This advanced, one-day course will guide your investigators, hands on, through imaging and electronic discovery of iPhone and iPad devices. Attendees will receive a special law enforcement forensics guide and access to the tools used in the field by thousands of law enforcement agencies worldwide. All tools and classroom content will be provided to attendees on a USB stick so students can learn and explore hands-on. This course has undergone numerous transformations to make it continually one of the best iOS forensics courses available.
Registration is now OPEN: http://ios-boston.eventbrite.com/
May 14, 2012: Advanced iOS Forensic Imaging and Investigation
May 14, Boston MA - Marriott Copley Square
Advanced iOS Forensic Imaging and Investigation L-1
Join us as Jonathan Zdziarski, author, forensic scientist and iOS forensics expert, leads your organization's law enforcement or security professionals through the delicate process of recovering and processing evidence stored on these devices. This advanced, two-day course will guide your investigators, hands on, through imaging and electronic discovery of iPhone, iPhone 3G, iPhone 3G[s], iPhone 4, and iPad 1 devices, covering iOS and desktop trace up to and including iOS 5.0 firmware. Attendees will receive a special law enforcement forensics guide and access to the tools used in the field by thousands of law enforcement agencies worldwide. All tools and classroom content will be provided to attendees on a USB stick so students can learn and explore hands-on. This course has undergone numerous transformations to make it continually the #1 forensics course for iOS-based devices.
June 20, 2011: Advanced iOS Imaging and Investigation L-1 Workshops
We've once again revamped the "Advanced iOS Imaging and Investigation L-1" workshop! Several new pieces to the curriculum have been added and we are actively booking for summer and fall workshops. Please contact us if your agency would be interested in hosting a workshop and can guarantee a minimum of 10 seats. These classes typically run as high as 40 with good results.
The following new material has recently been added, and is now part of the two-day course:
- iOS application forensics. Learn how applications are organized on the device and delve into the world of electronic discovery within some of the most popular mobile applications, including Facebook, Twitter, and other social network applications, TomTom, and texting applications.
- Keychain Decryption and PIN brute forcing. Learn how to obtain the device's encryption keys and decrypt passwords on the keychain, as well as how to brute force and determine the user passcode PIN on iOS 4 devices.
- Raw disk decryption. Learn how to decrypt the device's raw disk, including files normally found encrypted from a file system dump, such as protected email and certain application data.
- Consolidated geolocation data. Learn iOS 4's new consolidated.db and how to parse geolocation data harvested by the device.
- SQLite database forensics. Learn how to recover deleted data within iOS' many SQLite 3 databases, and reverse engineer timestamps and other critical records, even when only fragments of data remain.
Many improvements have also been made to the workshop curriculum including:
- Using the latest multi-platform iOS 4 tools in OSX and Linux
- Best practices for securing an iPhone and preventing remote wipe
- Support for the CDMA iPhone 4
- Imaging an iPad
Please contact us to inquire about hosting a class for your department.
A full description of the course can be found here: http://www.iosresearch.org/workshop.html
June 14, 2011: Updated Zdziarski Method FAQ
Many have written in with questions about the latest version of the Zdziarski
method, which is used in the automated tools available free to law enforcement
agencies worldwide. This is a quick rundown of the most frequently asked
questions. This new FAQ shall be a living compendium of important questions.
December 10, 2010: National Institute of Justice Validates "Zdziarski" Method
The National Institute of Justice, in conjunction with The National Institute of Standards and Technology, has published test results validating the methods used in the forensic imaging tools and techniques used on this site.
November 1, 2010: iPhone Forensics Whitepaper
Andrew Hoog, Chief Investigative Officer at Via Forensics, has
put together an iPhone Forensics Whitepaper summarizing the available forensic
techniques for recovering data from the iPhone.
Depending on what kind of information you want to get,
there are a number of different techniques you can use.
July 24, 2009: Bypassing 3Gs Passcode and Encryption
[ Video ] Bypassing Passcode and Backup Encryption
[ Video ] Forensic Recovery of Raw Disk
[ Video ] What Kind of Data Can You Steal in 2 Minutes?
These YouTube videos, courtesy of security researcher Jonathan Zdziarski, demonstrate just how easy it is to bypass the passcode
and backup encryption in an iPhone 3G[s] within only a couple of minutes' time.
A second video shows how easily tools can pull an unencrypted raw disk image
from the device.
The seriousness of the iPhone 3G[s]' vulnerabilities may make enterprises
and government agencies think twice before allowing these devices to
contain confidential data. Apple has been alerted to, and aware of,
these vulnerabilities for many years, across all three models of iPhone,
but has failed to address them. Jonathan adds:
The 3G[s] has penetrated the government/military markets as well as top Fortune-100s, possibly under the misleading marketing term "hardware encryption", which many have taken at face value. Serious vulnerabilities such as these threaten to put our country's national security at risk. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs.
All website content Copyright ©, All Rights Reserved. Reproduction prohibited without permission.
This website is in no way affiliated with or endorsed by Apple, Inc.