I wanted to love this book. I've spoken to the author previously, so I know of his deep passion for digital forensics in the Apple world. While the actual content of the book is very strong, the presentation is sloppy. The book reads like a final draft that was submitted to the publisher and released without any editing. The book is replete with problems such as spelling errors (in the form of incorrect words that would not be picked up by a spell check function), grammatical errors, and confusingly written sentences. I gave up highlighting all of the errors I ran across around the time I hit the sixth chapter. Additionally, many of the images in the book are difficult to view clearly. I can understand pictures being hard to view on an actual Kindle device, but when they are blurry and unusable in the Kindle for PC version, it comes down to an attention-to-detail failure on the part of someone in the creation process for this book. For example, in the fourth chapter, the blurry pictures of the Cellebrite tool make it look like it had informed on a Mafia boss and had entered the witness protection program. I feel bad for the author because he clearly put a tremendous amount of very thoughtful work into the project. I understand fully that after spending a considerable amount of time with a large writing project, it can be very difficult to catch your own errors. That's why authors of books like these need other dispassionate people to edit their work before it goes to press.
Chapter 1 provides the reader with an excellent history of Apple mobile devices and operating systems. I appreciated the author taking the time to set the stage for the forensic aspect of the book by explaining the overall history of these devices. The pictures in this chapter are relatively clear and show the internals of many of the devices that are discussed.
Chapter 2 delves into the subject of the iOS operating system itself. It starts out with a history of the operating system and then covers the history of application development. This chapter includes a detailed explanation of file systems, how these devices are partitioned, and how to examine the various databases and plists available.
Chapter 3 provides a comprehensive explanation of the legal issues involved with the search and seizure of these devices. The chapter concludes with instructions on how to safely seize a device in a manner that maximizes the preservation of evidence. This chapter also includes information on how an investigator should not forget about computers that have been used to interact with these devices and explains what evidence can and should be obtained from them.
Chapter 4 is the iPhone logical acquisition chapter and includes a review of the various tools available to recover logical information from these devices. This includes the author's step-by-step instructions (complete with sometimes poor-quality screenshots) on how to use tools such as Lantern, Secure View 2, Oxygen Forensic Suite 2010, Cellebrite, and Device Seizure to obtain and parse data. The chapter concludes with an assessment of how well the various tools performed against a sample iPhone 3GS.
Chapter 5 is the logical data analysis chapter and it starts with an excellent guide on how to set up a proper digital forensics workstation. It includes an extensive list of software to facilitate examinations. The rest of the chapter is spent instructing the reader on how to examine a wide variety of artifacts dealing with topics such as SMS, MMS, browser history, photos, and system configuration information. The chapter also addresses the analysis of third party applications dealing with topics such as Skype, Facebook, and Twitter. It concludes with coverage of document recovery and also includes a discussion of anti-forensic tools such as iErase.
Chapter 6 focuses on forensic artifacts of interest that can reside on Mac or Windows desktops such as backups of iOS devices.
Chapter 7 provides a detailed analysis of various GPS related evidence that can be recovered from iOS devices. This was one of my favorite chapters of the book because it illustrated how much geodata can be found on a device and how it can be used in an investigation.
Chapter 8 is the media exploitation chapter. The book defines media exploitation as obtaining all information from a device. This means that media exploitation is essentially another term for a physical image. The chapter starts with a comprehensive explanation of digital rights management (DRM) that includes an overview of the recent legal history of DRM. It then goes into an explanation of methods of creating images, such as using tools like iXAM.
Chapter 9 is the media examination chapter and deals with the examination of an acquired image of a device. This chapter covers issues such as the recovery of email and the use of tools such as MacForensics Lab, EnCase, and Forensic Tool Kit to examine an image. The chapter concludes with a discussion of spyware tools.
Chapter 10 is the final chapter and covers the topic of network analysis. The chapter begins with a relatively comprehensive explanation of general networking concepts and then moves on to showing how to examine network data stored on the phone. This chapter also shows the reader how to capture and examine network traffic.
I call this book a diamond in the rough because if you set aside the frustrating presentation issues, this is a fine book that does an admirable job educating the reader about iOS forensics. This could very easily have been a five-star book. Unfortunately, it's undermined by the poor quality of some of the images and the lack of professional editing. Hopefully, there will be a second edition with updated content and proper editing.
Despite the flaws, I recommend this book to anyone who wishes to become educated on the topic of iOS forensics. It's an excellent resource both for digital forensics practitioners and those who aren't in digital forensics, but who want a detailed understanding of these devices.