So, the first day at Mobile Forensics World 2009 has come to an end. I heard some very interesting stuff today on low-level iPhone forensics and mobile phone forensic tool testing.
The first talk was from Rick Voss (FBI) about the future developments in digital (and some mobile) forensics. It was mainly about the recent proposal for new legislation on conducting digital forensic investigations. Think of certification and accreditation of labs and so forth (can't remember the rest). It was less applicable to me, because it was focused on the US legislation, but still interesting to hear.
The second talk I attended was from Jonathan Zdziarski about low-level iPhone forensics. This guy definitely knows what he's talking about.
He explained the process of 'hacking' the iPhone and how to initiate a dd dump of the user partition of the internal memory over SSH. The hack of the iPhone (often the term 'jailbreaking' is used, even though it is not accurate) is forensically acceptable, since only the system partition is altered in this process. The exact details are too elaborate for now, but in essence it just alters the system partition to include certain tools like netcat, sshd and dd in the system. These are then used to dump the memory over a netcat connection. The same method of altering the system partition can be used to disable an activated handset lock. This is a matter of deleting or altering a certain file in the system partition.
Further, Jonathan is working on a method to transfer the memory over USB instead of the network, which should make it faster.
The third talk was from Rick Ayers (NIST) about forensic tool testing. He explained how the process works and how to interpret the documents that result from this process.
In 2010 they will start forensic tool testing for smart phones specifically! This means comparing and testing the tools available for Symbian, Windows Mobile, Apple iPhone, RIM BlackBerry and Android (although this one was not on his sheet).
That was it for today, more tomorrow!