#11 – When Things Go Awry

Scenario: A user connects an iPhone to a Windows 7 computer. The computer prompts the user with options of how to view the contents, sync contents, etc. The user chooses to view the files, browses to the DCIM folder, and begins to copy the photos to the computer. A few minutes into the file copy, iTunes opens on the computer and interrupts the connection to begin creating a backup. The user stops the iTunes backup, closes iTunes, and ejects the iPhone. The user unplugs the iPhone from the computer and plugs it back in to restart the DCIM file copy. Oddly, there are no photos to copy. On the iPhone, the Photos folder is empty, and there are no Recently Deleted photos. Add to this, iCloud Photo Sharing and iCloud Sync are disabled, and Photo Stream is turned off. What would you do to recover the photos?

This is what I tried when presented with this problem.

  1. Create a forensic image of the iPhone. I used Cellebrite Physical Analyzer, Method 1 and Method 2, to capture the contents. Jailbreaking the iPhone was not an option due to MDM settings (and I wasn’t going to risk losing everything).
  2. Carve for images. I again used Cellebrite Physical Analyzer for this. This method located 595 images, with all but two recovered images being junk portions of possible images. The two recovered images were application thumbnails and not the missing photos.
  3. Create a forensic image of the memory on the Windows 7 computer. I used FTK Imager for this because it was already installed on the machine. It made a copy of the pagefile.sys and created a memdump.mem file. I analyzed both of these with X-Ways — still no missing photos.
  4. Create a forensic image of the hard drive from the Windows 7 computer. I used a Logicube Falcon for the image creation, decrypted the image with EnCase, then analyzed the image in X-Ways. After carving for photos, no such luck.

What else would you have tried?

7 thoughts on “#11 – When Things Go Awry

  1. Does your VSS on the Win7 box have any iTunes backups? Also, what does the timeline of the Win7 image show happening file wise during that time?

    Like

    • The phone was not backed up after the photos were taken and before the file copy took place, so VSS wouldn’t have it. Good idea though.

      The timeline shows the file copy in progress, iTunes service starting, file copy halted, iTunes backup started, iTunes backup halted, Windows failing to connect to the iPhone, and then the iPhone connection dropped. (And that was a massive run-on sentence!)

      Like

  2. maybe a thumbs.db was left behind in the file copy if the user changed view settings while the copy was in progress

    Like

    • The phone has never been backed up, and was not backed up after the photos were taken. It was connected to the computer after the photos were taken, only to copy off the DCIM folder, then this happened.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s