Like any good service provider, HAYSTACKID is never happier than when a big challenge enters into the workplace. One such complex project occurred when the team was given an inoperable, severely damaged iPhone that potentially contained critical evidence in a criminal case involving domestic abuse.
As many lawyers and district attorneys know, destruction of evidence is a common issue that too many defendants, and even prosecutors, often partake in. However, whereas an investigator years ago would not possibly be able to recover burnt records and destroyed files, today’s digital landscape provides an opportunity to do so, so long as the firm tasked with the project has a certain level of expertise.
In this project, the State Forensic Lab involved in the investigation was not capable of recovering the critical Electronically Stored Information (“ESI”) from the damaged iPhone. The task was transferred to HAYSTACKID, which is a company that is no stranger to this type of challenge.
The forensic team first had to overcome the physical failure of the device. The Clean Room Engineer removed the severely corroded printed circuit board (“PCB”) assembly and ran it through multiple cycles in an ultrasonic cleaner. Next, the PCB was hand cleaned in isopropyl alcohol with an acid brush, and swapped into a new iPhone housing.
The device, PCB and new housing was then sent to the Forensic Lab for imaging, where the investigator used the Elcomsoft iOS Forensic Toolkit 115 on Mac OS 10.6. After connecting the smartphone to the USB port and placing it into device firmware update mode, the investigator was able to load Elcomsoft’s RAMDISK.
Once this software was properly loaded, it was set to acquire a bit-to-bit forensic image of the device’s file system. The device’s partition was acquired with no errors to Mac disk image format, DMG. The investigator then used Elcomsoft to get the device keys and keychain data necessary to decrypt the user partition.
The user.dmg image was successfully decrypted into another Mac disk image format named user-decrypted.dmg with MD5 hash authentication. HAYSTACKID decided to provide the iPhone image in its native format because EnCase 7 and BlackLight by BlackBag Technologies support iOS file systems, while DMG images are the native format for iOS and Mac investigations.
This decision allowed the Forensic Investigator to mount and verify the DMG image in EnCase 7. The BlackBag investigation identified forensic remnant and that the iPhone was set to factory reset with minimal data recovered.
However, a valuable text was recovered that exonerated the defendant and led the District Attorney to drop all charges. HAYSTACKID was heavily involved in the entirety of the project, as its Forensic Examiner wrote affidavits in preparation for live testimony.
This is yet another example of how the most complex and challenging tasks do not necessarily have to end poorly. HAYSTACKID maintains a commitment to excellence, and to retaining the most talented individuals in the field, to ensure that all projects are completed efficiently, accurately and comprehensively, no matter what they might entail.