Skip to content

iPods Sing for Investigators

Finding a fleet of luxury cars parked incongruously outside a set of low-rent apartments, a London policeman set in motion an investigation that ultimately led to the arrest and conviction of six car thieves who had been operating in the area for more than a year. During that time, they had stolen 70 vehicles worth more than £1 million (nearly $2 million).

The case is significant because the thieves used new technology to aid their efforts. They did not steal cars outright. Through identity theft and forged credit documents, they tricked car dealers into thinking that they were well-heeled customers with whom they should do business.

The ruse allowed the criminals to “buy” the vehicles via the usual financing arrangements. Later, through other fake documentation, they tricked the U.K.’s Higher Purchase Investment (HPI), the organization that maintains the country’s vehicle financial records, into documenting the car as fully paid for.

During the course of the investigation, it was learned that the six were part of a gang that relied on the trendy iPod music players to hold voluminous documents used in their misdeeds. Unfortunately for the thieves, the same technology that they used to carry out their scheme was also their undoing. The Metropolitan Police Service (MPS) raided the gang’s headquarters and found the iPods. When the MPS Computer Crime Unit at New Scotland Yard conducted forensic examinations of these devices, says Alastair Campbell of the MPS Press Bureau, it discovered enough evidence to put gang members behind bars.

While this group may be among the first to be caught using iPods for illegal purposes, they are not likely to be the last. Security professionals should take note of this likely trend.

Storage capacity. Why are iPods likely to become a popular tool for electronic crimes? Because they provide thieves huge, portable storage capacity, and they can be configured as portable hard drives.

How much storage space do they have? At present, the largest iPod can hold 60 gigabytes (GB) of data, more than many laptops. That capacity would allow it to hold, for example, 25,000 high-resolution pictures.

Location, location. Another reason that iPods are likely to become a tool in cybercrime is that they are appearing in workplaces with increasing frequency. As they become ubiquitous, it will be more tempting for workers to use them to do things they shouldn’t, such as copying sensitive data and taking it from the office.

Criminal cantata. The good news from the perspective of security professionals is that iPods used to store evidence of a crime can be made to sing for the investigators who know how to coax the notes from the data. And this evidence can be used to make the guilty parties face the music in court.

I have seen how useful the iPod can be as a source of evidence. The case involved a company’s longtime bookkeeper, whom we will call Joe.

For more than 15 years, Joe was a quiet and diligent worker who kept the books and never aroused any suspicions. But shortly after Joe retired, the new bookkeeper (we’ll call her Jane) noticed something unusual: a small bank fee that had been paid with every previous transaction during Joe’s tenure was not added to new transactions. Thinking this odd, and not wanting to make any errors her first week on the job, Jane looked more closely at the record of previous deposits.

Although the books showed the transactions being paid to the bank, the bank records showed no such deposits. Jane notified the owner of the company, who contacted the bank. They discovered that the deposits were made into another account that the owner knew nothing about. The police were called in to investigate.

Embezzlement. Investigators arrived on the scene and quickly unraveled Joe’s scheme. For years, he had systematically used a small portion of company funds to pay a “deposit fee” on every transaction made to the company’s bank.

While his plan went undetected for years, the one detail that he never considered was what to do when he retired. The investigators saw that the small deposits had added up over the years and now totaled hundreds of thousands of dollars.

Once Joe’s prior actions became suspect, the owner remembered that Joe had sometimes brought a laptop to the office so that he could bring work home on weekends. He also remembered that for the last year or two, Joe kept an iPod on his desk. The investigating officer surmised that the bookkeeper may have used the laptop in the commission of the crime; the investigator prepared a search warrant for the residence.

The police and a team of forensic investigators went to the former bookkeeper’s residence with a warrant to seize any computer devices. They were nearly overwhelmed with the huge amount of potential evidence, because the suspect had an array of computer systems, all connected and running, in addition to a series of external hard drives. While the process of collecting all of these devices was underway, an officer on the scene noticed the iPod. The device was taken as evidence along with the other more traditional pieces of computer equipment. 

Back in the lab, forensic investigators at first came up empty-handed, finding no evidence against the bookkeeper on any of his home desktop computers or laptops. The only device remaining to be analyzed was the iPod.

Imaging. The investigator treated the iPod like any other external hard drive, careful to preserve its integrity so that any evidence remained untainted. He began by imaging (making a complete copy of) the iPod’s hard drive, which he saved to another hard drive. This copy was the one that would be used for analysis.

The investigator was also aware that iPods have some features that PC hard drives do not. For example, the iPod creates a separate partition that will contain firmware settings for the device (that is, the actual iPod operating system) and application information for iPod applications, including the calendar, contacts, and notes.

Partitions. After imaging the drive, the investigator began to examine it. The first thing he noticed was that Joe’s 40 GB iPod was configured with two data partitions: one 20 GB partition to hold music and another 20 GB partition to store data files.

The investigator ran a directory listing, which showed all the files on the drive that held the data files. This directory listing revealed a number of Excel and Word documents. These documents contained data critical to the investigation and would prove to be the smoking gun.

For example, the Excel spreadsheets contained detailed reports of each transaction the bookkeeper made, including time and date of deposit, as well as a record of each account number the bookkeeper used over the years. This evidence showed that Joe had been updating his records each time he embezzled money from the company; he had then saved the file to his iPod, which appeared to his employer to be nothing more than a portable jukebox.

The evidence taken from the iPod helped put the bookkeeper behind bars.

New forensic tool. iPods aren’t just the latest type of electronic device that investigators need to know how to examine. They also represent the next generation of mobile forensic devices for Macintosh computers.

Configuring the iPod as a forensic system comprises several steps. First, the iPod must be configured as an external hard disk. This is done by using a built-in configuration tool that allows the investigator to choose a check box to select “Use as Hard Disk,” though the iPod itself is used as the investigative tool rather than the hard disk on which data will be stored (a separate external hard drive is used for this purpose).

Next, the investigator needs to load the latest version of the Macintosh operating system, OS X. Investigators can ensure that they are getting the latest version by running a software update utility that automatically checks the version installed and displays all available upgrades.

Like any computer used for forensic examinations, the iPod needs to be configured as a forensically sound system so that when it is connected to a suspect computer, it does not write to the drive and contaminate any potential evidence. The most important step is to turn off “disk arbitration.” This is a feature of OS X that provides plug-and-play functionality so that when another device is plugged in, it can automatically be seen and recognized. However, this process can alter potential evidence, so examiners need to disable this function through a set of commands.

The iPod must also be equipped with software tools to be used by investigators. These tools allow investigators to examine and analyze systems for any data that may be evidence, such as the documents and spreadsheets on Joe’s iPod. Even some deleted data can be found using these software programs. The investigator uses the forensic software to quickly preview or image Mac systems using only the iPod and a small external hard drive on which to store the image.

The iPod’s size and strength make it particularly useful for forensic analysts in covert operations. No longer will a corporate or law enforcement investigator need to bring a bulky system into the field. With the tiny iPod, it is also easier to abort an operation should something go wrong.

Add-ons. In addition to configuring the iPod and adding forensic software as just discussed, investigators should consider adding other capabilities. Possible add-ons to an iPod that an investigator may find useful in the field include a voice-recording capability and a peripheral-camera connection for downloading pictures to the iPod for storage.

Of course, investigators must also be aware that criminals may have added these features. That means the device’s hard drive could include recorded conversations or photos that need to be analyzed.

The iPod can also function as a PDA, with built-in applications including a calendar, notes, and contacts applications. E-mail syncing applications are also emerging and being introduced to the market. These types of features offer additional sources of evidence to the investigator, but they also require the investigator to have the knowledge and skill to maintain and analyze this evidence properly.

If an iPod is being used as a forensic tool, these add-on features can be a boon to investigators. For example, investigators can use an iPod to record suspects’ conversations on site (if legally permissible); or, a digital camera can be connected to the device so that on-scene photos can be taken.

While Apple is on the cutting edge right now, the popularity of the iPod is giving competitors an incentive to make similar products. For example, Toshiba’s Gigabeat F Series is an MP3 player that also comes in a 10, 20, or 60 GB hard drive.

Competition from high-tech overseas producers virtually guarantees that prices will plummet on these gadgets, putting them in more hands and on more desktops. Anyone tasked with solving electronic crimes must become attuned to both the criminal uses and the forensic applications of these high-tech gadgets. Those that do will find their bosses singing their praises as they solve their cases.

Derrick Donnelly is CTO of BlackBag Technologies of Santa Clara, California, a provider of multiplatform forensic software and hardware solutions. He is also a regular instructor for the FBI Computer Analysis and Response Team (CART) and teaches at numerous other international, federal, state, and local law enforcement agencies.