An iPhone 3G was received for analysis. The owner had reportedly taken video of an assault and subsequently deleted the video. The device was user jailbroken and had the “Cycorder” app installed. This app uses the onboard still camera with 6-15 fps (images streamed into a video).
A logical analysis of the device recovered 3,648 live images but no videos located.
The physical analysis recovered 28,791 images but no video files. Visual inspection of the images revealed that a quantity were of a fight and were consistent with witness descriptions. Analysis of the identified images revealed the following:
Header: FF D8 FF D1 (yoya)
Foooter: FF D9
No EXIF information
Post Header: 6D 6A 70 67 (mjpg)
Sorting based on the above information identified 3,648 images. Using a jpg to avi complier and a frame rate of 10 fps, the 6 minute video of the fight was recovered and presented as court evidence.
The methods to obtain the physical DMG of an iPhone and the analysis of file headers/footers are covered in the MFI 202 and 303 classes. Seats are still available for the upcoming 202 class in Mississauga, Ontario, Canada class. See www.mobileforensicsinc.com for more details.