Today the iPod is the most popular music device in the United States. Newer versions of the device act more like a PDA (Personal Digital Assistant) than just a music player. They allow users to store items such as contacts, calendar items and data files, and the newest version also stores photos for display on its color screen. In 2004 Duke University gave out iPods to all incoming freshmen and encouraged them to store their files, academic calendars, contacts and homework assignments on the device.
The iPod connects to the computer via Universal Serial Bus (USB) or FireWire, making it easy for users to copy the contents of an entire computer to the device. There are two versions of the iPod: a Macintosh version, which uses the HFS+ file system, and a Windows version, which uses the FAT file system. With iPods storing up to 60 GB of information, the device is also a very appealing tool for criminals. In 2001 and 2002 a gang of criminals in London defrauded auto dealers of luxury cars by hijacking someone’s identity and using the information to make loan-free purchases. Authorities raided a home where some of these vehicles were parked. The incriminating evidence found at the scene was an iPod with stolen identities and contact information of criminal associates. This poses a threat to corporate IT departments, because USB ports are difficult to disable: most new peripheral devices (mouse, keyboard, printer, etc.) require the use of these ports.
Secret Service records show that 80 percent of cybercrime cases involve an internal element, whether intentional or unintentional. Along with their use for information theft, iPods and other portable media storage devices can be used to spread viruses and child pornography. Chris Marsico and Marcus Rogers from Purdue University’s Cyber Forensic Lab wrote a paper titled “iPod Forensics” in 2005. It is one of the first documents available on the forensic examination of the iPod. They also tested commercial tools such as EnCase, Forensic Toolkit (FTK) and BlackBag's MAC Forensic Software. These tools successfully extracted latent deleted files from the iPods, even after the device had been reformatted once or several times between file systems. EnCase proved to be the most efficient at data recovery for the different versions of the iPod.
This is encouraging for corporate network security departments and forensic examiners. Now CIOs and IT managers will have to determine how to monitor and handle iPods, as well as other portable storage devices such as CDs and USB thumb drives, within their organizations. I think it’s just a matter of time before an iPod or thumb drive holds the smoking gun in an e-discovery case. While the advancement of technology is good, we must also realize that the same technology will be used by criminals.