Evidence/Artifacts (Locating fruits of a crime)
Capturing screen shots of iTunes Preferences is much like obtaining settings from LimeWire: they provide the necessary evidence to show which settings were modified from the default configuration. Such screen shots make great exhibits to present in a lab report. However, it may be difficult at times to collect screen shots if an examiner cannot boot the evidential system in a virtual environment, e.g. VMware or VirtualBox. In unforeseen circumstances, the forensic examiner must depend on looking in other areas of a computer system in hopes of obtaining any type of evidence or artifacts.
The registry will provide very little data from the iTunes application: the installed version and the date of installation. However, the date of installation is not necessarily the date iTunes was first installed on the system; it is the date on which the latest available version/upgrade was installed.
The iTunes version and installation date can be obtained from the logical registry paths noted in Table 1.

Most systems contain a large number of 16-byte GUIDs listed under the Installer or Uninstall registry keys. Therefore, it would be advantageous for the examiner to search for the word “iTunes” rather than perform the tedious task of selecting each 16-byte GUID one at a time.
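The name-based search described above can also be run offline against a text export of the registry. The following Python code is an added example, not part of the original article; it assumes the standard Windows Uninstall key with its DisplayName, DisplayVersion and InstallDate values (the paths in Table 1 may differ), and the sample export, including its GUIDs, version and dates, is constructed.

```python
import re
from datetime import datetime

# Constructed sample: text of a regedit export (.reg), already decoded to str.
# The GUIDs, product names, version numbers and dates are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="Example PDF Reader"
"DisplayVersion"="9.1.0"
"InstallDate"="20090105"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"DisplayName"="iTunes"
"DisplayVersion"="0.0.0.0"
"InstallDate"="20090314"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\subkey]
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data" (REG_SZ only)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line.strip())
        if m and current is not None:
            # .reg files escape backslash and double quote with a backslash
            current[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def find_product(text, term="iTunes"):
    """List Uninstall subkeys whose DisplayName contains term, ignoring case."""
    hits = []
    for path, vals in parse_reg_export(text).items():
        name = vals.get("DisplayName", "")
        if "\\uninstall\\" not in path.lower() or term.lower() not in name.lower():
            continue
        try:  # InstallDate is assumed to be a YYYYMMDD string
            installed = datetime.strptime(vals.get("InstallDate", ""), "%Y%m%d").date()
        except ValueError:
            installed = None  # value missing or in another format
        hits.append({"key": path, "version": vals.get("DisplayVersion"),
                     "install_date": installed})
    return hits

if __name__ == "__main__":
    print(find_product(SAMPLE_REG))
```

Real regedit exports are UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text to `find_product`.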
Since iTunes is an Apple product, Property List (plist) files exist on the file system and can be found under the Program Files directory and under the user’s profile. However, the content in each plist file is generic: it yields no data with regard to iTunes Preference settings and provides no information of evidentiary value.
Another alternative is to perform a search for key terms, particularly in the pagefile.sys and hiberfil.sys files, which could provide evidence that the suspect had searched for child pornography on the peer network using a P2P application. But recall that in the child porn case, if evidence media are not seized in a timely manner, any valuable data will more than likely be overwritten in the two system files.
Apple’s Tech Support Web site references the iTunes Library files, which form a database iTunes uses to organize files added to the iTunes Library. Two iTunes Library files are created and maintained by iTunes for different purposes: iTunes Library.itl and iTunes Library.xml.[4]

