A Study on the Evidence Investigation of Forged/Modulated Time-Stamp at iOS(iPhone, iPad)

iOS(iPhone, iPad)에서의 타임스탬프 위·변조 흔적 조사에 관한 연구

Lee, Sanghyun;Lee, Yunho;Lee, Sangjin

  • Received : 2016.04.11
  • Accepted : 2016.06.30
  • Published : 2016.07.31


Since smartphones possess a variety of user information, we can derive useful data related to the case from app data analysis in the digital forensic perspective. However, it requires an appropriate forensic measure as smartphone has the property of high mobility and high possibility of data loss, forgery, and modulation. Especially the forged/modulated time-stamp impairs the credibility of digital proof and results in the perplexity during the timeline analysis. This paper provides traces of usage which could investigate whether the time-stamp has been forged/modulated or not within the range of iOS based devices.


iOS Forensic;Forged Time-Stamp;Modulated Time-Stamp;iPhone Forensic;Digital Forensic


  1. Business Post [Internet], "The market share of smartphone," 2015,
  2. ZD Net Korea [Internet], "Domestic smartphone subscribers," 2015,
  3. Wikipedia [Internet], "iOS Jailbreak," %ED%83%88%EC%98%A5.
  4. SANS, "Forensic analysis on iOS devices," 2012.
  5. M. Kaart and S. Laraghy, "Android forensics: Interpretation of timestamps," Digital Investigation, Vol.11, Issue 3, pp. 234-248, 2014.
  6. Sean Morrissey, "iOS Forensic Analysis for iPhone, iPad and iPod touch," Apress, 2010.
  7. Graeme Horsman and Lynne R. Conniss, "Investigating evidence of mobile phone usage by drivers in road traffic accidents," Digital Investigation, Vol.12, pp.S39-S37, 2015.
  8. SungKyoung Un and WooYoun Choi, "A Trend of Smartphone Forensic Technology," Tech Report of ETRI, 2013.
  9. JaeHyun So, "Search evidence of the iPhone Backup file," AhnLab Tech Report [Internet], 2012,
  10. Sangah Kim, "The Analysis of Synchronized or Restored Pictures in Smart Devices," Graduate School of Information Security, Korea University, 2014.