The iPod has become the most popular MP3 player on the market. Because iPods can also be used as mass storage devices (with the exception of the iPod shuffle), digital evidence may be stored on them. The iPod is a computer in its own right, and because of this it will mount and write to its internal hard drive when connected to an investigation workstation, destroying the forensic integrity of the device. By putting the iPod into Diagnostic Mode, an investigator can prevent it from automatically mounting and writing to itself. A forensically sound image of the device can then be made.
- The iPod must be restarted before it can be put into diagnostic mode. First, check that the "Hold" switch is off (no orange should be showing).
- Press and hold the following combination of buttons for approximately 10 seconds to reset the iPod.
  - iPod 1G to 3G (scroll wheel and touch wheel iPods): Menu and Play/Pause
  - iPod 4G+ (includes Photo, Nano, Video, and Mini): Menu and Select
- The Apple logo will appear on the screen and you should feel the hard drive spin up (on models that have a hard drive). Press the following sequence of buttons:
  - iPod 1G to 3G: REW + FFW + Select (center button)
  - iPod 4G+: REW + Select (center button)
You will hear an audible chirp (3G models and higher) and the Apple logo will appear backwards on the screen.
The iPod is now in diagnostic mode.
- Connect the iPod to your investigation workstation using a FireWire write blocker. If one is not available, make sure to turn off Disk Arbitration in MacForensicsLab using the instructions found here before connecting the iPod to your workstation.
Note: These instructions do not apply to the new iPod Touch.