iPhone Imaging for non-LE

25 Posts
12 Users
0 Likes
2,187 Views
jekyll
(@jekyll)
Posts: 60
Trusted Member
Topic starter
 

What is the best iDevice imaging method for all the non-LE forensic analysts out there?

I know there are security concerns related to open publication of the JZ method, but are they really well founded? Does the JZ method allow bypass of iPhone security to such a greater degree than jailbreaking that the rest of the digital forensic community should not have access?

 
Posted : 06/01/2011 5:21 am
(@beasleyjt)
Posts: 56
Trusted Member
 

JZ's tools allow the low-level (security means almost nothing) bit-for-bit imaging of the full device without making any changes to the device minus the memory that it is loaded into. If needed, they also allow the removal of the passcode from most iPhone iOS' allowing the user access to the UI.

The point of his method is to get a virtually unchanged copy of the evidence. If you jailbreak the device, changes have been made and this allows the defense the chance to state that something has been removed/added to the evidence. JZ's method has been tested and documented, and it can be proven in court what was done to the device.

I personally use the JZ tools for both purposes, but I use the passcode removal to allow the device to be returned to fallen soldiers' families.

 
Posted : 06/01/2011 6:44 am
jekyll
(@jekyll)
Posts: 60
Trusted Member
Topic starter
 

I know what JZ's tools allow for, but they are for LE only (I presume because of the passcode removal functionality). That is the whole point of the post (sorry you missed it).

I'm canvassing for an equally forensically sound acquisition method the rest of the digital forensic community can use. I work in civil and criminal matters and I find it frustrating that a good tool for forensically sound acquisition is restricted to LE only.

 
Posted : 06/01/2011 7:22 am
 Doug
(@doug)
Posts: 185
Estimable Member
 

The tools are not solely for LE. They are free to LE and can be purchased by non-LE assuming you can prove your credentials.
I would suggest contacting Jonathan to see if you can purchase the tools.

There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).

 
Posted : 06/01/2011 3:17 pm
jekyll
(@jekyll)
Posts: 60
Trusted Member
Topic starter
 

There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).

I don't know about that!

Andrew Hoog's review of iXAM over at ViaForensics seems to show this tool does exactly what JZ method achieves. Without having used either of them, I can't see any notable differences between these tools with regards to acquiring physical images.

http://viaforensics.com/education/white-papers/iphone-forensics/

Their website also shows some good validation and verification testing is being done:

http://www.ixam-forensics.com/passcode_bypass.asp

Not sure if this will allow decryption of data on the fly the way JZ method does, but I assume so.

 
Posted : 07/01/2011 7:42 am
 Doug
(@doug)
Posts: 185
Estimable Member
 

From the sounds of it the tool has improved considerably from the early releases.

After looking on the website I have a question.

There is a note on their site:

"Important note: iOS 4.0> encrypts raw disk partitions and the e-mail database on 3GS and iPhone 4 devices. iXAM can acquire but not decode this information."

Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data? Or do they still give you the file system like the iPhone Insecurity tools?

 
Posted : 07/01/2011 3:10 pm
(@beasleyjt)
Posts: 56
Trusted Member
 

Jekyll,

I forgot to mention on the other post that AccessData is about to release a major update to their Mobile Phone Examiner PLUS software. AccessData came to my facility and demoed their soon-to-release update of MPE+ and is going to send me a copy for testing. They say it is supposed to do physical acquisitions of "all iPhones", but we all know that what is said is not always what is.

Once they finally get it to me, I will post some results on it as well as iXAM.

 
Posted : 07/01/2011 10:07 pm
(@gh05teh)
Posts: 15
Active Member
 

iXAM is about as much use as a chocolate teapot..

JZ's method is still the best at the moment.
Isn't the method and process of doing the physical extraction shown in his iPhone forensics book?
I thought just the automated scripts were LE only.

 
Posted : 07/01/2011 10:51 pm
 isth
(@isth)
Posts: 65
Trusted Member
 

iXAM is about as much use as a chocolate teapot..

Can you elaborate on this?

 
Posted : 08/01/2011 2:09 am
Fab4
(@fab4)
Posts: 173
Estimable Member
 

Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data?

That's exactly as I understand it from 3GS onwards with iXAM in relation to the email database and unallocated areas. I've not seen JZ's method, but I didn't think it permits decryption of any data encrypted by the device... or am I wrong?

 
Posted : 08/01/2011 3:49 am
Page 1 / 3