What is the best iDevice imaging method for all the non-LE forensic analysts out there?
I know there are security concerns related to open publication of the JZ method, but are they really well founded? Does the JZ method allow bypass of iPhone security to such a greater degree than jailbreaking that the rest of the digital forensic community should not have access?
JZ's tools allow the low-level (security means almost nothing) bit-for-bit imaging of the full device without making any changes to the device, minus the memory that it is loaded into. If needed, they also allow the removal of the passcode from most iPhone iOS versions, allowing the user access to the UI.
The point of his method is to get a virtually unchanged copy of the evidence. If you jailbreak the device, changes have been made, and this allows the defense the chance to state that something has been removed from/added to the evidence. JZ's method has been tested and documented, and what was done to the device can be proven in court.
I personally use the JZ tools for both purposes, but I use the passcode removal to allow the device to be returned to fallen soldiers families.
I know what JZ's tools allow for, but they are for LE only (I presume because of the passcode removal functionality). That is the whole point of the post (sorry you missed it).
I'm canvassing for an equally forensically sound acquisition method the rest of the digital forensic community can use. I work in civil and criminal matters and I find it frustrating that a good tool for forensically sound acquisition is restricted to LE only.
The tools are not solely for LE. They are free to LE and can be purchased by non-LE assuming you can prove your credentials.
I would suggest contacting Jonathan to see if you can purchase the tools.
There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).
There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).
I don't know about that!
Andrew Hoog's review of iXAM over at ViaForensics seems to show this tool does exactly what JZ method achieves. Without having used either of them, I can't see any notable differences between these tools with regards to acquiring physical images.
http//
Their website also shows some good validation and verification testing is being done
http//
Not sure if this will allow decryption of data on the fly the way JZ method does, but I assume so.
From the sounds of it the tool has improved considerably from the early releases.
After looking on the website I have a question.
There is a note on their site
"Important note: iOS 4.0> encrypts raw disk partitions and the e-mail database on 3GS and iPhone 4 devices. iXAM can acquire but not decode this information."
Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data? Or do they still give you the file system like the iPhone Insecurity tools?
Jekyll
I forgot to mention on the other post that AccessData is about to release a major update to their Mobile Phone Examiner PLUS Software. AccessData came to my facility and demoed their soon to release update of MPE+ and is going to send me a copy for testing. They say it is supposed to do physical acquisitions of "all iphones", but we all know that what is said is not always what is.
Once they finally get it to me, I will post some results on it as well as iXAM.
iXAM is about as much use as a chocolate teapot...
JZ's method is still the best at moment.
Isn't the method and process of doing the physical extraction shown in his iPhone forensics book?
I thought just the automated scripts were LE only.
iXAM is about as much use as a chocolate teapot...
Can you elaborate on this?
Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data?
That's exactly as I understand it from the 3GS onwards with iXAM in relation to the email database and unallocated areas. I've not seen JZ's method, but I didn't think it permits decryption of any data encrypted by the device... or am I wrong?