
UFED physical for iPhone/iPad

 Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

The following is a quote from another forum thread;

UFED Physical will soon add support for iPhone/iPad physical extraction and data decoding.

Once this is released, this would be the easiest and most complete solution for iPhone/iPad physical.

RonS

I've started a new thread for this discussion because, as usual, RonS is hijacking an otherwise useful post for blatant marketing messages about his own product.

Anyhow, let's get some substance on your post please.

What models and iOS versions will UFED be supporting for physical dump?
When are you releasing it?
Will it take the form of a bit-for-bit image, or is it a "filesystem dump", given your product's history of confusing the two?
Will you be jailbreaking the device?
What footprint, if any, will be left in the image and device beyond jailbreaking?
Will you extract the system partition too?
Will you be able to decode all or partial data types?

Thanks.

 
Posted : 21/01/2011 2:28 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

With all respect, I think that Bob Elder started his post with the sentence "Update information on iPhone data recovery".

And the additional information that I provided was that UFED Physical will soon support physical dumps of iPhones and iPads and that we will also be able to decode them.

I think that this information is very much useful for UFED users and users that are searching for a solution.

We will support 3G, 3GS and iPhone 4 devices.
No, we are not jail-breaking them.
We will decode the file system and many data types.

It will bring the best of all possible methods (for iPhone 4, no we will not decrypt the encrypted image although we do extract it, but we will bypass the encryption)

Additional information will be provided soon.

 
Posted : 21/01/2011 3:03 pm
 Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

With all respect, I think that Bob Elder started his post with the sentence "Update information on iPhone data recovery".

The post title is related to chip off R&D….

It will bring the best of all possible methods (for iPhone 4, no we will not decrypt the encrypted image although we do extract it, but we will bypass the encryption)

Additional information will be provided soon.

Thanks for the information. To be absolutely certain, "bypass the encryption" of and decode;

(i) logical data
(ii) certain datasets, e.g. email database
(iii) all unallocated space?

 
Posted : 21/01/2011 6:27 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Regarding chip off, as part of the iPhone decoding, UFED PA supports the file system reconstruction from a chip off (FTL implementation). This was tested with several versions (not all).

Regarding your other questions:
When the iPhone is encrypted on a hardware level, we bypass the encryption by performing a file system extraction of the entire data partition including ALL the files (without jail breaking and also when the device is password locked).
We also support the extraction of the encrypted partition, but as of now the result after file system reconstruction is encrypted files.

I am not aware of any solution at the moment (although we are researching this) that can decrypt the iPhone 4 encrypted dumps.

 
Posted : 21/01/2011 6:46 pm
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

Sorry for the cross post but I see that this conversation has two threads

Hi Ron S

I appreciate your need to advertise your product but the chipoff process has value in areas that the Cellebrite kit can't help, even when it can read physical.

If the guy destroys his phone before or during the arrest, now you have an iPhone or cell phone that won't connect to the Cellebrite kit, where do you stand with that?

If the cell phone is not functioning for whatever reason, mechanically that is, how can Cellebrite help us?

If there is water damage or physical damage to the port needed to communicate with the iPhone, what does Cellebrite do with this?

My research was done to allow us to get the RAW data from iPhones and cell phones that have been presented to us in these conditions. If the required chip is still intact, then we are able to get the data.

I did not do all this work to infringe on the Cellebrite tool, I do this to further the ability of Police Officers and forensic examiners to get the user data from cell phones so we can put bad guys in jail.

I might add that this process is very simple and very "cost effective". (-

 
Posted : 21/01/2011 11:37 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Bob,

I think that there is some misunderstanding of what I wrote.
I did not say at any point that chip off has no value.

On the contrary, we constantly perform chip-off for different platforms even before we conclude the R&D and are able to perform the physical extraction using the UFED.

We did this for Symbian, Blackberry, iPhone, LG, Samsung and many others.

We are doing this for 2 purposes
1) Develop file system reconstruction and data decoding so that when our customers perform chip off they have a solution for decoding their data and at the stage we are able to perform the physical dump, we will already have the decoding ready.

As an example, when you perform the iPhone chip-off, you could decode your dump using UFED PA.

2) Validation that our UFED physical extraction gets all and the correct data.

Regarding chip-off being simple as a generic solution for physical extraction, I am not sure I agree, but it might be for specific models (like iPhone).

Say hi to Shafik

RonS

 
Posted : 21/01/2011 11:54 pm
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

Thanks for clarifying this, maybe I was a bit defensive in my response and I apologise for that.

In the end, our work can complement each other (-

"Shaking of hands online"

Bob

 
Posted : 22/01/2011 12:07 am
 RonS
(@rons)
Posts: 358
Reputable Member
 

Bob,

No hard feelings.
Come visit us next week at the DoD Cyber Crime and have a demo of the UFED PA 2.0

RonS

 
Posted : 22/01/2011 12:32 am
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

Hey Ron

Can you contact directly cop.geek@gmail.com

 
Posted : 22/01/2011 12:41 am