Hello,
I have an iPhone 5 with firmware version 8.3. I have reports from UFED and Oxygen without email (over 6000 emails). I did a jailbreak and installed AFC2. Unfortunately iFunbox and other programs still do not see root files (UFED did not add method 3). I installed OpenSSH via WiFi and I made a backup of the memory (64 GB). Using SSH I can also see a folder with emails (private/var/mobile/Library/Mail/Protected).
What else would you advise? I tried both IEF and UFED, but they do not want to analyze this backup. Oxygen wants to import only dmg.
I also tried to copy a file from the backup file, but I could not do that either (I tried OSForensics and EnCase). I backed up disk0 using SSH (it contained two partitions).
I have the copied folder itself with the e-mails, but I do not know how to convert it.
If a device is jailbroken you should see method 3 in the Physical Analyser. Are you sure the jailbreak was applied correctly? Maybe you should try it again.
I used the TaiG (2.4.3.0) jailbreak. I did it twice. Unfortunately the repository at apt.taig.com, where you can download TaiG AFC2, is not functional. I had to use another repository and add AFC2. The iMazing program also tells me that AFC2 is missing. But I have the accessory installed. That's why I also ran the jailbreak again. Everything always completes properly.
Extracting mail from iOS devices is a challenge as it doesn't get backed up. Mail is not stored in either local or cloud backups. Physical acquisition and advanced logical acquisition are basically the only methods that can extract mail.
Physical acquisition: you can use Elcomsoft iOS Forensic Toolkit on jailbroken devices (including your iPhone 5). You will get the full device image that you can analyze in a forensic tool such as Oxygen or UFED.
Advanced logical: while you can try using the AFC2 you've mentioned, AFAIK this acquisition path has been closed in iOS 8.3 (please correct me if I'm wrong).
Hello,
So I solved it. I connected the iPhone to Linux over WiFi. I made a dump of disk0 using SSH. It could not be loaded, so then I made a dump of disk0s1. There I saw the structure, but the content of the file was different. The individual partitions (disk0s1s1 and disk0s1s2) could not be backed up (error - resource busy).
Finally, I copied all the files using SSHFS. I put the files into a zip archive, and Oxygen opened the zip archive. And I have all the records. I have more records of others. I recommend it.
Jahelka,
What version or distribution of Linux did you use? DEFT/CAINE/PALADIN?