iPhone 5 (8.3) - dump for emails

(@jahelka)
Posts: 11
Active Member
Topic starter
 

Hello,
I have an iPhone 5 with firmware version 8.3. I have reports from UFED and Oxygen without email (over 6000 emails). I made a jailbreak and installed AFC2. Unfortunately iFunbox and other programs still do not see root files (UFED did not add method 3). I installed OpenSSH via WiFi and I made a backup of the memory (64 GB). Using SSH I also see a folder with emails (private/var/mobile/Library/Mail/Protected).

What else would you advise? I tried both IEF and UFED, but they do not want to analyze this backup. Oxygen wants to import only dmg.

I also tried to copy a file out of the backup file, but I could not do that either (I tried OSForensics and EnCase). I backed up disk0 using SSH (it contained two partitions).

I also have the copied folder with the e-mails itself, but I do not know how to convert it.

 
Posted : 13/08/2015 1:31 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

If a device is jailbroken you should see method 3 in the Physical Analyser. Are you sure the jailbreak was applied correctly? Maybe you should try it again.

 
Posted : 13/08/2015 2:07 pm
(@jahelka)
Posts: 11
Active Member
Topic starter
 

I used the TaiG (2.4.3.0) jailbreak. I did it twice. Unfortunately the repository at apt.taig.com, where you can download TaiG AFC2, is not functional. I had to use another repository to add AFC2. The program iMazing also tells me that AFC2 is missing. But I do have the accessory installed. That's why I applied the jailbreak again. Everything always completes properly.

 
Posted : 13/08/2015 2:47 pm
(@v-katalov)
Posts: 52
Trusted Member
 

Extracting mail from iOS devices is a challenge as it doesn't get backed up. Mail is not stored in either local or cloud backups. Physical acquisition and advanced logical acquisition are basically the only methods that can extract mail.

Physical acquisition: you can use Elcomsoft iOS Forensic Toolkit on jailbroken devices (including your iPhone 5). You will get the full device image that you can analyze in a forensic tool such as Oxygen or UFED.

Advanced logical: while you can try using the AFC2 you've mentioned, AFAIK this acquisition path has been closed in iOS 8.3 (please correct me if I'm wrong).

 
Posted : 20/08/2015 1:20 pm
(@jahelka)
Posts: 11
Active Member
Topic starter
 

Hello,
so I solved it. I connected the iPhone to Linux using WiFi. I made a dump of disk0 using SSH. It could not be loaded, so I then made a dump of disk0s1. There I saw the structure, but the content of the files was different. The individual partitions (disk0s1s1 and disk0s1s2) could not be copied (error - resource busy).

Finally, I copied all the files using SSHFS. I put the files into a zip archive. Oxygen opened the zip archive. And I have all the records. I have more records of others. I recommend it.

 
Posted : 05/09/2015 2:29 pm
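
The copy-then-zip step described in the post above, with a SHA-256 manifest added so the archive handed to the analysis tool can be checked against what was read from the device. This is an added example, not code from the thread: the function names and the manifest file name are hypothetical, `src_dir` is assumed to be the local SSHFS mount point (or an already copied folder), and `zip_path` is assumed to lie outside it.

```python
import hashlib
import os
import zipfile

MANIFEST_NAME = "SHA256SUMS.txt"  # hypothetical name chosen for this example


def sha256_stream(stream):
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def package_evidence(src_dir, zip_path):
    """Zip regular files under src_dir; symlinks/special files are skipped, not followed."""
    manifest, skipped = {}, []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED, strict_timestamps=False) as zf:
        for root, _dirs, files in os.walk(src_dir, followlinks=False):
            for name in sorted(files):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, src_dir).replace(os.sep, "/")
                if os.path.islink(path) or not os.path.isfile(path):
                    skipped.append(rel)
                    continue
                try:
                    with open(path, "rb") as fh:
                        manifest[rel] = sha256_stream(fh)
                    zf.write(path, rel)
                except OSError:  # unreadable on the live device, e.g. busy or denied
                    manifest.pop(rel, None)
                    skipped.append(rel)
        zf.writestr(MANIFEST_NAME, "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items())))
    return manifest, skipped


def verify_archive(zip_path, manifest):
    """Re-hash archive members; return paths that are missing or differ."""
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
        for rel, expected in manifest.items():
            if rel not in names:
                bad.append(rel)
                continue
            with zf.open(rel) as member:
                if sha256_stream(member) != expected:
                    bad.append(rel)
    return sorted(bad)
```

Because the device is live, a file can change between hashing and archiving; `verify_archive` reports such files, and the `skipped` list records what never made it into the archive.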
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Jahelka,

What version or distribution of Linux did you use? DEFT/CAINE/PALADIN?

 
Posted : 08/09/2015 3:31 am