
iOS 10 and forensic tools

(@streetforensics)
Posts: 55
Trusted Member
Topic starter
 

I know it's a brand new release but just wondering what others may know. I recently tried an extraction from an iPhone 5 and iPhone 6 running iOS 10. I used Blacklight 2016 R2 and Cellebrite PA 5.3.0.2 (which claims to support iOS 10). Neither product provided any data. Both claimed to have parsed images and videos, but none were viewable or playable. Hex views on those files appear garbled/encrypted(?).

PA found over 115k uncategorized files and I found the SMS.db in there, but again, the data appears garbled/encrypted.

So is this data encrypted (I think that the SMS data is now being sent using 'end to end' encryption) but I can view the data on the device so I would think it's in plain text somewhere. But probably in those nooks and crannies that our tools can't get to on iOS devices.

What does anyone here know?

 
Posted : 15/09/2016 11:31 pm
(@streetforensics)
Posts: 55
Trusted Member
Topic starter
 

Update: Called Cellebrite and was told to uncheck encrypt backup for devices running on iOS 10; this seems to have fixed my problem.

 
Posted : 16/09/2016 1:38 am
 RonS
(@rons)
Posts: 358
Reputable Member
 

You probably used UFED PA Advanced Logical and enabled iTunes encryption.
I suggest performing the Advanced Logical extraction again, but this time don't select the encryption.

This will get you all the data decoded.

iOS 10 encrypted backup support will be added very soon.

Best regards,
Ron Serber

 
Posted : 16/09/2016 1:41 am
(@tom_w)
Posts: 8
Active Member
 

The latest update of MOBILedit Forensic Express 3.5.2 fully supports the new iOS 10 backup encryption.

 
Posted : 26/09/2016 5:48 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Cellebrite UFED PA 5.3.5 that was released today adds support for encrypted iTunes extractions (when password is known) or extraction done using PA while selecting the encrypted option.

RonS

 
Posted : 28/09/2016 1:48 am
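
The symptom from the first post (an SMS.db that looks garbled in hex) can be checked before re-running an extraction. This is an added example, not code from any poster or vendor tool: it reads the `IsEncrypted` flag in an iTunes-style backup's `Manifest.plist` and tests each file for the plaintext SQLite header. The sample folder, its file names and the 7.5 entropy threshold are constructed for illustration.

```python
import math, os, plistlib, tempfile
from collections import Counter
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any plaintext SQLite file

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 looks random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path) -> str:
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite-plaintext"
    # High entropy is only a hint: compressed media can score high as well.
    return "high-entropy" if entropy(head) > 7.5 else "other"

def triage(backup_dir: Path) -> dict:
    """Report the backup's IsEncrypted flag and classify every other file."""
    with open(backup_dir / "Manifest.plist", "rb") as fh:
        manifest = plistlib.load(fh)
    files = {p.relative_to(backup_dir).as_posix(): classify(p)
             for p in sorted(backup_dir.rglob("*"))
             if p.is_file() and p.name != "Manifest.plist"}
    return {"is_encrypted": bool(manifest.get("IsEncrypted", False)),
            "files": files}

def build_sample(root: Path) -> Path:
    """Constructed stand-in for a backup folder; file names are hypothetical."""
    with open(root / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": True}, fh)
    (root / "aa").mkdir()
    (root / "aa" / "aa01").write_bytes(os.urandom(4096))            # looks encrypted
    (root / "bb").mkdir()
    (root / "bb" / "bb02").write_bytes(SQLITE_MAGIC + bytes(4080))  # readable database
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(Path(tmp))))
```

Run `triage()` against a working copy of the backup folder, never the original evidence.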