±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 5
Overall: 27325
Visitors: 52

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

iPhone 5

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

iPhone 5

Post Posted: Thu Jan 17, 2013 1:28 pm

Hi everyone,

I was tasked with trying to extract the data from an iPhone 5, in a sexual battery case. The suspect video recorded the battery on his iPhone5. The video has been deleted; however, the phone was seized shortly after that and kept in a faraday bag while powered on to keep from connecting to any networks.

My questions are: 1. What software has anyone used to successfully extract data from an
iPhone 5?

2. Does the software allow for extraction of the slack space or
unallocated space to try and recover the deleted video?

I have full versions of Mobiledit, Device Seizure, UFED Ultimate along with the physical analyzer, and numerous other computer forensics propgrams. At this time the only software I can find which supports the iPhone 5 is Oxygen but my free copy is outdated.

Any help would be greatly appreciated,

Thank You,

Det. J. Diamond  

JDiamond
Newbie
 
 
  

Re: iPhone 5

Post Posted: Thu Jan 17, 2013 5:57 pm

- JDiamond
1. What software has anyone used to successfully extract data from an
iPhone 5?

2. Does the software allow for extraction of the slack space or
unallocated space to try and recover the deleted video?


1. Yes, there are tools to extract a logical file system from an iphone 5, i know the cellebrite ufed will do it.

2. no you will not get a physical dump of an iphone4s+, ipad2+ by any tools. even then, according to apple due to the basic file encryption scheme that they use, every file is encrypted on the device. When a file is deleted the keys are deleted, and in some instances secure erased. Basically it's currently (and I dont know if it ever will be) NOT possible to recover deleted files from a newer ios device.

You may have luck pulling ithmb files but that's all i can think of.
without testing, i think the iphone takes a screen shot when a user does fast application switching. that might show up somewhere but i cant recall off the top of my head where to look.

EDIT: Missed the word not in point 2. For clarity, as far as i know you cant get deleted stuff from the non-jailbreakable devices  

Last edited by randomaccess on Tue Jan 22, 2013 7:33 pm; edited 1 time in total

randomaccess
Senior Member
 
 
  

Re: iPhone 5

Post Posted: Tue Jan 22, 2013 3:51 pm

A few weeks ago, I spoke to a tech at BlackBag, and he said essentially the same thing randomaccess said. The files are individually encrypted, and when they are deleted, the encryption key is deleted. So, although the data likely still exists, without the encryption key, you're not getting that data back.

That actually led to my decision to not buy Cellebrite UFED at this time because it's $10,000 that gets me very little extra over what BlackLight can already do on an iPhone.

I've had luck pulling deleted SMS and MMS messages because those are stored in an SQL Lite database and it is (currently) not flushed as often as Apple would like you to believe.  

Bulldawg
Senior Member
 
 
  

Re: iPhone 5

Post Posted: Wed Jan 23, 2013 9:49 pm

1.no one tools can physical dump from iphone4s+
2.you can try to get deleted data by XRY (produced by MSAB)  

Horking
Member
 
 
  

Re: iPhone 5

Post Posted: Thu Jan 24, 2013 5:57 am

- Horking
1.no one tools can physical dump from iphone4s+
2.you can try to get deleted data by XRY (produced by MSAB)


those two statements seem to contradict each other :S

but curiously, what does XRY do that would get deleted data back?  

randomaccess
Senior Member
 
 
  

Re: iPhone 5

Post Posted: Thu Jan 24, 2013 4:05 pm

Cellebrite UFED will allow you to perform a file system extraction from iPhone 5 (and 4S).
Once this is opened in UFED Physical Analyzer you will get tons of deleted data from SQLite databases automatically for all supported data types (complete deleted files are not recoverable in file system extraction)

Ron Serber  

RonS
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1