State of iPhone and iPad forensics (physical & logical)

Posted: Wed Jul 17, 2013 5:51 am

Hello,

I wanted to get a complete summary of the current state of forensics that can be done with i-Devices, from what I read in this forum and other blogs/articles/research we have the following:

- Physical and logical extraction possible on devices up to iPhone 4 and iPad 1 running firmware up to iOS 5.

- Logical acquisition possible on iPhone 4GS, 5 and iPad 2,3 running up to iOS 6.

- Physical extraction currently not possible with iPhone 4GS, iPhone 5, iPad 2, and iPad 3 (regardless of iOS version).

- PIN Code lock bypass not possible on iPhone 4GS, iPhone 5, iPad 2 and iPad 3.

Am I correct in my summary, or have there been any advancements that I might have missed?

Thanks guys!

-Alistair  

Alistair
Member

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Wed Jul 17, 2013 7:19 am

Alistair wrote:

    - Physical and logical extraction possible on devices up to iPhone 4 and iPad 1 running firmware up to iOS 5.

Physical Analyzer from Cellebrite supports physical and file system extractions up to iPhone 4 and iPad 1 running firmware up to iOS 6.1.3. Not sure about the rest of the mobile device products out there.  

cvanaernam
Newbie

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Wed Jul 17, 2013 2:56 pm

Elcomsoft claims, and I have not verified this, that they can perform a physical acquisition on an iPhone 4S and 5 and iPad 2+. The device has to be jailbroken either by the examiner or already jailbroken by the user. The PIN cannot be bypassed.

Can anyone verify this? I do not own Elcomsoft iOS Forensic Toolkit. I'd rather not jailbreak a phone, but if it's a choice between not jailbreaking and getting nothing and jailbreaking, I guess I'll jailbreak it.  

Bulldawg
Senior Member

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Wed Jul 17, 2013 6:08 pm

Hey Bulldawg,

It's possible to jailbreak an iPhone without knowing the passcode, right? Is entering DFU mode enough?

Alistair
Member

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Thu Jul 18, 2013 12:08 am

Doesn't jailbreaking wipe all of the user's data on an iPhone 4S/5?

Horking
Member

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Thu Jul 18, 2013 5:25 am

I have not looked at the most recent version of the toolkit but have been doing some jailbreak testing over the last couple of weeks. To confirm, it is possible to jailbreak a PIN locked device running 6.1.3 without access to the passcode and from my testing it does not appear to do anything with the data on the device. In the interest of clarity my test device only had 1 contact on it prior to jailbreaking and the contact remained afterwards.

The big problem IMO with the message from Elcomsoft, and anybody else that offers this on the newer devices, is that while it may be possible to jailbreak the device without losing data (or the device may be jailbroken already), if the device does not have SSH installed from Cydia then it will not be possible to connect to the device and get any data out. They do mention this in the FAQ, but of course it's not part of the marketing message.

So, if the device is locked, you can jailbreak it, but without getting past the PIN screen you cannot install OpenSSH from Cydia, thus you cannot connect to it.

If the device is already jailbroken and OpenSSH is installed, you still need the owner to not have had the sense to change the root password, because if they did, even with SSH installed you do not have the correct credentials to authenticate.

One thing I haven't tried on this front is installing a "custom bundle" into the jailbreak payload which includes OpenSSH; however, I think there are a number of dependencies that are required, and as such this may not be as easy as it sounds, or indeed possible at all.

edit: Thinking about this further, one shouldn't overlook the ability to get a physical acquisition from these devices which are not PIN locked, or where the PIN has been provided. As I'm sure all know, the volume of data present in a backup is limited, and a physical acquisition and the ability to decode from any device is not to be sniffed at. Though this may a) involve jailbreaking the device and thus changing its state, and b) connecting it to a network to download OpenSSH from Cydia once compromised. There is clearly an inherent risk with both of these steps.

Hopefully that information is useful and perhaps prompts some additional discussion/research on the topic.

Colin
_________________
Colin Mortimer
AirWatch 


Last edited by Coligulus on Thu Jul 18, 2013 5:53 am; edited 1 time in total

Coligulus
Senior Member
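An added example, not code from the thread or from Elcomsoft, Cellebrite or Cydia, of the one check that decides whether the SSH route Colin describes is open at all: does the device answer on SSH? Assumptions: the device is reached over TCP at a host and port (Wi-Fi, or a usbmuxd forward such as iproxy to 127.0.0.1, which is not shown here); only the SSH identification line is read, so nothing authenticates and nothing on the device changes. The loopback listener and its banner are constructed stand-ins for a device so the example runs without hardware.

```python
import socket
import threading

# Added example for this thread; not vendor code. It only reads the SSH
# identification string (the "SSH-2.0-..." line a server sends first), so it
# never logs in and never writes to the device. Host/port are assumed to be
# a Wi-Fi address or a usbmuxd/iproxy forward set up by the examiner.


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 3.0):
    """Return the server's SSH identification string ("SSH-2.0-...") or
    None if the port is closed, unreachable, or does not speak SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            # The identification line is short and newline terminated.
            while b"\n" not in data and len(data) < 255:
                chunk = s.recv(255)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return line if line.startswith("SSH-") else None


def ssh_status(host: str, port: int = 22) -> str:
    """Classify what the examiner is facing before attempting an acquisition.

    "no-ssh"    nothing SSH-like answered: OpenSSH is not installed, or the
                device is locked/unreachable, so there is no SSH-based pull
    "openssh"   OpenSSH answered; the root password still has to be correct
    "other-ssh" some other SSH server; check its authentication separately
    """
    banner = grab_ssh_banner(host, port)
    if banner is None:
        return "no-ssh"
    if "OpenSSH" in banner:
        return "openssh"
    return "other-ssh"


def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in for a device: a loopback listener that sends
    `banner` to the first client and exits. Returns the chosen port.
    Exists only so the example runs without hardware."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


def closed_port() -> int:
    """A loopback port that is (almost certainly) not listening, for the
    negative case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed banner; a real Cydia OpenSSH build reports its own version.
    print(ssh_status("127.0.0.1", serve_banner_once(b"SSH-2.0-OpenSSH_5.9p1\r\n")))  # openssh
    print(ssh_status("127.0.0.1", closed_port()))  # no-ssh
```

"openssh" only says a server is listening. Whether the root password is still the default is a separate question that can only be settled by a real login attempt, which is the point Colin makes about owners who have changed it.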

Re: State of iPhone and iPad forensics (physical & logical)

Posted: Thu Jul 18, 2013 5:48 am

I just did a quick test to see if an already jailbroken device could be accessed using iExplorer on a PC which had not previously "met" the iDevice. The answer was a resounding no. Again, it would seem that even if jailbroken, if the PC does not have the necessary escrow keybags, you cannot access the device prior to inputting the PIN.
_________________
Colin Mortimer
AirWatch 

Coligulus
Senior Member
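On the host side, whether a PC has "met" a device in the sense Colin tested is recorded in the lockdown pairing record, which is where the escrow keybag is kept. The following is an added example, not code from iExplorer, Cellebrite or Elcomsoft, that inventories the pairing records a workstation already holds. Assumptions: records are stored as <UDID>.plist files under the lockdown directory (/var/lib/lockdown or /var/db/lockdown on Linux and macOS, %ProgramData%\Apple\Lockdown on Windows) and carry HostID, HostCertificate, SystemBUID and, for iOS 5 and later, an EscrowBag blob. The records written by the demo are constructed, not taken from a device.

```python
import plistlib
import tempfile
from pathlib import Path

# Added example for this thread; not vendor code. Assumed layout: one
# <UDID>.plist per paired device in the lockdown directory, plus a
# SystemConfiguration.plist holding the host-wide SystemBUID. Assumed keys
# in a record: HostID, HostCertificate, SystemBUID and (iOS 5+) EscrowBag.

REQUIRED_KEYS = ("HostID", "HostCertificate", "SystemBUID")


def inspect_pairing_record(data: bytes) -> dict:
    """Summarise one pairing record plist: is it complete enough to present
    to lockdownd, and does it carry an escrow bag for pre-PIN access?"""
    rec = plistlib.loads(data)
    missing = [k for k in REQUIRED_KEYS if k not in rec]
    bag = rec.get("EscrowBag")
    return {
        "complete": not missing,
        "missing": missing,
        "escrow_bag": isinstance(bag, bytes) and len(bag) > 0,
        "host_id": rec.get("HostID"),
    }


def scan_lockdown_dir(directory) -> dict:
    """Map each device UDID (the file stem) to its inspection result.
    Unparseable files are reported rather than skipped, so the examiner
    sees a corrupt record instead of silently assuming no pairing."""
    out = {}
    for path in Path(directory).glob("*.plist"):
        if path.stem == "SystemConfiguration":  # host-wide BUID, not a device record
            continue
        try:
            out[path.stem] = inspect_pairing_record(path.read_bytes())
        except Exception as exc:  # plistlib raises different types for XML vs binary
            out[path.stem] = {
                "complete": False, "missing": [], "escrow_bag": False,
                "host_id": None, "error": str(exc),
            }
    return out


def make_record(with_escrow: bool) -> bytes:
    """Constructed pairing record with placeholder certificate bytes."""
    rec = {
        "HostID": "0123ABCD-0000-4000-8000-00000000ABCD",
        "SystemBUID": "FEDCBA98-0000-4000-8000-000000001234",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
        "HostPrivateKey": b"placeholder",
        "DeviceCertificate": b"placeholder",
        "WiFiMACAddress": "00:11:22:33:44:55",
    }
    if with_escrow:
        rec["EscrowBag"] = b"\x00" * 64  # real bags are opaque keybag blobs
    return plistlib.dumps(rec)


def demo() -> dict:
    """Write constructed records into a temporary lockdown directory and
    scan it: one iOS 5+ style record with an escrow bag, one older record
    without, the host SystemConfiguration file, and one corrupt file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "a" * 40 + ".plist").write_bytes(make_record(True))
        Path(d, "b" * 40 + ".plist").write_bytes(make_record(False))
        Path(d, "SystemConfiguration.plist").write_bytes(
            plistlib.dumps({"SystemBUID": "FEDCBA98-0000-4000-8000-000000001234"}))
        Path(d, "c" * 40 + ".plist").write_bytes(b"not a plist")
        return scan_lockdown_dir(d)


if __name__ == "__main__":
    for udid, info in demo().items():
        print(udid, info)
```

A record that is complete but has no escrow bag means the host paired with the device before iOS 5 or with a device that never had a passcode; it will still pair once the PIN is entered, but it does not help before that. Point the scanner at the real lockdown directory of the examiner's machine, or of a suspect's seized computer, to see which devices that machine can already talk to.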