Cellebrite and iPho...
 
Notifications
Clear all

Cellebrite and iPhone 5s

22 Posts
9 Users
0 Likes
2,123 Views
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Is anyone else having any issues acquiring an iPhone 5s after the last update?

This my 4th attempt to acquire this iPhone 5s (A1533) logically.

During the acquisition it seems to stop during the "Reading Phone Info" screen at around File 4783 (this time), Once it actually made it to a video file then hung.

The Progress bar scrolls across the screen but the Target Bar never displays any action.

The last acquisition I allowed it to run over night with no success. Stuck trying to read the Phone Info.

I have rebooted the Cellebrite UFED touch 3 times and tried two different USB media targets.

I used the Cellebrite cable as well as a known good second Apple cable.

The phone acquired successfully with Lantern and I successfully acquired an Android both logically and File System acquisition right before attempting the iPhone to the same target media.

Larry

PS. It's the UFED Touch with the latest updates

 
Posted : 24/03/2015 6:32 pm
(@paraben)
Posts: 47
Eminent Member
 

Do you have the latest version of iTunes installed? If so, that's likely the problem. It causes problems with forensic tools accessing the device. Installing an older version has solved this issue for me with other tools.

 
Posted : 24/03/2015 8:36 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Do you have the latest version of iTunes installed? If so, that's likely the problem. It causes problems with forensic tools accessing the device. Installing an older version has solved this issue for me with other tools.

The acquisition is via the UFED Touch. iTunes not required.

Larry

 
Posted : 24/03/2015 9:02 pm
(@deltron)
Posts: 125
Estimable Member
 

I always seem to have most problems when it comes to Iphone, most of them have to do with the physical condition of the phone. My last problem was the cable i was using seemed to always randomly connect and disconnected i noticed this by the phone having a charging icon then not having an icon. We used rubber bands to keep the cord in place and it worked.

Have you tried other cables?

 
Posted : 24/03/2015 9:11 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I always seem to have most problems when it comes to Iphone, most of them have to do with the physical condition of the phone. My last problem was the cable i was using seemed to always randomly connect and disconnected i noticed this by the phone having a charging icon then not having an icon. We used rubber bands to keep the cord in place and it worked.

Have you tried other cables?

yes, as stated above I used two known good cables.

I was able to get a file system acquisition off of it.

THe logical is the only issue.

After I sent the last post to the forum an update magically appeared in my email. I have updated the Cellebrite and I am trying the Logical again..

Although it doesn't look promising, the entire time it took me to type this it is stuck on "Reading Phone Info File 4757"

Larry

 
Posted : 24/03/2015 10:42 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I assume just buying a better tool is not an option, but

* Katana Forensics' Lantern Tool works extremely well with iPhone 5S phones.

* Compelson's Mobiledit Forensic software will also extract logical data from iPhone 5S phones.

Other thoughts

You could create a mobile backup of the device and then use a variety of tools to extract data from the mobile backup such as Magnet Forensic's IEF tool.

If you cannot create a mobile backup, then maybe there is another issue going on with the phone.

Regards,

Larry

 
Posted : 25/03/2015 2:33 am
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I assume just buying a better tool is not an option, but

* Katana Forensics' Lantern Tool works extremely well with iPhone 5S phones.

* Compelson's Mobiledit Forensic software will also extract logical data from iPhone 5S phones.

Other thoughts

You could create a mobile backup of the device and then use a variety of tools to extract data from the mobile backup such as Magnet Forensic's IEF tool.

If you cannot create a mobile backup, then maybe there is another issue going on with the phone.

Regards,

Larry

I always try to use a minimum of two tools on each device.
I used Lantern and it worked.
THe Cellebrite would not get a logical image but it did get a file system image.

THe reason for two separate tools and acquisitions you ask?
Without slamming or praising any tool, one tool pulled 29 contacts vs 1028 on the other.
One tool pulled 485 call logs, the other 200.
one tool got 789 SMS/Text messages vs 191.

So, I can work with that.. I still have no idea why Cellebrite wouldn't pull a logical off the phone though.

 
Posted : 25/03/2015 2:51 am
(@gorvq7222)
Posts: 229
Reputable Member
 

Hi,

As to iPhone 5s acquisition, my suggestion is
1.Use Pangou to Jailbreak iPhone5s.
2.Install SSH Server and Netcat in order to establish a tunnel between iPhone5s and your forensic workstation.
3.Create a wifi connection between iPhone5s and your forensic workstation. Start physical acquisition by using dd command and pipe to netcat.

Be patient…it will take about more than 1hr when acquiring a 16GB iPhone5s. Once it's done, you could mount the dmg file on your forensic workstation and start to analyze it.

Wish you success~

Rick

 
Posted : 25/03/2015 5:35 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Personally I wouldn't go jail breaking any phone..

You mentioned you are using the Touch for the acquisition, is there any reason why you don't use Physical Analyser and do an advanced logical acquisition using your PC?

To be honest I've never used the Touch device to download an iPhone when PA does a much better job…

 
Posted : 25/03/2015 9:16 am
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I can do the advanced logical with the PA.

No, I am not going to jailbreak the phone.
Even if I could get a physical off the 5s (A7 Chip) you would not be able to read it, it's encrypted..

Larry

 
Posted : 25/03/2015 10:46 am
Page 1 / 3
Share: