iPhone Imaging for non-LE
Posted: Wed Jan 05, 2011 7:21 pm
What is the best iDevice imaging method for all the non-LE forensic analysts out there?
I know there are security concerns related to open publication of the JZ method, but are they really well founded? Does the JZ method allow bypass of iPhone security to such a greater degree than jailbreaking that the rest of the digital forensic community should not have access?
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA
Senior Consultant
Verizon Business Investigative Response
-

jekyll - Senior Member
Re: iPhone Imaging for non-LE
Posted: Wed Jan 05, 2011 8:44 pm
JZ's tools allow the low-level (security means almost nothing) bit-for-bit imaging of the full device without making any changes to the device minus the memory that it is loaded into. If needed, they also allow the removal of the passcode from most iPhone iOS' allowing the user access to the UI.
The point of his method is to get a virtually unchanged copy of the evidence. If you jailbreak the device, changes have been made and this allows the defense the chance to state that something has been removed/added to the evidence. JZ's method has been tested and documented and can be proven in court what was done to the device.
I personally use the JZ tools for both purposes, but I use the passcode removal to allow the device to be returned to fallen soldiers' families.
-

beasleyjt - Senior Member
Re: iPhone Imaging for non-LE
Posted: Wed Jan 05, 2011 9:22 pm
I know what JZ's tools allow for, but they are for LE only (I presume because of the passcode removal functionality). That is the whole point of the post (sorry you missed it).
I'm canvassing for an equally forensically sound acquisition method the rest of the digital forensic community can use. I work in civil and criminal matters and I find it frustrating that a good tool for forensically sound acquisition is restricted to LE only.
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA
Senior Consultant
Verizon Business Investigative Response
-

jekyll - Senior Member
Re: iPhone Imaging for non-LE
Posted: Thu Jan 06, 2011 5:17 am
The tools are not solely for LE. They are free to LE and can be purchased by non-LE assuming you can prove your credentials.
I would suggest contacting Jonathan to see if you can purchase the tools.
There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).
-

Doug - Senior Member
Re: iPhone Imaging for non-LE
Posted: Thu Jan 06, 2011 9:42 pm
- Doug
There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).
I don't know about that!
Andrew Hoog's review of iXAM over at ViaForensics seems to show this tool does exactly what JZ method achieves. Without having used either of them, I can't see any notable differences between these tools with regards to acquiring physical images.
viaforensics.com/educa...forensics/
Their website also shows some good validation and verification testing is being done:
www.ixam-forensics.com...bypass.asp
Not sure if this will allow decryption of data on the fly the way JZ method does, but I assume so.
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA
Senior Consultant
Verizon Business Investigative Response
-

jekyll - Senior Member
Re: iPhone Imaging for non-LE
Posted: Fri Jan 07, 2011 5:10 am
From the sounds of it the tool has improved considerably from the early releases.
After looking on the website I have a question.
There is a note on their site:
"Important note: iOS 4.0> encrypts raw disk partitions and the e-mail database on 3GS and iPhone 4 devices. iXAM can acquire but not decode this information."
Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data? Or do they still give you the file system like the iPhone Insecurity tools?
-

Doug - Senior Member
Re: iPhone Imaging for non-LE
Posted: Fri Jan 07, 2011 12:07 pm
Jekyll:
I forgot to mention on the other post that AccessData is about to release a major update to their Mobile Phone Examiner PLUS Software. AccessData came to my facility and demoed their soon-to-release update of MPE+ and is going to send me a copy for testing. They say it is supposed to do physical acquisitions of "all iphones", but we all know that what is said is not always what is.
Once they finally get it to me, I will post some results on it as well as iXAM.
-

beasleyjt - Senior Member
















