
iPhone Imaging for non-LE

  

iPhone Imaging for non-LE

Posted: Wed Jan 05, 2011 6:21 pm

What is the best iDevice imaging method for all the non-LE forensic analysts out there?

I know there are security concerns related to open publication of the JZ method, but are they really well founded? Does the JZ method allow bypass of iPhone security to such a greater degree than jailbreaking that the rest of the digital forensic community should not have access?
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA

Senior Consultant
Verizon Business Investigative Response 

jekyll
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Wed Jan 05, 2011 7:44 pm

JZ's tools allow the low-level (security means almost nothing) bit-for-bit imaging of the full device without making any changes to the device minus the memory that it is loaded into. If needed, they also allow the removal of the passcode from most iPhone iOS' allowing the user access to the UI.

The point of his method is to get a virtually unchanged copy of the evidence. If you jailbreak the device, changes have been made and this allows the defense the chance to state that something has been removed/added to the evidence. JZ's method has been tested and documented and can be proven in court what was done to the device.

I personally use the JZ tools for both purposes, but I use the passcode removal to allow the device to be returned to fallen soldiers' families.

beasleyjt
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Wed Jan 05, 2011 8:22 pm

I know what JZ's tools allow for, but they are for LE only (I presume because of the passcode removal functionality). That is the whole point of the post (sorry you missed it).

I'm canvassing for an equally forensically sound acquisition method the rest of the digital forensic community can use. I work in civil and criminal matters and I find it frustrating that a good tool for forensically sound acquisition is restricted to LE only.
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA

Senior Consultant
Verizon Business Investigative Response 

jekyll
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Thu Jan 06, 2011 4:17 am

The tools are not solely for LE. They are free to LE and can be purchased by non-LE assuming you can prove your credentials.
I would suggest contacting Jonathan to see if you can purchase the tools.

There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware).  

Doug
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Thu Jan 06, 2011 8:42 pm

Doug wrote:

"There are some alternatives but they are in no way as thorough and have not been tested in court yet (as far as I am aware)."


I don't know about that!

Andrew Hoog's review of iXAM over at ViaForensics seems to show this tool does exactly what JZ method achieves. Without having used either of them, I can't see any notable differences between these tools with regards to acquiring physical images.

viaforensics.com/educa...forensics/

Their website also shows some good validation and verification testing is being done:

www.ixam-forensics.com...bypass.asp

Not sure if this will allow decryption of data on the fly the way JZ method does, but I assume so.
_________________
Paul Pratley MIT, CFCE, GCFA, ENCE, QSA

Senior Consultant
Verizon Business Investigative Response 

jekyll
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Fri Jan 07, 2011 4:10 am

From the sounds of it the tool has improved considerably from the early releases.

After looking on the website I have a question.

There is a note on their site:

"Important note: iOS 4.0> encrypts raw disk partitions and the e-mail database on 3GS and iPhone 4 devices. iXAM can acquire but not decode this information."

Does this mean that you can acquire an iOS 4+ device but do nothing with the acquired data? Or do they still give you the file system like the iPhone Insecurity tools?  

Doug
Senior Member
 
 
  

Re: iPhone Imaging for non-LE

Posted: Fri Jan 07, 2011 11:07 am

Jekyll:

I forgot to mention on the other post that AccessData is about to release a major update to their Mobile Phone Examiner PLUS Software. AccessData came to my facility and demoed their soon to release update of MPE+ and is going to send me a copy for testing. They say it is supposed to do physical acquisitions of "all iphones", but we all know that what is said is not always what is.

Once they finally get it to me, I will post some results on it as well as iXAM.  

beasleyjt
Senior Member
 
 