±Partners and Sponsors

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 1
New Yesterday: 4
Overall: 26234
Visitors: 55

±Forensics Europe Expo


±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

UFED physical for iPhone/iPad

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 4:28 am

The following is a quote from another forum thread;

- RonS
UFED Physical will soon add support for iPhone/iPad physical extraction and data decoding.

Once this is released, this would be the easiest and most complete solution for iPhone/iPad physical.

RonS


I've started a new thread for this discussion because, as usual, RonS is hijacking an otherwise useful post for blatant marketing messages about his own product.

Anyhow, let's get some substance on your post please.

What models and IOS versions will UFED be supporting for physical dump?
When are you releasing it?
Will it take the form of a bit-for-bit image or is a "filesystem dump" given your product's history at confusing the two?
Will you be jailbreaking the device?
What footprint, if any will be left in the image and device beyond jailbreaking?
Will you extract the system partition too?
Will you be able to decode all or partial data types?

Thanks.  

Fab4
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 5:03 am

with all respect, I think that Bob Elder started his post with the sentence "Update information on iPhone data recovery".

and the additional information that I provided was that UFED Physical will soon to support physical dumps of iPhones and iPads and that we will also be able to decode them.

I think that this information is very much useful for UFED users and users that are searching for a solution.

We will support 3G,3GS and iPhone 4 devices.
no, we are not jail-breaking them.
We will decode the file system and many data types

It will bring the best of all possible methods (for iPhone 4, no we will not decrypt the encrypted image although we do extract it, but we will bypass the encryption)

Additional information will be provided soon.  

RonS
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 8:27 am

- RonS
with all respect, I think that Bob Elder started his post with the sentence "Update information on iPhone data recovery".


The post title is related to chip off R&D....

- RonS

It will bring the best of all possible methods (for iPhone 4, no we will not decrypt the encrypted image although we do extract it, but we will bypass the encryption)

Additional information will be provided soon.


Thanks for the information. To be absolutely certain, "bypass the encryption" of and decode;

(i) logical data
(ii) certain datasets , e.g. email database
(iii) all unallocated space ?  

Fab4
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 8:46 am

Regarding chip off, as part of the iPhone decoding, UFED PA support the file system reconstruction from a chip off (FTL implementation), This was tested with several versions (not all)

Regarding your other questions:
When the iPhone is encrypted on a hardware level, we bypass the encryption by performing a file system extraction of the entire data partition including ALL the files (without jail breaking and also when the device is password locked).
We also support the extraction of the encrypted partition, but as of now the result after file system reconstruction are encrypted files.

I am not aware of any solution at the moment (although we are researching this) that can decrypt the iPhone 4 encrypted dumps.  

RonS
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 1:37 pm

Sorry for the cross post but I see that this conversation has two threads:

Hi Ron S:

I appreciate your need to advertise your product but the chipoff process has value in areas that the Cellebrite kit can't help, even when it can read physical.

If the guy destroys his phone before or during the arrest, now you have a iPhone or cell phone that won't connect to the cellebrite kit, where do you stand with that?

If the cell phone is not functioning for whatever reason, mechanically that is, how can Cellebrite help us?

If there is water damage or physical damage to the port needed to communicate with the iPhone, where does Cellebrite do with this.

My research was done to allow us to get the RAW data from iPhones and cell phones that have been presented to us in these conditions. If the required chip is still in tack, then we are able to get the data.

I did not do all this work to infringe on the Cellebrite tool, I do this to further the abiltiy of Police Officers and forensic examiners to get the user data from cell phones so we can put bad guys in jail.

I might add that this process is very simple and very "cost effective". (-:  

sideshow018
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 1:54 pm

Bob,

I think that there is some miss understanding of what I wrote.
I did not say at any point that chip off has no value.

On the contrary, we constantly perform chip-off for different platforms even before we conclude the R&D and are able to perform the physical extraction using the UFED.

We did this for Symbian, Blackberry, iPhone, LG, Samsung and many others.

We are doing this for 2 purposes:
1) Develop file system reconstruction and data decoding so that when our customers perform chip off they have a solution for decoding their data and at the stage we are able to perform the physical dump, we will already have the decoding ready.

As an example, when you perform the iPhone chip-off, you could decode your dump using UFED PA.

2) Validation that our UFED physical extraction gets all and the correct data.

Regarding chip-off being simple as generic solution for physical extraction, I am not sure I agree, but it might be for specific models (like iPhone).

Say hi to Shafik

RonS  

RonS
Senior Member
 
 
  

Re: UFED physical for iPhone/iPad

Post Posted: Fri Jan 21, 2011 2:07 pm

Thanks for clarifying this, maybe I was a bit defensive in my response and I apologise for that.

In the end, our work can compliment each other (-:

"Shaking of hands online"

Bob  

sideshow018
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 2
Go to page 1, 2  Next