iOS 10 Beta Release 5 - Processing Issues

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Hello,

(I am also submitting this issue to Cellebrite's excellent support group)

BACKGROUND

PHONE EXAMINED Apple iPhone 6S
MODEL MKRG2LL/A
IOS VERSION 10.0 (14A5341a)
CARRIER Verizon 25.0

1) I first used iTunes v. 12.4.3.1 on a MacBook to create a password protected mobile backup of the iPhone 6S, which resulted in a 22GB mobile backup.

2) I created a read-only DMG file of the entire mobile backup folder, which I then copied to an exFAT-formatted external USB drive. I plugged the external USB drive into my Windows forensic laptop and then imported the DMG file into FTK Imager v. 3.4.2.6. FTK Imager allowed me to export the mobile backup files to the same USB thumbdrive.

3) I first used UFED Physical Analyzer v. 5.2.0.213 to process the mobile backup (iTunes Legacy option), but UFED Physical Analyzer categorized all of the mobile backup's sub-files as "other" and did not process any of the sub-files. UFED Physical Analyzer DID ask for the iTunes mobile backup encryption password, which I successfully entered.

4) I then tried Compelson's MOBILedit Forensic Express v. 3.5.0.6621 to process the mobile backup.

A. MOBILedit Forensic did identify that an iTunes encryption password was in place, which I inputted. MOBILedit Forensic was not able to process the mobile backup contents at all. I then had MOBILedit Forensic try to crack the iTunes encryption password, which it did in about 15 seconds (password was 1234), but the tool could still not process the mobile backup.

B. I tried MOBILedit Forensic directly on the iPhone 6S itself, but although the tool said it created a mobile backup, no data could be extracted.

5) I then tried iPhone Backup Extractor Pro v. 7.1.1.1197 on the mobile backup, but the tool would not recognize the mobile backup at all.

6) I examined the folder structure of the mobile backup and noticed that, unlike previous versions of iTunes mobile backups, there appears to be a new folder structure.

A) Legacy iTunes mobile backups had the following folder and file structure:

TOP LEVEL FOLDER NAMED BY IPHONE'S UNIQUE HASH VALUE f8b28a0389ec5f72a81b71bc58e2fce6514e69f4

* WITHIN THE TOP LEVEL FOLDER, MULTIPLE FILES NAMED BY UNIQUE HASH VALUES

B) The iOS 10 (14A5341a) iTunes mobile backup folder and file structure

TOP LEVEL FOLDER NAMED BY IPHONE'S UNIQUE HASH VALUE f8b28a0389ec5f72a81b71bc58e2fce6514e69f4

MULTIPLE SUB FOLDERS NAMED BY "01", "11", etc.

EACH SUB FOLDER CONTAINING MULTIPLE FILES NAMED BY UNIQUE HASH VALUES

7) My theory is that the introduction of sub-folders to the top level folder in the iTunes mobile backup has thrown off the forensic tools. In the electronic discovery world, "load files" have to have specific folder and file path structures in order for electronic discovery review database tools such as Relativity to work. In other words, in order for Relativity to correlate a TIFF image file with the document's metadata, the path to the TIFF image file has to be exactly correct in the "cross reference file".

QUESTIONS

A. Does anyone have any experience extracting and successfully creating a report from an iPhone 6S running iOS 10 (14A5341a) Public Beta 5? If so, how and using which tool, please?

B. Is it still best practice to create a password protected iTunes mobile backup of iPhones using the latest version of iTunes? One of my colleagues' opinion is that I should have used Cellebrite UFED4PC or Physical Analyzer directly to extract data from the phone.

I have been informed by LE professionals and my own Cellebrite certification training that Cellebrite itself uses iTunes running in the background to create a mobile backup, which is then parsed by Physical Analyzer. I have also been informed that the greatest amount of evidence can be extracted from an iPhone by assigning an encryption password in iTunes. Cellebrite Physical Analyzer itself pops up a message that the latest version of iTunes must be installed in order for an extraction to occur. MOBILedit Forensic Express also first creates a mobile backup using iTunes running in the background.

My colleague's opinion is that I cannot state I have created a true backup of the iPhone 6S because my forensic tools cannot open the mobile backup (he says it is the same as creating a zip file that cannot be opened and thus cannot be judged as valid).

I could try to restore the mobile backup I created to an actual iPhone, but the phone owner would definitely not allow me to do this.

My opinion at this point is that I did successfully use iTunes to create an encrypted mobile backup (I screen shot each step of the process) but that my forensic tools are not compatible with the iOS 10 beta 5 operating system.

Thoughts???

[EDIT] Cellebrite support has an item from 01/11/2016 stating

Following several changes by Apple, mainly the format change in which iOS creates backups, Cellebrite extraction and decoding support level is as follows

* Advanced Logical extraction via PA is supported up to the latest beta version 10.6. Note that this support is limited to unencrypted iTunes backup.

* File System extraction in UFED is available for Apple devices running iOS 10 beta versions, up to and including beta version 10.4.

* Logical is supported for devices running iOS beta version 10.4.

* Decoding support is available for devices that are not encrypted only.

So it appears that I need to attempt an extraction using Physical Analyzer but without an iTunes encryption password. I am not sure how to remove an iTunes encryption password from an iPhone once one has been put into place so more research…… [EDIT]

 
Posted : 21/08/2016 11:58 pm
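
A small triage check for the folder layout difference described in step 6 of the post above, added here as an example; it is not part of the original thread or of any vendor tool. The function names `classify_backup` and `build_sample` are hypothetical, the sample file names are constructed, and the check that each file name starts with its subfolder's two hex digits is an assumption the post does not state.

```python
import hashlib
import os
import re
import tempfile

HASH_NAME = re.compile(r"^[0-9a-f]{40}$")  # files "named by unique hash values"
SHARD_NAME = re.compile(r"^[0-9a-f]{2}$")  # subfolders such as "01", "11"

def classify_backup(root):
    """Return (layout, hash_file_count, misplaced) for one backup folder."""
    flat, sharded, misplaced = 0, 0, []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isfile(path) and HASH_NAME.match(entry):
            flat += 1                      # legacy: hash-named file at top level
        elif os.path.isdir(path) and SHARD_NAME.match(entry):
            for name in sorted(os.listdir(path)):
                if not HASH_NAME.match(name):
                    continue
                sharded += 1               # iOS 10 style: hash-named file in a subfolder
                # Assumption: subfolder name equals the first two hex digits of the file name.
                if not name.startswith(entry):
                    misplaced.append(os.path.join(entry, name))
    if flat and sharded:
        layout = "mixed"
    elif sharded:
        layout = "subfolders"
    elif flat:
        layout = "flat"
    else:
        layout = "unknown"
    return layout, flat + sharded, misplaced

def build_sample(layout):
    """Create a constructed backup folder (empty files) in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="backup_")
    # Constructed names: SHA-1 of made-up strings, not values from a real device.
    names = [hashlib.sha1(f"sample-{i}".encode()).hexdigest() for i in range(6)]
    for name in names:
        folder = os.path.join(root, name[:2]) if layout == "subfolders" else root
        os.makedirs(folder, exist_ok=True)
        open(os.path.join(folder, name), "wb").close()
    open(os.path.join(root, "Info.plist"), "wb").close()  # non-hash file, ignored
    return root

if __name__ == "__main__":
    for kind in ("flat", "subfolders"):
        print(kind, classify_backup(build_sample(kind)))
```

Run against a working copy of the backup folder, a result of "subfolders" with an empty misplaced list indicates the newer layout is intact and that a parse failure is more likely a tool compatibility issue than a damaged copy.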
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Did you approach by tweet @JZdziarski?

 
Posted : 22/08/2016 1:22 am
(@trewmte)
Posts: 1877
Noble Member
 

Don't forget to keep an eye on the Apple bug reports

beta1
https://beta.applebetas.tk/notes/ios/10.0/beta1.pdf

beta2
https://beta.applebetas.tk/notes/ios/10.0/beta2.pdf

beta3
https://beta.applebetas.tk/notes/ios/10.0/beta3.pdf

beta4
https://beta.applebetas.tk/notes/ios/10.0/beta4.pdf

beta5
https://beta.applebetas.tk/notes/ios/10.0/beta5.pdf

beta6
https://beta.applebetas.tk/notes/ios/10.0/beta6.pdf

beta7
https://beta.applebetas.tk/notes/ios/10.0/beta7.pdf

Also check out any iTunes bug reports
http://www.apple.com/us/search/bug-report?src=globalnav

 
Posted : 22/08/2016 10:56 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Did you approach by tweet @JZdziarski?

No - I have never interacted with Mr. Zdziarski.

I have read his blog though.

 
Posted : 23/08/2016 9:10 pm
(@badgerau)
Posts: 96
Trusted Member
 

I recommend downloading a trial of Blacklight (Blackbag Technologies) and importing the backup to parse. This may be able to work with the backup you have created on the Mac.

If you still have the phone you could create a logical extraction using Physical Analyzer or Blacklight.

I am unsure why a password protected backup is better than an advanced logical extraction directly from Physical Analyzer. As far as I know there is no advantage gained.

There is an advantage gained if you encrypt the backup however, but you have not followed this route.

 
Posted : 24/08/2016 5:32 am
(@tom_w)
Posts: 8
Active Member
 

The latest update of MOBILedit Forensic Express 3.5.2 fully supports the new iOS 10 backup encryption.

 
Posted : 26/09/2016 5:56 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Cellebrite UFED PA 5.3.5 that was released today adds support for encrypted iTunes extractions (when password is known).

RonS

 
Posted : 28/09/2016 1:47 am