Possible Anomaly with Email Extracted from iPhone

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Colleagues,

Help and guidance please on explaining an anomaly I am seeing within email extracted from an iPhone.

DEVICE ANALYZED: Apple iPhone 6s Plus (A1687) (N66AP)
IOS VERSION: 10.3.3
TOOL USED: UFED4PC v 6.2.1.17
JAIL BROKEN STATUS: Not jail-broken

1) I informed the attorney client that I am working for that email cannot be extracted in its entirety from non-jail-broken iPhones running iOS 10.3.3.

2) Cellebrite was able to extract partial email metadata from the iPhone from the "iPhoneRecentsLog" but not any email bodies.

3) After making a logical and file system extraction of the iPhone, I created an iCloud email account using Apple's iCloud service named by my client's name. Then, I created an iCloud email account on the iPhone itself. I then selected email on the iPhone within the existing Outlook account on the iPhone and copied the selected email to the newly created iCloud email account on the iPhone itself.

4) Copying the emails from the Outlook folder on the iPhone to the iCloud email account folder on the iPhone caused the emails to be uploaded to Apple's iCloud storage.

5) I then used Fookes Software's Aid4Mail forensic edition to download the iCloud email account content in the form of an Outlook PST file.

(NOTE: I explained in advance to the client that movement of the Outlook email on the iPhone to an iCloud email account is the only method I am aware of by which email content can be extracted from an iPhone.)

ANOMALY???

6) Out of the 1,300 emails and attachments within the Outlook PST file Aid4Mail Forensic downloaded and created, 1,200 emails have the original email headers and email dates intact.

7) However, there are 100 emails whose email headers only read:

Content-Type multipart/alternative; boundary="Apple-Mail-770D86AB-7CBF-4234-979F-D4BB0C9FF6E1"
Subject FW Attached Image
To "John Smith" <js@smithcompany.com>
From "Johnson, Frank" <Frank.Johnson@johnsoninc.com>

8) The date stamps for the 100 emails whose headers only reflect "boundary="Apple-Mail…." reflect the date and time the emails were uploaded to Apple's iCloud from the iPhone itself. The other 1,200 emails all reflect their original date and time stamps.

So, I am trying to explain why the 100 emails out of the total 1,300 emails moved to Apple's iCloud are missing their original headers and dates and times.

One theory is that the 100 emails did not have header values and thus Apple's iCloud service stamped the 100 emails with the "boundary="Apple-Mail…." value when the emails were uploaded to the Apple iCloud account.

I have encountered situations in which in the absence of metadata, values will be inserted into documents/email by forensic software, email clients, or e-discovery processing software as the metadata values cannot be blank (for whatever reason).

As one solution I asked my client to be allowed to analyze the original iPhone again to look at the 100 emails' metadata (although I doubt email headers can be viewed as email sits on an iPhone).

Has anyone else encountered the above situation? Please provide suggestions/opinions.

 
Posted : 25/09/2017 5:43 pm
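
One way to document the split between the 1,200 intact and 100 stripped messages described in the post above, as an added example that is not part of the original posts. It assumes the messages have been exported from the PST to raw RFC 5322 text (for example EML), since the Python standard library cannot read PST; the `triage` function and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers normally set by the sending client or added in transit.
TRANSPORT_HEADERS = ("Received", "Date", "Message-ID")

# Constructed sample: only the four headers quoted in the post (colons restored).
STRIPPED = """\
Content-Type: multipart/alternative; boundary="Apple-Mail-770D86AB-7CBF-4234-979F-D4BB0C9FF6E1"
Subject: FW Attached Image
To: "John Smith" <js@smithcompany.com>
From: "Johnson, Frank" <Frank.Johnson@johnsoninc.com>

--Apple-Mail-770D86AB-7CBF-4234-979F-D4BB0C9FF6E1

(constructed body)
--Apple-Mail-770D86AB-7CBF-4234-979F-D4BB0C9FF6E1--
"""

# Constructed sample: a message that kept its transport headers.
INTACT = """\
Received: from mail.example.com by mx.example.net; Mon, 04 Sep 2017 09:15:00 -0500
Date: Mon, 04 Sep 2017 09:15:00 -0500
Message-ID: <constructed-1@example.com>
Subject: Constructed intact message

body
"""

def triage(raw):
    """Report which transport headers one RFC 5322 message still carries."""
    msg = message_from_string(raw)
    missing = [h for h in TRANSPORT_HEADERS if msg[h] is None]
    sent = None
    if msg["Date"] is not None:
        try:
            sent = parsedate_to_datetime(msg["Date"]).isoformat()
        except (TypeError, ValueError):
            missing.append("Date (unparseable)")
    return {
        "subject": msg["Subject"],
        "headers": sorted(msg.keys()),
        "missing": missing,
        "apple_mail_boundary": (msg.get_boundary() or "").startswith("Apple-Mail-"),
        "original_date": sent,
        "stripped": all(msg[h] is None for h in TRANSPORT_HEADERS),
    }

if __name__ == "__main__":
    print(triage(STRIPPED), triage(INTACT), sep="\n")
```

Run over every exported message, the `stripped` flag and `headers` list give a per-message record of which items carry only the Apple-Mail boundary and which retain an original `Date`.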
(@jasonlee)
Posts: 17
Active Member
 

I am leaning towards the emails are still syncing and have not completed.

Why not use Aid4Mail to get the email from the server hosting the data? Unless it is a case based solely on the phone.

 
Posted : 28/09/2017 1:25 pm