
iPhone 'logical'

5 Posts
3 Users
0 Likes
1,568 Views
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Out of curiosity, if you have a leading vendor's tool which provides a 'logical' type iOS 11 extraction (3rd party apps, media etc), is this process likely to lead to the same results as any other vendor's tool? Is a logical just an exploitation of the iPhone's available data, which is the same set of protocols/processes used by all vendors?

For example, I have 1 tool, and get back x amount of files from these areas - assuming this is all the tool can access. Surely all tools are exploiting the maximum volume of accessible data that the iPhone allows.

As we don't have an endless budget I am trying to work out whether the logical I have is likely the logical everyone has of an iOS 11 device?

I hope that makes sense.

 
Posted : 08/01/2018 1:22 pm
(@bsscott012)
Posts: 4
New Member
 

I believe the short answer is no. A logical extraction/acquisition using MSAB XRY is different than Advanced Logical method 1 using Cellebrite UFED PA and different than Logical using Cellebrite UFED 4PC.

Example: iPhone 8 (A1905) using iOS 11.2 extracted using UFED PA - Advanced Logical method 1, and that one extraction did not contain all of the videos stored on the device. It was only after I followed that up with an extraction using UFED 4PC - Logical and Filesystem that I got all of the videos.

I extracted the same device using MSAB XRY and received all of the videos under one extraction.

I am in a similar situation where I have to explain to my agency why we can't just rely on one tool or even the tool alone, and that if we want to continue to provide this service within the agency, it must be budgeted for more than one tool and more training.

Hope this answered your question.

 
Posted : 08/01/2018 4:43 pm
(@mcman)
Posts: 189
Estimable Member
 

In general, all the tools are accessing the files/data with the same API/connectors but it's up to the tools how it's implemented and stored. This will vary based on the phone and OS installed but generally you're going to get the same data no matter what tool you use for the latest iOS 9/10/11. File relay was an option with iOS 8 or older but Apple shut that door with 8.3 I believe.

bsscott012 mentions the method 1/2 with Cellebrite vs XRY, some tools will automatically do both pulls while other tools make it a separate process. I can't say which method is better/preferred but it's always best practices to grab both from Cellebrite as they'll give you different things.

With Magnet ACQUIRE, we'll pull everything into one extraction which sounds similar to XRY (I don't have XRY so I can't confirm). You can also just use iTunes as most tools aren't getting much more than an iTunes backup really (aside from maybe Cellebrite's CAIS services which can do a bit more than their UFED/PA I believe).

The biggest difference between what you get from iOS is whether the backup is encrypted or not (set by the user or the tool doesn't matter) but with an encrypted backup, you'll get the additional keychain which can be helpful for passwords, etc.

Extractions vary a bit more with Android but with iOS, everyone is in the same boat from an access standpoint even if the data gets processed/outputted differently.

Jamie McQuaid
Magnet Forensics

 
Posted : 08/01/2018 6:53 pm
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

I must admit, this is what I was thinking. So essentially, everyone is on a level playing field here when it comes to the latest devices, it's just the extraction process which may differ. So Cellebrite's 2 forms are likely collectively to equate to, say, an Axiom extraction? Everything which is available is gotten, but processing and display may vary?

 
Posted : 08/01/2018 10:00 pm
(@mcman)
Posts: 189
Estimable Member
 

Yep, when we built out ACQUIRE and then AXIOM, we combined the methods together into one extraction. Most tools are basically pulling everything from the AFC service, which is what Apple leaves on the phone to interact with iTunes and pull backups with. AFC2 is used for full file system dumps but you need to have a jailbroken phone for that so the use case is rare (that would be a method 3 with Cellebrite).

I'm actually just finishing up some blogs on using various images across tools. The bottom line is image the mobile devices a few different ways and then analyze the images with every tool you have available. That's the best way to ensure your tools are going to get everything you need. Even if each tool gets the same image (or same data), they're going to analyze them differently. No one tool is going to get everything all the time so diversity can be very helpful in this circumstance.

 
Posted : 09/01/2018 2:34 pm
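Two points from the thread lend themselves to a small, concrete check: bsscott012's observation that one extraction was missing videos that another picked up, and mcman's note that an encrypted backup additionally yields the keychain. The script below is an added example, not code from the thread or from any of the vendors named in it. It assumes each extraction is an iTunes-style iOS 10+ backup, i.e. it carries a Manifest.db (SQLite, `Files` table with `fileID`, `domain`, `relativePath`, `flags`) and a Manifest.plist with an `IsEncrypted` key; the backup contents used here are constructed sample data, built in memory so the script runs offline.

```python
"""Inventory two iOS backup-style extractions and report what only one of them
contains, plus whether each backup was encrypted (and so may include the keychain).

Added example; assumes the iOS 10+ backup layout (Manifest.db / Manifest.plist).
All backup contents below are constructed sample data, not from a real device."""
import hashlib
import plistlib
import sqlite3
from typing import Dict, Iterable, List, Set, Tuple

# Constructed Manifest.plist blobs: one encrypted backup, one plain.
MANIFEST_PLIST_ENCRYPTED = plistlib.dumps({"IsEncrypted": True, "Version": "10.0"})
MANIFEST_PLIST_PLAIN = plistlib.dumps({"IsEncrypted": False, "Version": "10.0"})

# Constructed (domain, relativePath) rows for two extractions of the "same" device.
# Extraction A came from an encrypted backup (so it has KeychainDomain) but, like the
# case described in the thread, is missing one video that extraction B did pick up.
EXTRACTION_A = [
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0002.MOV"),
    ("HomeDomain", "Library/SMS/sms.db"),
    ("KeychainDomain", "keychain-backup.plist"),
]
EXTRACTION_B = [
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0002.MOV"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0003.MOV"),
    ("HomeDomain", "Library/SMS/sms.db"),
]


def backup_file_id(domain: str, relative_path: str) -> str:
    """fileID as used by iOS backups: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_manifest_db(rows: Iterable[Tuple[str, str]]) -> sqlite3.Connection:
    """Create an in-memory Manifest.db with the real table and column names.
    flags=1 marks a regular file (2 = directory, 4 = symlink in real manifests)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for domain, path in rows:
        conn.execute(
            "INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
            (backup_file_id(domain, path), domain, path),
        )
    conn.commit()
    return conn


def inventory(conn: sqlite3.Connection) -> Set[Tuple[str, str]]:
    """Set of (domain, relativePath) for every regular file in the manifest."""
    return set(conn.execute("SELECT domain, relativePath FROM Files WHERE flags = 1"))


def is_encrypted(manifest_plist: bytes) -> bool:
    """True when Manifest.plist says the backup is encrypted (keychain may be present)."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))


def compare(a: Set[Tuple[str, str]], b: Set[Tuple[str, str]]) -> Dict[str, object]:
    """Files present in only one extraction, plus the size of the overlap."""
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": len(a & b)}


def count_by_domain(inv: Set[Tuple[str, str]]) -> Dict[str, int]:
    """Per-domain file counts, a quick way to spot a thin CameraRollDomain etc."""
    counts: Dict[str, int] = {}
    for domain, _ in inv:
        counts[domain] = counts.get(domain, 0) + 1
    return counts


if __name__ == "__main__":
    inv_a = inventory(build_manifest_db(EXTRACTION_A))
    inv_b = inventory(build_manifest_db(EXTRACTION_B))
    print("A encrypted:", is_encrypted(MANIFEST_PLIST_ENCRYPTED), count_by_domain(inv_a))
    print("B encrypted:", is_encrypted(MANIFEST_PLIST_PLAIN), count_by_domain(inv_b))
    for key, value in compare(inv_a, inv_b).items():
        print(key, value)
```

Running the inventory against real extractions means pointing `build_manifest_db` at the existing Manifest.db instead of constructing one; the diff then shows exactly which files a second tool or acquisition method added, which is the evidence an agency asks for when justifying more than one tool.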