iPhone Model 7plus...really weird...

5 Posts
4 Users
0 Likes
546 Views
(@joey2011)
Posts: 9
Active Member
Topic starter
 

So, I've done a number of cell phone forensics and this is a weird one.

It's an iPhone 7+, and the client claims a hacker attack. I use Lantern and Axiom/Magnet; both of them had issues imaging the device: after over 37 hours it still wasn't done. I then used the Belkasoft Acquisition Tool and it took 26 hours to image it.

Okay, so a few flags started to come up, but I ran it anyway with Axiom/Magnet, and after over 21 hours it finished running, with only 2 Facebook chat lines and NO photos, even though there are hundreds of them.

The only things that Axiom/Magnet came back with were a list of applications on the phone, 2 Facebook chat messages, and phone info. It was weird for Axiom/Magnet not to even copy the pictures from the phone.

I did not find any jailbreak of the device at all.

I've never seen that before. Any thoughts?

 
Posted : 27/04/2018 7:50 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Step 1: Purchase the $99.00 single-phone license of Compelson's MobilEDIT Forensic Express ("MEFE").

Step 2: Download and process all available mobile backups of the iPhone 7+ using MEFE to see if historically made iCloud mobile backups of the iPhone 7+ contain more of the desired evidence.

 
Posted : 27/04/2018 8:03 pm
(@mcman)
Posts: 189
Estimable Member
 

Aside from it taking so long to acquire, it sounds like the backup that was created was encrypted. Were you provided the user's iTunes backup password? With AXIOM you should be prompted for it when you load the image in, or prompted to create one if there isn't one set. The list of installed apps comes from an unencrypted part, so if you got only that, I would assume it's encrypted; you would have the same problem with any tool you try to load it in without the password.

Which image did you load into AXIOM? You said it didn't complete, so I'm assuming you loaded the Belkasoft image in? Maybe there was something corrupt in the acquisition and it just failed after 26 hrs? I don't have Belkasoft so I can't speak for it, but if you send either me or support the logs from AXIOM, we can take a look. It definitely sounds strange if all your tools are having issues with this device. Any chance it's an enterprise phone and there's MDM or something similar on it?

On another note, I've never seen a non-jailbroken iOS device that's been "hacked". I'm sure it's possible, but I've never seen it. You usually need a jailbreak to install an untrusted app.

 
Posted : 27/04/2018 8:08 pm
(@joey2011)
Posts: 9
Active Member
Topic starter
 

Yes, I have the iTunes password. I'm going to give Axiom another try and let it run until everything is done. But I'm going to use a different, freshly loaded computer to see if something was causing an issue.

 
Posted : 27/04/2018 8:56 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

If the attack is real, you are trying to find some app (and maybe its data) running at root level; with logical acquisitions, don't expect many results.

Before anything, create a local full iTunes backup, which you could restore if needed so that no data loss could occur. I don't suggest creating a cloud backup, because that would change way more logs and timestamps on the device than a local backup.

Look deeper for jailbreak traces. If there aren't any, ask for permission to jailbreak the device yourself, and if permission is granted, then you could do your research the right way, as root, at the block device and file system levels.

* Typos corrected.

 
Posted : 28/04/2018 7:56 am
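Added example, not code from any poster or product in this thread: a Python triage of an iTunes-style backup folder that puts mcman's point into practice (Manifest.plist and Info.plist are stored in the clear, so the installed-app list comes back even when the rest of the backup is encrypted and unreadable without the password) and covers passcodeunlock's suggestion to look for jailbreak traces by flagging jailbreak-only bundle IDs in that app list. It assumes the standard backup layout written by iTunes/Finder or idevicebackup2 (Manifest.plist, Info.plist, Manifest.db); the two sample backups it builds in a temp directory are constructed, not real device data, and the jailbreak bundle-ID set is a minimal starting point.

```python
"""Triage an iOS backup folder before spending hours parsing it:
is it encrypted, which apps were installed, any jailbreak indicators?"""
import os
import plistlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Bundle IDs that only appear on a jailbroken device. com.saurik.Cydia is
# Cydia's real identifier; extend this set with others you trust.
JAILBREAK_BUNDLE_IDS = {"com.saurik.Cydia"}


def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def backup_is_encrypted(backup_dir):
    """Manifest.plist is never encrypted; its IsEncrypted flag is authoritative."""
    manifest = load_plist(Path(backup_dir) / "Manifest.plist")
    return bool(manifest.get("IsEncrypted", False))


def installed_apps(backup_dir):
    """Info.plist is also in the clear, which is why a tool can list apps from an
    encrypted backup while recovering nothing else."""
    info = load_plist(Path(backup_dir) / "Info.plist")
    return sorted(info.get("Installed Applications", []))


def manifest_db_readable(backup_dir):
    """Unencrypted backups keep Manifest.db as plain SQLite; encrypted backups
    (iOS 10.2 and later) store it AES-encrypted, so the SQLite header is absent."""
    db = Path(backup_dir) / "Manifest.db"
    return db.exists() and db.read_bytes()[:16] == SQLITE_MAGIC


def count_manifest_files(backup_dir):
    """Number of files the backup claims to hold; only call on a readable Manifest.db."""
    con = sqlite3.connect(str(Path(backup_dir) / "Manifest.db"))
    try:
        (n,) = con.execute("SELECT COUNT(*) FROM Files").fetchone()
    finally:
        con.close()
    return n


def triage(backup_dir):
    apps = installed_apps(backup_dir)
    report = {
        "encrypted": backup_is_encrypted(backup_dir),
        "manifest_db_readable": manifest_db_readable(backup_dir),
        "installed_app_count": len(apps),
        "jailbreak_indicators": sorted(a for a in apps if a in JAILBREAK_BUNDLE_IDS),
        "file_count": None,
    }
    if report["manifest_db_readable"]:
        report["file_count"] = count_manifest_files(backup_dir)
    return report


def make_sample_backup(dest, encrypted, apps):
    """Constructed sample backup (not real device data) holding only the three
    files the triage depends on. iPhone9,4 is the iPhone 7 Plus product type."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"Version": "10.0", "IsEncrypted": encrypted,
                "Lockdown": {"ProductType": "iPhone9,4"}}
    if encrypted:
        manifest["BackupKeyBag"] = b"constructed-keybag-placeholder"  # real ones are opaque blobs
    with open(dest / "Manifest.plist", "wb") as fh:
        plistlib.dump(manifest, fh)
    with open(dest / "Info.plist", "wb") as fh:
        plistlib.dump({"Product Type": "iPhone9,4", "Installed Applications": list(apps)}, fh)
    db = dest / "Manifest.db"
    if encrypted:
        db.write_bytes(os.urandom(4096))  # stands in for AES ciphertext: no SQLite header
    else:
        con = sqlite3.connect(str(db))
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        con.executemany("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", [
            ("0a1b", "CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
            ("0a1c", "HomeDomain", "Library/SMS/sms.db"),
        ])
        con.commit()
        con.close()
    return dest


def demo():
    """Build one encrypted and one unencrypted constructed backup and triage both."""
    root = Path(tempfile.mkdtemp(prefix="ios-backup-triage-"))
    enc = make_sample_backup(root / "encrypted", True,
                             ["com.facebook.Facebook", "com.facebook.Messenger"])
    plain = make_sample_backup(root / "plain", False,
                               ["com.facebook.Facebook", "com.saurik.Cydia"])
    return triage(enc), triage(plain)


if __name__ == "__main__":
    for label, report in zip(("encrypted", "plain"), demo()):
        print(label, report)
```

Point `triage()` at a real backup folder (the one AXIOM or Belkasoft wrote, or a fresh `idevicebackup2 backup --full` target) and the report tells you within seconds whether you are looking at the "apps list only" symptom of an encrypted backup, before you commit another day of processing; an empty `jailbreak_indicators` list is only a weak negative, since a jailbreak can hide its package manager from the installed-app list.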