Physical extraction of iPhone 5S iOS 11.2.2


Posted: Dec 19, 19 15:30


I have a client asking for evidence of copying WhatsApp messages to a separate device, as well as evidence of a user having illicit access to an email account after the password was changed (sending/receiving email on the phone, possible storage of emails locally, or uploaded to the cloud).

I've used the logical acquisition approach with both BlackLight and Cellebrite but have not found sufficient evidence of the above - other than confirmation that WhatsApp messages were deleted, however with no timestamps of deletion available that I could ascertain (I looked through plists and SQLite databases, everything for any trace of deletion timestamps but was unsuccessful).

At this stage, we don't want to tell the client they're out of luck and we would like to provide them some value. We're in the process of acquiring the native email files to analyze for sent/receipt IP addresses, which may allow the client to trace back to the email's origin at the very least.

We would like to, as a last resort, physically acquire an image of the iPhone 5S iOS v11.2.2 but I am aware that this is easier said than done. I have done extensive research and have not found a forensic tool that can do this. So, I ask the forum, are there any tools or methods I am missing to conduct a physical acquisition and create a forensic image of this device? Or any other advice towards the questions posed by our client?

Thank you,

Senior Member

Re: Physical extraction of iPhone 5S iOS 11.2.2

Posted: Dec 19, 19 18:10

Pretty sure you can do it now using the checkm8 and checkrain (checkr4in?) exploits.
Basically a root of the device and then most forensic tools will extract the data.  
