Just an issue which is confusing me slightly.
I've taken a physical image of an iPhone 4 with UFED PA3. When I run UFED's own picture carving utility it sits there and says initializing for a few seconds, then nothing seems to happen. I can't see any indication that a carving process is running even though the warning states that this might take some time.
I noticed the image file was a standard .img format so I reverted to my favorite tool (Xways) and loaded up the image in this and happily Xways interpreted the image file correctly and I can see the file structure of the iPhone as it should be.
However, when I use Xways filter to show only picture files I can see the names of the files and the path etc, however the internal viewer for Xways can't render the JPG pictures, they appear garbled.
So I guess I have two questions here. Firstly has anyone else had issues with UFED picture carving not working as it should? Secondly anyone had any luck viewing and carving pictures from the .img with other Forensic tools?
On a side issue why does the UFED PA software only offer picture carving, why not carve for videos, SMS, email etc etc…?
The iPhone physical image is encrypted and thus there is no point to carve the un-allocated space.
Once you let UFED PA decode the physical image (and decrypt it), you should get all the images.
Ron
Thanks RonS, I half suspected this might be the case but thought it curious that Xways still saw the file structure and file names correctly.
Any thoughts as to why the PA picture carving process doesn't appear to do anything? Is there meant to be a progress bar or some other indication the process is running?
I would have expected to see some deleted photos recovered (there were 2000 existing photos) but in this case there was nothing.
Adam,
The iOS file system structure is not encrypted.
The encryption is on a file level, so this explains why you saw the file structure and file names correctly.
The carving is running on the image level and not on the file level and this is why carving did not get any results (all is encrypted).
The main use case for image carving in UFED PA is un-allocated space or physical images that have no file system reconstruction supported (the entire image is un-allocated).
Main idea is that it can detect partial images even in cases they have no header, something that most tools that were designed for computer forensics do not support.
You will not get deleted images from un-allocated areas on your iPhone extraction since it is all encrypted and there is no way to decrypt it (except for the journal files that proved to provide minimal results - also supported by UFED PA).
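The behaviour described in the reply above (file names stay readable while signature carving over the raw image finds nothing), as an added example that is not part of the original thread and is not code from UFED PA or X-Ways. The toy image layout, the file name and the SHA-256 keystream standing in for per-file encryption are constructed assumptions.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
BLOCK = 4096

def carve_jpegs(image: bytes) -> list:
    """Header/footer carving over raw bytes; returns (start, end) offsets."""
    hits, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        hits.append((start, end + len(JPEG_EOI)))
        pos = end + len(JPEG_EOI)
    return hits

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for per-file encryption (assumption: SHA-256 counter keystream,
    not the cipher iOS uses); it only has to make the content look random."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def build_image(encrypt_content: bool) -> bytes:
    """Constructed toy image: one cleartext metadata block, then file content."""
    metadata = b"IMG_0001.JPG".ljust(BLOCK, b"\x00")      # file name stays in the clear
    body = (bytes(range(256)) * 32)[:2 * BLOCK - 13]      # filler, contains no markers
    content = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body + JPEG_EOI
    if encrypt_content:
        content = keystream_xor(content, b"constructed-per-file-key")
    return metadata + content + b"\x00" * BLOCK

def report(image: bytes) -> dict:
    """What a file-system view (names) and an image-level carver each see."""
    return {"name_visible": b"IMG_0001.JPG" in image,
            "carved": carve_jpegs(image)}

if __name__ == "__main__":
    print("plain    :", report(build_image(False)))
    print("encrypted:", report(build_image(True)))
```
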
The only issues I have had with carving using PA is the crashing. It seems not to matter the size, model or OS of the device. When I am carving using the Full and either unallocated or "images" option, the program crashes. Each crash is different. It crashes @ 10k images carved and 300K images carved.
Anyone else have this issue?
My machine has 24GB RAM, dual hex-core Xeon processors and more than ample hard drive space.
I've never had any issues with PA crashing like that, sounds like a software conflict possibly.
PM RonS, he's a good line of contact for UFED and will definitely help you out.
No I've not seen any of those issues either.
As said get in touch with RonS, he'll definitely try to help you out.
Simon
beasleyjt,
sent you a PM
Well, a co-worker of mine was working with Cellebrite tech support. They requested the logs that should be generated, but if the software crashed, a log is not generated.
This happens on our MacBook Pro, Dell laptops, Super FRED, Mac Pro G4 and Dell T7500.
It doesn't appear to matter the OS, size of the image or platform it is running on.
I am guessing that I am going to engage Ron or other tech support guys to resolve the issue we are having.
Thanks for everyone's input.
Might be a silly question but are you working in a virtual environment?
32 bit or 64bit…or both?
Are there any other pieces of hardware connected to the machines (write blockers, dongles for other software etc)
Common AV software (except for Mac of course)
I can honestly say PA has never crashed for me at all.
I'd be very interested to know the results if you and the UFED techies do manage to isolate the problem, might help us out in the future.