Hi all,
In a continuous bid to acquire the most comprehensive extraction possible for practitioners, Cellebrite are frequently rolling out UFED and/or Physical Analyzer updates. I've taken more notice of Cellebrite's last couple of updates, whereby they mention that their Advanced Logical Data Extractions (ALDE) performed solely through Cellebrite PA support decoding of iOS 10.2 backups, etc.
As a practitioner, how would you determine which extraction method is the best to perform for an iPhone handset? At this point I should probably add that I'm not interested in discussing handsets older than iPhone 4s.
Typically speaking, my methodology in acquiring any data from an iPhone relies, 99% of the time, solely on using just UFED; i.e., I perform both File System and Logical Data Extraction, and that's it.
There have been times when I have solely used PA for ALDE; however, this has been more down to circumstances whereby successfully interacting with and appropriately configuring an iPhone handset has proven to be extremely difficult to achieve (i.e., appropriate configuration as per UFED instructions before launching File System or Logical Data Extraction).
I appreciate this is quite a general question considering the varying iOS versions, apps, app versions, as well as taking into account case circumstances.
As a practitioner, I just feel somewhat overwhelmed with the amount of extractions available. In addition, each extraction can also take a great deal of time, which I do not always have.
Hope to hear from you all.
Well, it all depends on the time-frame you have. If you have a good amount of time with the phone, then I still recommend you do both and compare both extractions (logical & file system) in PA to see the difference; that's the only way you can see what has been added on the separate files.
Then again, if you are on a limited time-frame and have to choose only one method of extraction, I would go for the File System Extraction, since that does in-depth memory extraction and also 99% of what is logically on the device.
I do both only to compare and to get maximum amount of results and to compare the two.
It would be cool to see physical extraction added for iPhones, but then again, Apple will be ready for that.