Deleted app encryption iOS 13.5

(@sevenofnine)

Hi,

Have looked up lots on here in the past and thought I would finally join. I am a complete novice so I'll apologise now for saying anything wrong or simplistic!

Looking at an iPhone 8 Plus running iOS 13.5 with a known passcode. At some point the user has installed non-work-related apps such as WhatsApp and Facebook Messenger, but they have deleted (not offloaded) the apps a month ago.

I have spent time reading up on SQLite and WAL files plus what I can find on iOS per-file encryption; however, I cannot find a definitive answer.

If an app is deleted (not backed up locally or to iCloud), can the data within it be carved, thus allowing for analysis of the SQLite databases within them? If the device was jailbroken using checkra1n, would this make any difference?

Thanks guys.


   
(@passcodeunlock)

The iPhone 8 Plus device is checkm8 compatible, but iOS 13.5 might be a problem.

One way is to jailbreak with unc0ver and then do a full filesystem acquisition with any worthy forensic software.

Another way is in-lab Cellebrite CAS or GrayKey acquisition.

The chances of having remnant app artifacts is a yes or a no, you can't know until you try...


   
(@sevenofnine)

@passcodeunlock

Thanks for the reply. Appreciate this may just be down to terminology, but I always assumed a full file system was not physical, i.e. not a bit-for-bit copy, and therefore unallocated space would not be included? Or have I crossed about three different topics and got that completely wrong? 🙂


   
(@passcodeunlock)
 

You are right about the terminology, physical acquisition is a generic term, which is interpreted way wrong when it comes to Full Disk Encryption and File Based Encryption.

What's the catch in having a bit-by-bit copy, including the unallocated (and slack) space, of a chip's physical content which has logically encrypted partitions or files on it?! It's simply garbage.

With iOS 13.5 your luck is limited to having remnant artifacts in databases. A decrypted Full File System is the most you can get, if jailbroken and the passcode is known. Whatever is deleted is gone for good, unless you know a method to recover the file's unique encryption key, which is also gone 🙂
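
Why carving a raw dump of an encrypted volume finds nothing, as an added example that is not part of the original post: a SQLite header carver and an entropy measure run over a constructed image. The SHA-256 keystream is only a stand-in for iOS per-file encryption, and the sample page, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import math
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"                    # first 16 bytes of every SQLite file
VALID_PAGE_SIZES = {1 << n for n in range(9, 16)} | {1}  # 512..32768; 1 encodes 65536

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for structured data."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def carve_sqlite_headers(image: bytes) -> list:
    """Return (offset, page_size) for each header whose page-size field is valid."""
    hits, pos = [], image.find(SQLITE_MAGIC)
    while pos != -1:
        if pos + 18 <= len(image):
            (raw,) = struct.unpack_from(">H", image, pos + 16)
            if raw in VALID_PAGE_SIZES:
                hits.append((pos, 65536 if raw == 1 else raw))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits

def stand_in_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a stand-in for per-file AES, not real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def build_sample_page() -> bytes:
    """Constructed 4096-byte first page: 100-byte header, sample text, zero padding."""
    header = SQLITE_MAGIC + struct.pack(">H", 4096) + bytes(82)
    body = b"CREATE TABLE messages(id INTEGER, body TEXT);" + b"constructed chat row " * 40
    return (header + body).ljust(4096, b"\x00")

FILE_KEY = b"constructed-per-file-key"               # hypothetical; erased on real deletion
PAGE = build_sample_page()
ENC_PAGE = stand_in_encrypt(PAGE, FILE_KEY)
PLAIN_IMAGE = bytes(8192) + PAGE + bytes(4096)       # what carving would need to see
CIPHER_IMAGE = bytes(8192) + ENC_PAGE + bytes(4096)  # what a raw dump actually holds

if __name__ == "__main__":
    print("plaintext image :", carve_sqlite_headers(PLAIN_IMAGE), round(shannon_entropy(PAGE), 2))
    print("ciphertext image:", carve_sqlite_headers(CIPHER_IMAGE), round(shannon_entropy(ENC_PAGE), 2))
```

The same page is found at its offset in the plaintext image and is invisible in the ciphertext image, where the block measures as near-random; only the original key turns it back into something a carver can recognise.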


   
(@sevenofnine)

@passcodeunlock

Thanks again for the detail and the education, this makes sense now.

Purely out of curiosity and unrelated to my issue, would your explanation above apply for iOS 13 through 13.5? Just asking as you mentioned 13.5 being a problem.


   
(@passcodeunlock)
 

I shouldn't try to repeat what is already written pretty well:

https://www.elcomsoft.com/eift.html

🙂

 


   
(@sevenofnine)

@passcodeunlock

While doing my research I have found Elcomsoft to be very open and useful, they don't appear to "hype" like some of the other companies I have read detail from, or is that my lack of experience?

When researching SQL and WAL I have also found Sanderson Forensic really good.

Thanks again for your help, it's appreciated.


   
(@em-belkasoft)
 
Posted by: @sevenofnine

Hi,

Have looked up lots on here in the past and thought I would finally join. I am a complete novice so I'll apologise now for saying anything wrong or simplistic!

Looking at an iPhone 8 Plus running iOS 13.5 with a known passcode. At some point the user has installed non-work-related apps such as WhatsApp and Facebook Messenger, but they have deleted (not offloaded) the apps a month ago.

I have spent time reading up on SQLite and WAL files plus what I can find on iOS per-file encryption; however, I cannot find a definitive answer.

If an app is deleted (not backed up locally or to iCloud), can the data within it be carved, thus allowing for analysis of the SQLite databases within them? If the device was jailbroken using checkra1n, would this make any difference?

Thanks guys.

There is nothing wrong with being a novice. To be fair, you are unlikely to find open resources that specifically target the subject you describe. 

Why not investigate things on your own to see what you can find? Perhaps you can even describe and publish your results for others in the forensics world to see. Well, this is how you advance from being a novice who only asks questions.

You can get Belkasoft Evidence Center. This tool will provide the functions you need to acquire data from the iPhone 8 Plus, perform search and analysis tasks, and so on. 


   
(@passcodeunlock)
 

@em-belkasoft: are you sure Belkasoft Evidence Center will be able to acquire anything from this device with iOS 13.5?! 🙂


   
(@sevenofnine)

@passcodeunlock

I think I could have said iOS 14 and they would still have written the same advert! 🤣 🤣


   