Hi,
Have looked up lots on here in the past and thought I would finally join. I am a complete novice, so I'll apologise now for saying anything wrong or simplistic!
Looking at an iPhone 8 Plus running iOS 13.5 with a known passcode. At some point the user has installed non-work-related apps such as WhatsApp and Facebook Messenger, but they deleted (not offloaded) the apps a month ago.
I have spent time reading up on SQLite and WAL files, plus what I can find on iOS per-file encryption, however I cannot find a definitive answer.
If an app is deleted (not backed up locally or to iCloud), can the data within it be carved, thus allowing for analysis of the SQLite databases within them? If the device was jailbroken using checkra1n, would this make any difference?
Thanks guys.
The iPhone 8 Plus device is checkm8 compatible, but iOS 13.5 might be a problem.
One way is to jailbreak with unc0ver and then do a full filesystem acquisition with any worthy forensic software.
Another way is in-lab Cellebrite CAS or GrayKey acquisition.
The chances of having app remnant artifacts are a yes or a no; you can't know until you try...
Thanks for the reply. Appreciate this may just be down to terminology, but I always assumed a full file system was not physical, i.e. not a bit-for-bit copy, and therefore unallocated space would not be included? Or have I crossed about three different topics and got that completely wrong? 🙂
You are right about the terminology: physical acquisition is a generic term, which is interpreted way wrong when it comes to Full Disk Encryption and File Based Encryption.
What's the catch in having a bit-by-bit copy, including the unallocated (and slack) space, of a chip's physical content which has on it logically encrypted partitions or files?! It's simply garbage.
With iOS 13.5 your luck is limited to having remnant artifacts in databases. Decrypted Full File System is the most you can get, if jailbroken and the passcode is known. Whatever is deleted is gone for good, unless you know a method to recover the file's unique encryption key, which is also gone 🙂
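Added example, not code posted by anyone in this thread: the "remnant artifacts in databases" mentioned above are typically stale SQLite WAL frames, i.e. frames that sit beyond the live log after SQLite restarts the log at a checkpoint, inside a file you can still decrypt because the file itself was never deleted. The script below (standard library only) builds a constructed WAL-mode database with a hypothetical file name (ChatStorage.sqlite) and constructed rows, forces a log restart, then parses the -wal file by hand following the layout in https://www.sqlite.org/fileformat.html: it validates the 32-byte header, checks each frame's salts and the cumulative checksum chain, separates live frames from stale ones, and shows that the stale frames still carry the row text.

```python
"""Added example: walk a SQLite -wal file and split live frames from stale remnants.
Format reference: https://www.sqlite.org/fileformat.html (WAL header, frame header,
salts, cumulative checksum). Standard library only; sample data is constructed."""
import os
import sqlite3
import struct
import tempfile
from dataclasses import dataclass, field

WAL_MAGIC = 0x377F0682   # 0x377F0683 (low bit set) means big-endian checksums
WAL_HEADER_LEN = 32
FRAME_HEADER_LEN = 24


@dataclass
class Frame:
    index: int          # 1-based position in the file
    pgno: int           # database page this frame holds a copy of
    commit_size: int    # db size in pages after commit; 0 = not a commit frame
    salt_ok: bool       # salts match the current WAL header
    checksum_ok: bool   # cumulative checksum chain intact up to this frame
    live: bool          # belongs to the current log (salts and chain valid)
    committed: bool     # live and at or before the last commit frame
    page: bytes = field(repr=False)


def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """SQLite WAL checksum: two running 32-bit sums over consecutive word pairs."""
    fmt = ">II" if big_endian else "<II"
    for off in range(0, len(data) - len(data) % 8, 8):
        x0, x1 = struct.unpack_from(fmt, data, off)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(wal):
    magic, _ver, page_size, ckpt_seq, salt1, salt2, c1, c2 = struct.unpack(">8I", wal[:WAL_HEADER_LEN])
    if magic & 0xFFFFFFFE != WAL_MAGIC:
        raise ValueError("not a SQLite WAL file: magic 0x%08x" % magic)
    big_endian = bool(magic & 1)
    s0, s1 = wal_checksum(wal[:24], 0, 0, big_endian)   # header checksum covers its first 24 bytes
    header_ok = (s0, s1) == (c1, c2)
    frames, chain_ok, frame_len = [], header_ok, FRAME_HEADER_LEN + page_size
    for idx, off in enumerate(range(WAL_HEADER_LEN, len(wal) - frame_len + 1, frame_len), start=1):
        pgno, commit_size, fs1, fs2, fc1, fc2 = struct.unpack(">6I", wal[off:off + FRAME_HEADER_LEN])
        page = wal[off + FRAME_HEADER_LEN:off + frame_len]
        salt_ok = (fs1, fs2) == (salt1, salt2)
        checksum_ok = False
        if chain_ok and salt_ok:
            # The chain continues over the frame's first 8 bytes (pgno, commit size) and the page.
            s0, s1 = wal_checksum(wal[off:off + 8], s0, s1, big_endian)
            s0, s1 = wal_checksum(page, s0, s1, big_endian)
            checksum_ok = (s0, s1) == (fc1, fc2)
        chain_ok = chain_ok and salt_ok and checksum_ok   # first bad frame ends the live log
        frames.append(Frame(idx, pgno, commit_size, salt_ok, checksum_ok, chain_ok, False, page))
    last_commit = max((f.index for f in frames if f.live and f.commit_size), default=0)
    for f in frames:
        f.committed = f.live and f.index <= last_commit   # live frames past the last commit are uncommitted
    return {"page_size": page_size, "checkpoint_seq": ckpt_seq, "salt": (salt1, salt2),
            "header_checksum_ok": header_ok, "frames": frames}


def demo_wal_bytes():
    """Constructed sample (hypothetical file name, made-up rows): a tiny WAL-mode database
    whose log is restarted, leaving the earlier frames behind the new, shorter live log."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "ChatStorage.sqlite")
        con = sqlite3.connect(db, isolation_level=None)   # autocommit: one transaction per statement
        con.execute("PRAGMA journal_mode=WAL").fetchall()
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO message(body) VALUES ('recoverable-one')")
        con.execute("INSERT INTO message(body) VALUES ('recoverable-two')")
        # After a checkpoint that restarts the log, the next writer rewrites the WAL header
        # with fresh salts and begins again at frame 1; bytes beyond its last frame stay put.
        con.execute("PRAGMA wal_checkpoint(RESTART)").fetchall()
        con.execute("DELETE FROM message WHERE id = 1")
        with open(db + "-wal", "rb") as fh:
            wal = fh.read()   # read while open: closing the last connection checkpoints and deletes the WAL
        con.close()
    return wal


def summarize(wal):
    p = parse_wal(wal)
    fr = p["frames"]
    return {"page_size": p["page_size"], "header_checksum_ok": p["header_checksum_ok"],
            "live": [f.index for f in fr if f.live],
            "committed": [f.index for f in fr if f.committed],
            "stale": [f.index for f in fr if not f.live],
            "stale_pages_with_row_text": sorted({f.pgno for f in fr if not f.live and b"recoverable-" in f.page})}


if __name__ == "__main__":
    print(summarize(demo_wal_bytes()))
```

Run against a real -wal file by calling parse_wal(open(path, "rb").read()): the live frames are what SQLite itself would replay, while frames whose salts no longer match the header are the carving targets, and a frame with intact salts but a broken checksum chain is what a partial overwrite or an edited page looks like. Only the frames are checked here; interpreting the page bytes (cells, freeblocks) is the next step and is out of scope for this block.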
Thanks again for the detail and the education, this makes sense now.
Purely out of curiosity and unrelated to my issue, would your explanation above apply for iOS 13 through 13.5? Just asking as you mentioned 13.5 being a problem.
I shouldn't try to repeat what is already written pretty well:
https://www.elcomsoft.com/eift.html
🙂
While doing my research I have found Elcomsoft to be very open and useful; they don't appear to "hype" like some of the other companies I have read detail from, or is that my lack of experience?
When researching SQL and WAL I have also found Sanderson Forensic really good.
Thanks again for your help, it's appreciated.
There is nothing wrong with being a novice. To be fair, you are unlikely to find open resources that specifically target the subject you describe.
Why not investigate things on your own to see what you can find? Perhaps you can even describe and publish your results for others in the forensics world to see. Well, this is how you advance from being a novice who only asks questions.
You can get Belkasoft Evidence Center. This tool will provide the functions you need to acquire data from the iPhone 8 Plus, perform search and analysis tasks, and so on.
@em-belkasoft: are you sure Belkasoft Evidence Center will be able to acquire anything from this device with iOS 13.5 ?! 🙂
I think I could have said iOS 14 and they would still have written the same advert! 🤣 🤣