I see from Oxygen Forensic Suite version 5.4 release notes that passcoded iOS devices (iPhone 4S and above) can now be forced into a back-up.
Has anyone tried this yet and what are your experiences?
Thanks
Hi,
I have just tried it with an iPhone 4S running 7.0.4. The phone was password proected with a 6 figure number.
Th software extracted all the live data as if there was no password at all.
I have some more tests to do with an iPad.
I doubt that a physical acquisition will be possible but I have to say that if there is a password on the device it looks as if Oxygen is the only answer.
(I have no connections with the company)
ludlowboy,
Did it require any lockdown plist(s) or other information? My understanding was that for this to work, Oxygen required lockdown plist(s) from a computer the phone had been synced with after the password was applied.
If the device you tested had been previously synced with the analysis machine, then Oxygen may have searched the default storage path(s) for the necessary files.
Regards,
Jesse
I just connected the iPhone to my computer with Oxygen software on it and it extracted the data from the phone.
I had previously used the same computer for examining the same phone.
When I have another locked iPhone to examine I will update my findings.
ludlowboy,
Thank you for the reply. I'm reading conflicting reports about this working and requiring the necessary plist(s), so I was just trying to figure out the details of your experience.
Regards,
Jesse
Have you seen this?
http//
ludlowboy,
Yes, I had read that a few weeks ago. My colleagues were advising that they were still being prompted for the passcode or the plist(s) and the Oxygen developer was also advising that the plist(s) were required. I currently do not have the most current version of Oxygen to test and renewing it might be dependent on getting absolute confirmation that this works.
I appreciate the input!
Regards,
Jesse
Hi,
Thanks for all your replies.
This does not sound as straight forward as advertised by the software vendor.
We have known for sometime that if the computer the handset was synced with was also seized access can be gained.
I look forward to hearing if any of you have any joy with a handset that has not been synced before on the forensic workstation.
Thanks
I retried my test on a computer which had Oxygen installed but had not been been used to sync the test iPhone 4S.
This time the software requested that I enter the Passcode or navigate to the 'Lockdown plist'.
The software was able to provide the filename for the Lockdown plist and it would be easy to locate the file and proceed if you also had access to a computer that the phone had already been backed up to.
It appears that this software has improved current capability but not in the way that everyone hoped
The only other alternative is to take a backup of the phone using a restored copy of the computer that it was synced to. So it's a bit of a time saver.
In terms of getting the pass code of a locked device there has to be a way. But it would probably involved getting a signed boot loader from Apple.