I am having a very hard time getting the answer to some questions, so I'm hoping someone out there can give me a clear answer.
Do the tools Elcomsoft's iOS toolkit and Cellebrite Physical Analyzer actually give you the ability to recover deleted files from iOS4 and up?
When they dump the image, is the whole thing unencrypted?
Can I view the 16GB image file in WinHex and see everything, including random texts?
I'm trying to figure out if there's a difference between the free tools available and the expensive ones by Elcomsoft and Cellebrite.
Thanks in advance
I am not too sure of Elcomsoft's iOS toolkit, as I have never used it.
However, I know that .XRY extracts both live and deleted data from iPhone by doing a logical examination. http//
The Cellebrite Physical Analyzer can be used to perform a file system dump examination; this basically interprets the iPhone's file system. This extracts live and deleted data but also allows you to view the folder structure. This gives you more data, like the apps the iPhone has installed, etc.
The physical analyzer also allows you to obtain the passcode on certain iPhones.
iOS5 is not supported at this moment in time, but I have heard it will be soon.
Somebody else might be able to expand on all of this, as this is just off the top of my head.
I think you would have a hell of a job and time on your hands if you were seriously thinking of opening the dump file in a hex editor. Especially if it was a 64GB iPhone …. and most of the data is stored in SQLite tables
Also, using commercial software is more forensically sound, as these have been tested thoroughly.
Hope this helps
Which free tools are you looking at?
Some clarifications to the above:
The Cellebrite Physical Analyzer and some other tools (but not all that were mentioned above) allow you to perform a physical extraction and low-level file system extraction even if the iPhone is locked, and also extract protected files that are not accessible through the logical file access (like email files).
iOS4 (and iOS5) introduced a few changes:
1) File protection - email files are no longer accessible through regular logical methods
2) Files are individually encrypted
The physical method adds these capabilities:
1) Bypass a locked device
2) Perform a physical extraction of the iPhone partitions
3) Access protected files
Cellebrite UFED and only some of the other tools address these challenges and allow you to bypass user lock and perform the following actions:
1) User password extraction
2) Low-level file system extraction
Using this method, most tools (if not all) will still not extract protected files (next UFED PA version will)
This will give you access to protected files too in a much faster way (no need to dump many GBs of data)
3) Physical extraction and decryption of the iPhone partitions (not all devices with iOS4 are encrypted. I think there is another thread explaining this)
The entire file system is accessible and decrypted, including protected files (like emails in iOS4; in iOS5 additional files are protected)
In addition, the keychain file is decrypted, exposing different user passwords (like email passwords)
Regarding deleted files from unallocated space:
When the iPhone is encrypted (all iPhone 4 devices and 3GS devices that were recovered into iOS4 and above), each file is encrypted individually and the unallocated space stores encrypted data (with different encryption keys that generally cannot be associated with the data).
One of the ways to recover deleted files from unallocated space (with limited results) is using the journal files.
And, yes, UFED Physical iOS5 extraction and decryption support is around the corner.
Hope this helps clarify.
Ron Serber
Cellebrite
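What the per-file encryption described in the post above means for someone opening a raw dump in a hex editor, as an added example that is not part of the thread or of any tool mentioned in it: the sketch labels each block of an image by signature and Shannon entropy, so ciphertext regions stand apart from readable ones. The sample image is constructed, and the 4096-byte block size and the 7.5 bits/byte threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database
BLOCK = 4096                            # assumed block size for this sketch

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform random)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if block.startswith(SQLITE_MAGIC):
        return "sqlite-header"
    if not any(block):
        return "empty"
    # Ciphertext is statistically close to random data, so carving finds nothing in it.
    return "high-entropy" if entropy(block) > 7.5 else "readable"

def scan(image: bytes, block_size: int = BLOCK):
    """Return (offset, label) for every block of the image."""
    return [(off, classify(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]

def fake_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes standing in for encrypted unallocated space."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def build_sample() -> bytes:
    """Constructed 5-block image: decrypted DB, ciphertext, text, zeros, ciphertext."""
    db = (SQLITE_MAGIC + b"CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT);"
          ).ljust(BLOCK, b"\x00")
    note = (b"meet at 5pm " * 400)[:BLOCK]
    return db + fake_ciphertext(BLOCK) + note + bytes(BLOCK) + fake_ciphertext(BLOCK, b"other")

if __name__ == "__main__":
    for off, label in scan(build_sample()):
        print(f"0x{off:06x}  {label}")
```

Blocks labelled high-entropy are the ones where string searches and signature carving return nothing without the matching keys.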
Ron, that's really helpful, thanks
I just tried UFED PA on iOS5, but it did not work
iOS5 physical support with decryption is coming soon
I have used Elcomsoft a bunch of times on iOS4/iOS5 and even A5 devices. I've been very happy with the results.
I would also recommend Elcomsoft. Use it all the time, very easy to use!
Is it possible to recover a deleted movie from unallocated on an iPhone 4 running iOS 4?