What is everyone's iOS forensic tool of choice? I don't have a massive budget, so I'm figuring out which one would be the best bang for my buck. In advance, thanks to all who reply.
Your poll seems a bit flawed.
What are you hoping to achieve from the software? There are two main ways to acquire an iOS device. Physically and Logically.
Some of those tools offer Physical and some only offer Logical. Some will analyse the data and present it and others will just extract the data.
For pure imaging/extraction my vote goes to the Elcomsoft iOS ToolKit.
For data examination (including extraction) my vote goes to Cellebrite/XRY
Are you a PC examiner looking to push abilities with phones or are you a phone examiner looking to expand tool kit?
Cellebrite and XRY would be more suitable to a phone examiner as they offer LOTS of support for other phones, not just the iOS devices.
Adding to Dougs comment
In terms of extraction, iOS Toolkit by elcomsoft is a little bit trickier to use (Cellebrite PA has pretty pictures and step by step instructions), but will potentially crack complex passwords, whereas other tools can only handle simple passcodes on a physical extraction.
Definitely having XRY/Cellebrite is a bonus for examinations of different types of phones; between the two of them they cover a very large majority of the models out there.
I haven't played around a lot with XRY lately, but I do know that Physical Analyser allows you to code your own custom parsers in python; which may assist your decision. Haven't really played with the others since PA/XRY seem to do a pretty decent job at getting access to the file system/parsing data etc.
So in terms of my vote, I'd go with physical analyser, but XRY is right up there too.
Regarding budget, it doesnt look like it will apply to you, but law enforcement personnel can receive Zdzarski's tools for free at iosresearch.org
Either way, I'm not aware of any tools on the market that can get a physical extraction/passcode unlocking of an iphone 4s, ipad 2/3, and im guessing that will continue with the iphone 5 in the next couple weeks. What this means for for us is that there will be fewer iphones we can handle around.
I've currently got Oxygen Forensic Suite and I'd like to get a physical acquisition device, but it seems too cost prohibitive.
I've currently got Oxygen Forensic Suite and I'd like to get a physical acquisition device, but it seems too cost prohibitive.
Why do you want to acquire phyically? What extra info will you get from iOS 4, 5 & 6 devices?
I've currently got Oxygen Forensic Suite and I'd like to get a physical acquisition device, but it seems too cost prohibitive.
Why do you want to acquire phyically? What extra info will you get from iOS 4, 5 & 6 devices?
It has more to do with accessibility and not using a jail-breaking technique to create an image.
Also, physical can be limited by device version - 4s, iPad 2/3
Device Seizure didn't get a spot on your list? I have and use that as well as Oxygen Forensic
Device Seizure didn't get a spot on your list? I have and use that as well as Oxygen Forensic
There were a couple of more I wanted to add, such as Paraben's solution, but the poll limited me to only 10 options.
My choice is not listed there. I vote for free & open source "iphone-dataprotection" tools. They are awesome but they do not have GUI. You have to be a technical person to use those tools.
I have documented the usage here - http//