trewmte is correct. Let me clarify.
BlackLight will analyze ANY iOS device or Mac device regardless of physical or logical image. BlackLight itself will make a logical collection of any iOS device, including an iPad 2, iPhone 4S and yes, even the new iPad, for analysis. It (BlackLight) will NOT make a physical image. Nothing on the market will currently "forensically" make a physical image of the iPad 2 or iPhone 4S without them first being jailbroken.
The vast majority of information can be retrieved from a logical collection. However, many things we as forensic practitioners are used to getting will not be available with this method: email, certain apps using class A data protection, system log files, Safari cache, and unallocated data.
However, even with a full physical image, NO ONE can currently recover ANY deleted data on disk from an iOS image which is of version 4.0 or higher. This is due to the way Apple encrypts the files; the keys used to encrypt the files are lost when the file is deleted, making it near impossible to decrypt the file, assuming you could carve for it.
Hope this helps to clarify things. If not feel free to contact me or BlackBag.
Full disclosure: I am the VP of Product Development for BlackBag.
Drew
Just to throw out some possibilities:
Say you have an iPhone 4S with iOS 5.0.1:
1) An untethered jailbreak has been released for the iPhone 4S with the new Absinthe program. Redsn0w and Corona have both been updated to fix issues with iBooks and launchctl. (hackthatphone.com)
2) After the jailbreak, employ the Zdziarski technique to acquire the keychains and run them through the Python decrypto module (if that's been updated too?).
3) Now do a forensic acquisition (dd) with the decrypted keychain files, where it decrypts the image at the same time (at least in theory).
iPhone 4S with 5.1:
As above, but only a tethered jailbreak is out at the moment and it is more buggy.
However, even with a full physical image, NO ONE can currently recover ANY deleted data on disk from an iOS image which is of version 4.0 or higher. This is due to the way Apple encrypts the files; the keys used to encrypt the files are lost when the file is deleted, making it near impossible to decrypt the file, assuming you could carve for it.
That's not entirely true. I've used Physical Analyzer by Cellebrite to recover deleted files off a physical image running a version 4.0 or higher. But if the device is wiped on a 4+ then the encryption keys are deleted and you won't get anything back.
But it isn't yet possible to get a physical image (and hence recover deleted files) from an iPhone 4S or iPad 2/3 yet because of the chipset (is anyone working on this!?).
Also, cracking the passcode isn't possible either, which I would imagine is a major pain if you need it to catch the bad guys.
I think there may be a crossover/generalisation here caused by people's understanding of deleted data from these devices.
I think what Drew is trying to say is that unallocated files/space within an image of iOS 4+ cannot currently have anything done with them due to encryption. Hopefully a solution to this presents itself in the future.
However, deleted data (or dereferenced data, if you will) CAN and DOES exist within the *live* databases. This is the deleted data which is recovered by the available forensic solutions, including Cellebrite and XRY, etc.
As such, while it is not possible to acquire a physical image of certain newer iDevices, this does not actually prevent the recovery of deleted data, as with a logical image a lot of databases are still recovered and can be investigated to recover both live and any available dereferenced (deleted) data.
I hope this provides some clarity on the issue for those less familiar with the examination of these devices.
Colin
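As an added illustration of the point Colin makes above (this is example code written for this thread, not code from any of the posters, BlackBag, Cellebrite or XRY), the script below builds a small constructed messages database, deletes one row, and then carves the raw file for records that are dereferenced but still physically present. The scan walks the three places a deleted row can sit inside a live SQLite file: freeblocks within a b-tree page, the unallocated gap between a page's cell-pointer array and its cell content, and whole pages on the database freelist. The table name, the messages and the "sms.db" file name are all made up for the demonstration; the page layout follows the published SQLite file format.

```python
"""Carve dereferenced (deleted) records out of a live SQLite database.

Added example for this thread; not code from any poster, BlackBag, Cellebrite
or XRY. Format offsets follow the SQLite 3 file format documentation. The
sample database, its table and its messages are constructed for the demo.
"""
import os
import re
import sqlite3
import struct
import tempfile

# Runs of 6+ printable ASCII bytes; long enough to skip record-header noise.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# b-tree page type byte -> page header length (interior pages carry an extra
# 4-byte right-most child pointer).
BTREE_TYPES = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}


def _strings(blob):
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def carve_sqlite(data):
    """Return printable strings found only in unallocated regions of `data`."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    raw_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if raw_size == 1 else raw_size
    n_pages = len(data) // page_size
    found = []

    # Freelist: header offset 32 names the first trunk page. A trunk page holds
    # a next-trunk pointer, a count, then the page numbers of free leaf pages.
    free_pages = set()
    trunk = struct.unpack(">I", data[32:36])[0]
    while trunk and trunk <= n_pages and trunk not in free_pages:
        free_pages.add(trunk)
        off = (trunk - 1) * page_size
        nxt, count = struct.unpack(">II", data[off:off + 8])
        count = min(count, (page_size - 8) // 4)
        leaves = struct.unpack(">%dI" % count, data[off + 8:off + 8 + 4 * count])
        free_pages.update(leaves)
        trunk = nxt

    for pg in range(1, n_pages + 1):
        page = data[(pg - 1) * page_size:pg * page_size]
        if pg in free_pages:
            found.extend(_strings(page))  # the whole page is unallocated
            continue
        hdr = 100 if pg == 1 else 0  # page 1 starts with the 100-byte file header
        hdr_len = BTREE_TYPES.get(page[hdr])
        if hdr_len is None:
            continue  # overflow, lock-byte or pointer-map page: nothing to walk
        first_free, n_cells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        content_start = content_start or 65536
        ptr_end = hdr + hdr_len + 2 * n_cells
        # Unallocated gap between the cell-pointer array and live cell content.
        found.extend(_strings(page[ptr_end:content_start]))
        # Freeblock chain: each block begins with a 2-byte next offset and a
        # 2-byte total size; only those 4 bytes of the old cell are overwritten.
        fb, seen = first_free, set()
        while fb and fb + 4 <= page_size and fb not in seen:
            seen.add(fb)
            nxt, size = struct.unpack(">HH", page[fb:fb + 4])
            found.extend(_strings(page[fb + 4:fb + size]))
            fb = nxt
    return found


def demo():
    """Build a constructed messages database, delete one row, carve the file.

    Returns (live_bodies, carved_strings) so the two views can be compared.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        con = sqlite3.connect(path)
        # Set explicitly so the result does not depend on the compile-time
        # default; with secure_delete ON the freed bytes would be zeroed.
        con.execute("PRAGMA secure_delete = OFF")
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        con.executemany("INSERT INTO message (sender, body) VALUES (?, ?)", [
            ("alice", "lunch tomorrow at noon?"),
            ("bob", "meet at the docks at midnight, bring the ledger"),
            ("carol", "happy birthday, see you saturday"),
        ])
        con.execute("DELETE FROM message WHERE id = 2")  # dereferenced, not wiped
        con.commit()
        live = [row[0] for row in con.execute("SELECT body FROM message ORDER BY id")]
        con.close()
        with open(path, "rb") as f:
            data = f.read()
    return live, carve_sqlite(data)


if __name__ == "__main__":
    live_rows, carved = demo()
    print("live rows:", live_rows)
    print("carved from unallocated space:", carved)
```

Running it shows two live bodies from the query and the deleted "meet at the docks" message recovered from a freeblock, with the live messages absent from the carved set. The same walk applied to a real database pulled by a logical collection (an sms.db or a third-party app store) is what "deleted record recovery" amounts to inside a file that is still readable; it says nothing about unallocated disk blocks, which on iOS 4+ are the per-file-key encrypted remnants Drew describes.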
My understanding is that they are not alone in the ability to image the devices, however, I wonder whether the approach offered is a clean approach with little to no footprint left. Other providers offer a solution for these devices though currently these are classed as dirty and as such we are refraining from using them.
I'd be keen to know whether BlackLight's approach would be regarded as clean or dirty? Wardy, perhaps you could confirm?
Colin
By "dirty" do you mean that they install something on the device they are imaging? If so, I don't see that as an issue.
I agree, it's not an issue that would stop me using the tool, but certainly something that I would prefer to know about if it's happening.
Unless I am overlooking it, I see nothing stating it supports "imaging" the iPad 2, but rather "Device Analysis". I am guessing that is a logical approach, unless someone can link me to what they are actually capable of doing.