All,
I need some help on how to explain something to our legal team. They want us to get a "forensic" acquisition of an ipad/iphone even if the device is wiped. We use Oxygen in-house, and I've tried to explain that we cannot get anything from a wiped device. When I try, it says that all of the databases are empty and doesn't acquire anything. I'm at a loss as to how to explain that mobile devices aren't like computers, and I get the feeling the legal team believes that they are. Any ideas on how I can explain my point?
Thanks!
First of all, if the data from PC was wiped correctly nothing can be restored too. Even if you perform physical extraction.The best way to wipe is just to write something to the place where another data was deleted from. And that data will be deleted forever. This is the difference between wipe and delete. The same is with encrypted disks, if you wipe them or encryption keys, you'll never be able to restore this data from PC.
iOS is very close to encrypted drives on PC. Storage and each and every file is encrypted. It is enough to wipe (not only delete) data. And not the data itself but encryption keys only. So iOS wipes these keys and data cannot be decrypted. Another issue that there is no physical access to storage, like we have on PC. This brings additional barrier because without physical access you cannot read storage directly and hope to take raw data.
Thanks for the response; I appreciate it!