iPhone 5s iOS 7 Emails phone extractions on site

(@bharick)
New Member
Joined: 14 years ago
Posts: 1
Topic starter  

What are the preferred tools for email extraction on iPhones? 4's, 5's, iOS 7+. Been doing some research and it appears that these phones need to be jailbroken in order to get XRY ver 6.7 to acquire emails.
Yet from what I can tell iOS has not been jailbroken yet. I have XRY phy and logical ver 6.7.

On another note
My investigators are asking me to extract iPhones and Android devices on site. How reasonable or doable is that? I have done some on site using XRY on a laptop, yet I am not always sure that I am recovering all that I could because of lack of time. They want it done during the course of a search warrant. Sometimes they will be done with their paper searches while waiting for a phone to complete extracting.

Thank you in advance
Please reply to

bruce.harick@state.mn.us


   
(@dcs1094)
Estimable Member
Joined: 12 years ago
Posts: 146
 

What are the preferred tools for email extraction on iPhones? 4's, 5's, iOS 7+. Been doing some research and it appears that these phones need to be jailbroken in order to get XRY ver 6.7 to acquire emails.
Yet from what I can tell iOS has not been jailbroken yet. I have XRY phy and logical ver 6.7.

XRY is very good software, but much like Oxygen, Cellebrite etc. they can only extract emails from the built-in 'Mail' app if the device is jailbroken. You only have 2 options - either jailbreak the device or do a manual examination. (Very stressful I know… previously had some awful One Touch handset and had to take over 1,600 manual photos, which is currently our lab record! ;/ )

On another note
My investigators are asking me to extract iPhones and Android devices on site. How reasonable or doable is that? I have done some on site using XRY on a laptop, yet I am not always sure that I am recovering all that I could because of lack of time. They want it done during the course of a search warrant. Sometimes they will be done with their paper searches while waiting for a phone to complete extracting.

The issue you have is smartphones are constantly getting larger internal memory. Soon to be a new iPhone with 128GB?? Cellebrite's UFED Touch is pretty good, but the only issue with that is if you acquire a physical image from e.g. a Galaxy S III, you're screwed on time… My choice - Cellebrite have recently released a UFED 4PC which is the same as the Touch however it's cheaper and it uses your computer's OS; in theory should be faster on extraction time if you have decent specs on laptop?

It all depends on what data you are looking for (live/deleted) and what types of extraction etc.


   
(@badgerau)
Trusted Member
Joined: 12 years ago
Posts: 96
 

The bottleneck currently is "USB 2" and the processing power of the mobile handset.

UFED Touch currently uses USB 2, whereas UFED Classic is still using USB 1.

Having UFED on a PC may show some speed increase but this will be negated by the speed at which the data can move from the handset to the PC, or to the UFED Touch.

My experience extracting an iPhone 4s 64GB took at least 4 hours to image and then another min 45 minutes to open and process. Keep in mind this was performed on a Workstation (fully specced) as UFED Physical Analyser allows for iPhone extractions on the PC. This was a physical extraction.

I have not had an opportunity to examine a 128GB iPad yet, but I assume it should take at least 8 hours, when physical is available for these models.

I agree that the type of data on the mobile does seem to make a difference with large videos and photo libraries taking a lot longer to process.


   
(@dcs1094)
Estimable Member
Joined: 12 years ago
Posts: 146
 

My experience extracting an iPhone 4s 64GB took at least 4 hours to image and then another min 45 minutes to open and process. Keep in mind this was performed on a Workstation (fully specced) as UFED Physical Analyser allows for iPhone extractions on the PC. This was a physical extraction.

It is not possible to extract a physical image on an iPhone 4s? I'm hoping that's a typo or I'm all ears!

My experience extracting an iPhone 4s 64GB took at least 4 hours to image and then another min 45 minutes to open and process.

If it was me, I would only acquire images in general of all exhibits on site, then process the data in a lab environment where you have all of your tools at the ready. There are some very fast imaging tools on the market which are capable of doing this at very fast speeds. We have recently tested some for this exact purpose 'on site' work and quite impressed by the results! I know there's a demand every now and then for on site, however with devices becoming more and more like computers, it has to reach a point where certain devices need to be done 'in house' as it were.


   
(@badgerau)
Trusted Member
Joined: 12 years ago
Posts: 96
 

Apologies, it was a logical extraction.

DCS1094, would be very interested to hear about your on site tests/methods.


   
(@dannyrr)
New Member
Joined: 13 years ago
Posts: 4
 

Where you are being asked to extract emails from iPhone 4s and 5s on site you should inform the investigators that there are currently no tools available to extract that data. This data is protected and it is not possible to extract or access it. It wouldn't make a difference if you were doing it in the lab then you still wouldn't be able to provide them.

A possible solution would be if the device was jailbroken. Dependent on the version of iOS it may not be supported to jailbreak and these days I find it is quite rare to find anyone who cares enough to jailbreak the devices these days. Jailbreaking a suspect's device is not good as there is always the possibility of destroying or corrupting it. There may well be some users who may do so but there are too many dangers associated with it. If it was easy and it worked everyone would be using the method.

Unfortunately usually these days a number of avenues are possible. Obtain the user's email accounts from the device and serve a production order on the provider for a copy of the email. This can be more beneficial as not all email may be on the device but may be with the provider. You could always find out the Apple ID details and try to obtain a production order for backup files from the device. The other more painful option is to carry out a manual examination of the emails by photographing the screen for each page of emails and attachments.


   