I would be testing this procedure on a non-evidentiary iphone first… just saying 😉
of course, so would I, if I had the budget to go buy an iPhone 4… cry
Authourisation would be requested from the investigating police officer. Necessary in case anything goes wrong and we break the phone. standard practice.
We have a similar case - used the trial version of the Elcomsoft software with an exported wordlist dictionary and got the first 2 characters of the password for the Itunes backup files. We restored the backup to another Iphone - not the one bought in for examination - and were able to look at the contents of messages and such.
The password ended up being cached on the computer containing the backup so we were quite lucky.
yeah thats why im trying to get the PC, hopefully the backup will be on it. unfortunately we cant restore to a spare iPhone4, but we can examine the backup with Oxgen Forensic Suite after the password is broken with Elcomsoft. Hopefully should be able to access everything. dont exactly know what the iTunes backup stores….? is it a full image of the handset?
It's not a full image, not even all of the allocated files, but that's not to suggest it's not valuable, lots of stuff is still there (calls, messages, addressbook, organizer, (some) application data).
The major thing missing would be emails.
http//
Further to AlexC's post here is some information about what is backed up via iTunes.
http//
* Address Book and Address Book favorites.
* App Store Application data (except the Application itself, its tmp and Caches folder).
* Application settings, preferences, and data.
* Autofill for webpages.
* CalDAV and subscribed calendar accounts.
* Calendar accounts.
* Calendar events.
* Call history.
* Camera Roll (Photos, screenshots, images saved, and videos taken. Videos greater than 2 GB are backed up with iOS 4.0 and later.)
Note For devices without a camera, Camera Roll is called Saved Photos.
* In-app purchases.
* Keychain (this includes email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications. If you encrypt the backup with iOS 4 and later, the keychain information is transferred to the new device. With an unencrypted backup, the keychain can only be restored to the same iPhone or iPod touch. If you are restoring to a new device with an unencrypted backup, you will need to enter these passwords again.)
* List of External Sync Sources (Mobile Me, Exchange ActiveSync).
* Location service preferences for apps and websites you have allowed to use your location.
* Mail accounts.
* Managed Configurations/Profiles. When restoring a backup to a different device, all settings related to the configuration profiles will not be restored (accounts, restrictions, or anything else that can be specified through a configuration profile). Note that accounts and settings that are not associated with a configuration profile will still be restored.
* Map bookmarks, recent searches, and the current location displayed in Maps.
* Microsoft Exchange account configurations.
* Network settings (saved wifi spots, VPN settings, network preferences).
* Nike + iPod saved workouts and settings.
* Notes.
* Offline web application cache/database.
* Paired Bluetooth devices (which can only be used if restored to the same phone that did the backup).
* Safari bookmarks, cookies, history, offline data, and currently open pages.
* Saved suggestion corrections (these are saved automatically as you reject suggested corrections).
* SMS and MMS (pictures and video) messages.
* Trusted hosts that have certificates that cannot be verified.
* Voice memos.
* Voicemail token (This is not the Voicemail password, but is used for validation when connecting. This is only restored to a phone with the same phone number on the SIM card).
* Wallpapers.
* Web clips.
* YouTube bookmarks and history.
If you have access to the person's computer, even if there isn't a backup on it, you can take the Lockdown file from their copy of iTunes and transfer it to your copy of iTunes, allowing you to make a backup (and in general access the device) without needing the password.
We have a chipoff process that will get RAW user data from the phone if that is of interest to you, let me know by PM. Confirm that this is a 3G phone only. 3Gs is not validates at this point. Cheers,
Bob