As of now, I have not seen ANY tool or method that can get the email due to encryption.
And yes, gh05teh, please give more information than just random crap statements.
I like random
iXam was tested by a colleague of mine.
Tested on 3 different 3G at iOS version 4.0 - 4.2
It managed to brick one
(recovery mode loop - that even iREB or auto-boot setting won't fix).
Read one with a whole lot of data missing and I think it just gave up on the last one.
(plus FTS have a dubious rep)
Encryption? JZ's method does hardware decryption from the chip when you do the image (3GS). Although I haven't tested this on an i4 yet, I imagine it to be the same.
As with the above comment, I don't think you will get access to the email through a logical exam unless the thing has been jailbroken or afc is enabled.
At this point in time, JZ's method can only do a logical image of iOS4 because of the disk encryption. In fact his method for iOS4 images to a tar file instead of raw.
It is worth pointing out that it recovers the full logical file system from iOS4+ devices. It will recover more than a traditional (forensic tool) logical extraction!
You can recover the email folder with JZ's tools but this is not possible through iTunes for example.
Up to OS 3.1.3 you can recover a disk image. As of iOS 4.0+ you recover the file system in a TAR archive.
So is it an image of the user data partition (ie including unallocated) or just allocated files?
It's just the allocated files - but as Doug pointed out, that's much more than you'd get with a back-up style extraction.
Apologies, I could have been clearer.
As AlexC has said, in iOS4.0+ devices you are recovering the allocated file system. But in devices running up to OS 3.1.3 you are recovering an image of the user partition (including unallocated).
Great, thanks for clearing that up. So we essentially only have a file system copy on iOS 4 and carving and data recovery on iDevices is pretty much dead in the water for now…
For the time being, yes.
This is also the case for iPads. As of iOS 4 on the iPads we can only recover the file system vs the .dd image from the 3.2 and 3.2.2 firmwares.
On a side note, has anyone found the calls.db on an iOS 4 device?
When we perform a logical extraction (using .XRY 5.3) the database appears to be located at
private/var/wireless/library/callhistory/call_history.db
On the file system extractions we don’t get the ‘wireless’ folder so cannot seem to recover the call history database. Is this a known issue that anyone else has come across?