I saw that there is now a jailbreak available for 11.4 and was wondering if anyone is jailbreaking devices in order to get more from their extractions? Assuming you either have the passcode or there isn't one, are you taking the extra step of jailbreaking the device in order to obtain more? Elcomsoft is saying they can obtain a physical on iDevices once jailbroken which got me thinking is this a step I should be taking for devices I receive.
You better take Cellebrite for your issue.
It really depends on the task you need to do…
For example if you need to examine some malware or spyware, which probably is already at root level, you better don't destroy evidence by trying to jailbrake.
If you need to gather more information over a logical filesystem extraction, if documented in the right way, jailbrake can be ok.
Got it! This was all a hypothetical just to see the value vs risk and to see what others are doing. Obviously, the aim is to get the most evidence as possible with destroying it and the question has to be asked. Thanks as always!!
Before doing this kind of stuff on a live device, ALWAYS try it first on a similar dummy device. If that works as expected, I don't see any major problem repeating the process )
Check out Sarah Edwards' research
Some answers you will only get with a jailbreak->file system extraction
Awesome! Thanks I will check her out…seems she has a podcast on iOS forensics.
Well, there are some problems related to jailbreaking
1. This is of course not "forensically sound" – user partition is being modified.
2. Jailbreaking usually requires Internet connection (on the phone) to trust the certificate. That means that device can be remotely wiped, or at least it can sync with the cloud, so some data can be changed or deleted.
3. Potential risk to corruption of user data. It is in fact minimal for iOS 10-12 jailbreaks due to the way jailbreaks now work – in worst case, device can just reboot.
So using CAS is probably safer, but… We do not know exactly how it works. They probably sideload their "agent" (signed by enterprise certificate) into the device; in any case, "no jailbreak" is not equal to "no changes to the device" and "no risk".