I just received an iPhone and it has been restored to factory settings. I was wondering if there is any software that can pull back the data from the actual device?
Really this depends on the exact model and OS you are examining.
I have recently had a device which was remotely wiped and I have been unable to recover any deleted data.
The reason behind this is due to the file encryption which takes place on the device. When the available tools acquire an image of the device they also acquire the file encryption keys and use said keys to decrypt the files. Then of course you can examine the files using your favourite database/plist viewer and hey presto you have data.
When the files are deleted you may be able to carve them out using Scalpel for example but the files will be encrypted. You may have the encryption key, but, like all good tool developers the algorithms used to apply the key to the encrypted files are kept secret. I am also wondering whether or not the encryption keys will have changed following a remote wipe or factory reset and as such you may also need to find a way to recover the deleted encryption keys in entirety also. This is just a thought I have had, but I don't actually know how the encryption keys are selected in the first place. If they are generated using a standard algorithm using various hardware IDs from the device then you would think they would be the same. But, if they were generated using the SIM card inserted at the time, or some other piece of dynamic information then they may never be reproducible.
If the device is running an earlier OS which didn't encrypt the file system then you may be in some luck and some simple carving may get you some data. Not to make this a sales pitch, but, if the file system is not encrypted then CCL have a tool named Epilog which can be run over an unencrypted DMG image using various data type signatures and will recover a load of data. It is also very good at getting deleted records back from databases you have already acquired.
http//
I'm sure if I have stated anything from my own observations where others have come up with different conclusions then further posts will follow. And of course, all of my comments assume that you have the requisite tools to acquire an image from the device.
Colin
hmmm….
A good idea, but I don't think you can carve anything with Scalpel or any other tools, since when you carve, you search for a signature of the file. Due to the encryption there will no longer be a file signature. At least that's what I have concluded based on my understanding and my experience with it.
Here is an interesting PDF; not sure if it has been posted on this forum before.
http//
Sogeti has written a very helpful (at a glance) breakdown involved in data protection for iOS5
http//
Thanks for sharing the link trewmte,
It doesn't appear to make things any easier from an investigator's perspective. But as usual Sogeti has done a great job in reverse engineering the process.
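Added example (not part of any post in this thread): a small Python sketch of the carving point discussed above, showing that a signature search finds deleted files in unencrypted space but returns no hits once each file's content is encrypted with its own key. The sample image, the keys and the SHA-256 keystream cipher are constructed stand-ins, not the iOS data protection scheme.

```python
import hashlib

# File-header signatures of the kind a carver such as Scalpel searches for.
SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",
    "bplist": b"bplist00",
    "jpeg": b"\xff\xd8\xff\xe0",
}

def carve(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, type) for every signature hit in a raw image."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for per-file encryption: XOR with a SHA-256 counter keystream.
    Assumption for illustration only; this is NOT the algorithm iOS uses."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[block:block + 32], ks))
    return bytes(out)

def build_image(encrypt: bool) -> bytes:
    """Constructed sample of 'unallocated space' holding three deleted files."""
    files = [
        (b"file-key-1", SIGNATURES["sqlite"] + b"\x10\x00" + b"sms rows " * 20),
        (b"file-key-2", SIGNATURES["bplist"] + b"\xd1\x01\x02" + b"prefs " * 10),
        (b"file-key-3", SIGNATURES["jpeg"] + b"\x00\x10JFIF\x00" + b"\x9a" * 100),
    ]
    image = bytearray()
    for key, content in files:
        image += b"\x00" * 64  # slack between files
        image += keystream_encrypt(content, key) if encrypt else content
    return bytes(image)

if __name__ == "__main__":
    print("unencrypted:", carve(build_image(encrypt=False)))
    print("encrypted:  ", carve(build_image(encrypt=True)))
```

The same file contents are present in both images; only the encrypted one hides the headers the carver depends on, which is why the keys matter more than the carving tool.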