Hi,
i just made extraction for a iphone SE with IOS 10.
I made the logical extraction and the filesystem with UFED touch 2.
After that i made the extraction on my forensic computer with UFED software IOS extraction device. I made method 1 and method 2.
When i put all 4 extraction on UFED, it seem that i dont have the same data. I mean if a compare the logical extraction (UFED touch2) and method 1 of UFED software, i have not the same total of SMS, video, photos, etc.
I still have some of the same stuff but depend on the extraction type.
Anybody have this issue ?
I usually only use Methode 1 in Physical Analyzer (be sure to use encryption when asked). It is basically an iPhone backup.
As far as I know there's not really additional useful information included in the other extraction methods.
Method 2 was sometimes useful with older iOS versions (only way to extract pictures synced via iTunes) but got less and less important over time. It is not compatible with iOS 10 anyways as Apple has closed that loophole.
I think doing an extraction on UFED itself also extracts stuff like iTunes Music files, album covers (which Apple doesn't include in its backup service, thus it is not contained in Method 1) but no information that could be relevant.
If you want to dig deeper you need to jailbreak the device (provided the iPhone and iOS version allow it) and install the apple file service via cydia. After doing that, method 3 will magically appear in Physical Analyzer and you'll get a lot of additional information.
When i do additionnal extraction i've got more sms, more chat(imessage)…. Very strange that ufed decode more of this stuff in another type of extraction.
Right now i'm thinking doing all 4 methods, put in ufed in the same extraction to have it all.
If you want to dig deeper you need to jailbreak the device (provided the iPhone and iOS version allow it) and install the apple file service via cydia. After doing that, method 3 will magically appear in Physical Analyzer and you'll get a lot of additional information.
Method 3 for obtaining a physical will only work upto iPhone4s on jailbroken handsets.
If jailbroken you could SSH into the handset to obtain a physical.