
Jonathan Zdziarski method

18 Posts
10 Users
0 Reactions
2,033 Views
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

Marec4 / Hitman,

Just wanted to bring to your attention that Cellebrite UFED Physical will soon introduce support for iPhone and iPad Physical extraction including file system reconstruction and data decoding.

This new development will be part of the UFED Physical license and without any additional charge. (UFED Physical supports physical extraction of more than 1000 different phone models and counting)


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Why not rant against him? It sounds as if you've been wronged.

He does this to many people, considering his background in hacking and his stance that he will only help LE, it seems rather dumb that he does this to lots and lots of people.

Marec4,

I am in LE too and if I may give you some advice, don't wait for JZ… We've sent 5 investigators to his iPhone Forensics training in the last year. His classes were correct, but the problem is that after the training, he NEVER replied to our emails when we needed help (and we've sent a bunch).

Basically, his scripts are great when you encounter an iOS device that fits exactly in the specs of his working scripts. Aside from that, you're on your own…

Also know that his iPhone 4 scripts are all marked as "Experimental" so basically, you're even more on your own as I haven't been able to extract any data with those experimental scripts yet. His documentation available on his restricted-access website is detailed, but outdated.

Just to make things clear, my post is not just to rant against JZ. I know he's great, but before investing (lots of) time and money in learning his technique, I thought you might want to know what you're getting into. If we had known about the lack of post-training support and current documentation beforehand, we wouldn't have gone with the training.

Right now we are looking for an alternative to the JZ method and we will probably buy a licence of FTS iXAM product.


   
(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
 

Marec4 / Hitman,

Just wanted to bring to your attention that Cellebrite UFED Physical will soon introduce support for iPhone and iPad Physical extraction including file system reconstruction and data decoding.

This new development will be part of the UFED Physical license and without any additional charge. (UFED Physical supports physical extraction of more than 1000 different phone models and counting)

RonS,

Thanks for the info.

This seems interesting, but to match JZ method and iXAM, it must be able to perform the physical extraction even if the device is passcode protected (and without needing the iTunes keychain files which we never have…) Do you know if that is the case?


   
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

Yes, this is the case. It will work on passcode protected devices too.


   
 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

Has anyone had any success with recovering call logs on devices running iOS4+?

I have noticed that all the iOS4+ extractions we have performed on the Linux box are failing to fully recover the file system. In particular the scripts are not recovering the "private/var/wireless/" folder, which means we are not able to recover the call logs. I have run various grep commands over the whole file system extraction searching for known phone numbers that should appear in the call_history.db but nothing is found. Is this something that other people have noticed?

I have noticed other issues such as on the Linux iOS 4.1 scripts the 'ProtectedIndex' email file is extracted (and registers as the right size) but is filled with nulls. But it seems to extract the file correctly on 4.0.2 devices. This needs further testing but appears to be an issue.


   
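An added example, not part of the original post or of the scripts discussed in this thread: a Python check for the two symptoms described above (an expected folder such as private/var/wireless missing from the extraction, and a file of the right size that contains only nulls), plus the grep-style search for known numbers. The sample tree layout, the notes.db file and the phone numbers are constructed for illustration.

```python
import os
import tempfile

def audit_extraction(root, expected_dirs, needles=()):
    """Report missing folders, null-filled files and needle hits in an extraction."""
    report = {"missing": [], "null_filled": [], "hits": {}}
    for d in expected_dirs:
        if not os.path.isdir(os.path.join(root, d)):
            report["missing"].append(d)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read; chunk this for very large files
            # Non-empty file whose every byte is 0x00: size looks right, content is gone
            if data and not data.strip(b"\x00"):
                report["null_filled"].append(rel)
            for n in needles:  # raw byte search, same idea as grep over the tree
                if n in data:
                    report["hits"].setdefault(n, []).append(rel)
    report["null_filled"].sort()
    return report

def build_sample(root):
    """Constructed sample: no private/var/wireless folder, one zeroed file."""
    files = {
        "private/var/mobile/ProtectedIndex": b"\x00" * 4096,
        "private/var/mobile/notes.db": b"SQLite format 3\x00call 5550100",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_extraction(root, ["private/var/wireless"],
                                [b"5550100", b"5550199"])

if __name__ == "__main__":
    print(demo())
```

Running the same audit over extractions from different iOS versions makes it easy to see which folders and files a given script set fails to recover.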
(@oxygen_software)
Trusted Member
Joined: 17 years ago
Posts: 53
 

Has anyone had any success with recovering call logs on devices running iOS4+?

Call logs database can be extracted with a plain logical file system reading. What is the problem?


   
 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

Has anyone had any success with recovering call logs on devices running iOS4+?

Call logs database can be extracted with a plain logical file system reading. What is the problem?

Example scenario

iPhone 4 Running 4.2.1
handset lock active (Code not known)

We take the file system read using JZ method. But we have no call database?

I was wondering if anyone else had noticed this with the file system recovery scripts?


   
 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

What sort of transfer speeds are people getting?

With the Linux scripts we seem to get 4 MB/s no matter which computer we use. Be it an old Dell tower or a new i5 laptop.

Does anyone have any tricks for getting faster transfer speeds?


   