Physical extraction of iPhone 5S iOS 11.2.2

(@jparsont03)
Active Member
Joined: 8 years ago
Posts: 7
Topic starter  

Hello,

I have a client asking for evidence of copying WhatsApp messages to a separate device, as well as evidence of a user having illicit access to an email account after the password was changed (sending/receiving email on the phone, possible storage of emails locally, or uploaded to the cloud).

I've used the logical acquisition approach with both BlackLight and Cellebrite but have not found sufficient evidence of the above - other than confirmation that WhatsApp messages were deleted, however with no timestamps of deletion available that I could ascertain (I looked through plists and SQLite databases, everything for any trace of deletion timestamps but was unsuccessful).

At this stage, we don't want to tell the client they're out of luck and we would like to provide them some value. We're in the process of acquiring the native email files to analyze for sent/receipt IP addresses, which may allow the client to trace back to the email's origin at the very least.

We would like to, as a last resort, physically acquire an image of the iPhone 5S iOS v11.2.2 but I am aware that this is easier said than done. I have done extensive research and have not found a forensic tool that can do this. So, I ask the forum, are there any tools or methods I am missing to conduct a physical acquisition and create a forensic image of this device? Or any other advice towards the questions posed by our client?

Thank you,
Jeff


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

Pretty sure you can do it now using the checkm8 and checkrain (checkr4in?) exploits.
Basically a root of the device and then most forensic tools will extract the data.


   