Deleted app encryption ios 13.5  

Picard
(@sevenofnine)
New Member

Hi,

Have looked up lots on here in the past and thought I would finally join. I am a complete novice so I'll apologise now for saying anything wrong or simplistic!

Looking at an iPhone 8 Plus running iOS 13.5 with a known passcode. At some point the user has installed non-work-related apps such as WhatsApp and Facebook Messenger but they have deleted (not offloaded) the apps a month ago.

I have spent time reading up on SQLite and WAL files plus what I can find on iOS per-file encryption, however I cannot find a definitive answer.

If an app is deleted (not backed up locally or to iCloud) can the data within it be carved, thus allowing for analysis of the SQLite databases within them? If the device was jailbroken using checkra1n would this make any difference?

Thanks guys.

Posted : 18/06/2020 7:23 pm
passcodeunlock
(@passcodeunlock)
Senior Member

The iPhone 8 Plus device is checkm8 compatible, but iOS 13.5 might be a problem.

One way is to jailbreak with unc0ver and then do a full filesystem acquisition with any worthy forensic software.

Another way is in-lab Cellebrite CAS or GrayKey acquisition.

The chances for having apps remnant artifacts is a yes or a no, you can't know until you try...

Posted : 21/06/2020 3:44 pm
Picard
(@sevenofnine)
New Member

@passcodeunlock

Thanks for the reply. Appreciate this may just be down to terminology but I always assumed a full file system was not physical, i.e. not a bit-for-bit copy, and therefore unallocated space would not be included? Or have I crossed about three different topics and got that completely wrong? 🙂

Posted : 21/06/2020 5:34 pm
passcodeunlock
(@passcodeunlock)
Senior Member

You are right about the terminology, physical acquisition is a generic term, which is interpreted way wrong when it comes to Full Disk Encryption and File Based Encryption.

What's the catch having a bit-by-bit copy including the unallocated (and slack space) of a chip's physical content which has on it logically encrypted partitions or files ?! It's simply garbage.

With iOS 13.5 your luck is limited to have remnant artifacts in databases. Decrypted Full File System is the most you can get, if jailbroken and the passcode is known. Whatever is deleted, is gone for good, unless you know a method to recover the file's unique encryption key, which is also gone 🙂

Posted : 21/06/2020 6:28 pm
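
The "remnant artifacts in databases" mentioned in the post above, as an added example that is not part of any forum post: a row removed with DELETE disappears from SQL results, but its bytes can stay inside the pages of a database file that still exists. The table name, file name and marker string are constructed for the demonstration, and the file is created locally rather than taken from an iOS extraction.

```python
import os
import sqlite3
import tempfile

MARKER = b"constructed-remnant-message-42"  # constructed sample value

def build_db_with_deleted_row(path):
    """Create a small table, then DELETE one row with secure_delete disabled."""
    con = sqlite3.connect(path)
    # Some SQLite builds default to secure_delete=ON, which zeroes freed cells.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(1, "kept message one"), (2, MARKER.decode()), (3, "kept message three")]
    con.executemany("INSERT INTO messages VALUES (?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    live = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return live

def find_remnants(path, needle):
    """Return (page_number, offset_in_page) for each raw occurrence of needle."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # Page size is a big-endian 16-bit value at offset 16 of the file header.
    page_size = int.from_bytes(raw[16:18], "big")
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    hits, pos = [], raw.find(needle)
    while pos != -1:
        hits.append((pos // page_size + 1, pos % page_size))
        pos = raw.find(needle, pos + 1)
    return hits

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-messages.sqlite")  # hypothetical name
        live = build_db_with_deleted_row(path)
        return live, find_remnants(path, MARKER)

if __name__ == "__main__":
    live, hits = demo()
    print("rows visible to SQL:", live)
    print("raw remnants (page, offset):", hits)
```

Whether such remnants survive in a real database depends on the secure_delete setting, later inserts reusing the freed space, and VACUUM.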
Picard
(@sevenofnine)
New Member

@passcodeunlock

Thanks again for the detail and the education, this makes sense now.

Purely out of curiosity and unrelated to my issue, would your explanation above apply for iOS 13 through 13.5? Just asking as you mentioned 13.5 being a problem.

Posted : 21/06/2020 7:23 pm
passcodeunlock
(@passcodeunlock)
Senior Member

I shouldn't try to repeat what is already written pretty well:

https://www.elcomsoft.com/eift.html

🙂

Posted : 21/06/2020 7:32 pm
Picard
(@sevenofnine)
New Member

@passcodeunlock

While doing my research I have found Elcomsoft to be very open and useful, they don't appear to "hype" like some of the other companies I have read detail from, or is that my lack of experience?

When researching SQL and WAL I have also found Sanderson Forensic really good.

Thanks again for your help, it's appreciated.

Posted : 21/06/2020 8:08 pm
Em-Belkasoft
(@em-belkasoft)
Junior Member

There is nothing wrong with being a novice. To be fair, you are unlikely to find open resources that specifically target the subject you describe.

Why not investigate things on your own to see what you can find? Perhaps, you can even describe and publish your results for others in the forensics world to see. Well, this is how you advance from being a novice who only asks questions.

You can get Belkasoft Evidence Center. This tool will provide the functions you need to acquire data from the iPhone 8 Plus, perform search and analysis tasks, and so on.

Posted : 22/06/2020 11:05 am
passcodeunlock
(@passcodeunlock)
Senior Member

@em-belkasoft: are you sure Belkasoft Evidence Center will be able to acquire anything from this device with iOS 13.5 ?! 🙂

Posted : 22/06/2020 9:44 pm
Picard
(@sevenofnine)
New Member

@passcodeunlock

I think I could have said iOS 14 and they would have still written the same advert! 🤣 🤣

Posted : 22/06/2020 10:56 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Actually Belkasoft is very cool, they implemented checkm8 based FFS acquisition for a wide range of devices and iOS versions, but the big brother (Apple) is also watching and patching against things 🙂

Posted : 22/06/2020 11:09 pm
Em-Belkasoft
(@em-belkasoft)
Junior Member
Posted by: @passcodeunlock

@em-belkasoft: are you sure Belkasoft Evidence Center will be able to acquire anything from this device with iOS 13.5 ?! 🙂

Sure, Belkasoft's checkm8 works on iOS 13.5. We already implemented support for 13.5.1 (the recently released iOS version).

This post was modified 1 month ago by Em-Belkasoft
Posted : 25/06/2020 4:34 pm
fissa
(@fissa)
Junior Member
passcodeunlock
(@passcodeunlock)
Senior Member
Posted by: @em-belkasoft
Posted by: @passcodeunlock

@em-belkasoft: are you sure Belkasoft Evidence Center will be able to acquire anything from this device with iOS 13.5 ?! 🙂

Sure, Belkasoft's checkm8 works on iOS 13.5. We already implemented support for 13.5.1 (the recently released iOS version).

I can confirm that checkm8 based acquisition from Belkasoft Evidence Center works on this device with iOS 13.5.

I didn't try 13.5.1, since the device wasn't upgraded yet to that version, but I might think it would work the same!

This post was modified 3 weeks ago by passcodeunlock
Posted : 12/07/2020 7:28 pm