
iPhone 4S email extraction question.

topsirloin
(@topsirloin)
Junior Member

I need to extract an email from an Apple iPhone 4S running iOS 5.1. From what I understand, the only way to get email from an iPhone 4S is to jailbreak it? I've only jailbroken my own iOS device, but never evidence, so I'm a little hesitant on doing it. I've been given permission from the owner to proceed with the jailbreak, but I have some questions.

Does the type of jailbreak matter? Tethered vs Untethered? From what I've read, untethered is only available for iOS 5.1.1 so an upgrade would be required which would affect the data, so if I can do a tethered jailbreak on an iPhone 4S at iOS 5.1, is that sufficient to do a Cellebrite PA extraction?

Can anyone shed some light on this? Or provide some tips on getting email from this device? Ultimately I'm trying to get the email to hopefully get the advanced header info from a particular email. We're trying to find the originating IP address of an email.

Thanks.

Topic starter Posted : 21/08/2012 7:50 pm
vperez387
(@vperez387)
New Member

Ooh. That is a tight one. I just did an iPad 2 that was not running the current iOS and did a jailbreak. Once I started using Cellebrite, after 1.7 GB it would hang up on me. I then tried to grab the data via SSH to no avail. Shortly after, the iPad went into a looping process only showing the Apple symbol. At that point the device got hosed and I restored it back to factory settings. Luckily from what was partially extracted, I got over 800 emails. It is very tricky. If you need further assistance, let me know.
Veronica

Posted : 22/08/2012 5:15 am
topsirloin
(@topsirloin)
Junior Member

Thanks Veronica for your experience. I'm hesitant on doing anything with this right now! Do you remember the iOS version your iPad 2 was at for the jailbreak?

Topic starter Posted : 22/08/2012 5:54 pm
eyez0n
(@eyez0n)
Junior Member

You may look into this product which claims to be able to do what you would like to do (especially since you have the owner's consent which, I presume, means you have the passcode) - http://www.elcomsoft.com/eift.html.

We just purchased it but have not yet received the dongle so I do not know how well it actually works. Perhaps some of the other fine folks on Forensic Focus could share their experience with this tool.

Posted : 22/08/2012 7:04 pm
Nate4n6
(@nate4n6)
New Member

You may look into this product which claims to be able to do what you would like to do (especially since you have the owner's consent which, I presume, means you have the passcode) - http://www.elcomsoft.com/eift.html.

We just purchased it but have not yet received the dongle so I do not know how well it actually works. Perhaps some of the other fine folks on Forensic Focus could share their experience with this tool.

I can confirm this tool does an excellent job of extracting physical images. It's my "go to" tool when it comes to physical imaging of any iOS device - even though I have other tools available. Elcomsoft does a fantastic job keeping it updated and the documentation is excellent. The fact that it's cross platform is a big plus to me as well. In addition, their customer support has always been quite responsive when needed. It is a tad on the pricey side, but well worth every cent for my uses.

As far as jail breaking, I have found Absinthe to be the quickest and most reliable for 4S and iPad 2 devices.

Best of luck to you good sir!

- Nate

Posted : 28/08/2012 8:48 pm
Robbo747
(@robbo747)
Junior Member

Does the type of jailbreak matter? Tethered vs Untethered? From what I've read, untethered is only available for iOS 5.1.1 so an upgrade would be required which would affect the data, so if I can do a tethered jailbreak on an iPhone 4S at iOS 5.1, is that sufficient to do a Cellebrite PA extraction?

You're talking about areas of data the commercial tools don't exactly pull out & email is one of them on a 4S. Cellebrite File System will reconstruct email for a 2G, 3G, 3GS and 4, but if you can do a filesystem dump either in Cellebrite PA or Radio Tactics Aceso you might have to then manually inspect the files for email relevance. After this have a look in the \mobile\Library\Mail folder for starters. You may find this will be encrypted however.

Posted : 29/08/2012 11:32 am
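
An added example, not code from any poster in this thread: when a file system dump does expose an unencrypted Mail folder like the one Robbo747 points to, the Received chain that topsirloin is after can be read straight from the stored messages. It assumes messages are stored as `.emlx` files (a byte-count line, the RFC 822 message, then a plist trailer); the sample message, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_bytes
from pathlib import Path

# Constructed sample in the assumed .emlx layout (documentation addresses only).
_MSG = (b"Received: from mx.example.net ([198.51.100.7]) by mail.example.org;"
        b" Tue, 21 Aug 2012 10:00:05 -0400\r\n"
        b"Received: from [192.168.1.23] (host.example.com [203.0.113.45])"
        b" by mx.example.net; Tue, 21 Aug 2012 10:00:02 -0400\r\n"
        b"From: sender@example.com\r\nSubject: constructed sample\r\n\r\nbody\r\n")
SAMPLE_EMLX = str(len(_MSG)).encode() + b"\n" + _MSG + b'<?xml version="1.0"?><plist/>'

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literals

def parse_emlx(raw):
    """Drop the leading byte-count line and the trailing plist, then parse."""
    first, _, rest = raw.partition(b"\n")
    if first.strip().isdigit():
        raw = rest[:int(first.strip())]
    return message_from_bytes(raw)

def hops_oldest_first(msg):
    """IPv4 literals per Received header; servers prepend, so reverse the list."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hops.append([ipaddress.ip_address(ip) for ip in IP_RE.findall(value)
                     if all(int(octet) < 256 for octet in ip.split("."))])
    return hops

def candidate_origin(msg):
    """First non-local address walking up from the oldest hop.
    Hops below the first server you trust are sender-supplied and can be forged,
    so treat the result as a lead to corroborate, not as proof."""
    for hop in hops_oldest_first(msg):
        for ip in hop:
            if not any(ip in net for net in LOCAL_NETS):
                return str(ip)
    return None

def scan_dump(mail_root):
    """Map every .emlx file under an extracted Mail folder to its candidate origin."""
    return {str(p): candidate_origin(parse_emlx(p.read_bytes()))
            for p in Path(mail_root).rglob("*.emlx")}
```

Run `scan_dump()` against a working copy of the extracted folder, never the original evidence.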
topsirloin
(@topsirloin)
Junior Member

Thanks Robbo,

I had done a file system extraction but the emails were not included which led me to believe that those files were off limits to the extraction process.

Nate,

Are you seeing physical images available for the 4S? I thought getting a physical image wasn't available yet for the 4S? Also, you have performed a jailbreak on the 4S using Absinthe? I wanted to try it, but it looks like only tethered jailbreaks are available for 5.1, and I didn't want to risk trying that.

Topic starter Posted : 29/08/2012 9:31 pm
Nate4n6
(@nate4n6)
New Member

Topsirloin,

Indeed, I am specifically stating that, with proper tools and techniques, you can acquire a physical image of an iPhone 4S. I have done so on numerous occasions and have had great success with extracting email as well as other data.

For myself, Absinthe has been the most reliable tool for jail breaking iPhone 4S devices, but your mileage may vary. That being said, there is a bit more to it than that.. Feel free to send me a message if you have more questions or need further assistance.

Cheers!

- Nate

Posted : 29/08/2012 10:33 pm
topsirloin
(@topsirloin)
Junior Member

Before I put this one to bed, just wanted to see if there was any further input on this. I'm unable to jailbreak this device because of the iOS firmware it's at (5.1), so I'm not able to get the email off of the device. I'm just trying to get the advanced header info from a particular email on the iPhone. Does anyone have any suggestions on getting this info if I can't get the full file system of the phone?

Topic starter Posted : 18/09/2012 10:01 pm
marcyu
(@marcyu)
Active Member

Topsirloin,

Indeed, I am specifically stating that, with proper tools and techniques, you can acquire a physical image of an iPhone 4S. I have done so on numerous occasions and have had great success with extracting email as well as other data.

For myself, Absinthe has been the most reliable tool for jail breaking iPhone 4S devices, but your mileage may vary. That being said, there is a bit more to it than that.. Feel free to send me a message if you have more questions or need further assistance.

Cheers!

- Nate

But can you acquire a physical image off a 4s or iPad 2/HD without jailbreaking it?

Posted : 19/09/2012 2:23 am