Manual/Automated collection of iPhone E-mails

MrMacca
(@mrmacca)
New Member

I've currently been tasked with the manual photographing of every single e-mail that is contained on an iPhone 6s.

Cellebrite wouldn't connect to the phone so I was unable to use the tablet to take the screenshots, so I have adapted to a Nikon camera on a mount, and then manually scrolling through every e-mail, taking a picture and then rinse repeating until all of them are captured.

What methods do you use to extract e-mails from phones, especially iPhones?

Is there an automatic process I could be using? Or a more efficient method?

I'm based in the UK.

Kind regards

Posted : 12/01/2018 9:50 am
mcman
(@mcman)
Active Member

You likely won't get email with a backup created from any forensic tool from iOS 8.3 or newer. Given that it's an iPhone 6s, it will have a newer file system than 8.3. The file relay service was what tools used to pull email and Apple shut that down after that version.

Unless you can jailbreak the phone or use Cellebrite's CAIS service to get a full file system dump, you're likely out of luck or stuck with photographing.

Jamie

Posted : 12/01/2018 2:24 pm
ThePM
(@thepm)
Active Member

It's not an automated method, but the results are better looking than photographs

We use AirServer on a computer to act as an AirPlay receiver. The video from the iOS device can then be mirrored on the computer. Then we can use screen capture software such as Greenshot to capture the content on the screen.

Recently we also started using Printopia on a Mac as a PDF printer using AirPrint. We can then AirPrint the emails/attachments to Printopia and it ends up in PDF format. It's easy afterwards to OCR the documents and make them searchable.

Of course, you will want an isolated wifi connection with no internet access to connect the iOS device and the computer.

Posted : 15/01/2018 1:46 am
MrMacca
(@mrmacca)
New Member

Thanks for the suggestions.

Regarding the printopia method, how long does it take to do 1 email?

At the moment it's taking me 1-2 seconds an e-mail (depending on the content), which involves getting the email open on the iPhone and then pressing the left mouse button to capture the image.
Then I press back, click the next email and then do the same thing over…and over…and over again.

It's a simple and primitive method that works, but I've just processed a phone that has 3500 individual photographs of the iPhone 6s, which was painstakingly boring.

Now I'm having to rotate and crop them, which isn't too bad as I just automate most of it within IrfanView.

Hopefully once the new RIPA legislation comes into place, this method will be a thing of the past.

Keep the suggestions and solutions coming!

Kind regards

Posted : 15/01/2018 12:08 pm
unknow1234
(@unknow1234)
New Member

Why haven't you considered capturing the email artifacts directly from the server where the emails are sitting? :wink: But keep in mind you will need the USER_Name/Pass and then you can use the IMAP/POP connection bridge to capture the emails using any email client software.

Posted : 15/01/2018 2:59 pm
jaclaz
(@jaclaz)
Community Legend

> Why haven't you considered capturing the email artifacts directly from the server where the emails are sitting? :wink:

Maybe because the results wouldn't be the same? :roll:

One thing is stating that an e-mail is on a device, and another thing is stating that an e-mail is on a server and thus it must (probably) have been downloaded and read on the device.

jaclaz

Posted : 15/01/2018 3:14 pm
gungora
(@gungora)
Junior Member

> Why haven't you considered capturing the email artifacts directly from the server where the emails are sitting? :wink: But keep in mind you will need the USER_Name/Pass and then you can use the IMAP/POP connection bridge to capture the emails using any email client software.

Emails on the server and emails on a local device are two distinct sources of ESI. You may have access to the device, but not to the current credentials of the user to authenticate with the email server. You may not have the authority to use the user's credentials, authenticate with the server on his behalf and download his emails. Some messages found on the local device may have been deleted from the server. The email account may have been closed, etc.

The opposite can be true as well—the server may contain data that is not available on the local device.

Emails on the server and local copies on mobile devices, workstations, backup devices and other ESI sources are often used to complement each other. I would not recommend collecting emails from the server as a substitute for the email evidence on the local device.

Posted : 15/01/2018 8:07 pm
MrMacca
(@mrmacca)
New Member

Looking to get an indication of the methods you guys are using in relation to the following:

Currently taking photos of the G-mail IMPORTANT Folder. At the end of it, there will be an estimated 9000 photos taken.

The next folder I am going to have to photograph is
G-mail ALL MAIL

My understanding of this folder is that it is a combination of the Sent emails as well as any received. And therefore I will be duplicating the folders I have already taken a photograph of.

What is your method where you work in such a situation?

Do you
1) Explain the folder and do not take photographs.
or
2) Take photographs of every e-mail

Or is there an alternative method? I'm seeing an abundance of iPhones that do not have the e-mails extracted by the usual tools and most of my time is now taken up by photographing emails with zero value to the case.

Please help me for my own sanity as this tedium is a nightmare.

Thanks in Advance.

Posted : 14/02/2018 10:10 am
nodecaf
(@nodecaf)
New Member

I can only speak from a criminal perspective, but without a good technical solution we've really focused on pushing back on the case agents to provide us with narrower examination perimeters when they hand us mobile devices with thousands of e-mails that our tools can't touch. We've never allowed phones to sync to an e-mail server because who knows if the owner has performed a purge? There's also the concern that you've violated the search warrant by pulling data from outside its jurisdiction. My unhelpful tips:

- Ask for specific keywords and only photograph e-mails responsive to the hits.

- Extract e-mail address and account holder information and ask that they subpoena the e-mail provider.

- Sit down with the agent and the phone. He/she chooses which e-mails are relevant.

They aren't always pleased when you hand them a massive ZRT report or a huge, raw dump of photos full of Best Buy ads and vacation pictures so I'd also make it clear to them that narrowing your scope of work makes their job easier too.

(I believe you can also mirror the iPhone screen using QuickTime and a Mac if complete radio isolation is a must)

Posted : 14/02/2018 12:23 pm