Oxygen Forensics & iOS7 Emails

(@toppock123)
Posts: 10
Active Member
Topic starter
 

I need to extract emails from a 4S, on ios7 (7.0.2 I believe). The only forensic tool I have at my disposal at the moment is Oxygen Forensic, running the most recent update.

The website claims that the newest version supports email extraction, but nothing has been pulled out.

My last resort was to pull out the SQLite files and export into a presentable format, but the location of this seems to have changed from recent versions.

Has anybody had a similar experience? Or could give me a push in the right direction?

Thanks in advance!

 
Posted : 06/11/2013 10:17 pm
(@jonathan)
Posts: 878
Prominent Member
 

Not sure that there's a way to extract email from the Mail app on iPhones from model 4S and later. Am pretty sure Oxygen wouldn't have said otherwise.

 
Posted : 07/11/2013 1:52 am
AlanC
(@alanc)
Posts: 1
New Member
 

Hi toppock123,

Unfortunately this is handset dependent rather than iOS dependent. From my understanding, iOS devices prior to the iPhone 4S and iPad 2 will support email extraction. So Oxygen will be able to extract email data with an iPhone 4 running iOS7. However, newer devices (iPhone 4S, 5, 5S, 5C, iPad 2, 3, 4, Mini, Mini Retina and Air) will not support email extractions due to the hardware encryption technology used within the CPUs of the devices.

I hope that helps.

Regards,
Alan

 
Posted : 07/11/2013 3:29 am
(@dcs1094)
Posts: 146
Estimable Member
 

Is the iPhone 4S jailbroken??

 
Posted : 07/11/2013 4:10 am
(@toppock123)
Posts: 10
Active Member
Topic starter
 

That's very strange, I thought I remembered using XRY and UFED a while back on a 4S and it extracted emails. I'm also slightly annoyed that the Oxygen website states this

General user activity data

Phonebook with assigned photos
Calendar events and notes
Calls log (facetime, dialed, received and missed calls)
Messages (SMS/MMS, iMessages, e-mails)
Camera snapshots, video and music
Voice mail
Passwords
Dictionaries

If Oxygen is not the way forward, does anybody have a solution as to how I can extract these emails? We are looking to invest in a new tool anyway so buying a new tool is not completely out of the question.

No, the phone is not jailbroken, and I would rather not resort to that.

Thank you for your responses.

 
Posted : 07/11/2013 2:17 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Hi toppock123,

Email extractions are supported for all jailbroken devices regardless of their iOS.
If the device is not jailbroken, emails from the built-in app won't be available after logical extraction.

AlanC is quite right about the encryption technology for the latest iOS devices. So a physical image for those devices is useless and all forensic tools do logical only, using the standard iTunes backup procedure.

Emails are still accessible if there were 3rd-party applications installed on the device - Gmail, Yahoo etc.

With iOS versions earlier than 7 we can decrypt a keychain file where the mailbox password is stored. So you can still have access to emails from a PC, for example.

Regards,
Galina Rabotenko

 
Posted : 07/11/2013 4:16 pm
(@dcs1094)
Posts: 146
Estimable Member
 

Cellebrite, XRY and Oxygen can only extract emails from built in 'Mail' app if the device is jailbroken. The only other option really is for a manual examination!

 
Posted : 07/11/2013 5:55 pm
(@toppock123)
Posts: 10
Active Member
Topic starter
 

Thanks again for the replies.

So it seems then that jailbreaking is the only option. I have done this to my own devices many times but never in a forensic environment. A few issues/questions I have:

1. What are the implications of jailbreaking on an exhibit? (i.e. if it was to go to court, how would I explain the process and can I explain that the process is forensically sound?)

2. Is there actually a jailbreak available for this handset? Various wizards and sites say there isn't, essentially meaning I won't be able to get the emails off at all.

Edit: The phone is a 4 not a 4S - iOS 7.0.2 - Baseband 04.12.09

Cheers

 
Posted : 07/11/2013 8:08 pm
(@jonathan)
Posts: 878
Prominent Member
 

Two points re jailbreaking; one, you invalidate the warranty, two, you may brick the phone - especially unforgivable if this happens before you've had a chance to extract any data from it.

Now that you say the phone is a 4 not a 4S, that makes a huge difference. Best to check the facts first - because everyone who has replied to you has wasted their time.

 
Posted : 07/11/2013 9:11 pm
(@toppock123)
Posts: 10
Active Member
Topic starter
 

Apologies for the incorrect information.

What difference does this make then?

 
Posted : 07/11/2013 9:34 pm