Oxygen Forensics & iOS7 Emails  
toppock123
(@toppock123)
New Member

I need to extract emails from a 4S, on iOS 7 (7.0.2 I believe). The only forensic tool I have at my disposal at the moment is Oxygen Forensic, running the most recent update.

The website claims that the newest version supports email extraction, but nothing has been pulled out.

My last resort was to pull out the SQLite files and export into a presentable format, but the location of this seems to have changed from recent versions.

Has anybody had a similar experience? Or could give me a push in the right direction?

Thanks in advance!

Posted : 06/11/2013 10:17 pm
Jonathan
(@jonathan)
Senior Member

Not sure that there's a way to extract email from the Mail app on iPhones from model 4S and later. Am pretty sure Oxygen wouldn't have said otherwise.

Posted : 07/11/2013 1:52 am
AlanC
(@alanc)
New Member

Hi toppock123,

Unfortunately this is handset dependent rather than iOS dependent. From my understanding, iOS devices prior to the iPhone 4S and iPad 2 will support email extraction. So Oxygen will be able to extract email data with an iPhone 4 running iOS7. However, newer devices (iPhone 4S, 5, 5S, 5C, iPad 2, 3, 4, Mini, Mini Retina and Air) will not support email extractions due to the hardware encryption technology used within the CPUs of the devices.

I hope that helps.

Regards,
Alan

Posted : 07/11/2013 3:29 am
DCS1094
(@dcs1094)
Active Member

Is the iPhone 4S jailbroken??

Posted : 07/11/2013 4:10 am
toppock123
(@toppock123)
New Member

That's very strange, I thought I remembered using XRY and UFED a while back on a 4S and it extracted emails. I'm also slightly annoyed that the Oxygen website states this:

General user activity data

Phonebook with assigned photos
Calendar events and notes
Calls log (facetime, dialed, received and missed calls)
Messages (SMS/MMS, iMessages, e-mails)
Camera snapshots, video and music
Voice mail
Passwords
Dictionaries

If Oxygen is not the way forward, does anybody have a solution as to how I can extract these emails? We are looking to invest in a new tool anyway so buying a new tool is not completely out of the question.

No the phone is not jailbroken, and I would rather not resort to that.

Thank you for your responses.

Posted : 07/11/2013 2:17 pm
OxygenForensics
(@oxygenforensics)
Active Member

Hi toppock123,

Email extractions are supported for all jailbroken devices regardless of their iOS.
If the device is not jailbroken, emails from the built-in app won't be available after logical extraction.

AlanC is quite right about the encryption technology for the latest iOS devices. So a physical image for those devices is useless and all forensic tools do logical only, using the standard iTunes backup procedure.

Emails are still accessible if there were 3rd-party applications installed on the device - Gmail, Yahoo etc.

With iOS versions earlier than 7 we can decrypt a keychain file where the mailbox password is stored. So you can still have access to emails from a PC, for example.

Regards,
Galina Rabotenko

Posted : 07/11/2013 4:16 pm
DCS1094
(@dcs1094)
Active Member

Cellebrite, XRY and Oxygen can only extract emails from the built-in 'Mail' app if the device is jailbroken. The only other option really is for a manual examination!

Posted : 07/11/2013 5:55 pm
toppock123
(@toppock123)
New Member

Thanks again for the replies.

So it seems then that jailbreaking is the only option. I have done this to my own devices many times but never in a forensic environment. A few issues/questions I have:

1. What are the implications of jailbreaking on an exhibit? (i.e. if it was to go to court, how would I explain the process and can I explain that the process is forensically sound?)

2. Is there actually a jailbreak available for this handset? Various wizards and sites say there isn't, essentially meaning I won't be able to get the emails off at all.

Edit: The phone is a 4 not a 4S - iOS 7.0.2 - Baseband 04.12.09

Cheers

Posted : 07/11/2013 8:08 pm
Jonathan
(@jonathan)
Senior Member

Two points re jailbreaking; one, you invalidate the warranty, two, you may brick the phone - especially unforgivable if this happens before you've had a chance to extract any data from it.

Now that you say the phone is a 4 not a 4S, that makes a huge difference. Best to check the facts first - because everyone who has replied to you has wasted their time.

Posted : 07/11/2013 9:11 pm
toppock123
(@toppock123)
New Member

Apologies for the incorrect information.

What difference does this make then?

Posted : 07/11/2013 9:34 pm
MadRhetoric
(@madrhetoric)
New Member

The difference in model and OS can change (but not necessarily):
1) Your options for a forensic acquisition (and whether certain data can be decrypted)
2) Your options for a non-forensic acquisition (and whether certain data can be decrypted)
3) What jailbreak methods will work if that's needed
4) The file or file locations for certain data

Accurately and definitively identifying the model and OS are absolutely the first priority.

Posted : 07/11/2013 11:45 pm
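
Added example, not part of any post in this thread: one way to confirm model and iOS version from the `Info.plist` that the standard iTunes backup procedure writes, and to flag a mismatch with the exhibit paperwork before choosing an acquisition method. The function names and the sample plist are constructed for illustration; `Product Type`, `Product Version` and `Serial Number` are the keys iTunes writes to that file.

```python
import plistlib

# Apple hardware identifiers for the two handsets confused in this thread.
PRODUCT_TYPES = {
    "iPhone3,1": "iPhone 4", "iPhone3,2": "iPhone 4", "iPhone3,3": "iPhone 4",
    "iPhone4,1": "iPhone 4S",
}

def identify_device(info_plist_bytes):
    """Read model and iOS version from a backup's Info.plist (XML or binary)."""
    info = plistlib.loads(info_plist_bytes)
    product_type = info.get("Product Type")
    return {
        "product_type": product_type,
        "model": PRODUCT_TYPES.get(product_type),  # None means: look it up manually
        "ios_version": info.get("Product Version"),
        "serial": info.get("Serial Number"),
    }

def discrepancies(device, claimed_model, claimed_ios):
    """Compare what the backup reports with what the exhibit paperwork claims."""
    problems = []
    if device["model"] is None:
        problems.append(f"unrecognised product type {device['product_type']!r}")
    elif device["model"] != claimed_model:
        problems.append(f"model: paperwork says {claimed_model}, backup says {device['model']}")
    if device["ios_version"] != claimed_ios:
        problems.append(f"iOS: paperwork says {claimed_ios}, backup says {device['ios_version']}")
    return problems

# Constructed sample standing in for a real backup's Info.plist.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "Device Name": "Exhibit-01",
    "Product Type": "iPhone3,1",
    "Product Version": "7.0.2",
    "Serial Number": "CONSTRUCTED000",
})

if __name__ == "__main__":
    dev = identify_device(SAMPLE_INFO_PLIST)
    print(dev)
    for line in discrepancies(dev, claimed_model="iPhone 4S", claimed_ios="7.0.2"):
        print("MISMATCH:", line)
```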
toppock123
(@toppock123)
New Member

As stated, apologies.

I am aware of the implications of the change in model, but I mean for this case.

I already tried dumping a 4 with Oxygen, version 7.0.3 but to no avail.

Posted : 08/11/2013 12:41 am
ludlowboy
(@ludlowboy)
Member

Most software will extract e-mails from an iPhone 4. However, your problem is the iOS 7 software. There have been 3 releases of iOS 7, I believe, and not all are supported by mobile phone software yet.

Posted : 08/11/2013 2:54 am