Unlocked iPhone 6s ...
 
Notifications
Clear all

Unlocked iPhone 6s data extraction blocked  

Page 1 / 2
  RSS
meroslave
(@meroslave)
New Member
I have an unlocked iPhone 6s v. 10.3.3 and i'm trying to extract the data using Oxygen-forensic Analyst version but unfortunately it asks for pass code to complete the data extraction process (backup method). The same happens when I create a backup using i Tunes and try to examine it.
so the questions are
1- Any definition about the problem, is it a pass code protection for the data or is it a sort of data encryption?
2- I think Oxygen-forensic Analyst is not capable to bypass this obstacle, am I right or not? so, any suggestion for other software can fix it? (I'm about to download MAGNET trial)

PS The phone had a pass code and I already turned it off using the correct pass code with no troubles.

Quote
Posted : 14/11/2017 8:15 pm
meroslave
(@meroslave)
New Member
ReplyQuote
Posted : 14/11/2017 8:18 pm
mcman
(@mcman)
Active Member

This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

Jamie

ReplyQuote
Posted : 14/11/2017 9:13 pm
lcherne
(@lcherne)
New Member

Try researching the iTunes backup password - is this something you can ask the user for?

Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

ReplyQuote
Posted : 14/11/2017 9:16 pm
meroslave
(@meroslave)
New Member

This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

Jamie

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

ReplyQuote
Posted : 14/11/2017 9:43 pm
meroslave
(@meroslave)
New Member

Try researching the iTunes backup password - is this something you can ask the user for?

Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

The user denied that he made a backup password and he only gives the phone pass code.

ReplyQuote
Posted : 14/11/2017 10:05 pm
mcman
(@mcman)
Active Member

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

For iOS, all you're getting is a iTunes backup no matter what tool you use. Oxygen, Cellebrite, XRY, Magnet ACQUIRE/AXIOM, all will only give you an iTunes backup for anything running iOS 8.3 or newer. With older versions of iOS you could get file relay data but Apple shut that door with iOS 8.3. You can't get physical extraction on anything iPhone 4S or newer due to encryption.

If you use Cellebrite's paid unlocking service (CAIS), they can unlock and dump an iPhone 6(s) running iOS 10 I believe but you're going to be paying a decent chunk of money for the ability to unlock that one single phone. Depends if the case is worth it for you I guess but there are no tools out there magically cracking the latest iOS beyond an iTunes backup, which in your case, is encrypted (the user may or may not know this password, I've come across many who had no idea, best bet, ask them for their iTunes or Apple ID password, it's often the same).

You can also try cracking it as stated by others. If you have a backup on a PC you can use the keychain to unlock. If not, try giving Passware/Elcomsoft (paid), or hashcat (free) a go at cracking the backup.

The iOS struggle is real, see Apple/FBI/San Bernardino.

Jamie

ReplyQuote
Posted : 15/11/2017 1:53 pm
meroslave
(@meroslave)
New Member

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

For iOS, all you're getting is a iTunes backup no matter what tool you use. Oxygen, Cellebrite, XRY, Magnet ACQUIRE/AXIOM, all will only give you an iTunes backup for anything running iOS 8.3 or newer. With older versions of iOS you could get file relay data but Apple shut that door with iOS 8.3. You can't get physical extraction on anything iPhone 4S or newer due to encryption.

If you use Cellebrite's paid unlocking service (CAIS), they can unlock and dump an iPhone 6(s) running iOS 10 I believe but you're going to be paying a decent chunk of money for the ability to unlock that one single phone. Depends if the case is worth it for you I guess but there are no tools out there magically cracking the latest iOS beyond an iTunes backup, which in your case, is encrypted (the user may or may not know this password, I've come across many who had no idea, best bet, ask them for their iTunes or Apple ID password, it's often the same).

You can also try cracking it as stated by others. If you have a backup on a PC you can use the keychain to unlock. If not, try giving Passware/Elcomsoft (paid), or hashcat (free) a go at cracking the backup.

The iOS struggle is real, see Apple/FBI/San Bernardino.

Jamie

Anyway, it was a value reply mcman, really so thanks for you.

ReplyQuote
Posted : 15/11/2017 3:56 pm
OxygenForensics
(@oxygenforensics)
Active Member

Only Oxygen Forensic Detective has an ability to find the password to the encrypted iTunes backup. The built-in Passware module does it with latest algorithms including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks are brute-force, dictionary, Xieve, etc.
This functionality is not included in Oxygen Forensic Analyst version.

ReplyQuote
Posted : 15/11/2017 4:15 pm
meroslave
(@meroslave)
New Member

Only Oxygen Forensic Detective has an ability to find the password to the encrypted iTunes backup. The built-in Passware module does it with latest algorithms including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks are brute-force, dictionary, Xieve, etc.
This functionality is not included in Oxygen Forensic Analyst version.

If it's sure 100% the detective version with pasware included able to bypass the password, definitely I will upgrade my analyst. But if not, what is the percentage to success?

ReplyQuote
Posted : 15/11/2017 5:26 pm
Mreza
(@mreza)
Member

If it's sure 100% the detective version with pasware included able to bypass the password, definitely I will upgrade my analyst. But if not, what is the percentage to success?

It has an password decrypting ability. Nobody mentioned the possibility of bypassing password.

https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/encrypted-backups

https://vimeo.com/239147894

ReplyQuote
Posted : 15/11/2017 7:55 pm
meroslave
(@meroslave)
New Member

If it's sure 100% the detective version with pasware included able to bypass the password, definitely I will upgrade my analyst. But if not, what is the percentage to success?

It has an password decrypting ability. Nobody mentioned the possibility of bypassing password.

https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/encrypted-backups

https://vimeo.com/239147894

Now I get you, so thanks for your clearance.

ReplyQuote
Posted : 15/11/2017 8:04 pm
meroslave
(@meroslave)
New Member

Otherwise, All I need to extract from the iPhone is the WhatsApp voice notes, I read about softwares like wondershare and mobile go that able to extract WhatsApp files and chat, any recommendations?
PS my plane B is to record it manually using aux cable!!

ReplyQuote
Posted : 15/11/2017 8:10 pm
dandaman_24
(@dandaman_24)
Active Member

If i have read this correctly, you have the passcode for the device to unlock, you have performed a backup and the software is unable to parse the data as the backup is encrypted with a password ?

First of all, have you tried the password as 1234 ?

Have you looked for passwords stored on the handset ?

If the user has saved passwords in Safari browser / some apps they should be stored in the following locations.

iOS 11
Settings - Accounts & Passwords - App & Website Passwords - (tap your fingerprint on scanner) then enter the passcode for the device

iOS10
Settings - Safari - Passwords - (tap your fingerprint on scanner) then enter the passcode for the device

You can then write a word list of the passwords known / stored on the device to run across the encrypted backup.

Or follow the following details from Elcomsoft to reset iTunes backup password
https://blog.elcomsoft.com/2017/11/ios-11-makes-logical-acquisition-trivial-allows-resetting-itunes-backup-password/

ReplyQuote
Posted : 15/11/2017 8:11 pm
meroslave
(@meroslave)
New Member

If i have read this correctly, you have the passcode for the device to unlock, you have performed a backup and the software is unable to parse the data as the backup is encrypted with a password ?

First of all, have you tried the password as 1234 ?

Have you looked for passwords stored on the handset ?

If the user has saved passwords in Safari browser / some apps they should be stored in the following locations.

iOS 11
Settings - Accounts & Passwords - App & Website Passwords - (tap your fingerprint on scanner) then enter the passcode for the device

iOS10
Settings - Safari - Passwords - (tap your fingerprint on scanner) then enter the passcode for the device

You can then write a word list of the passwords known / stored on the device to run across the encrypted backup.

Or follow the following details from Elcomsoft to reset iTunes backup password
https://blog.elcomsoft.com/2017/11/ios-11-makes-logical-acquisition-trivial-allows-resetting-itunes-backup-password/

(
no results, but so much thanks, because it was too value information in your post.

ReplyQuote
Posted : 16/11/2017 9:43 am
Page 1 / 2
Share: