The GrayKey Difference: Logical vs File System

by

Originally posted here.

Law Enforcement agencies perform logical acquisitions of unlocked iOS devices when they do not have access to GrayKey.  The logical acquisition has been an industry-leading iOS acquisition method used by investigators and forensic examiners because of its simplicity and level of support. However, one of the biggest roadblocks for successfully completing logical acquisitions is device security. For a logical acquisition to take place, device access needs to be granted using a passcode and a trusted connection is required in most instances.

Logical acquisitions are created through use of the Apple File Connection protocol which is also used by iTunes. This method is designed to manage an iOS device and more specifically transfer user-data from one device to the next. This protocol allows an iOS device user to experience a seamless transition whenever upgrading their equipment, without the use of cloud services. For those of you involved in computer forensic extractions, a logical extraction of a mobile device is very similar to a targeted file collection on a computer hard drive. Data stored within logical collections is limited when compared to a full file system extraction.

Many limitations associated with logical extractions.

Logical extractions can be beneficial as they are generally supported directly following the release of an iOS update and you won’t have to wait too long for collection support, but unfortunately there are many limitations to them. The largest and most important limitation is the depth and quality of the data collection. These types of iTunes-style backup deliverables are negatively impacted by application developer limitations and data from third-party applications are often limited. Furthermore, never-before-seen forensic artifacts like the KnowledgeC database and supporting data like the Keychain file are rendered unrecoverable. Lastly, backup encryption passwords enforced by the end-user may create significant hurdles for digital forensic investigations by denying access to the data stored once the extraction is completed and ready for analysis.

In comparison, GrayKey is a purpose-built solution for mobile device forensics, specializing in access and extraction.  Moreover, it is powered by Grayshift’s Advanced Vulnerability Research Team, which has pioneered the development of full filesystem acquisition methods from mobile devices.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Logical acquisitions fail in comparison to the depth and quality provided by GrayKey extractions.

Digital evidence is growing in importance and proving increasingly critical. To that end, investigators and examiners must be mindful of the collection methods used in any digital investigation. While the logical acquisition is better than nothing, it fails in comparison to the depth and quality that GrayKey customers have come to expect. We encourage you to experience the GrayKey difference on all lawfully seized iOS devices and with the proper legal authority, regardless of their lock state. We know that you will be pleasantly surprised at the additional data and actionable intelligence collected via GrayKey.

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image. From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case. Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice. Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability. Useful links: Amped FIVE - https://ampedsoftware.com/five Video Evidence Principles - https://blog.ampedsoftware.com/2023/0... CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image.

From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case.

Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice.

Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability.

Useful links:

Amped FIVE - https://ampedsoftware.com/five
Video Evidence Principles - https://blog.ampedsoftware.com/2023/0...
CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_dnSPwNdMn5M

Investigating Video: The Vital First Steps

Forensic Focus 21 hours ago

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_QVjq2Xu_MQ8

Forensic Focus Digest, May 10 2024 #dfir #digitalforensics

Forensic Focus 10th May 2024 12:43 pm

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective. KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more. Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more. Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective.

KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more.

Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more.

Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_3hDBpcA9rdw

Oxygen Forensic® KeyDiver

Forensic Focus 9th May 2024 11:08 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles

Investigating Video: The Vital First Steps
Webinars

Investigating Video: The Vital First Steps

ByAmpedSoftwareMay 13, 2024
Forensic Focus Digest, May 10 2024
News

Forensic Focus Digest, May 10 2024

ByForensic FocusMay 10, 2024
Oxygen Forensic® KeyDiver
Webinars

Oxygen Forensic® KeyDiver

ByOxygenForensicsMay 9, 2024
Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16
News

Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16

ByDetego Digital ForensicsMay 8, 2024
Digital Forensics Round-Up, May 08 2024
News

Digital Forensics Round-Up, May 08 2024

ByForensic FocusMay 8, 2024
UK Parliamentary Legislation Introduced Against Deepfakes
News

UK Parliamentary Legislation Introduced Against Deepfakes

ByForensic FocusMay 2, 2024