You're reading from Mobile Forensics Cookbook
Mobile devices from the Apple company, such as iPhones and iPads, occupy about 15% of the mobile device market. Due to this fact, they often become the object of forensic analysis.
Mobile devices from Apple are the most complex objects in forensic analysis. The access restrictions that protect user data on these devices do not allow the data to be extracted in full, and encryption makes all known file recovery algorithms useless: even if you manage to recover a file in some way, its content will remain encrypted and unavailable.
A complete examination of an Apple device is possible only if it is jailbroken. The file system can be extracted from such a device, and analysis of the file system yields the maximum amount of user data. However, this operation cannot be performed on all types of such devices.
For mobile devices up to and including the iPhone 4, you can make physical dumps. It allows you not only to fully extract user’s data from...
The Oxygen Forensics program was already described in Chapter 1, SIM Cards Acquisition and Analysis, in the recipe SIM cards Acquisition and Analysis with Oxygen Forensics. In this chapter, the process of making a logical copy of an Apple mobile device's data with Oxygen Forensics will be shown.
In order to extract data from an Apple device, you will need to install the iTunes program, which is also described in this chapter, in the recipe Apple devices acquisition with iTunes. Without iTunes, you cannot create the device's backup; the only function that remains available is copying media files from the device.
libimobiledevice is a cross-platform software package that you can use for logical data extraction from Apple's mobile devices. There are versions of this software for Windows, macOS and Linux.
- Unlock the device and connect it to the computer.
- Click Trust in response to the request that appears on the screen of your mobile device.
- Enter the command: idevice_id.exe -l. The -l flag lists all Apple mobile devices connected to the computer. The device UDID 1f836c8471c4e60ce771e2fdcf14d7e1b31e8b15 was returned in response to the command:
The result of the command idevice_id.exe -l
- The device UDID can be used to obtain more information about the connected device. Enter the command: ideviceinfo.exe -u 1f836c8471c4e60ce771e2fdcf14d7e1b31e8b15. The result of the command will be a large amount of information about the device:
The result of the command...
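The two commands above produce plain text that an examiner usually records by hand. The following added example (not from the book or from the libimobiledevice project) parses the output of idevice_id -l and ideviceinfo into a dictionary, cross-checks that the UDID reported by both tools matches, and pulls out the fields recorded first in an examination. Both outputs are constructed samples: the UDID is the one shown in the recipe, the serial number is a placeholder, and the key names (DeviceName, ProductType, ProductVersion, UniqueDeviceID, NonVolatileRAM, PasswordProtected) are standard ideviceinfo keys.

```python
import re

# Constructed samples (not from the chapter) of what the two tools print.
# `idevice_id -l` prints one UDID per line; the UDID below is the chapter's.
ID_OUTPUT = "1f836c8471c4e60ce771e2fdcf14d7e1b31e8b15\n"
# `ideviceinfo -u <UDID>` prints "Key: Value" lines; entries of a
# dictionary-valued key are indented by one space. Trimmed to a few keys.
INFO_OUTPUT = """\
DeviceName: Examined iPhone
ProductType: iPhone3,1
ProductVersion: 7.1.2
SerialNumber: PLACEHOLDER-SERIAL
UniqueDeviceID: 1f836c8471c4e60ce771e2fdcf14d7e1b31e8b15
NonVolatileRAM:
 auto-boot: dHJ1ZQ==
 boot-args:
PasswordProtected: true
"""
UDID_RE = re.compile(r"^[0-9a-f]{40}$")  # 40-hex UDID format, as shown in the recipe


def parse_idevice_id(text):
    """UDIDs listed by `idevice_id -l`; any malformed line aborts the run."""
    udids = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not all(UDID_RE.match(u) for u in udids):
        raise ValueError("unexpected idevice_id output: %r" % udids)
    return udids


def parse_ideviceinfo(text):
    """Parse ideviceinfo output into a dict; indented lines go into the preceding key's sub-dict."""
    info, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if line.startswith(" ") and current is not None:
            info[current][key] = value          # nested entry
        elif value == "":
            info[key], current = {}, key        # dictionary-valued key
        else:
            info[key], current = value, None
    return info


def device_summary(id_output, info_output):
    """Cross-check the UDID from both tools and return the fields an examiner records first."""
    udids = parse_idevice_id(id_output)
    info = parse_ideviceinfo(info_output)
    if info.get("UniqueDeviceID") not in udids:
        raise ValueError("ideviceinfo UDID does not match any device listed by idevice_id")
    return {"udid": info["UniqueDeviceID"], "model": info.get("ProductType"),
            "ios_version": info.get("ProductVersion"), "passcode_set": info.get("PasswordProtected") == "true"}
```

In practice the two strings would be read from files saved with output redirection (idevice_id.exe -l > devices.txt) so that the raw tool output stays in the case file alongside the parsed summary.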
Elcomsoft iOS Forensic Toolkit is a commercial set of tools that allows you to perform various extractions from Apple mobile devices. The following actions can be performed with Elcomsoft iOS Forensic Toolkit:
- Recovery of the password of a locked Apple mobile device (up to and including the iPhone 4).
- Creation of a physical dump of an Apple mobile device (including locked devices, up to and including the iPhone 4).
- Extraction of the file system of an Apple mobile device (for jailbroken devices).
- Creation of Apple mobile device backup.
- And much more.
Elcomsoft iOS Forensic Toolkit supports data extraction from 32-bit and 64-bit Apple mobile devices.
In this chapter, an example of creating a physical dump of an iPhone 4 with Elcomsoft iOS Forensic Toolkit will be shown.
Download the program using the link specified in your license and unpack it. Connect the Elcomsoft iOS Forensic Toolkit hardware key to the computer.
iTunes is a free tool provided by Apple to manage data transfer from the company's mobile devices. Using it, you can synchronize or transfer media files, create backups of mobile devices, and transfer purchases.
Now let's download iTunes. On the iTunes download page, uncheck Email me New On iTunes and special iTunes offers and Keep me up to date with Apple news, software updates, and the latest information on products and services. Click the Download Now button. The file download will start. When the download is complete, double-click the file to start the installation of the program.
- Double-click the iTunes icon. When you first start iTunes, you will be prompted to accept the license agreement, the text of which is displayed in the main program window. Read it carefully and click the Agree button.
- In the next window, also click the Agree button.
- In the program menu, click Edit....
As was mentioned previously, using lockdown files is the easiest way to unlock any Apple mobile device. An expert can use this method when the password that unlocks the device is not known. The disadvantage of this method is that the expert must have the device owner's computer or laptop, to which the device was connected before.
Let us now learn how to unlock locked Apple devices:
- Lockdown files are created by iTunes when an Apple mobile device is connected to a computer, for example during synchronization of audio files. If an expert has a mobile device and a computer (or laptop) seized from the same person, the lockdown files can be found in the following locations:
- Mac OS X – /private/var/db/lockdown
- Windows 2000 and XP – C:\Documents and Settings\All Users\Application Data\Apple\Lockdown
- Windows Vista, 7, 8, and 10 – C:\ProgramData\Apple\Lockdown
Lockdown files
- The expert has to copy these files from the examined computer...