iPhone forensics

Posted on 2014-09-01
Last Modified: 2014-09-05
Is there any free software that can analyse iPhone forensics?

Also - as with PCs, what hardware is required to take a replica copy of the device (are there specific write blockers just for smartphones?)
Question by: pma111

    Assisted Solution

    Yes, there is one piece of software which can be used. Please check out the link below for more details:
    LVL 3

    Author Comment

    Is it free?
    LVL 60

    Accepted Solution

    There will not be one tool for just iPhone forensics, and the two papers guide you through it for iOS devices.
    (Above, please do check out the "Acquisition" and "Forensic Recovery" sections to find out the logical and physical aspects - you probably have to acquire the solid state of the phone as an image.)

    The iPhone (and iPad) use solid-state NAND chips to store user data. These chips act as a type of hard drive for the device. Physical chip dumps have shown that memory is stored in 512K chunks in various locations of the chip. The solid state disk firmware attempts to minimize writes to the same portions of NAND, and even attempts to move blocks of memory around on the physical chip to ensure that the entire chip is used. This process results in dormant data generally lasting longer periods of time on the device before it is eventually overwritten. Due to the hardware-based encryption present on the iPhone 3G[s], iPhone 4, and iPad, chip-off forensics has proven extremely difficult.

    You can’t simply remove the hard disk out of an iPhone or iPad, connect it to a write blocker, and image it the way you would a desktop machine. Even if you could rip out the disk (or perform a chip-off), you’d have to contend with an encrypted file system. Mobile forensics requires limited interaction with the device to extract data from it. On iOS based devices, a forensic imaging agent is instituted as a process in the device’s memory – a portion of remote code containing the instructions to transfer the file system, encryption keys, or raw disk from the device to a connected desktop machine. The agent is injected into a protected system area on the device, where it will not affect the user disk or any user data. This is necessary, especially on newer devices, to allow the device itself to handle hardware-based decryption transparently, or to obtain otherwise restricted information from the device, such as secret encryption keys.

    Some key ones (and free) include:

    iphone-dataprotection -
    – Brute force PIN code on device
    – Recover device encryption keys
    – Decrypt the keychain, all dataprotection encrypted files
    – Scrape the HFS journal for deleted content
    – Decrypt the entire raw disk

    iPhone-Backup-Analyzer -

    The Sleuth Kit -
    – Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660

    Other programs can include:
    – mmls – Media Management ls, generally partition info
    – fsstat – File system info
    – fls – Forensic list
    – Scalpel / Grep / hexedit / strings / exams on iPhone dmg

    Worth considering, though commercial

    Check out more in this Forensic wiki -
    LVL 38

    Assisted Solution

    by:Rich Rumble
    The forensics packages offered by companies, and Zardanski, require you to prove you are in law enforcement. They all come with special add-on dongles that control what you can and can't do with your software as well as provide an interface into the devices. I'm not sure about Oxygen; however, I do see they have a dongle too, but I don't know if they sell only to law enforcement.
    ohh wait, looks like Elcomsoft changed!
    Q. Do you limit usage of this product to law enforcement agencies only?
    A. We used to, but not anymore.
    Well I'll have to look into that option again.
    I use XRY
    I've tried most tools listed here: (or tried to try them:)
    You get most information from an iTunes backup file; however, the other information on the phone pertains to the apps themselves and some position/geo-location data. The iTunes backup has what most people find the most important.
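
Added example, not part of the thread or of any tool named in it: since the iTunes backup is singled out above as the main source, this sketch shows how files are named inside an unencrypted backup folder (SHA-1 of `domain-relativePath`) and records a SHA-256 of each located artifact for the evidence log. The artifact list, the function names and the dummy backup built in `demo()` are assumptions made for illustration; the artifact paths are those seen in backups of that era.

```python
import hashlib
import tempfile
from pathlib import Path

# (domain, relative path) of artifacts commonly examined in a backup.
ARTIFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("WirelessDomain", "Library/CallHistory/call_history.db"),
}


def backup_file_id(domain, relative_path):
    """File name used inside the backup: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large databases are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def locate_artifacts(backup_dir):
    """Return {name: (path, sha256)} for known artifacts; opens files read-only."""
    backup_dir = Path(backup_dir)
    found = {}
    for name, (domain, rel) in ARTIFACTS.items():
        file_id = backup_file_id(domain, rel)
        # Flat layout (older backups), then two-character subfolders (iOS 10+).
        for candidate in (backup_dir / file_id, backup_dir / file_id[:2] / file_id):
            if candidate.is_file():
                found[name] = (candidate, sha256_file(candidate))
                break
    return found


def demo():
    """Build a constructed backup holding a dummy sms.db and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sms_id = backup_file_id(*ARTIFACTS["sms"])
        (Path(tmp) / sms_id).write_bytes(b"constructed sample, not real data")
        return {name: digest for name, (_, digest) in locate_artifacts(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

Run it against a working copy of the backup folder rather than the original, and keep the printed digests with the case notes so later analysis can be tied back to the same files.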
    LVL 60

    Expert Comment

    thanks for sharing, indeed most required LE based, other possibilities
    iphone analyser (free) -
    as a whole, I see that mixture and commercial available is worth the investment if going to do it on a perm basis and the recognition (or credibility) of such tool is critical as part of having to present a sound chain of evidence perspective, also evidence is more likely to be admissible if it is produced by a professional computer forensic analyst.

    below is another longer list targeting free forensic software (there is mobile and MAC OS tools)
