
iphone forensics

Posted on 2014-09-01
Last Modified: 2014-09-05
Is there any free software that can analyse iPhone forensics?

Also - as with PCs, what hardware is required to take a replica copy of the device (are there specific write blockers just for smartphones)?
Question by:pma111
5 Comments
 

Assisted Solution

by:coke_ru
coke_ru earned 200 total points
ID: 40296416
Yes, there is one software which can be used. Please check out the link below for more details:

http://www.oxygen-forensic.com/en/compare/devices/software-for-iphone
0
 
LVL 3

Author Comment

by:pma111
ID: 40296470
Is it free?
0
 
LVL 65

Accepted Solution

by:
btan earned 900 total points
ID: 40296796
There will not be one tool for just iPhone forensics, and the two papers below guide you through it for iOS devices:
http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092
http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
(In the above, please do check out the "Acquisition" and "Forensic Recovery" sections to find out the logical and physical aspects - you probably have to acquire the solid state of the phone as an image.)

The iPhone (and iPad) use solid-state NAND chips to store user data. These chips act as a type of hard drive for the device. Physical chip dumps have shown that memory is stored in 512K chunks in various locations of the chip. The solid state disk firmware attempts to minimize writes to the same portions of NAND, and even attempts to move blocks of memory around on the physical chip to ensure that the entire chip is used. This process results in dormant data generally lasting longer periods of time on the device before it is eventually overwritten. Due to the hardware-based encryption present on the iPhone 3G[s], iPhone 4, and iPad, chip-off forensics has proven extremely difficult.

You can’t simply remove the hard disk out of an iPhone or iPad, connect it to a write blocker, and image it the way you would a desktop machine. Even if you could rip out the disk (or perform a chip-off), you’d have to contend with an encrypted file system. Mobile forensics requires limited interaction with the device to extract data from it. On iOS based devices, a forensic imaging agent is instituted as a process in the device’s memory – a portion of remote code containing the instructions to transfer the file system, encryption keys, or raw disk from the device to a connected desktop machine. The agent is injected into a protected system area on the device, where it will not affect the user disk or any user data. This is necessary, especially on newer devices, to allow the device itself to handle hardware-based decryption transparently, or to obtain otherwise restricted information from the device, such as secret encryption keys.

Some key ones (and free) include:

iphone-dataprotection - https://code.google.com/p/iphone-dataprotection/
– Brute force PIN code on device
– Recover device encryption keys
– Decrypt the keychain, all dataprotection encrypted files
– Scrape the HFS journal for deleted content
– Decrypt the entire raw disk

iPhone-Backup-Analyzer - http://www.ipbackupanalyzer.com/

The Sleuth Kit - http://sleuthkit.org/
– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660

Other programs can include
– mmls – Media Management ls, generally partition info
– fsstat – File system info
– fls – Forensic list
– Scalpel / Grep / hexedit / strings / exams on iPhone dmg

Worth considering, though commercial:
http://www.elcomsoft.com/ios-forensic-toolkit.html
http://www.oxygen-forensic.com/en/compare/devices/software-for-iphone

Check out more in this Forensics wiki - http://www.forensicswiki.org/wiki/Apple_iPhone
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 900 total points
ID: 40297510
The forensics packages offered by companies, and Zdziarski, require you to prove you are in law enforcement. They all come with special add-on dongles that control what you can and can't do with your software as well as provide an interface into the devices. I'm not sure about Oxygen, however; I do see they have a dongle too, but I don't know if they sell only to law enforcement.
Ohh wait, looks like Elcomsoft changed!
Q. Do you limit usage of this product to law enforcement agencies only?
A. We used to, but not anymore.
Well I'll have to look into that option again.
I use XRY
http://forensicswiki.org/wiki/.XRY
I've tried most tools listed here: http://forensicswiki.org/wiki/Apple_iPhone (or tried to try them:)
You get most information from an iTunes backup file; however, the other information on the phone pertains to the apps themselves and some position/geo-location data. The iTunes backup has what most people find the most important.
-rich
0
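To illustrate the comment above that an iTunes backup holds most of the useful data, here is an added example (not part of the thread, nor code from any tool named in it): a read-only parser for the `Manifest.mbdb` index found in backups of this era, listing each backed-up file and the SHA-1 name it is stored under. The record layout is the commonly documented pre-iOS 10 one and is an assumption here; the sample manifest is constructed.

```python
import hashlib
import struct

def _mbdb_string(buf, off):
    """Read a length-prefixed string; length 0xFFFF marks an empty field."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return b"", off
    if off + n > len(buf):
        raise ValueError("truncated string at offset %d" % off)
    return buf[off:off + n], off + n

def parse_mbdb(buf):
    """Parse Manifest.mbdb bytes (assumed pre-iOS 10 layout) into records."""
    if buf[:4] != b"mbdb":
        raise ValueError("not a Manifest.mbdb file")
    off, records = 6, []          # 4-byte magic + 2-byte version
    while off < len(buf):
        fields = []
        for _ in range(5):        # domain, path, link target, data hash, enc key
            s, off = _mbdb_string(buf, off)
            fields.append(s)
        (mode, _inode, uid, gid, mtime, _atime, _ctime,
         size, _flags, nprops) = struct.unpack_from(">HQIIIIIQBB", buf, off)
        off += 40                 # size of the fixed-width part of a record
        for _ in range(nprops * 2):   # skip property name/value pairs
            _, off = _mbdb_string(buf, off)
        domain, path = fields[0].decode(), fields[1].decode()
        records.append({
            "domain": domain, "path": path, "mode": mode, "size": size,
            "mtime": mtime,
            # Name of the file inside the backup folder: SHA-1("domain-path").
            "file_id": hashlib.sha1(f"{domain}-{path}".encode()).hexdigest(),
        })
    return records

def _s(b):  # helper used only to build the constructed sample below
    return struct.pack(">H", len(b)) + b

# Constructed sample: a one-record manifest describing the SMS database.
SAMPLE = (b"mbdb\x05\x00" + _s(b"HomeDomain") + _s(b"Library/SMS/sms.db")
          + b"\xff\xff" * 3
          + struct.pack(">HQIIIIIQBB", 0o100644, 1, 501, 501,
                        1409529600, 1409529600, 1409529600, 4096, 0, 0))

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE):
        print(rec["file_id"], rec["size"], rec["domain"], rec["path"])
```

Run it against a working copy of the backup folder, never the original evidence, and hash the manifest before and after so the examination can be shown to be read-only.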
 
LVL 65

Expert Comment

by:btan
ID: 40297527
Thanks for sharing, indeed most required LE based; other possibilities:
iphone analyser (free) - http://www.crypticbit.com/zen/products/iphoneanalyzer
As a whole, I see that mixture and commercial available is worth the investment if going to do it on a perm basis and the recognition (or credibility) of such tool is critical as part of having to present a sound chain of evidence perspective; also evidence is more likely to be admissible if it is produced by a professional computer forensic analyst.

Below is another longer list targeting free forensic software (there are mobile and Mac OS tools):
https://forensiccontrol.com/resources/free-software/
0
