Link to home
Start Free TrialLog in
Avatar of Pau Lo
Pau Lo

asked on

iphones and encase

1) can encase forensics image and analyze iphones?

2) if the phone is protected  by a PIN, do you require this to image/analyze the data?

3) are there specialist write blockers and software for iphones? If so who supplies them and how much do they cost?
ASKER CERTIFIED SOLUTION
Avatar of SirtenKen
SirtenKen
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of btan
btan

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of btan
btan

More info (as ref elcomsoft sharing
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following:
-Email messages;
-Most keychain records (stored login/password information);
-Certain third-party application data, if the application requested strong encryption.
Avatar of Pau Lo

ASKER

I looked at tthat elcomsoft tool - but my understanding was it can only obtain passwords if the phone was jailbreaked.

Is the cellebrite tool commerical or free?
Avatar of Pau Lo

ASKER

Out of interest if you do have the PIN - when acquiring it in Encase - does it request the PIN - or do you first unlock the phone (by entering the PIN) before imaging?
Elcomsoft - http://www.elcomsoft.com/eift.html
(***) iPhone 4S, iPhone 5, iPhone 5C, iPad 2+, iPad Mini and iPod Touch 5th gen support is limited to jailbroken devices only (iOS 5 ... 7). iPhone 5S, iPad Air and iPad Mini 2nd gen are NOT supported at all.
Pls see the table in the link above for the jailbroken - yes but they can also do it on backup

Cellebrite's UFED Physical Analyzer is h/w commercial based - http://www.cellebrite.com/mobile-forensics/capabilities/ios-forensics

Physical extraction reads and extracts the device's raw partition image. This recovers the device's entire file system which can then be decoded by UFED Physical Analyzer. On devices that have data encryption, the contents of the files may be encrypted. The extraction application does not load iOS, but instead loads a special forensic utility to the device. This utility is loaded to the device's memory (RAM) and runs directly from there. Therefore, it does not modify the device's storage and does not leave any footprints.

Note that Jailbreaking does not help circumvent the data encryption.
Cellebrite is commercial. They started with a unit that was used by cell phone stores to transfer contacts to new phones customers purchased. The capability was extended and the Cellebrite Ufed unit was made available to forensic practitioners. Their technology is still used by phone vendors and they have somewhat of an advantage due to this relationship, which allows them early access to some phones.
Avatar of Pau Lo

ASKER

thanks..

Out of interest if you do have the PIN - when acquiring it in Encase - does it request the PIN - or do you first unlock the phone (by entering the PIN) before imaging?
For iOS devices in particular, logical acquisition is the only way to perform acquisition without materially altering the device (i.e. jailbreaking). As for the PIN, it depends on the file to be acquired as it is protected by different class as I shared previously, so if it authenticated that will be most ideal as most will be available during acquisition...