Solved

iphones and encase

Posted on 2014-09-22
9
1,687 Views
Last Modified: 2014-10-07
1) can encase forensics image and analyze iphones?

2) if the phone is protected  by a PIN, do you require this to image/analyze the data?

3) are there specialist write blockers and software for iphones? If so who supplies them and how much do they cost?
0
Comment
Question by:pma111
  • 4
  • 3
  • 2
9 Comments
 
LVL 9

Accepted Solution

by:
SirtenKen earned 250 total points
ID: 40337082
1) Yes,  EnCase v 7.10 can acquire a logical image unless you're using it with Win XP 64 bit, Server 2003 or Server 2008, which are not supported.
2) Physical lock can be bypassed up through version 4 of the iPhone with tools such as Cellebrite. You may also be able to bypass if a backup of the phone is available.
3) No and Yes. There are no write blockers for phones. Yes, there are other software packages that are typically used with phones. In fact, most forensic professionals choose phone-specific software rather a general-purpose tools, such as EnCase, when funding is available.

Check out these vendor Youtube channels for a better idea of the current state of phone forensics:
http://www.youtube.com/user/msabxry
http://www.youtube.com/user/CellebriteUFED
http://www.youtube.com/user/oxygenforensic/videos
http://www.youtube.com/channel/UCE8I-7OP_i1qJLhbqEP0NqQ (Katana Forensics)
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 40338187
In many cases, you will need the passcode in order to obtain a physical image or a file system dump. Depending on the iOS version, device hardware version and passcode complexity, the passcode can sometimes be obtained by the forensic tool (such as Cellebrite) using a bruteforce attack.

Depending on the type of investigation, the tools you have available and the version of the iOS phone you need to examine, you may have a choice whether to conduct a physical memory extraction, a file system dump or an Apple File Connection (AFC) backup. For example, EnCase v7 can acquire an iOS device using this technology (requires iTunes to be installed, but not running). Note depending on the version of iOS & iTunes, the backup can be protected with a password, which is used to encrypt the backed up data. This password is independent from the device passcode.

Do also note the class protection in Apple for user data by encrypting the user partition
NSFileProtectionNone - The file has no special protections associated with it. It can be read from or written to at any time.
NSFileProtectionComplete - The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting.
NSFileProtectionCompleteUnlessOpen - The file is stored in an encrypted format on disk and must be opened while the device is unlocked. Once open, your file may continue to access the file normally, even if the user locks the device.
NSFileProtectionCompleteUntilFirstUserAuthentication - The file is stored in an encrypted format on disk and cannot be accessed until after the device has booted. After the user unlocks the device for the first time, your app can access the file and continue to access it even if the user subsequently locks the device.

You may want to check out also magnetforensic (Internet Evidence Finder) and elcomsoft (iOS Forensic Toolkit)
http://www.magnetforensics.com/mfsoftware/internet-evidence-finder/
http://www.elcomsoft.com/eift.html

.. and there are other candidates (including h/w)
http://www.appleexaminer.com/iPhoneiPad/iOSAnalysisTools/iOSAnalysisTools.html
0
 
LVL 63

Expert Comment

by:btan
ID: 40338189
More info (as ref elcomsoft sharing
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following:
-Email messages;
-Most keychain records (stored login/password information);
-Certain third-party application data, if the application requested strong encryption.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 3

Author Comment

by:pma111
ID: 40338544
I looked at tthat elcomsoft tool - but my understanding was it can only obtain passwords if the phone was jailbreaked.

Is the cellebrite tool commerical or free?
0
 
LVL 3

Author Comment

by:pma111
ID: 40338890
Out of interest if you do have the PIN - when acquiring it in Encase - does it request the PIN - or do you first unlock the phone (by entering the PIN) before imaging?
0
 
LVL 63

Expert Comment

by:btan
ID: 40339010
Elcomsoft - http://www.elcomsoft.com/eift.html
(***) iPhone 4S, iPhone 5, iPhone 5C, iPad 2+, iPad Mini and iPod Touch 5th gen support is limited to jailbroken devices only (iOS 5 ... 7). iPhone 5S, iPad Air and iPad Mini 2nd gen are NOT supported at all.
Pls see the table in the link above for the jailbroken - yes but they can also do it on backup

Cellebrite's UFED Physical Analyzer is h/w commercial based - http://www.cellebrite.com/mobile-forensics/capabilities/ios-forensics

Physical extraction reads and extracts the device's raw partition image. This recovers the device's entire file system which can then be decoded by UFED Physical Analyzer. On devices that have data encryption, the contents of the files may be encrypted. The extraction application does not load iOS, but instead loads a special forensic utility to the device. This utility is loaded to the device's memory (RAM) and runs directly from there. Therefore, it does not modify the device's storage and does not leave any footprints.

Note that Jailbreaking does not help circumvent the data encryption.
0
 
LVL 9

Expert Comment

by:SirtenKen
ID: 40339020
Cellebrite is commercial. They started with a unit that was used by cell phone stores to transfer contacts to new phones customers purchased. The capability was extended and the Cellebrite Ufed unit was made available to forensic practitioners. Their technology is still used by phone vendors and they have somewhat of an advantage due to this relationship, which allows them early access to some phones.
0
 
LVL 3

Author Comment

by:pma111
ID: 40339163
thanks..

Out of interest if you do have the PIN - when acquiring it in Encase - does it request the PIN - or do you first unlock the phone (by entering the PIN) before imaging?
0
 
LVL 63

Expert Comment

by:btan
ID: 40339401
For iOS devices in particular, logical acquisition is the only way to perform acquisition without materially altering the device (i.e. jailbreaking). As for the PIN, it depends on the file to be acquired as it is protected by different class as I shared previously, so if it authenticated that will be most ideal as most will be available during acquisition...
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question