The main aim of any forensic acquisition is to extract as much data as possible. Every good mobile forensics examiner knows that the best way to do this is to perform a physical extraction. Of course, that is not always possible, especially with iOS devices such as iPhones and iPads. But if the examined device is jailbroken, we can create a physical image. Recently we added a very powerful piece of software to our mobile acquisition toolkit – Elcomsoft iOS Forensic Toolkit.
Today we are going to show you how to perform a physical acquisition of a jailbroken iOS device.
In this case we are using the Windows version of the toolkit, but there is also a Mac version if you prefer. There are two scripts in the toolkit – Toolkit and Toolkit-JB:
For the acquisition of jailbroken iOS devices we should use the second one – Toolkit-JB. Just double-click it to start (don’t forget to plug the hardware key into your workstation):
As you can see, there are a few options. We are going to start with imaging, so our choice is 6 – “Acquire physical image of the device filesystem”. Just type “6” and press Enter.
Elcomsoft iOS Forensic Toolkit has successfully connected to our device, and now we can see the usual iOS device partition structure. We are going to image the “User” partition, which contains all user data, including chats, messages, emails, etc. Type “2” and press Enter.
Now you can choose a location for the image file being created, or just press Enter and the image will be saved in the current working directory.
As you can see, the imaging process has started successfully. Rawwrite dd for Windows is used to create the physical image.
The process has finished. We have a 6.6 GB physical image, but there is one problem – it is encrypted. Let’s extract the keys from the device to decrypt it. Now we should type “4” (Extract device keys and keychain data) in the main menu and press Enter.
If the device being examined has a passcode, type it; alternatively, you can use an escrow file (which can be obtained from a computer the device under investigation has been connected to or synced with). After this, choose a location for keys.plist, or just press Enter to create it in the current working directory.
So, we have the keys; it’s time to decrypt our physical image. Go to the main menu, type “7” and press Enter.
As you can see, the decryption process has started successfully. As a result we get the file user-decrypted.dmg – this is our decrypted image.
Now you can extract data from this physical image with your favourite mobile forensic suite; we prefer Oxygen Forensic Detective.
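Before handing the image to an analysis suite, it is worth confirming that decryption actually produced a filesystem and recording hashes of both images for the case file. The script below is an added example, not part of the toolkit or the original post: it relies on the fact that an HFS+/HFSX volume header sits at byte offset 1024 with signature “H+” or “HX” (iOS user partitions of this era are HFSX), and it assumes the encrypted dump is named user.dmg (the post only names the decrypted output).

```python
import hashlib
import struct
import sys
import tempfile
from pathlib import Path

# HFS Plus / HFSX volume header: 2-byte signature at offset 1024 of the volume.
HFS_SIGNATURES = {b"H+": "HFS Plus", b"HX": "HFSX"}
CHUNK = 1 << 20


def hfs_signature(header: bytes):
    """Return the filesystem name if the bytes carry an HFS+/HFSX volume header."""
    if len(header) < 1026:  # need at least offset 1024 + 2 signature bytes
        return None
    return HFS_SIGNATURES.get(header[1024:1026])


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-gigabyte images do not fill RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_acquisition(encrypted: Path, decrypted: Path) -> dict:
    """Hash both images; decryption is OK only if the decrypted one shows a volume header."""
    enc_fs = hfs_signature(encrypted.read_bytes()[:1026])
    dec_fs = hfs_signature(decrypted.read_bytes()[:1026])
    return {
        "encrypted_sha256": sha256_file(encrypted),
        "decrypted_sha256": sha256_file(decrypted),
        "decrypted_filesystem": dec_fs,
        "decryption_ok": dec_fs is not None and enc_fs is None,
        "size_bytes": decrypted.stat().st_size,
    }


def demo() -> dict:
    """Constructed stand-in images (not real device dumps) to exercise the check."""
    tmp = Path(tempfile.mkdtemp())
    enc, dec = tmp / "user.dmg", tmp / "user-decrypted.dmg"
    enc.write_bytes(bytes((i * 97 + 13) & 0xFF for i in range(4096)))  # no header
    # zero padding, then HFSX signature and version 5 at offset 1024
    dec.write_bytes(b"\0" * 1024 + struct.pack(">2sH", b"HX", 5) + b"\0" * 3070)
    return verify_acquisition(enc, dec)


if __name__ == "__main__":  # usage: verify.py user.dmg user-decrypted.dmg
    print(verify_acquisition(Path(sys.argv[1]), Path(sys.argv[2])) if len(sys.argv) == 3 else demo())
```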
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics