Direct iOS devices acquisitions with iFunbox

Direct acquisitions can be performed on all iDevices and iOS versions. Of course, this type of data extraction is very basic and brief, but also the fastest, so from time to time it’s worth using.

Any mobile forensics examiner must know that, due to the fact iDevice browsers are not forensic tools, he or she should be very careful in order not to delete anything from an iOS device.

There are a lot of software solutions (non-forensic) capable of browsing contents of an iDevice. Some are commercial, while others – not. Today we’ll show you how to perform direct acquisitions with a free tool called iFunbox.

Before connecting an iOS device to your forensic workstation make sure Prevent iPods, iPhones, and iPads from syncing automatically option is enabled:

Figure 1. Prevent iPods, iPhones, and iPads from syncing automatically option

Start iFunBox and connect your iDevice. If connection is successful, you see iDevice details:

Figure 2. iDevice details

The File Browser pane can be used for viewing iDevice contents:

Figure 3. Folder View

In our example the iDevice is jailbroken, so Raw File System option is very useful:

Figure 4. Raw File System

What is more, you can search for files with iFunBox:

If you find some important files during direct acquisition, you can easily cope them to your forensic workstation using Copy To PC button:

As you can see, this tool and method is quite useful, especially if you need to examine an iDevice fast.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics