The main aim of any forensic acquisition is to extract as much data as possible. Every good mobile forensics examiner knows that the best way to do this is a physical extraction. Of course, that is not always possible, especially with iOS devices such as iPhones and iPads. But if the examined device is jailbroken, we can create a physical image. Recently we added a very powerful piece of software to our mobile acquisition toolkit – Elcomsoft iOS Forensic Toolkit.
Today we are going to show you how to perform a physical acquisition of a jailbroken iOS device.
In this case we are using the Windows version of the toolkit, but there is also a Mac version if you prefer. There are two scripts in the toolkit – Toolkit and Toolkit-JB:
For acquisition of jailbroken iOS devices we should use the second one – Toolkit-JB. Just double-click it to start (don’t forget to plug the hardware key into your workstation):
As you can see, there are a few options. We are going to start with imaging, so our choice is 6 – “Acquire physical image of the device filesystem”. Just type “6” and press Enter.
Elcomsoft iOS Forensic Toolkit has successfully connected to our device and now we can see the common iOS device partition structure. We are going to image the “User” partition, which contains all user data including chats, messages, emails, etc. Type “2” and press Enter.
Now you can choose a location for the image file being created, or just press Enter and the image will be saved in the current working directory.
As you can see, the imaging process has started successfully. Rawwrite dd for Windows is used to create the physical image.
The process has finished. We have a 6.6 GB physical image, but we have one problem – it is encrypted. Let’s extract the keys from the device to decrypt it. Now we should type “4” (Extract device keys and keychain data) in the main window and press Enter.
If the device being examined has a passcode, type it; alternatively you can use an escrow file (which can be obtained from a computer with which the device under investigation has been connected/synced). After this, choose a location for keys.plist, or just press Enter to create it in the current working directory.
So, we have the keys; it’s time to decrypt our physical image. Go to the main menu, type “7” and press Enter.
As you can see, the decryption process has started successfully. As the result we have the user-decrypted.dmg file – this is our decrypted image.
Now you can extract data from this physical image with your favourite mobile forensic suite; we prefer Oxygen Forensic Detective.
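Before the decrypted image goes into an analysis suite, an examiner usually wants two quick checks: a hash of the file for the acquisition record, and a confirmation that the output really is decrypted rather than still ciphertext (an encrypted image such as the 6.6 GB one above reads as near-uniform random bytes; a decrypted filesystem does not). The script below is an added example, not part of the original post and not part of Elcomsoft iOS Forensic Toolkit. The file names, the 1 MiB sample size and the 7.9 bits-per-byte cut-off are assumptions, and the two sample byte strings are constructed inline to stand in for an encrypted and a decrypted image.

```python
import hashlib
import math
import random
from collections import Counter

# Added example: verify an acquired image by hash and by a byte-entropy heuristic.
# Not the toolkit's own code. Paths, sample size and threshold are assumptions.

SAMPLE_SIZE = 1 << 20          # read at most 1 MiB from the start of the image
ENCRYPTED_THRESHOLD = 7.9      # bits per byte; assumed heuristic cut-off (max is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(sample: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Near-uniform byte distribution is what ciphertext (or compressed data) looks like."""
    return shannon_entropy(sample) >= threshold


def sha256_file(path: str) -> str:
    """Stream the whole image through SHA-256 for the acquisition record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_image(path: str) -> dict:
    """Hash the image and estimate from its leading bytes whether it is still encrypted."""
    with open(path, "rb") as f:
        sample = f.read(SAMPLE_SIZE)
    entropy = shannon_entropy(sample)
    return {
        "path": path,
        "sha256": sha256_file(path),
        "sample_entropy_bits_per_byte": round(entropy, 3),
        "looks_encrypted": entropy >= ENCRYPTED_THRESHOLD,
    }


# Constructed stand-ins (not real image data): seeded pseudo-random bytes model an
# encrypted image; repeated plist text with a run of zero padding models a decrypted one.
_rng = random.Random(1234)
ENCRYPTED_SAMPLE = bytes(_rng.randrange(256) for _ in range(64 * 1024))
PLAINTEXT_SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    b"<key>ChatText</key><string>constructed sample record</string>\n</dict>\n</plist>\n"
) * 400 + b"\x00" * 8192


def classify_samples() -> dict:
    """Run the heuristic over the two constructed samples."""
    return {
        "encrypted_sample": looks_encrypted(ENCRYPTED_SAMPLE),
        "plaintext_sample": looks_encrypted(PLAINTEXT_SAMPLE),
    }


if __name__ == "__main__":
    import json
    import sys

    # Usage: python check_image.py user.dmg user-decrypted.dmg   (file names assumed)
    if len(sys.argv) > 1:
        for image in sys.argv[1:]:
            print(json.dumps(check_image(image), indent=2))
    else:
        print(json.dumps(classify_samples(), indent=2))
```

The entropy test is a heuristic, not proof: compressed media inside a decrypted filesystem also scores high, so sample the start of the image where filesystem metadata lives, and treat a still-high score on user-decrypted.dmg as a reason to re-check the key extraction step rather than as a verdict.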