I've currently been tasked with the manual photographing of every single e-mail that is contained on an Iphone 6s.

Cellebrite wouldn't connect to the phone so I was unable to use the tablet to take the screen shots, so i have adapted to a Nikon camera on a mount, and then manually scrolling through every e-mail, taking a picture and then rinse repeating until all of them are captured.

What methods do you use to extract e-mails from phones, especially Iphones.

Is there an automatic process I could be using? or a more efficient method?

I'm based in the UK.

Kind regards  

You likely won't get email with a backup created from any forensic tool from iOS 8.3 or newer. Given that it's an iPhone 6s, it will have a newer file system than 8.3. The file relay service was what tools used to pull email and Apple shut that down after that version.

Unless you can jailbreak the phone or use Cellebrite's CAIS service to get a full file system dump, you're likely out of luck or stuck with photographing.

Jamie  

It's not an automated method, but the results are better looking than photographs:

We use AirServer on a computer to act as an AirPlay receiver. The video from the iOS device can then be mirrored on the computer. Then we can use a screen capture software such as Greenshot to capture the content on the screen .

Recently we also started using Printopia on a Mac as a PDF Printer using AirPrint.. We can then AirPrint the emails/attachments to Printopia and it ends up in PDF format. It's easy afterwards to OCR the documents and make them searchable.

Of course, you will want an isolated wifi connection with no internet access to connect the iOS device and the computer.  

Thanks for the suggestions.

Regarding the printopia method, how long does it take to do 1 email?

At the moment it's taking me 1-2 seconds an e-mail (depending on the content), which involves getting the email open on the iphone and then pressing the left mouse button to capture the image.
Then I press back, click the next email and then do the same thing over...and over...and over again.


It's a simple and primitive method that works, but I've just processed a phone that has 3500 individual photographs of the Iphone 6s, which was painstakingly boring.

Now i'm having to rotate and crop them, which isn't too bad as I just automate most of it within IRFANVIEW.

Hopefully once the new RIPA legislation comes into place, this method will be a thing of the past.

Keep the suggestions and solutions coming!

Kind regards  

- MrMacca

I've currently been tasked with the manual photographing of every single e-mail that is contained on an Iphone 6s.

Cellebrite wouldn't connect to the phone so I was unable to use the tablet to take the screen shots, so i have adapted to a Nikon camera on a mount, and then manually scrolling through every e-mail, taking a picture and then rinse repeating until all of them are captured.

What methods do you use to extract e-mails from phones, especially Iphones.

Is there an automatic process I could be using? or a more efficient method?

I'm based in the UK.

Kind regards

Why haven't you considered capturing the emails artifacts from directly from the server where the emails are sitting? But keep in mind you will need the USER_Name/Pass and then you can use the imap/pop connection bridge to capture the emails using any email client software.  

- unknow1234

Why haven't you considered capturing the emails artifacts from directly from the server where the emails are sitting?

Maybe because the results wouldn't be the same?

One thing is stating that an e-mail is on a device, and another thing is stating that an e-mail is on a server and thus it must (probably) have been downloaded and read on the device.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

- unknow1234

Why haven't you considered capturing the emails artifacts from directly from the server where the emails are sitting? But keep in mind you will need the USER_Name/Pass and then you can use the imap/pop connection bridge to capture the emails using any email client software.

Emails on the server and emails on a local device are two distinct sources of ESI. You may have access to the device, but not to the current credentials of the user to authenticate with the email server. You may not have the authority to use the user's credentials, authenticate with the server on his behalf and download his emails. Some messages found on the local device may have been deleted from the server. The email account may have been closed, etc.

The opposite can be true as well—the server may contain data that is not available on the local device.

Emails on the server and local copies on mobile devices, workstations, backup devices and other ESI sources are often used to complement each other. I would not recommend collecting emails from the server as a substitute for the email evidence on the local device.
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com