
Apple iPhone Missing Emails

(@louise-h)
Posts: 8
Active Member
Topic starter
 

Hi All,

I currently have a case of disappearing emails from an Apple iPhone device running iOS 10. Emails of interest were identified on the device but when an examination was performed to try to recover these emails they were found to have vanished. I was not the one who performed the initial examination but the handset is now in my possession. I have so far only completed UFED Advanced Logical and Cellebrite has pulled out email information from the iPhone Recents Log. Some dates and times displayed by Physical Analyzer show emails to have been received after point of seizure and after initial examination. I guess my questions are:

1. Has anyone encountered emails vanishing from an iPhone (even when airplane mode is active)?

2. Does anyone know how accurate this recents log file is? Or at least how Cellebrite interprets it…

There are no emails on the device from after point of seizure to manually view…

I'm about to pull out the file and do my own digging but I thought I'd ask the experts 😉

Thanks for your help!
L

 
Posted : 13/03/2017 7:40 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

From memory emails are encrypted on iPhones on the more recent iOS builds.

You will get the header information but not the body of the emails, at least that's been my experience.

As far as I'm aware the only way to get the entire data set is to jailbreak the phone first, then use UFED PA or similar.

 
Posted : 14/03/2017 9:04 am
(@dandaman_24)
Posts: 172
Estimable Member
 

From memory emails are encrypted on iPhones on the more recent iOS builds.

You will get the header information but not the body of the emails, at least that's been my experience.

As far as I'm aware the only way to get the entire data set is to jailbreak the phone first, then use UFED PA or similar.

UFED PA will only obtain a jailbroken Physical up to an iPhone 4S. Cellebrite CAIS is your next best bet.

 
Posted : 14/03/2017 12:16 pm
Mreza
(@mreza)
Posts: 84
Trusted Member
 

Have you tried physical acquisition with Elcomsoft iOS Forensic Toolkit?

 
Posted : 14/03/2017 1:03 pm
(@louise-h)
Posts: 8
Active Member
Topic starter
 

Thanks. I am aware of the encryption etc. so will look into other methods should they be required. This is currently more of a problem solving exercise.

I was more after people's experience of the reliability of the recents.db file which contains the log of communications (SMS and emails) from an Apple device.

I'm currently seeing reference within this file to emails being received after point of seizure (although they do not appear to be present on the device).

 
Posted : 14/03/2017 3:36 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Have you tried physical acquisition with Elcomsoft iOS Forensic Toolkit?

Direct from Elcomsoft's website

At this time, physical acquisition support is only available for legacy hardware (iPhone 4 and older) and jailbroken 32-bit devices (iPhone 4S through 5C).

I don't think any software can acquire the emails on the latest iOS builds at all, at least none that I'm aware of without jailbreaking the device.

 
Posted : 15/03/2017 11:37 am
Mreza
(@mreza)
Posts: 84
Trusted Member
 

Have you tried physical acquisition with Elcomsoft iOS Forensic Toolkit?

Direct from Elcomsoft's website

At this time, physical acquisition support is only available for legacy hardware (iPhone 4 and older) and jailbroken 32-bit devices (iPhone 4S through 5C).

I don't think any software can acquire the emails on the latest iOS builds at all, at least none that I'm aware of without jailbreaking the device.

https://www.elcomsoft.com/eift.html

64-bit Physical acquisition for jailbroken 64-bit devices running any version of iOS for which a jailbreak is available (iPhone 5S, 6, 6S and their Plus versions, iPad mini 2 through 4, iPad Air, Air 2)

iOS 10 Physical Acquisition with Yalu Jailbreak

https://blog.elcomsoft.com/2017/01/ios-10-physical-acquisition-with-yalu-jailbreak/

Physical acquisition of 64-bit devices has the following benefits over logical acquisition via option “B” (Backup)

Extracts comprehensive location history
Extracts Safari cache and temporary files
Extracts downloaded mail
Extracts data from apps that explicitly disallow backups
Offers insight into Apple Home, Apple Pay and other services that made their appearance in iOS 10

 
Posted : 15/03/2017 12:53 pm
(@mcman)
Posts: 189
Estimable Member
 

Just to clarify some terminology here.

Physical acquisition usually refers to the physical disk/chip whereas logical refers to everything else (full file system or smaller backup). Since Apple encrypted the chips in all devices since the 4S, physical extraction, while possible, gives you an encrypted image which is not useful to anyone.

The physical extraction that Elcomsoft is referencing there is actually what most other tools call a full file system extraction of a jailbroken device, not a physical extraction. Both the file system extraction and the iTunes backup are considered logical extractions as they are not a bit for bit extraction from the actual disk/chip. Copying all allocated data is still a logical acquisition.

Most of this is semantics but hopefully clears up the confusion for the OP or anyone else. I'm not saying either is wrong but most tools will get a full file system logical dump (with email) of a jailbroken device (the challenge is whether you can actually do the jailbreaking because it's rare to come across an already jailbroken device in my experience). Access to email in a logical iTunes backup was shut down in iOS 8 I believe when Apple disabled the file relay service.

Jamie

 
Posted : 15/03/2017 5:44 pm