IOS Mobile Forensic with Axiom and Oxygen


asriel
Newbie
 

IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Mar 18, 19 16:18

Hi everyone,

I am trying the software Axiom to do mobile forensics on iOS. The phone is a jailbroken iPhone 7 with iOS 11.

I was asked to get deleted Facebook activity, Instagram and Twitter activity, deleted chats (SMS, iMessage, WhatsApp and Messenger), dating app activity (Tinder, JSwipe, Bumble) and the incognito mode for Google.

I have not really been successful in getting any of this.

I thought about the Facebook, Instagram and Twitter URLs to get the activity for these social media. The Facebook URLs that Axiom got are not complete and I can't find a search history of profiles visited. I didn't find any way to get Instagram activity, and the Twitter URLs don't seem to be complete either. Does anyone know how to get search history and activity for these social media?

I found the databases for the chats and the dating apps.

Axiom didn't get any deleted chats. I tried to load them in Oxygen after that, but the deleted content seems to be garbage: random numbers and letters. Is there something else to do to get any deleted content?

The database for the dating apps shows activity dates like first use, last use and last open, but what does "use" mean in that case? Is it swiping? Sending a text in a conversation? And that doesn't seem right, because sometimes these 3 dates are the same day and the app has been used for months. Does anyone know a little more about the databases of these dating apps?

I thought about the KnowledgeC database to get app activity, but this database stores only 1 month of data. Is it possible to get more from this database, like deleted content from months before?

I am not able to find any database or record of the incognito mode.

Could anyone help me with any of these problems?

Thank you very much!
 
  

mcman
Senior Member
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Mar 18, 19 16:56

Ok so I'll try to break down the things you're looking for and try to help where I can.

1) A jailbroken acquisition is great; rare, but great when you can get it, so definitely take advantage. Not a lot of devices will come jailbroken, so you'll have access to most of the data if it still exists on the device. However, one note: this is still a full file system dump of the phone, not a physical image. The data is still encrypted on the device, so you'll only be able to carve what still exists in the files, databases and WAL files remaining on the device (no unallocated space).

2) The data you'll get from the social apps (FB, Instagram, Twitter) will vary depending on how the app was used. I would compare what AXIOM/Oxygen recovered to the actual databases and make sure they're getting everything that is in those DBs. While you'll still get Facebook data, they actually store a lot of the message data in the cloud, so even with a jailbroken device you'll only get the most recent stuff that was cached on the device. (Ex. if you have the phone and it's not actual evidence, look to see if you can see the messages, then put it in airplane mode and see if you can still see the messages; many of them will no longer be accessible. This is because FB is not storing everything on the device, it's pulling stuff from the cloud as needed.)

3) Dating apps - AXIOM will support Tinder but not JSwipe or Bumble, so you'll have to manually search the databases for the other two and see what you can find. I'm not sure what Oxygen supports. For deleted content, are you able to see it in the app? AXIOM will carve the DB for deleted content, but if it's not in there, there's not much else to do. Manual review is probably best to confirm whether something is there or not.

4) Chrome incognito - you won't get much here unless you're reading straight from memory. I haven't tested incognito with iOS too much, but if it's similar to incognito on the computer, not much gets written to the disk and you're limited to what can be carved out of memory for the most part (which isn't much). AXIOM's generic URL carver ("Potential Browsing Activity" artifact) should pick up any URLs it can find; it might not associate them with a given browser, but if it finds a URL somewhere, it will be in there.

5) KnowledgeC is a great source of info, but yes, its timeframe is limited. I haven't seen much outside the time range from carved data.

Hope that helps. Short answer is, no data is guaranteed even with a jailbroken device. Make sure you verify the source databases to make sure your tools got everything that was there, and let us know if we missed anything you found manually.

Jamie McQuaid
Magnet Forensics  
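The advice above to verify the source databases and WAL files yourself can be scripted. The following triage helper is an added example (my own code, not Magnet's, Oxygen's or the poster's) that reads only SQLite's documented header bytes and pragmas; the sample chat database it builds is constructed in a temp directory so the script runs offline.

```python
import os
import sqlite3
import tempfile

def triage_sqlite(path):
    """Facts to check before trusting a tool's parse of an app database.
    Run this against a working copy of the evidence, never the original."""
    with open(path, "rb") as f:
        header = f.read(100)
    # Header bytes 18/19 are the read/write format versions: 2 means WAL journaling,
    # so a sibling "-wal" file may hold committed rows that are not in the main file yet.
    info = {"wal_mode": header[18] == 2 and header[19] == 2}
    wal = path + "-wal"
    info["wal_bytes"] = os.path.getsize(wal) if os.path.exists(wal) else 0
    con = sqlite3.connect(path)
    info["page_size"] = con.execute("PRAGMA page_size").fetchone()[0]
    info["page_count"] = con.execute("PRAGMA page_count").fetchone()[0]
    # Freelist pages once held live rows; their old content stays until the page is
    # reused, which is where a carver may still find "deleted" records.
    info["freelist_count"] = con.execute("PRAGMA freelist_count").fetchone()[0]
    info["tables"] = {}
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        info["tables"][name] = con.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
    con.close()
    return info

def build_sample_db(path):
    """Constructed stand-in for a chat database: WAL mode, rows written then deleted."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.commit()
    con.execute("PRAGMA journal_mode=WAL")
    con.executemany("INSERT INTO messages(sender, body) VALUES(?, ?)",
                    [("alice", f"constructed message {i} " + "x" * 200) for i in range(3000)])
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")   # push those pages into the main file
    con.execute("DELETE FROM messages WHERE id > 20")  # the "deleted chats" case
    con.commit()
    return con  # keep open: closing the last connection would checkpoint and remove -wal

def demo():
    path = os.path.join(tempfile.mkdtemp(), "messages.db")
    writer = build_sample_db(path)
    try:
        return triage_sqlite(path)  # a tool that ignores -wal or the freelist misses data
    finally:
        writer.close()
```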
 
  

asriel
Newbie
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Mar 18, 19 17:30

Thank you very much for your answer, it is really helpful.

1) I understand that part better; I thought the software was carving in unallocated space. Is there a way to look in unallocated space on a jailbroken phone, or is it possible only with a physical image?
Is there any other way than GrayKey (we don't have it) to get a physical image?

2) Is it possible to ask Facebook/Instagram (by simple request or subpoena) to recover for us the activity usage and the deleted search history?


3) I am not able to see the deleted content in the app. I was trying to get a report of dating app usage (each time the app was installed, uninstalled, last used and last opened for each installation), thinking it was accessible in the database of the dating apps. I thought about the battery usage database and the data usage too to get that information, but this has a limitation in time.
 
  

mcman
Senior Member
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Mar 18, 19 18:41

- asriel

Is there other way than Graykey (we don't have it) to get a physical image ?


Even with a GrayKey, it's still a file system dump. It has to do with the data being encrypted at the chip level. No physical acquisitions after iPhone 4. Both a jailbroken phone and GrayKey will get you the best amount of data that's possible with iOS that I'm aware of.

- asriel

2) Is it possible to ask Facebook/Instagram (by simple request or subpoena) to recover for us the activity usage and the deleted search history?


Yep, if you're legally authorized, both FB/Instagram and most providers have a lawful access guide, and typically they'll provide what is stored in the cloud, which is usually more than what is on the device.

- asriel

3) I am not able to see the deleted content in the app. I was trying to get a report of dating app usage (each time the app was installed, uninstalled, last used and last opened for each installation), thinking it was accessible in the database of the dating apps. I thought about the battery usage database and the data usage too to get that information, but this has a limitation in time.


Examining app usage is a great method. You won't get much usage detail from the database itself (aside from message timestamps, matches, etc.), but definitely the KnowledgeC databases, Screen Time, Network Usage history, FSEvents, etc. keep some good information; all are quite helpful to map out this type of usage. KnowledgeC will track per-app times, focus times, lock/unlock times, plug/unplug, etc., so you'll get a ton of really good data. The only limitation is if you have to go back too far in time; you may find some of the apps only store 30 days' worth of activity. You could also grab all the native system artifacts and build out a timeline of activity across all apps if you're interested in what the user was doing at specific dates/times.

Hope that helps,
Jamie  
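To show what "per-app times and focus times" from KnowledgeC look like once pulled out, here is an added example (my own code, not from the thread or any vendor tool). It assumes a simplified subset of the knowledgeC.db schema as I understand it: a ZOBJECT table whose "/app/inFocus" rows carry the bundle id in ZVALUESTRING and Cocoa timestamps (seconds since 2001-01-01 UTC) in ZSTARTDATE/ZENDDATE; the bundle ids and events are constructed, and the span check makes the roughly 30-day window visible.

```python
import sqlite3
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed schema subset: ZOBJECT(ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE), where
# "/app/inFocus" rows hold the bundle id and Cocoa timestamps (seconds since 2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)

def app_focus_summary(db_path):
    """Per-app foreground time from /app/inFocus, plus how many days the DB actually covers."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
                       "WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE").fetchall()
    lo, hi = con.execute("SELECT MIN(ZSTARTDATE), MAX(ZENDDATE) FROM ZOBJECT").fetchone()
    con.close()
    apps = defaultdict(lambda: {"focus_seconds": 0.0, "sessions": 0, "first": None, "last": None})
    for bundle, start, end in rows:
        a = apps[bundle]
        a["focus_seconds"] += end - start
        a["sessions"] += 1
        a["first"] = a["first"] or cocoa_to_utc(start)
        a["last"] = cocoa_to_utc(end)
    # The covered span shows whether you are only seeing the retention window, not all history.
    retention_days = (hi - lo) / 86400 if lo is not None else 0.0
    return {"apps": dict(apps), "retention_days": retention_days}

def build_sample_knowledgec(path):
    """Constructed sample rows (bundle ids and times are made up), Cocoa seconds stored as REAL."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ZOBJECT(Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
                "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)")
    t0 = (datetime(2019, 2, 15, 9, 0, tzinfo=timezone.utc) - COCOA_EPOCH).total_seconds()
    day = 86400.0
    events = [
        ("/app/inFocus", "com.example.datingapp", t0, t0 + 300),
        ("/device/isLocked", "0", t0 + 300, t0 + 301),  # other streams are ignored by the query
        ("/app/inFocus", "com.example.datingapp", t0 + 10 * day, t0 + 10 * day + 600),
        ("/app/inFocus", "com.example.messenger", t0 + 12 * day, t0 + 12 * day + 120),
        ("/app/inFocus", "com.example.datingapp", t0 + 28 * day, t0 + 28 * day + 900),
    ]
    con.executemany("INSERT INTO ZOBJECT(ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) "
                    "VALUES (?, ?, ?, ?)", events)
    con.commit()
    con.close()

def demo():
    path = tempfile.mkdtemp() + "/knowledgeC.db"
    build_sample_knowledgec(path)
    return app_focus_summary(path)
```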
 
  

Mreza
Senior Member
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Apr 10, 19 14:26

- asriel
2) Is it possible to ask Facebook/Instagram (by simple request or subpoena) to recover for us the activity usage and the deleted search history?


Why don't you try data extraction from the cloud?


_________________
digitalna-forenzika.com 
 
  

Thomass30
Senior Member
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Apr 11, 19 13:23

- mcman
No physical acquisitions after iPhone 4.


Correct me if I'm wrong, but I think that full physical acquisition could be done for iPhone 4s, 5 and 5c.
There is no full physical acq. for 5s and newer.
 
  

mcman
Senior Member
 

Re: IOS Mobile Forensic with Axiom and Oxygen

Post Posted: Apr 11, 19 17:18

- Thomass30
- mcman
No physical acquisitions after iPhone 4.


Correct me if I'm wrong, but I think that full physical acquisition could be done for iPhone 4s, 5 and 5c.
There is no full physical acq. for 5s and newer.


I always understood it as the 4s and newer, something with the A5 chip preventing it. The 64-bit chips with the 5s and newer didn't help but I was always under the impression it was before that. I could be wrong too though so don't hold me to it.

I tried to dig up a proper source for it either way but I guess my research skills are falling short today. Found Ron mentioning here on the forums a while back that anything after 4s was a no go but that was it.

www.forensicfocus.com/...c/t=10615/

- RonS
"iOS 6 is supported for physical extraction when running on devices before the 4S (4S and iPhone 5 are not supported for physical)."
 
 

Page 1 of 2