iOS Mobile Forensic with Axiom and Oxygen


randomaccess
Senior Member
Re: iOS Mobile Forensic with Axiom and Oxygen
Posted: Apr 12, 19 00:08

Up until the iPhone 4 you can obtain and parse a physical extraction.

Post iPhone 4 you can jailbreak/exploit and get what some people call a physical, but it is really a full file system copy. This is currently the best we can get.

My issue is that some people call a "full file system" a "physical",
and others call a backup with some extra files a "file system",
and it confuses people.

Either way, you're not carving deleted pictures and videos. Your best bet is getting access to iCloud, hoping they transferred the files elsewhere (for example, they can text it to someone and delete the original, and the texted version still exists on their phone) or looking for thumbnails.

Thomass30
Senior Member
Posted: Apr 12, 19 10:31

What I mean by physical is that:
- on 32-bit jailbroken devices (iPhone 4s, 5 and 5c) we can get the entire DMG image of the device (unencrypted system partition and encrypted user data partition) with a keychain that can be decrypted.
- on 64-bit jailbroken devices (5s and newer) we can get a TAR archive which in fact contains the same data as a DMG image; however, the extracted keychain cannot be decrypted (because of the Secure Enclave).

Am I right, or am I missing something?

And we can also get certain types of deleted text data like messages or contacts stored in SQLite databases.

mcman
Senior Member
Posted: Apr 12, 19 13:25

- randomaccess

My issue is that some people call a "full file system" a "physical",
and others call a backup with some extra files a "file system",
and it confuses people.

This x100. I've tried so hard to match your terminology above in any presentation I've given on mobile (iOS and Android). A backup (iTunes or ADB) is a logical extraction restricted by permissions and an API. A file system extraction (jailbroken/GK image or dm-0, etc.) is still a logical extraction; it simply has elevated privileges. Physical is when you are ripping the entire chip (JTAG/ISP/chip-off/mmcblk0, etc.).

While I agree with most of your other comments too, I do need to separate some people's thoughts on "carving" and "carving unallocated space": they're not the same thing (not saying you made that jump, but many people do). Many people just think carving means searching for deleted files in unallocated space and can only be accomplished with physical images, and this adds to the confusion around the terminology above.

You can carve anything. We carve allocated data for records or data fragments in almost every artifact we support and you don't need a physical image to do that. Non-live SQLite records (could be deleted, maybe not) as already mentioned can be carved as long as you get the actual db (and WAL file usually). You can carve pictures and other data from other allocated files quite easily as well. You don't need unallocated space for that either.

I think the debate between the physical 4s and 5s probably lies in whether you consider decrypting data into a logical form still physical or does that move to a file system view. My opinion is that if you can decrypt in a stream regardless of the data that resides there (essentially maintaining unallocated space in this respect) then you're still getting a physical but if the decryption is at the file level or anything other than the stream/block level, then it's moved over to the logical realm and would be a logical/file system.

Again, not very scientific, but that's my OCD way to bucket everything I can. Also interested in other people's thoughts, especially on my last paragraph.

Jamie  
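The point above that non-live SQLite records can be carved from the database file itself, without a physical image, is easy to see on a constructed database. The following is an added example, not code from this thread or from any of the tools named in it: it builds a small messages table, deletes two rows the way an app would, then walks each page's freeblock chain and unallocated gap (per the published SQLite file format) to find text that SQL no longer returns. The table name, column names and sample messages are constructed for the demo.

```python
"""Recover non-live SQLite records from freeblocks and unallocated page space."""
import os
import sqlite3
import tempfile

# Constructed sample data standing in for a message store. Not a real artifact.
SAMPLE_MESSAGES = [
    (1, "alice", "meeting moved to 3pm"),
    (2, "bob", "can you send the pictures from saturday"),
    (3, "alice", "sent, check your email"),
    (4, "carol", "dinner on friday?"),
]


def build_sample_db(path):
    """Create the sample DB and delete rows 2 and 4 the way an app would."""
    conn = sqlite3.connect(path)
    # secure_delete=OFF is the default unless SQLite was compiled with
    # SQLITE_SECURE_DELETE; made explicit so the demo behaves the same everywhere.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id IN (2, 4)")
    conn.commit()
    conn.close()
    return path


def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")


def unallocated_regions(db_bytes):
    """Yield (page_no, kind, bytes) for every freeblock and unallocated gap in b-tree pages.

    SQLite file format: 100-byte file header on page 1, then an 8-byte (leaf) or
    12-byte (interior) page header holding the first-freeblock offset, cell count
    and cell-content start, followed by the 2-byte-per-cell pointer array.
    """
    page_size = _u16(db_bytes, 16)
    if page_size == 1:
        page_size = 65536
    for pno in range(1, len(db_bytes) // page_size + 1):
        page = db_bytes[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0
        flag = page[hdr]
        if flag not in (0x02, 0x05, 0x0A, 0x0D):
            continue  # freelist trunk, overflow or zeroed page: not a b-tree page
        hdr_len = 12 if flag in (0x02, 0x05) else 8
        first_free = _u16(page, hdr + 1)
        n_cells = _u16(page, hdr + 3)
        content_start = _u16(page, hdr + 5) or 65536
        ptr_end = hdr + hdr_len + 2 * n_cells
        # Gap between the end of the cell pointer array and the cell content area.
        if content_start > ptr_end:
            yield pno, "gap", page[ptr_end:content_start]
        # Walk the freeblock chain; each block begins with next-offset and total size.
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= page_size:
            seen.add(off)
            nxt, size = _u16(page, off), _u16(page, off + 2)
            yield pno, "freeblock", page[off + 4:off + size]  # skip the 4-byte header
            off = nxt


def keyword_hits(db_path, needles):
    """For each needle report whether SQL still returns it and where the raw file holds it."""
    with open(db_path, "rb") as f:
        db_bytes = f.read()
    regions = list(unallocated_regions(db_bytes))
    # A WAL or rollback journal captured with the DB holds older page images;
    # scan them raw if present (absent in this demo after commit and close).
    sidecars = []
    for p in (db_path + "-wal", db_path + "-journal"):
        if os.path.exists(p):
            with open(p, "rb") as f:
                sidecars.append((os.path.basename(p), f.read()))
    conn = sqlite3.connect(db_path)
    live_text = [row[0] for row in conn.execute("SELECT body FROM message")]
    conn.close()
    report = {}
    for needle in needles:
        raw = needle.encode()
        hits = [(pno, kind) for pno, kind, data in regions if raw in data]
        hits += [(name, "sidecar") for name, data in sidecars if raw in data]
        report[needle] = {"live": any(needle in t for t in live_text), "unallocated_hits": hits}
    return report


def demo():
    path = os.path.join(tempfile.mkdtemp(), "messages.db")
    build_sample_db(path)
    return keyword_hits(path, ["meeting moved to 3pm", "pictures from saturday", "dinner on friday?"])


if __name__ == "__main__":
    for needle, info in demo().items():
        print(f"{needle!r}: live={info['live']} raw_hits={info['unallocated_hits']}")
```

The live message is found only through SQL, while the two deleted bodies turn up in page 2's freed space even though no physical image was involved. Two caveats match the thread's "could be deleted, maybe not" wording: a build with secure_delete on zeroes freed cells, so the -wal or -journal file may then be the only remaining copy, and a hit in a freeblock proves the bytes exist, not when or why the row went away.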

Thomass30
Senior Member
Posted: Apr 12, 19 17:22

I agree that the iOS file system extraction is in fact just a logical acquisition (4 and later).
I was using the term 'physical' in the context of iOS just because I was using Elcomsoft iOS Forensic Toolkit and they called it 'physical' (creating a DMG image for the 4s, 5, 5c and a TAR archive for later models).

passcodeunlock
Senior Member
Posted: Apr 12, 19 20:33

Physical acquisition is the binary image of a chip.

Filesystem acquisition (encrypted or not) is a logical acquisition.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user lock unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right to choose which tasks we take and which we deny!

asriel
Newbie
Posted: Apr 25, 19 21:40

- Mreza
- asriel
2) Is it possible to ask Facebook/Instagram (by simple request or subpoena) to recover for us the deleted activity usage and search history?

Why don't you try data extraction from the cloud?

We tried the cloud data extraction for Facebook with Axiom, but there was no option for the search history in it. Is there another software like Oxygen that has the option of search history with the cloud data extraction?

Also the WhatsApp cloud extraction didn't work with Axiom; we couldn't connect the account to it.

Page 2 of 2