Extracting Data from Apple iOS Mobile Devices


These days, private investigators need advanced technology if they’re going to offer professional services such as mobile forensics.

In 2013, Prudential Associates invested in Cellebrite’s UFED equipment, a complete solution for any Apple device running any iOS version. It enables forensically sound data extraction, along with decoding and analysis to obtain current and deleted data from Apple devices.

Compatible iOS Devices

The iOS devices that can have data extracted include iPhone 5, iPhone 4s, iPhone 4, iPhone 3GS, iPhone 3G and iPhone 2G. The iPods covered include the iPod Touch 5G, iPod Touch 4G, iPod Touch 3G, iPod Touch 2G and iPod Touch 1G. iPad models covered include iPad 4, iPad 3, iPad 2, iPad 1 and iPad Mini.

Data extraction can be performed on iOS devices in several ways. For unlocked devices, file system and logical extraction are enabled on UFED Touch. For locked devices, support comes from the UFED Physical Analyzer, where file system extraction and physical extraction are enabled.

Extracting Information on Locked Devices

You may use UFED Physical Analyzer to extract file system and physical information. Analysis and decoding can also be performed on iOS devices that are locked, whether they have a simple or a complex passcode.

Simple passcodes are recovered during the process of physical extraction, and this enables access to keychain passwords and emails. If the device is set with a complex passcode, physical extraction can still be done, but without access to the keychain and emails. If the complex passcode is known, keychain passwords and emails are still available.

UFED Physical Analyzer Capabilities

The capabilities of the UFED Physical Analyzer include:

  • Access to account passwords and usernames with keychain real-time decryption
  • Real-time decryption for interpreting encrypted data from devices that run iOS 4, iOS 5 and iOS 6 – This decryption allows access to application content, files and data.
  • Support for decrypting emails that were saved as emlx files.
  • Extraction and presentation of cell tower IDs, Wi-Fi networks and GPS fixes – The routes and locations are viewable in Google Maps and Google Earth.

Recovering Data from SQLite Databases

Advanced decoding and decryption techniques are used to recover mobile data deleted from SQLite databases. This includes contacts, call history, apps data, messages and more.
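The sketch below is an added example, not Cellebrite's code or method: it shows one reason deleted rows stay recoverable, namely that SQLite by default marks a deleted record's bytes as free space in the page instead of wiping them. The messages table, its rows and the file name are constructed sample data, and it assumes a database with secure_delete switched off.

```python
import os, pathlib, re, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: three messages, then the middle one is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # assumption: store does not wipe on delete
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", [
        ("alice", "lunch at noon?"),
        ("bob", "meet me at pier 39 tonight"),
        ("carol", "invoice attached"),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    live = [row[0] for row in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return live

def carve_free_space(path, min_len=4):
    """Printable strings left in freeblocks and unallocated space of table leaf pages."""
    data = pathlib.Path(path).read_bytes()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    found, pattern = [], re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for start in range(0, len(data), page_size):
        page = data[start:start + page_size]
        hdr = 100 if start == 0 else 0          # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:                   # 0x0D = table b-tree leaf page
            continue
        free_off, n_cells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        regions = [page[hdr + 8 + 2 * n_cells:content or 65536]]  # unallocated gap
        seen = set()
        while free_off and free_off not in seen and free_off + 4 <= len(page):
            seen.add(free_off)                  # guard against a looping chain
            nxt, size = struct.unpack(">HH", page[free_off:free_off + 4])
            regions.append(page[free_off + 4:free_off + size])  # skip 4-byte freeblock header
            free_off = nxt
        for region in regions:
            found += [m.decode("ascii") for m in pattern.findall(region)]
    return found

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample_messages.db")
        return build_sample_db(path), carve_free_space(path)

if __name__ == "__main__":
    print(demo())
```

The deleted message no longer appears in query results but is still present in the page's freeblock. A stray byte from the old record header may be attached to the front of the carved string, because the freeblock header overwrites only the first four bytes of the deleted cell.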

Cellebrite’s UFED Physical Analyzer features an innovative physical extraction and decoding solution for iOS devices. It is important to be able to extract data from iPhones, iPods and iPads.

The Cellebrite iOS Extraction Program

The Cellebrite program is launched on the iOS device. From the menu bar, open the Tools menu and select the step for extracting information. If the extraction has never been done on the device before, a support package is available from Cellebrite.

In preparation to extract data, the Cellebrite connector is plugged into your computer. The iOS device should be turned off, and not connected to the cable.

The iPhone, in this case, is set to recovery mode, and the cable 110 is plugged into the iPhone. You will set the device into DFU mode, and press the home and power buttons at the same time. The iOS program will begin loading the forensics program onto the device.

Physical Extraction

At the extraction screen, you will select physical or file system extraction. Generally, a physical extraction will allow you to extract personal files like emails, texts, etc. You can also extract the user partition, the system partition, or both. After you choose where you would like the extraction saved, you will begin the actual extraction.

After your extraction is complete, you may turn off the iOS device and exit, open the file location, or open the extraction in UFED Physical Analyzer. Physical Analyzer will allow you to view the extracted data, which will show up in its pertinent folders.

Image Source: http://sparkletechnews.com/the-history-of-apple-iphones/