iOS Forensic Toolkit full review - Page 2
Once the Toolkit Ramdisk is loaded you can begin the process of forensic extraction (note that if you stop the process you’ll need to load the Toolkit Ramdisk again; it isn’t stored on the device).
The next step is to copy the disk images from the iOS device’s memory to your hard drive. There are two disks to copy:
The System disk contains the iOS installation itself, and is unencrypted. The User disk is the part that contains all the iOS device owner’s information (emails, messages, and so forth) and is – understandably – encrypted.
Copying the System disk takes about 10 minutes, but copying the User disk can take anywhere from half an hour to several hours depending on the size of the disk. Our test unit took just under an hour to copy a 32GB iPhone disk. By default it copies the disks to your Home directory as .DMG files, although you can specify another location.
You can also download the user’s files as a tarball (the TAR file format combines multiple files into a single archive). This is faster than copying the User disk as an image because it copies only the files and not the unused space, though it still takes considerable time. We imagine detailed forensics will require the more thorough image approach.
Once you’ve got the files you still can’t access them. Instead you have to go through the process of getting the keys (the internal codes used to access the User data) and the passcode (the PIN number you use to access the device). Getting the keys is a matter of seconds, but requires you to either have the passcode or the Escrow file (which is stored on a Mac that is synced with the device). Escrow only works with iOS 4 or earlier and is located in /var/db/lockdown (the file is named after the UDID of the device, followed by .plist).
It’s typically easier to get the passcode before getting the keys, although we found it odd that Get Keys was step 4 and Get Passcode was step 5.
Obtaining the passcode uses a brute force attack (continuously entering four-digit combinations until it finds the right one – this is done at a system level so it isn’t susceptible to the 10-entry restriction that users face when physically tapping numbers into the device). It reported entering 3.2 or 3.3 p/s (which we assume means passwords per second), so it can take quite a while (it took about 15 minutes to get the passcode, which is saved in a separate text file).
Finally you can reboot the device and use the device keys to decrypt the Disk and Keychain (to access the keys). You no longer need the iOS device to be connected at this point, which means you can work on the files you have stored on your computer. This saves a separate user file (typically called User-Decrypted.DMG) that you can browse. If you are using a jailbroken phone you might not have to decrypt the original User.dmg file (so it’s worth checking).
In all it’s by no means a simple process, but not one that is beyond somebody with a reasonable amount of computer knowledge and an ability to carefully read the instructions. There is a manual mode that enables you to do each step with a wide range of options and features, but we found the Guided Access Mode walked us fairly effortlessly through the whole process.
Once you’ve got everything off of the phone you end up with a viewable DMG user file that you can open and browse on a Mac like any other volume. Most files are found within the Mobile folder, which contains Applications, Library, and Media.
Here you’ll find everything from music, to SMS messages, Address Book Contacts, and even recorded Voice Mail messages (assuming they’re using Visual Voicemail).
A lot of the files (like the Address Book) are stored as SQLite database files, so you’ll need an SQLite browser to make sense of them. There’s a pretty good one for the Firefox web browser called SQLite Manager and an open source option called SQLite Database Browser. The User.dmg of an iPhone isn’t exactly a user-friendly environment (it’s not designed to be) so don’t expect to be able to find everything at once, but it’s all in there. Incidentally you can take a look at the contents of your user directory from a backup using a program like iPhone / iPod Touch Backup Extractor.
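A small triage script for the SQLite files mentioned above, added here as an example; it is not part of the review or of Elcomsoft’s toolkit. It hashes the database before and after reading (so you can show the evidence file was not altered), opens it with SQLite’s read-only and immutable URI options so no journal or WAL files are created beside it, and lists every table with its columns and row count. The sample database it builds is constructed with a hypothetical schema; real iOS databases such as the Address Book have their own table layouts, so point `triage()` at the actual file from the mounted User-Decrypted.DMG.

```python
"""Triage an SQLite database pulled from an extracted iOS user disk.

Added example, not part of the original review or Elcomsoft's toolkit.
The sample database below is constructed with a hypothetical schema.
"""
import hashlib
import os
import sqlite3
import tempfile


def sha256_file(path):
    """Hash the evidence file so later reads can be checked against it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    """mode=ro refuses writes; immutable=1 stops SQLite from creating
    -journal/-wal/-shm files next to the evidence file."""
    uri = "file:{}?mode=ro&immutable=1".format(os.path.abspath(path))
    return sqlite3.connect(uri, uri=True)


def list_tables(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [r[0] for r in rows]


def table_summary(conn, table):
    """Return (column names, row count). The table name comes from the
    file, not from us, so it is quoted as an identifier."""
    q = '"' + table.replace('"', '""') + '"'
    cols = [c[1] for c in conn.execute("PRAGMA table_info(%s)" % q)]
    count = conn.execute("SELECT COUNT(*) FROM %s" % q).fetchone()[0]
    return cols, count


def triage(path):
    """Hash the file, enumerate tables, then confirm the hash is unchanged."""
    digest = sha256_file(path)
    conn = open_readonly(path)
    try:
        summary = {t: table_summary(conn, t) for t in list_tables(conn)}
    finally:
        conn.close()
    assert sha256_file(path) == digest, "evidence file changed during read"
    return digest, summary


def write_is_rejected(path):
    """True if the read-only handle refuses a write, as it should."""
    conn = open_readonly(path)
    try:
        conn.execute("CREATE TABLE t(x)")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def build_sample_db(path):
    """Constructed stand-in for an extracted database (hypothetical schema)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, first TEXT, last TEXT);
        CREATE TABLE phones(id INTEGER PRIMARY KEY, contact_id INTEGER, number TEXT);
        INSERT INTO contacts VALUES (1, 'Ada', 'Example'), (2, 'Bob', 'Sample');
        INSERT INTO phones VALUES (1, 1, '+1 555 0100'), (2, 1, '+1 555 0101'),
                                  (3, 2, '+1 555 0199');
    """)
    conn.commit()
    conn.close()


# Constructed sample file in a temporary directory (stands in for a real db).
SAMPLE_DB = os.path.join(tempfile.mkdtemp(), "sample.sqlitedb")
build_sample_db(SAMPLE_DB)

if __name__ == "__main__":
    digest, summary = triage(SAMPLE_DB)
    print("sha256:", digest)
    for table, (cols, count) in summary.items():
        print("%-10s %5d rows  columns=%s" % (table, count, ", ".join(cols)))
    print("write rejected on read-only handle:", write_is_rejected(SAMPLE_DB))
```

Working on a copy of the database is still the safer habit, but the read-only open matters even then: an ordinary `sqlite3.connect()` on a database that was mid-transaction when the image was taken may replay or discard its journal on first open, changing the file you are examining.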
We had a lot of success with our dead iPhone. In our case we found that we had to Jailbreak the device first, which managed to fix the battery problem and enable us to enter DFU mode to recover all the data. We could have just done an iTunes backup at this point, but then we wouldn’t have figured out how to extract all data from an iPhone with forensics software. And we wanted to make sure we had it all safe and sound. After we had a decent backup of everything we did a Software Update to remove the Jailbreak and re-installed everything from the iTunes backup.
There are easier options available to you for data extraction than Elcomsoft’s iOS Forensic Toolkit, and if you’re just looking to back up and extract data you might want to investigate Ecamm’s PhoneView, which has a user-friendly interface and enables you to back up images, messages, emails, music and other content from an iOS device. However, PhoneView doesn’t enable you to extract the passcode from the device, and only works if you have either the passcode or have synced the device with your computer. So it’s okay for personal use but far less interesting to serious investigators.