Channel: Forensic Focus Forums - Recent Topics

Forensic Hardware: Besides Cellebrite is there an alternative

mrpumba wrote: Besides Cellebrite is there an alternative to capturing data from a cell phone on the physical side (i.e. deleted items)? In addition to bypassing the swipe or passcode on these devices?

As usual some of my colleagues give just general answers to the question having many "if's". The answer depends on what devices you're speaking about and on what you're assuming under "physical".

For iOS devices:

1. For some reason it's generally accepted that just a file system dump is currently assumed under "physical". There is currently no known solution to find deleted files (except the 8Mb HFS journal) for iOS 4.x and above.
2. There is a chance to find thumbnails for deleted photos in the iOS thumbnails database, and there is no need to go "physical" for that. This database is available with logical extraction too.
3. The SQLite database format is the standard to store data in iOS (as well as in Android, by the way). And the only way to extract deleted items of any kind (contacts, messages, calls and so on, including 3rd party apps' data) is examining so-called "free pages" in the SQLite file.
4. The main databases (calls, messages, contacts etc.) are extracted even logically, using the iTunes backup procedure. So in 99% of cases you don't need a "physical" solution to extract the required deleted items.
5. When do you need "physical", i.e. complete file systems? Only in cases where the interesting databases or files are not included in the iTunes backup. Known examples are the Facebook and Foursquare apps.
6. What you cannot do without a "physical" solution is bypass the passcode. I agree, it's a very important thing and in my opinion the main reason to use "physical" tools.
7. Does the "physical" approach help with all iOS devices? My colleagues from CB and XRY usually avoid this question :-), because the answer is "no". Currently there is no known way to bypass the passcode for iPhone 4S, iPhone 5, iPad 2,3,4 and iPad mini.
8. There is an absolutely free and open source solution, whose code is actually used in all more or less expensive mobile forensic tools claiming "physical" extraction and passcode bypassing: https://code.google.com/p/iphone-dataprotection/ .
9. The main disadvantage of the "iphone-dataprotection" project is that it opens partitions in read-write mode. You must be warned about that since it's not a completely forensic way.
10. To sum it up, logical extraction is usually enough to find deleted items. And there is no tool that can help you with the recent iOS devices if they're passcode-locked. But in all other cases, in my opinion the optimal set is UFED (great for mobility and extracting data from a lot of devices) plus Oxygen Forensic Suite (has good visual data representation and a lot of analytical tools, and can open images of iOS devices extracted by UFED).

P.S. You can check how "Deleted items" from iOS or Android devices look in Oxygen SQLite Viewer: http://www.oxygen-forensic.com/en/features/sqliteviewer/

WBR, Oleg.
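Point 3 of the reply above is the part an examiner can reproduce on the bench: deleted rows in an SQLite file are not gone until the page they lived on is reused or the file is vacuumed, and pages the b-tree no longer needs are parked on the file's freelist with their old bytes intact. The following Python is an added example, not code from the thread or from any of the tools named in it. It constructs a throwaway "messages" database (table name, contact names and the DELETEDMSG marker are all made up here), deletes most rows, then walks the freelist directly from the file header (page size at offset 16, first freelist trunk page at offset 32, freelist page count at offset 36; each trunk page holds a next-trunk pointer, a leaf count and the leaf page numbers) and carves printable text from every free page. The secure_delete and auto_vacuum pragmas are set explicitly so the demonstration does not depend on how the local SQLite was compiled.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed marker embedded in the sample rows so recovered text is easy to recognise.
MARKER = "DELETEDMSG"


def build_sample_db(path):
    """Construct a small messages database, then delete most of its rows.

    With secure_delete off, deleted bytes are not zeroed; with auto_vacuum off,
    emptied b-tree pages stay in the file and are chained on the freelist.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size=1024")      # small pages -> many pages freed
    con.execute("PRAGMA auto_vacuum=NONE")    # must be set before any table exists
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    rows = [(i, "contact%03d" % i, "%s%03d meeting at noon" % (MARKER, i)) for i in range(200)]
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM messages WHERE id >= 10")  # 190 of 200 rows 'disappear'
    con.commit()
    con.close()


def live_row_count(path):
    """What a logical query still sees after the delete."""
    con = sqlite3.connect(path)
    n = con.execute("SELECT count(*) FROM messages").fetchone()[0]
    con.close()
    return n


def read_header(data):
    """Return (page_size, first_freelist_trunk, freelist_page_count) from the 100-byte header."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 file")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:            # the format encodes 65536 as 1
        page_size = 65536
    first_trunk, free_count = struct.unpack(">II", data[32:40])
    return page_size, first_trunk, free_count


def page_bytes(data, page_size, pgno):
    """SQLite page numbers are 1-based."""
    return data[(pgno - 1) * page_size: pgno * page_size]


def freelist_pages(data):
    """Walk the trunk chain and return (page_size, [every freelist page: trunks and leaves])."""
    page_size, trunk, free_count = read_header(data)
    pages = []
    # The len() guard stops a corrupted or cyclic chain from looping forever.
    while trunk != 0 and len(pages) <= free_count:
        pages.append(trunk)
        body = page_bytes(data, page_size, trunk)
        next_trunk, n_leaves = struct.unpack(">II", body[:8])
        pages.extend(struct.unpack(">%dI" % n_leaves, body[8:8 + 4 * n_leaves]))
        trunk = next_trunk
    return page_size, pages


def carve_free_pages(path, min_len=8):
    """Carve printable ASCII runs from freelist pages; returns [(page_no, text), ...]."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size, pages = freelist_pages(data)
    found = []
    for pgno in pages:
        body = page_bytes(data, page_size, pgno)
        # A trunk page has its first bytes overwritten by freelist bookkeeping, but
        # records are stored from the end of the page, so cell text usually survives.
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, body):
            found.append((pgno, m.group().decode("ascii")))
    return found


def demo():
    """Build the sample file and compare the logical view with what the free pages hold."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_sample_db(path)
        live = live_row_count(path)
        carved = carve_free_pages(path)
        recovered = sorted({text for _, text in carved if MARKER in text})
        return live, len(carved), recovered


if __name__ == "__main__":
    live, n_strings, recovered = demo()
    print("rows visible to SQL:", live)
    print("strings carved from free pages:", n_strings)
    for text in recovered[:5]:
        print("  ", text)
```

Two caveats matter when you run this against a real handset database rather than the constructed one: a file in WAL mode keeps recent changes in the -wal side file until a checkpoint, so carve that file too, and a database opened by a tool that issues VACUUM or has secure_delete compiled on will have nothing left on the freelist. Deleted rows that did not empty their page also leave residue inside live pages (in freeblocks and unallocated space), which this freelist-only walk deliberately does not cover.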