Channel: Forensic Focus Forums - Recent Topics

Mobile Phone Forensics: iPhone Backup is Password Protected

tfink26 wrote: I am currently working with an iPhone 4s from a homicide investigation. The phone is not password protected but Cellebrite Physical and Oxygen Standard are unable to process it. Each tool gives me a message stating that the iTunes Backup Files are password protected.

Cellebrite Physical acquisition on an iPhone 4S is not possible; only a Logical or File System extraction can be made on this handset model.

randomaccess wrote: I wouldn't jailbreak to get the keychain password unless you have to.

Even if you were to obtain the keychain by the jailbreaking method, wouldn't the keychain be impossible to crack with the Python "decrypto" module, as Apple changed the AES encryption algorithm when it went to iPhone 4S? iPhone 4S shipped with iOS5, so all attributes are now encrypted. On the encryption side, AES-GCM is used instead of AES-CBC. (AES-GCM is included in NSA Cryptography.) Any partition on the phone can be encrypted and there are new protection classes: NSFileProtectionComplete.

I've found XRY will read in an iPhone 4S that is running in encrypted mode, where it will read in the iTunes backup data first, note it's encrypted and carry on to read the rest of the data on the phone. After an XRY dump, the latest version has modules added in that can decrypt certain data that has been read in: SMS, MMS, pictures, etc. Cellebrite and presumably Oxygen can't overcome this first step during the "Read Phone Info" stage.

What about syncing the exhibit to a virtual image of the computer, firing up iTunes, de-selecting the option to encrypt backup, and re-syncing the phone to iTunes with the encryption de-selected to see how this goes?
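The "backup is password protected" state the tools report can be confirmed from the backup's own Manifest.plist before choosing an approach. This is an added example, not part of the forum post or any tool named in it; it assumes the standard iTunes backup layout with `IsEncrypted`, `BackupKeyBag`, `WasPasscodeSet` and `Lockdown` keys, and the sample manifests are constructed.

```python
import plistlib
import tempfile
from pathlib import Path


def triage_backup(backup_dir):
    """Summarise the encryption state recorded in an iTunes backup's Manifest.plist."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # accepts both XML and binary plists

    lockdown = manifest.get("Lockdown", {})
    keybag = manifest.get("BackupKeyBag")
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "keybag_bytes": len(keybag) if keybag else 0,
        "passcode_set": manifest.get("WasPasscodeSet"),
        "product_type": lockdown.get("ProductType"),
        "ios_version": lockdown.get("ProductVersion"),
    }


def build_sample_backup(root, encrypted):
    """Write a constructed Manifest.plist (sample data, not from a real device)."""
    backup_dir = Path(root) / ("enc" if encrypted else "plain")
    backup_dir.mkdir()
    manifest = {
        "IsEncrypted": encrypted,
        "WasPasscodeSet": False,  # handset has no passcode, as in the post
        "Lockdown": {"ProductType": "iPhone4,1", "ProductVersion": "5.1.1"},
    }
    if encrypted:
        manifest["BackupKeyBag"] = b"\x00" * 64  # constructed placeholder bytes
    with (backup_dir / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    return backup_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for flag in (True, False):
            print(triage_backup(build_sample_backup(tmp, flag)))
```

Run it against a working copy of the backup folder, never the original evidence.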
