Thursday, February 21, 2013

iPhone 4S Analysis with UFED Cellebrite and XRY

Today I completed a file system analysis of the iPhone 4S with the UFED Cellebrite.  I wanted to do a physical extraction of the iPhone 4S, but Cellebrite cannot do a physical extraction for the iPhone 4S.



When I analyzed the file system extraction with the Physical Analyzer software by UFED I got the same results as the Oxygen Forensic Suite.  I was not surprised by this.  Here is what the file system looked like for the Snapchat app.


The Snapchat app contained a Documents folder and a Library folder.  In the Documents folder was a plist file called user.plist.  In the Library folder there was a Preferences folder that contained a plist file called com.toyopagroup.picaboo.plist.  These two plist files were the same plist files found by the Oxygen Forensic Suite.

I also wanted to try the mobile forensics tool XRY.  I used the XRY Complete, but unfortunately it could not do a physical extraction of the iPhone 4S. So, I did a logical extraction of the phone.

In the Documents section of the extraction I was able to locate the two plists that were found with the Oxygen Forensic Suite and the UFED Cellebrite.

com.toyopagroup.picaboo.plist


user.plist
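As an added example (not from the original post and not code from Cellebrite, XRY or Oxygen), the script below walks an extracted iOS app container laid out as described above (Documents/ and Library/Preferences/), parses every plist whether it is XML or binary, and lists the top-level keys so an examiner can see at a glance what each file holds. The container contents and key names are constructed sample data, and one deliberately corrupt file is included to show that a bad plist is reported rather than stopping the run.

```python
import os
import plistlib
import tempfile

# Constructed sample data mirroring the two plist locations the post describes.
# Key names are made up for illustration.
SAMPLE_CONTAINER = {
    "Documents/user.plist": {"username": "example_user", "friends": ["a", "b"]},
    "Library/Preferences/com.toyopagroup.picaboo.plist": {"lastLogin": "2013-02-21"},
}

def build_sample_container(root):
    """Write the constructed plists under root, one as XML and one as binary,
    so the walker is exercised against both encodings seen on iOS."""
    fmts = [plistlib.FMT_XML, plistlib.FMT_BINARY]
    for (rel, data), fmt in zip(SAMPLE_CONTAINER.items(), fmts):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(data, fh, fmt=fmt)
    # A deliberately corrupt file: neither a bplist00 header nor XML.
    with open(os.path.join(root, "Documents", "broken.plist"), "wb") as fh:
        fh.write(b"\x00garbage")

def triage_plists(root):
    """Walk an extracted app container and return {relative_path: top-level keys}.
    plistlib.load() sniffs XML vs. binary; unparseable files are recorded
    with an error string instead of aborting the whole triage."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = plistlib.load(fh)
                found[rel] = sorted(data.keys()) if isinstance(data, dict) else type(data).__name__
            except Exception as exc:  # corrupt or non-plist content
                found[rel] = f"ERROR: {exc}"
    return found

def demo():
    """Build the sample container in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return triage_plists(root)

if __name__ == "__main__":
    for rel, keys in demo().items():
        print(rel, keys)
```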

The next step I will take in this project is to jailbreak the iPhone 4S so I can then create a physical dd image of the phone, and also take a memory dump.





11 comments:

  1. I'm doing similar research on Android. So far I've managed to find both images and videos that have been loaded but not viewed. From there it's not hard to extract them without the sender knowing. If you're interested in my findings, let me know.

    Replies
    1. Hi Joe, my name is Abdi. I am doing a similar project on Android, for about 3 different apps including Snapchat. For that reason I am interested in your findings; please send them to my email: abdisalan171@gmail.com

      Thanks
  2. Which one has more data? XRY or UFED?

    Terry

  3. Nice post with a lovely tutorial. I really appreciate your work. Thanks for sharing. cheapest iPhone
  4. This comment has been removed by the author.

  5. Hi Christine,

    Interesting analysis. I am also working on iOS Forensics / Anti-forensics and you will definitely find related material on my blog: http://binary-insecurity.blogspot.com, although it is not specifically focused on Digital Forensics.

  6. The solution to protecting your new iPhone 4S is actually quite simple, though all the talk about skins, cases, wallets, and screen protectors can be a little bewildering.
  7. Christine, I'm curious why you used the UFED Classic machine to do the extraction. Physical Analyzer has an iOS extraction module that works better. It should pull most everything and even deleted items in some instances. Lantern is a great iOS forensic tool also. Also make sure your version is updated! There have been a few changes in PA3.

  8. Thank you for sharing this information, I'd like to see what you think of Kik Online in one of your next posts please!
