When I analyzed the file system extraction with the Physical Analyzer software by UFED I got the same results as the Oxygen Forensic Suite. I was not surprised by this. Here is what the file system looked like for the Snapchat app.
The Snapchat app contained a Documents folder and a Library folder. In the Documents folder was a plist file called user.plist. In the Library folder there was a Preferences folder that contained a plist file called com.toyopagroup.picaboo.plist. These two plist files were the same plist files found by the Oxygen Forensic Suite.
I also wanted to try the mobile forensics tool XRY. I used XRY Complete, but unfortunately it could not do a physical extraction of the iPhone 4S. So, I did a logical extraction of the phone.
In the Documents section of the extraction I was able to locate the two plists that were found with the Oxygen Forensic Suite and the UFED Cellebrite.
com.toyopagroup.picaboo.plist
user.plist
The next step I will take in this project is to jailbreak the iPhone 4S so I can then create a physical dd image of the phone, and also take a memory dump.
I'm doing similar research on Android. So far I've managed to find both images and videos that have been loaded but not viewed. From there it's not hard to extract them without the sender knowing. If you're interested in my findings let me know.
Hi Joe, my name is Abdi. I am doing a similar project on Android for about 3 different apps, including Snapchat. For that reason I am interested in your findings; please send them to my email: abdisalan171@gmail.com
Thanks
Which one has more data? XRY or UFED?
Terry
Nice post with lovely tutorial. I really appreciate your work. Thanks for sharing. cheapest iphone
Hi Christine,
Interesting analysis. I am also working on iOS Forensics / Anti-forensics and you will definitely find related material on my blog: http://binary-insecurity.blogspot.com, although it is not specifically focused on Digital Forensics.
The solution to protecting your new iPhone is actually quite simple 4s though all the talk about skins, cases, wallets, and screen protectors can be a little bewildering.
Christine, I'm curious why you used the UFED Classic machine to do the extraction. Physical Analyzer has an iOS extraction module that works better. It should pull most everything and even deleted items in some instances. Lantern is a great iOS forensic tool also. Also make sure your version is updated! There have been a few changes in PA3.
Can you evit sexting with snapchat iphone?
Thank you for sharing this information, I'd like to see what you think of Kik Online in one of your next posts please!