Unlocked iPhone 6s data extraction blocked

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Go to page 1 , 2 , 3 Next

Unlocked iPhone 6s data extraction blocked

Post Posted: Tue Nov 14, 2017 2:15 pm

I have an unlocked iPhone 6s v. 10.3.3 and i'm trying to extract the data using Oxygen-forensic Analyst version but unfortunately it asks for pass code to complete the data extraction process (backup method). The same happens when I create a backup using i Tunes and try to examine it.
so the questions are:
1- Any definition about the problem, is it a pass code protection for the data or is it a sort of data encryption?
2- I think Oxygen-forensic Analyst is not capable to bypass this obstacle, am I right or not? so, any suggestion for other software can fix it? (I'm about to download MAGNET trial)


PS: The phone had a pass code and I already turned it off using the correct pass code with no troubles.

meroslave
Member

    Re: Unlocked iPhone 6s data extraction blocked

    Post Posted: Tue Nov 14, 2017 2:18 pm


    meroslave
    Member

      Re: Unlocked iPhone 6s data extraction blocked

      Post Posted: Tue Nov 14, 2017 3:13 pm

      This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

      You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

      So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

      Jamie

      mcman
      Senior Member

        Re: Unlocked iPhone 6s data extraction blocked

        Post Posted: Tue Nov 14, 2017 3:16 pm

        Try researching the iTunes backup password - is this something you can ask the user for?

        Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

        To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

        lcherne
        Newbie

          Re: Unlocked iPhone 6s data extraction blocked

          Post Posted: Tue Nov 14, 2017 3:43 pm

          - mcman
          This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

          You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

          So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

          Jamie


          Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
          Any alternatives?

          meroslave
          Member

            Re: Unlocked iPhone 6s data extraction blocked

            Post Posted: Tue Nov 14, 2017 4:05 pm

            - lcherne
            Try researching the iTunes backup password - is this something you can ask the user for?

            Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

            To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

            The user denied that he made a backup password and he only gives the phone pass code.

            meroslave
            Member

              Re: Unlocked iPhone 6s data extraction blocked

              Post Posted: Wed Nov 15, 2017 7:53 am

              - meroslave


              Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
              Any alternatives?


              For iOS, all you're getting is a iTunes backup no matter what tool you use. Oxygen, Cellebrite, XRY, Magnet ACQUIRE/AXIOM, all will only give you an iTunes backup for anything running iOS 8.3 or newer. With older versions of iOS you could get file relay data but Apple shut that door with iOS 8.3. You can't get physical extraction on anything iPhone 4S or newer due to encryption.

              If you use Cellebrite's paid unlocking service (CAIS), they can unlock and dump an iPhone 6(s) running iOS 10 I believe but you're going to be paying a decent chunk of money for the ability to unlock that one single phone. Depends if the case is worth it for you I guess but there are no tools out there magically cracking the latest iOS beyond an iTunes backup, which in your case, is encrypted (the user may or may not know this password, I've come across many who had no idea, best bet, ask them for their iTunes or Apple ID password, it's often the same).

              You can also try cracking it as stated by others. If you have a backup on a PC you can use the keychain to unlock. If not, try giving Passware/Elcomsoft (paid), or hashcat (free) a go at cracking the backup.

              The iOS struggle is real, see Apple/FBI/San Bernardino.

              Jamie

              mcman
              Senior Member
                Page 1 of 3
                Go to page 1 , 2 , 3 Next




                ± Forensic Focus Partners

                ± Your Account



                Site Members:

                New Today: 0 Overall: 33043
                New Yesterday: 0 Visitors: 204

                ± Follow Forensic Focus

                Forensic Focus Facebook Page Forensic Focus on Twitter Forensic Focus LinkedIn Group Forensic Focus YouTube Channel

                RSS feeds: News Forums Articles

                ± Latest Articles

                ± Latest Webinars


                Build a Mobile Site
                View Site in Mobile | Classic
                Share by: