2
How do I mount my iphone to look at it's files forensically? I have FTK Imager (the only free program I could find) but it doesnt mount it as a drive and I can't seem to take a forensic image of the iphone. I am looking to get the cell tower logs (Cells.plist) file and I cant find a program or method to do it. The phone is not jailbroken and I do not want to do so. I have tried FTK on the windows PC with no luck. I have tried many things on my mac but no dice. Moreover, I cant seem to get the iphone to display in 'devices' on the mac either (although the Iexplorer program works but just not accessing the real good files). What am I not understanding here? Is there a way to take an image of the iphone itself (and not just its storage partition)? Edit: Tools like Oxygen, AccessData, Encase, etc supposedly allow the more in depth analysis (such as the cell tower logs) but I cannot find a solution that is not thousands of dollars! Also, Oxygen has a 'free' version but that only allows access to the crap you can find with Iexplorer anyway... Answer: You can try with iFunBox or iExplorer, but the really juicy stuff isn't available that easily. Most forensic tools go through a process which involves having the iPhone do a backup through iTunes, and then the tool will analyze the files stored in the backup. Without having forensic tools available, you can try one of many tools like this:https://code.google.com/p/iphonebackupbrowser/ This will let you browse the files inside the backup. Realize that everything might not be available because Apple is the gatekeeper. They decide what files to stuff into the backup. Edit: You cannot think about an iOS device as a drive. Android works as a drive because its design allows for us to grab a drive image. iOS is designed to only allow you access to what they decide you should. There are many forensic tools that support physical acquisition***. http://elcomsoft.com/eift.html (see the chart at bottom) http://www.oxygen-forensic.com/en/compare/devices/software-for-iphone (sta tements at bottom) http://www.cellebrite.com/mobile-forensics/capabilities/ios-forensics (exp and support section at bottom) All of these tools have exceptions that state you cannot acquire a 4S or

FTK Imager

Embed Size (px)

DESCRIPTION

FTK Imager

Citation preview

How do I mount my iphone to look at it's files forensically? I have FTK Imager (the only free program I could find) but it doesnt mount it as a drive and I can't seem to take a forensic image of the iphone. I am looking to get the cell tower logs (Cells.plist) file and I cant find a program or method to do it.

The phone is not jailbroken and I do not want to do so. I have tried FTK on the windows PC with no luck. I have tried many things on my mac but no dice. Moreover, I cant seem to get the iphone to display in 'devices' on the mac either (although the Iexplorer program works but just not accessing the real good files).

What am I not understanding here? Is there a way to take an image of the iphone itself (and not just its storage partition)?

Edit:Tools like Oxygen, AccessData, Encase, etc supposedly allow the more in depth analysis (such as the cell tower logs) but I cannot find a solution that is not thousands of dollars! Also, Oxygen has a 'free' version but that only allows access to the crap you can find with Iexplorer anyway...

Answer:

You can try with iFunBox or iExplorer, but the really juicy stuff isn't available that easily. Most forensic tools go through a process which involves having the iPhone do a backup through iTunes, and then the tool will analyze the files stored in the backup.

Without having forensic tools available, you can try one of many tools like this:https://code.google.com/p/iphonebackupbrowser/This will let you browse the files inside the backup. Realize that everything might not be available because Apple is the gatekeeper. They decide what files to stuff into the backup.

Edit: You cannot think about an iOS device as a drive. Android works as a drive because its design allows for us to grab a drive image. iOS is designed to only allow you access to what they decide you should.

There are many forensic tools that support physical acquisition***.http://elcomsoft.com/eift.html(see the chart at bottom)http://www.oxygen-forensic.com/en/compare/devices/software-for-iphone(statements at bottom)http://www.cellebrite.com/mobile-forensics/capabilities/ios-forensics(expand support section at bottom)All of these tools have exceptions that state you cannot acquire a 4S or newer. There is an exploit in the non-updatable bootloader code on the 4 that allows physical acquisition, otherwise it would be a no-go as well.

You can read through Apple's security design and see why we have such difficulties.http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdfThe iTunes backup is the most forensicly sound method of acquiring data from iOS because it uses the phone to do what it is programmed to do naturally.


Live View: A New View on Forensic Imaging - withani.net · 2018-07-14 · software used was FTK Imager Version 3.1.0 and the version of VMware used was Version 7.0. The Microsoft

Live View: A New View on Forensic Imaging - withani.net · 2018-07-14 · software used was FTK Imager Version 3.1.0 and the version of VMware used was Version 7.0. The Microsoft

Documents
FTK Au Bureau 2013

FTK Au Bureau 2013

Documents
Hochschule Wismar, Studiengang Master „IT Sicherheit und ...auch Image genannt, zu erstellen. Für die Erstellung des Images soll das Werkzeug FTK Imager genutzt werden. Die so durchgeführte

Hochschule Wismar, Studiengang Master „IT Sicherheit und ...auch Image genannt, zu erstellen. Für die Erstellung des Images soll das Werkzeug FTK Imager genutzt werden. Die so durchgeführte

Documents
APPLICATION OF MULTIPLEscindeks-clanci.ceon.rs/data/pdf/0042-8469/2016/0042... · 2017-06-08 · X-Ways, i.e. their digital forensics software tools named EnCase, FTK (FTK Imager)

APPLICATION OF MULTIPLEscindeks-clanci.ceon.rs/data/pdf/0042-8469/2016/0042... · 2017-06-08 · X-Ways, i.e. their digital forensics software tools named EnCase, FTK (FTK Imager)

Documents
o t i u FTK Imager t a r G - reydes.com Hacking Countermeasures, Cisco CCNA Security, ... 0x11 OWASP Perú Chapter Meeting, además de Conferencista e Intructor en PERUHACK

o t i u FTK Imager t a r G - reydes.com Hacking Countermeasures, Cisco CCNA Security, ... 0x11 OWASP Perú Chapter Meeting, además de Conferencista e Intructor en PERUHACK

Documents
How-To Guide Image a Hard Disk Using FTK Imager

How-To Guide Image a Hard Disk Using FTK Imager

Documents
FTK Imager 2.6.1

FTK Imager 2.6.1

Documents
Bones & Bytes Digital Forensics Group C Summer Bridge 2015 FTK Imager Cookies Steganography

Bones & Bytes Digital Forensics Group C Summer Bridge 2015 FTK Imager Cookies Steganography

Documents
Test Results for Digital Data Acquisition Tool: FTK Imager CLI 2.9

Test Results for Digital Data Acquisition Tool: FTK Imager CLI 2.9

Documents
Evidence Acquisition Using AccessD ata FTK Imager · acquiring and analyzing computer forensic evidence. ... E01: this format is a proprietary format developed by Guidance Software’s

Evidence Acquisition Using AccessD ata FTK Imager · acquiring and analyzing computer forensic evidence. ... E01: this format is a proprietary format developed by Guidance Software’s

Documents
Laporan Pelayaran IPTEK FTK

Laporan Pelayaran IPTEK FTK

Documents
FTK Imager User Guide

FTK Imager User Guide

Documents
FTK Rear Transition Module

FTK Rear Transition Module

Documents
Ingeniería Informática · Investigación y resolución de incidentes de seguridad y análisis forense para determinar la causa raíz (FTK Imager, enCase, volatility, etc.) Extracción

Ingeniería Informática · Investigación y resolución de incidentes de seguridad y análisis forense para determinar la causa raíz (FTK Imager, enCase, volatility, etc.) Extracción

Documents
Digital Forensics Tutorials Acquiring an Image with …fortega/spring17/df/research/...Digital Forensics Tutorials – Acquiring an Image with FTK Imager Explanation Section Digital

Digital Forensics Tutorials Acquiring an Image with …fortega/spring17/df/research/...Digital Forensics Tutorials – Acquiring an Image with FTK Imager Explanation Section Digital

Documents
BORANG FTK

BORANG FTK

Documents
Test Results for Digital Data Acquisition Tool: FTK Imager ...AccessData’s FTK Imager CLI v2.9 Debian is designed to image and restore hard drives and other secondary storage. It

Test Results for Digital Data Acquisition Tool: FTK Imager ...AccessData’s FTK Imager CLI v2.9 Debian is designed to image and restore hard drives and other secondary storage. It

Documents
FM (FTK) -

FM (FTK) -

Documents
Institutional Records & Archives March 2017files.archivists.org/groups/museum/standards/8. Workflow Documen… · 2. Create image using FTK Imager. As a general rule, use Bagger to

Institutional Records & Archives March 2017files.archivists.org/groups/museum/standards/8. Workflow Documen… · 2. Create image using FTK Imager. As a general rule, use Bagger to

Documents
Flotek Industries (FTK) Memo - University of Virginia · Flotek Industries (FTK) Memo Company(Description(Flotek'Industries'[FTK]'is'a'diversified'global'supplier'of'drilling'and'production'related'products'and'services

Flotek Industries (FTK) Memo - University of Virginia · Flotek Industries (FTK) Memo Company(Description(Flotek'Industries'[FTK]'is'a'diversified'global'supplier'of'drilling'and'production'related'products'and'services

Documents
Universidad del Azuay - dspace.uazuay.edu.ecdspace.uazuay.edu.ec/bitstream/datos/2381/1/07425.pdfImagen 3.3. Selección de la unidad a través del FTK Imager 45 Imagen 3.4. Opción

Universidad del Azuay - dspace.uazuay.edu.ecdspace.uazuay.edu.ec/bitstream/datos/2381/1/07425.pdfImagen 3.3. Selección de la unidad a través del FTK Imager 45 Imagen 3.4. Opción

Documents
Zomercongres Kring van Pensioenspecialisten...• 04 2010 Brief naar 2e Kamer evaluatie FTK • 05 2012 Hoofdlijnennota herziening FTK • 07 2013 Voorontwerp FTK in consultatie •

Zomercongres Kring van Pensioenspecialisten...• 04 2010 Brief naar 2e Kamer evaluatie FTK • 05 2012 Hoofdlijnennota herziening FTK • 07 2013 Voorontwerp FTK in consultatie •

Documents
FTK Imager v3.4.2 - United States Department of … Data FTK Imager Version 3.4.2.6 Federated Testing Test Suite for Disk Imaging ..... the test case name) to an image file using a

FTK Imager v3.4.2 - United States Department of … Data FTK Imager Version 3.4.2.6 Federated Testing Test Suite for Disk Imaging ..... the test case name) to an image file using a

Documents
FTK Imager Background I. The Process for Adding Individual ...€¦ · Encase v7.09 (DHS, 2014a) *NOTE: Typo shown below from DHS. Title for results below read PhotoRec_v7.0 for results

FTK Imager Background I. The Process for Adding Individual ...€¦ · Encase v7.09 (DHS, 2014a) *NOTE: Typo shown below from DHS. Title for results below read PhotoRec_v7.0 for results

Documents
11 Ftk Construction

11 Ftk Construction

Documents
Peto prez ftk

Peto prez ftk

Education
SECHE-LINGE FTK 111

SECHE-LINGE FTK 111

Documents
FTK Heizungsfilter Low

FTK Heizungsfilter Low

Documents
Infkonyvtar prez ftk

Infkonyvtar prez ftk

Education
FTK Status – future developments

FTK Status – future developments

Documents