The method for acquiring an iOS device often depends on three variables:

  •  Is the device locked?

  •  To which tools do you have access?

  •  Is the device jailbroken? If not, can you use checkra1n or checkm8?

If the device is unlocked, you can essentially access it using Logical, Advanced Logical, or full file system acquisition methods with your preferred smartphone forensic tool or forensic workstation. Keep in mind that without the specialized tools, you must jailbreak the device to get a full file system extraction. Physical acquisition is unlikely today unless you come across an iPhone preceding the iPhone 5s that is not jailbroken. If you have one of these older devices, we recommend you refer to the bonus slides and lab within the media files, as passcodes on them could be brute forced and simply bypassed. That is a thing of the past unless you have Cellebrite Premium, GrayKey, or send your phone to CAS. I haven't been able to physically acquire an iOS device in years. There is a bonus lab on iPhone Physical Analysis within your media files should you decide you want to examine one, or even poke around to see the differences.

For locked devices containing the A5 or later chip, there is no simple solution that can consistently bypass the lock, so access to the data may not be possible [1]. If the device is locked and running iOS 11+, this is even more difficult. We cover methods for accessing locked devices later in this section. The exception here is jailbroken devices: Elcomsoft iOS Forensic Toolkit can physically acquire jailbroken iOS devices as long as they are not 64-bit, which the iPhone 6 and current devices are. The other exception is leveraging BFU (before first unlock) extraction, which will be discussed in the lock section coming up.

Some full file system extractions may be agent based. Elcomsoft and Belkasoft leverage the agent-based method for obtaining the FFS extraction; at the time of writing, it is supported up to iOS 14.8.

File system acquisitions, by normal standards, provide a logical representation of the files on the device. On iOS devices, users are blocked from accessing certain areas of the file system. Forensic tools such as Cellebrite provide access to the device's file system. The logical data is still obtained during a file system acquisition, but the examiner is also given access to the raw files stored within the file system.

The full file system extraction is the term everyone is excited about, and it is becoming the new standard. In order to obtain a full file system dump, the device must be jailbroken or acquired using GrayKey, Cellebrite Premium, or a dump created by Cellebrite Advanced Services (CAS). Keep in mind that we now have a jailbreak: checkra1n. We also have checkm8 built into UFED.

Physical acquisition is a full memory dump of the device. Tools such as Cellebrite use custom bootloaders to access the areas of flash memory storing data, which is why locked devices can be brute forced to gain access to the full flash memory. Most devices are not supported for physical acquisition. Physical acquisition of iOS devices is not a true physical dump, in that the encrypted areas of unallocated space are not provided to the examiner and are simply not captured. Cellebrite's CAIS may be able to access locked iOS devices and provide physical dumps of the data for a fee.
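As an added example that is not part of the course material, the triage described in the paragraphs above (lock state, available tools, jailbreak/checkm8) can be written as a small decision function. The device flags, the "most complete first" ordering, and the option labels are an assumed encoding of this section's rules; the tool names are the ones this section names.

```python
from dataclasses import dataclass

# Added example, not course code: the three triage variables (lock state,
# available tools, jailbreak/checkm8) as a decision function. The flags and
# the "most complete first" ordering are an assumed encoding of the text.


@dataclass(frozen=True)
class Device:
    locked: bool
    jailbroken: bool
    checkm8_capable: bool   # checkra1n/checkm8 applies to this hardware
    is_64bit: bool          # iPhone 6 and later, per the text
    pre_5s: bool            # hardware older than the iPhone 5s
    ios_major: int
    ios_minor: int = 0
    bfu: bool = False       # powered on but never unlocked since boot


PREMIUM_SERVICES = {"GrayKey", "Cellebrite Premium", "CAS"}
AGENT_TOOLS = {"Elcomsoft", "Belkasoft"}   # agent-based FFS, up to iOS 14.8


def acquisition_options(dev: Device, tools: set[str]) -> list[str]:
    """Return the acquisition methods worth attempting, most complete first.

    An empty list means the course text offers no route for this combination.
    """
    opts: list[str] = []
    premium = bool(PREMIUM_SERVICES & tools)
    agent_ok = bool(AGENT_TOOLS & tools) and (dev.ios_major, dev.ios_minor) <= (14, 8)
    # Elcomsoft physical acquisition: jailbroken, 32-bit hardware only.
    elcomsoft_phys = dev.jailbroken and not dev.is_64bit and "Elcomsoft" in tools

    if not dev.locked:
        if dev.pre_5s or elcomsoft_phys:
            opts.append("physical")
        # Full file system needs a jailbreak, checkm8, a premium service, or an agent.
        if dev.jailbroken or dev.checkm8_capable or premium or agent_ok:
            opts.append("full file system")
        opts += ["advanced logical", "logical"]
        return opts

    # Locked: A5+ hardware has no consistent bypass; only these exceptions remain.
    if dev.pre_5s or elcomsoft_phys:
        opts.append("physical")
    if premium:
        opts.append("full file system (premium service)")
    if dev.bfu and (dev.checkm8_capable or dev.jailbroken):
        opts.append("BFU partial file system")
    return opts
```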

Free methods for acquiring iOS devices are possible if the device is unlocked and/or jailbroken. Sarah Edwards, the author of FOR518, released a blog on acquiring iOS devices for free, which can be found at mac4n6.com.

Several tools are available commercially that support Logical, Advanced Logical/File System, Full file system and Physical acquisition of iOS devices. The table shown on the slide in this section titled "iOS Forensic Acquisition Support" remains true for all commercial tools when it comes to device locks and passcodes. Some of the most popular iOS acquisition tools include Cellebrite UFED, Cellebrite Physical Analyzer, Oxygen, Magnet Acquire, Elcomsoft iOS Forensic Toolkit, Belkasoft, MSAB XRY, and more.

To determine the best tool for your investigation, make sure to test all aspects of the tool, not just acquisition, but also analysis.

Reference:

[1] https://for585.com/models