This password is independent from the device passcode.
OSX: ~/Library/Application Support/MobilSync/Backupĭepending on the version of iOS & iTunes, the backup can be protected with a password, which is used to encrypt the backed up data. Windows Vista/7/8: c:users\AppDataRoamingApple ComputerMobileSyncBackup Windows XP: c:Documents and Settings\Application DataApple ComputerMobileSyncBackup An examiner can also look for backups on a computer the device has previously been connected to as another step to analyze data from the device without having access to the device itself. For example, EnCase v7 can acquire an iOS device using this technology (requires iTunes to be installed, but not running). The result of using one of these tools would either be a bit stream (dd) or a DMG image file that could then be analyzed manually or using a forensic analysis tool.Ī file system dump, which is a subset of a physical image, could be performed by several well-known tools such as Cellebrite, Blacklight, Oxygen or XRY.Īpple file connection (AFC) is used with iTunes to conduct a device backup and can be used to perform a backup of data from the device. This would typically be accomplished using a tool such as Cellebrite, XRY, Lantern, Elcomsoft, MPE or the Zdziarski method 1.
When possible, it would be recommended to obtain a full physical memory extraction since that will likely contain data that the file system dump & AFC backup does not (deleted file system data, etc.). file dump vs AFC file backupĭepending on the type of investigation, the tools you have available and the version of the iOS phone you need to examine, you may have a choice whether to conduct a physical memory extraction, a file system dump or an Apple File Connection (AFC) backup. Depending on the iOS version, device hardware version and passcode complexity, the passcode can sometimes be obtained by the forensic tool (such as Cellebrite) using a bruteforce attack.
In many cases, you will need the passcode in order to obtain a physical image or a file system dump.
While iOS seems to be the leading operating system for tablets worldwide, Android continues to be the leading operating system for mobile phones worldwide.
Mobile device, cloud and CDR extractions are merged together in a single intuitive GUI with rich analytical capabilities: determine common locations and contacts for several devices, view all events in a chronological order and much more. Leading edge technologies deployed by Oxygen Forensics allow forensic experts to bypass screen lock passcodes, locate passwords to backups, extract data from encrypted applications and recover deleted information. Multiple sources: mobile devices, their backups, media and SIM cards, cloud services and call data records.
Oxygen Forensic® Detective is all-in-one forensic software to extract and analyze data from Análisis forense de dispositivos móviles / Computer Forensics.