1. Which method is best for extracting data from iOS devices?

This question has come up so many times over the last few years and I am happy to say, the answer is simple. UFED Touch 2 and UFED 4PC have all the extraction options built into one platform. There is no longer the need to worry about multiple methods, which is best and how do they differ. Within UFED, you have the option to conduct multiple iOS extractions.

When it comes to iOS device extraction, a Full File System is best and checkm8 wins the prize here. If you can obtain a checkm8 extraction of an iOS device, that’s all you need. If a device arrives in your labs in a jailbroken state, simply leverage the UFED and get your Full File System image of the device. If a Full File System with checkm8 isn’t possible and the device you wish to acquire isn’t already jailbroken, the next best method is to get an Advanced Logical extraction.

To get an Advanced Logical on UFED, you must first go to Advanced Logical

And then into File System.

Once you select the path to save your extraction, the UFED will provide you instructions to successfully connect to the iOS device. Make sure you read them as they are helpful and necessary., After Trusting the device, the UFED prompt will alert you if the device is encrypted or not. This means encrypted with an iTunes passcode. Even on MacOS, where Finder is used to create backups, this encryption is tracked. Below we can see that iTunes backup encryption is NOT set on the device.

This means you need to enable UFED to encrypt the extraction with a temporary password to grab certain artifacts from the device.

Bottom line, you MUST encrypt the backup extraction if the user has not previously set one. If the device owner has a password in place, you will need that iTunes passcode, not the device passcode, to parse the image in Physical Analyzer or any other forensic tool.

In summary, my recommendations for non-jailbroken iOS devices:

  1. Try checkm8 on UFED
  2. Use either UFED to obtain an Advanced Logical Extraction with backup encryption enabled

For those wondering if the extraction you obtained with these recommended steps is enough, keep reading this blog.

2. Is it possible to obtain a physical extraction of Android devices that have Full Disk Encryption (FDE)?

I could take the easy way out on this one and say, “it depends” but I will try to explain why. First, let us discuss the differences between FDE and FBE. Full Disk Encryption (FDE) has one encryption key for the entire memory range, or data storage area. If UFED can leverage that key, a physical acquisition can be obtained, and the data will be decrypted for analysis. File Based Encryption (FBE) is more complex as each file has its own encryption key.

So, in short, it is possible to obtain physical acquisition from Android devices that leverage FDE. Please refer to the resources at the end of this blog for webinar links and blogs that may help solidify this knowledge and terminology in your mind.

3. Is the UFED adapter needed for Qualcomm Live on UFED4PC or Touch 2 as well?

This question was asked several times after the first webinar in the series. I showed the UFED adapter needed to connect my Android to the PC to complete extractions leveraging Qualcomm Live. Many were concerned that they didn’t have the adapter and I am happy to inform you that the UFED adapter is only needed for UFED4PC. When I conduct Qualcomm Live extractions on my UFED Touch 2, the prompt to connect the adapter is not presented as it’s not required on the Cellebrite hardware.

4. Can you damage a device by selecting the incorrect profile?

Yes! Many manufacturers have a variety of models for their handsets. For example, the Samsung S8 can have up to 12 different variants that are supported for different acquisitions. To avoid any issues or cause any harm to the device, you need to make sure you are selecting the correct version. UFED has built-in procedures for helping you identify the correct profile for your connected device. One of the most common starting points is to select Auto Detect where the UFED will present you with the correct make and model of the attached device or with a Suggested Profile. If you remember the webinar, both options were shown. Below, you’ll see the correct make and model. For Suggested Profile, the screenshot will include these words.

When Browse Devices is selected, there are several tabs across the top of UFED that enable the examiner or investigator handling the device to Search Device or browse through the Vendors, Generic Profiles, or Recently Used devices. Make sure you are in the All tab if you are trying to type in specific makes and/or models.

Under Generic profiles, you will see many options for different manufacturers and chipsets. Here is where you will find support for Qualcomm- and Exynos-based devices. If you aren’t sure which chipset is leveraged in the phone you are extracting, simply look it up to ensure you make the proper choice under the Generic profiles.

Rest assured, you will not be able to physically acquire Android devices that are NOT previously rooted and harm the handset. The UFED will just fail to proceed. Make sure you read the information provided with the tooltip “I” on each option. Again, educating yourself is helpful as you can manage your own expectations and those of your team.

Now things can go wrong. For example, if I try to acquire my Samsung S10E (FBE) as a Samsung Galaxy S3 (FDE) device and UFED attempts to conduct a physical extraction leveraging built-in mechanisms, it might not end well. I could damage the device by selecting random profiles to access the handset.

If you are unsure, simply contact Cellebrite support. Your SEs and our product team are here to help you.

5. Do you recommend running as many data extractions as possible?

This is a tough question to answer. I would recommend always opening your extractions prior to returning the device involved in your investigation. This way, you will be able to quickly triage what you were able to obtain using your selected methods. I find that I do more extractions on Android if I do NOT get a Full File System extraction. For iOS, if I get a checkm8 extraction I am happy. I have spent years testing, validating, and testing again to compare what each extraction obtains. I recommend you do the same or review the work that those of us have provided for you.

A blog Paul Lorentz and I wrote ‘Android Data Collection Simplified‘ that’ll help set expectations. Since then, we’ve introduced more features like Chat Capture, which is a great add-on to any extraction and it shows how the messages, settings, and more, will appear to the user on the device.

I’ll be happy if I get a Full File System of Android, and might even add on Chat Capture. If I get a checkm8 of an iOS device, I won’t need to obtain any further extractions. If I do not get a Full File System of the iOS or Android, I’d refer to the blog we wrote and extract as much as I can from the device.

Cellebrite’s here to support you, your devices and make sure data collection is as easy as possible. Stay tuned for an upcoming series where we’ll feature blogs, webinars, and cheat sheets to you manage your examinations and investigations with ease.

Suggested Resources:
1. https://cellebrite.com/en/android-data-collection-simplified/

2. https://cellebrite.com/en/how-to-properly-handle-phones-seized-for-investigation/
3. https://cellebrite.com/en/ufed-data-collection-checkm8-and-dar-files-shahar-tal-vp-srl-and-gil-kaminker-head-of-android-research-at-cellebrite/
4. https://cellebrite.com/en/accessing-the-inaccessible-overcoming-the-challenge-of-encryption/
5. https://cellebrite.com/en/webinar-understand-emergency-download-mode-edl-to-get-forensically-sound-access-to-mobile-devices/
6. https://cellebrite.com/en/episode-12-i-beg-to-dfir-if-you-cant-extract-it-capture-it/
7. https://cellebrite.com/en/understanding-different-types-of-encryption-on-mobile-devices/  

Share this post