iOS Forensics - Physical extraction, decoding and analysis from iOS devices

Device Support

iOS Forensics - Physical extraction, decoding and analysis from iOS devices

Cellebrite's UFED Series enables forensically sound data extraction, decoding and analysis techniques to obtain existing and deleted data from these devices. 

iOS Devices: iPhone 2G,iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5,iPhone 5S, iPhone 5C,  iPhone 6, iPhone 6Plus, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G, iPod Touch 5G, iPad Mini, iPad 1, iPad 2, iPad3, iPad 4

For a full list of devices, go to My.Cellebrite


Different ways to perform data extraction:

• Logical and file system (for unlocked devices) extraction is enabled on the UFED Touch

• Physical extraction and file system extraction (for locked devices) is enabled on the UFED Physical Analyzer


Support for Locked iOS Devices Using UFED Physical Analyzer

Using UFED Physical Analyzer, physical and file system extractions, decoding and analysis can be performed on locked iOS devices with a simple or complex passcode. Simple passcodes will be recovered during the physical extraction process and enable access to emails and keychain passwords. If a complex password is set on the device, physical extraction can be performed without access to emails and keychain. However, if the complex password is known, emails and keychain passwords will be available.

UFED Physical Analyzer capabilities include:

•Keychain real-time decryption enables access to account usernames and passwords

•Real-time decryption to interpret encrypted data from devices running iOS4.x, iOS5.x and iOS6.x. Decryption is performed on-the-fly, obtaining access to data, files and application content

•Support for decrypting emails saved as emlx files

•Extract and present GPS fixes, Wi-Fi networks and cell towers IDs. Locations and routes can be viewed in Google Earth and Google Maps


Data Recovery from SQLite Databases

Advanced decryption and decoding techniques to recover deleted mobile data from SQLite databases such as messages, apps data, calls history, contacts and much more.

iPhone Content Decoding via UFED Physical Analyzer

Decoding is enabled for existing and deleted data.

Decoded data: Call logs, Voicemails, Contact lists, Locations (WiFi, cell towers and GPS fixes), Images, Video files, Text messages (SMS), MMS, Emails, Notes, Installed applications and their usage, User dictionary, Calendar, Bluetooth devices pairing history, Maps cache

Applications: Skype, Whatsapp, Viber, Fring, MotionX, AIM, TigerText, Facebook Messenger, Twitterrific, Textfree, Google+, Facebook, Foursquare, Garmin, TomTom, Waze, TextNow, Dropbox, Yahoo Messenger, Ping Chat, Twitter, Touch (new ping chat), Find My iPhone, LinkedIn, iCQ, Kik Messenger, Google Maps, Kakaotalk, QIP, Evernote, Vkontakte,

Internet browser data: Safari, Opera Mini - bookmarks, history and cookies