With the advances in iOS security, it is becoming commonplace that you need to know the PIN code to extract data successfully from iOS devices. The Lockdown method can bypass the screen lock with some iOS versions if the PIN code is unknown.
Successful extraction from an iPhone requires knowing the iTunes backup password. Without the iTunes backup password, the final result will not show much data, such as data from WhatsApp, Contacts, Photos, etc.
If you are not able to obtain the iTunes backup password and don't need to analyze data from the old iTunes backup, with iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.
Follow the steps to reset your settings. This won't affect your user data or passwords, but it will reset settings like display brightness, Home Screen layout, and wallpaper. It also removes your encrypted backup password.
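Before extraction it helps to know whether an existing backup folder is encrypted and which iOS version produced it, since that decides whether the password is needed and whether the iOS 11 reset option applies. The following is an added example, not MOBILedit code: it reads the backup's Manifest.plist (keys IsEncrypted, WasPasscodeSet and Lockdown/ProductVersion); the function names and the sample backups are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path


def triage_backup(backup_dir):
    """Summarise an iTunes/Finder backup folder from its Manifest.plist."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # accepts XML and binary plists

    version = manifest.get("Lockdown", {}).get("ProductVersion", "")
    try:
        major = int(version.split(".")[0])
    except ValueError:
        major = None  # version missing or malformed

    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "ios_version": version or None,
        "passcode_was_set": manifest.get("WasPasscodeSet"),
        # Per the text above: on iOS 11 or later the backup password can be
        # reset on the device and a new encrypted backup made.
        "reset_option_applies": major is not None and major >= 11,
    }


def make_sample_backup(root, encrypted, ios_version):
    """Constructed sample data: a folder holding only a minimal Manifest.plist."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    manifest = {
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Lockdown": {"ProductVersion": ios_version, "DeviceName": "sample-device"},
    }
    with (root / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, enc, ver in [("a", True, "15.4"), ("b", False, "10.3.3")]:
            folder = make_sample_backup(Path(tmp) / name, enc, ver)
            print(name, triage_backup(folder))
```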
It is not always necessary for the iTunes Windows application to be installed to use MOBILedit, which is usually required by other mobile forensic solutions. MOBILedit can communicate directly with iPhones or iPads using our direct Apple device driver, which can be downloaded from our website. But please remember, iTunes needs to be installed if you wish to communicate with an Apple Watch or a jailbroken iOS or iPadOS device.
Do not turn off the Apple Mobile Device Service while the iOS device is connected to MOBILedit Forensic. If the service is stopped, the device is disconnected and communication with MOBILedit Forensic is lost. MOBILedit Forensic will repeatedly try to regain communication but will be unable to.
If the iPhone is jailbroken, MOBILedit can extract all files, including application sandboxes or system files. To achieve this, MOBILedit needs iTunes installed, so please follow the above instructions. You can jailbreak iPhones using the USB drive in the MOBILedit Connection Kit. It is a small Linux live distribution that contains the Bootra1n software used to deploy Checkra1n.
Even with a jailbreak, device encryption still applies: if the device has not been unlocked since reboot, only a limited set of data is available for extraction. Also, some applications protect their files while the phone is locked, so for full filesystem extraction you still need to unlock the phone.
When extracting data from WhatsApp, you may find that not all expected data, such as messages and call logs, is included in the final report because this data is end-to-end encrypted by the developer/manufacturer. Globally, encrypted applications have become a challenge for mobile forensic science.
WhatsApp's end-to-end encryption ensures only the sender and the receiver can read or listen to what was sent, and nobody in between, not even WhatsApp. This is because, with end-to-end encryption, messages are secured with a lock, and only the recipient and sender have the special key needed to unlock and read them.
Within the limits of forensic analysis, there are a few steps to follow to get the best possible result. There are a few ways to extract the information you need, and that is by:
Most Android devices should be able to be rooted. However, the process of rooting is specific to each phone model, version of Android, and build number, so you always need to find the right tool according to your phone model.
You can root a majority of older Android phones using an app called KingoRoot. If for some reason this method doesn't work for you (locked bootloader, Knox, etc.), you may be able to find help on how to root your phone at XDA Developers, which is a website with a large active user community dedicated entirely to Android smartphones.
Please note that sometimes it is necessary to unlock your phone's bootloader in order to root it. You can find a step-by-step tutorial on how to unlock the bootloader on your phone manufacturer's webpage.
Rooting your phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process. Rooting a Samsung device will trip the Knox Warranty void flag, which will make the data stored in Knox permanently inaccessible.
Tethered - This method requires you to connect your iPhone to your computer and use an external application to jailbreak it. Once you restart your iPhone, the jailbreak is undone, but please note: your device will not be usable until you jailbreak it again using the same method.
Semi-tethered - This method doesn't require you to connect your iPhone to a computer in order to jailbreak it; however, the jailbreak is still undone every time you reboot your device or after a certain amount of time passes.
Untethered - This method doesn't necessarily require a computer to perform a jailbreak on your device and also modifies the iOS on a deeper level which means that no matter how many times you reboot your device, it stays jailbroken until you manually "un-jailbreak" it.
There are specific known ways to jailbreak almost every iPhone, iPad, or iPod Touch running on almost every iOS, except the latest releases - as it usually takes a few months to find a way of jailbreaking the newest version of iOS.
However, currently, the most often used apps for jailbreaking iOS devices are Pangu or Cydia Impactor. You can learn more about how Cydia works on the app developer's official website at this link, or you can read this article which describes a simplified process of iOS jailbreaking.
There are many ways to create a physical image from a device. You can, of course, use tools of your own and then use our software for extraction, but our product MOBILedit Forensic offers some tools as well:
This exploit method does not work on all MTK-equipped devices, but sometimes it is the only way of acquiring the physical image because the phone does not have to be booted up or unlocked in order to perform this operation, which means you can try even if the phone is off or locked.
The "LG Hack" feature works on all LG smartphones with the new version of the LG LAF protocol (this is a service download mode similar to Samsung Odin download mode). One of the first devices to feature this version was the first LG G flagship.
TWRP even comes with a built-in file manager with unlimited root access so you can modify, add or delete any system files manually. This process allows you to gain physical images, therefore bypassing the otherwise locked device's protection.
In MOBILedit Forensic there are several methods allowing you to temporarily root the Android device. If rooting the device is successful, then our communication service with root privileges will be running on the device.
Last but not least, there is always the option to simply capture screenshots of your mobile screen, for example while having the WhatsApp chat open. This method might be lengthy; however, it is a very effective way to get your desired conversation into the final report if every other method fails.
MOBILedit Forensic is an all-in-one solution for data extraction from phones, smartwatches and clouds. It utilizes both physical and logical data acquisition, has excellent application analysis, deleted data recovery, a wide range of supported devices, fine-tuned reports, concurrent processing, and an easy-to-use interface. With a brand new approach, MOBILedit Forensic is much stronger in security bypassing than ever before.
MOBILedit Forensic offers maximum functionality at a fraction of the price of other tools. It can be used as the only tool in a lab or as an enhancement to other tools with its data compatibility. When integrated with Camera Ballistics it scientifically analyzes camera photo origins.
With MOBILedit Forensic, you can extract all the data from a phone with only a few clicks. This includes deleted data, call history, contacts, text messages, multimedia messages, photos, videos, recordings, calendar items, reminders, notes, data files, passwords, and data from apps such as Skype, Dropbox, Evernote, Facebook, WhatsApp, Viber, Signal, WeChat and many others.
MOBILedit Forensic automatically uses multiple communication protocols and advanced techniques to get maximum data from each phone and operating system. Then it combines all data found, removes any duplicates and presents it all in a complete, easily readable report.
Since 1996 we have supported an extremely wide range of phones manufactured over two decades. The software supports thousands of handsets including popular operating systems such as iOS, Android, Blackberry, Windows Phone, Windows Mobile, Bada, Symbian, Meego, Mediatek, Chinese phones, and CDMA phones. The software can handle many feature phones without an OS. This includes older models from as far back as 1996, when development of the software, the first of its kind in the world, began.
MOBILedit Forensic also extracts all data from phones into an open data format, so you get all the files directly as they are in the phone. This allows you to use other tools, including open source tools, to further analyze data and get even more evidence.
MOBILedit Forensic collects both standard and deleted message information sent by phone and displays it as a timeline. See all message information, including who sent the message text, what messenger program they used, and any attached media files.
Get exactly what you are looking for by filtering extracted data by keyword, specific contacts, time, application or file name. Apply these filters to different data types and radically minimize the report size.
Smartwatch Kit
The MOBILedit Smartwatch Kit is an essential tool to use alongside MOBILedit Forensic. This complete kit provides the user with all connectivity required and includes unique Apple Watch readers, along with hard-to-find readers for other smartwatch brands.
Using the connectors found in the MOBILedit Smartwatch Kit, the extraction and analysis are performed by MOBILedit Forensic. The results can be professionally presented in PDF, Excel, or HTML or exported as UFDR files. Backups of the data can even be created for examination at a later date.