This is a list of tools I found to be useful during my steps through this new area of mobile forensics.
iPhone Research Tool
LiFE (Logical iOS Forensic Examiner) is a FREE, open source research tool for examining iOS backups, developed in 2014 by researchers at the University of New Haven (UNH) Cyber Forensics Research & Education Group / Lab.
Well, the really good tools are (as usual) available for Linux, so the list below should be your first choice if you are using Linux (which should be your first choice as well). For the sample installation below I'm using Ubuntu 17.04 on VMware (4 GB RAM, 50 GB HD) with VMware Tools installed.
idb on Ubuntu or Kali install howto:
sudo apt-get install cmake libqt4-dev git-core libimobiledevice-utils libplist-utils usbmuxd libxml2-dev libsqlite3-dev -y
curl -sSL https://get.rvm.io -o rvm.sh
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
cat ./rvm.sh | bash -s stable --rails ## this takes quite a while
rvm install 2.1 --enable-shared
git clone https://github.com/dmayer/idb && cd idb
gem install idb
Add the correct Ruby settings from the "env" of your session to your ~/.bashrc.
Done... idb should run now.
Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.
An (incomplete) list of tools that will enable and/or help you do your job.
Elcomsoft iOS Forensic Toolkit, 1495 €
- An all-in-one, complete acquisition solution
- Physical acquisition (32-bit devices): acquire complete, bit-precise device images
- Physical acquisition (64-bit devices): extract more information compared to logical or cloud acquisition
- Logical acquisition: extract iTunes-style backups including the keychain
- Extract information from locked devices (limitations apply)
- Decrypt keychain items, extract device keys (32-bit devices only)
- Quick file system acquisition: 20-40 minutes for 32 GB models
- Zero-footprint operation leaves no traces and no alterations to devices’ contents (32-bit legacy devices only)
- Fully accountable: every step of investigation is logged and recorded
- Supports iOS up to 9.3.4 (physical acquisition), up to 10.x (logical acquisition)
- Passcode is not required
- Simple 4-digit passcodes recovered in 10-40 minutes
- Mac and Windows versions available
- Automatic and manual modes available
MSAB Office, price unknown (? €)
- XRY Application Software and 12 month License
- XRY Briefcase with Cable Organizer
- XRY Communication Unit
- XRY Office Mobile Phone Cable Kit
- SIM id-Cloner Device with 12 month License
- 5 Rewritable SIM id-Cloner Examination Cards
- Write Protected Universal Memory Card Reader
- Cleaning Brush & Accessories
- New cable support for 12 months
MOBILedit Forensic Express is a phone extractor, data analyzer and report generator all in one solution. A powerful 64-bit application using both the physical and logical data acquisition methods, Forensic Express is excellent for its advanced application analyzer, deleted data recovery, wide range of supported phones including most feature phones, fine-tuned reports, concurrent phone processing, and easy-to-use user interface. With the password and PIN breaker you can gain access to locked ADB or iTunes backups with GPU acceleration and multi-threaded operations for maximum speed.
Peli case, 206 x 167 x 90 mm
For secure transport of devices from the victim to the analyst and/or elsewhere.
To secure "unchanged" evidence while transporting or storing the device. Especially use it while transporting with the above Peli case.
To ensure that the device has not been tampered with or destroyed while in transport, and to ensure it does not communicate while being transported or stored.
Well, some devices do need power. :-)