Advanced techniques to get more information from the device

Some applications do not provide the information that you need (e.g. messages, call logs) by themselves since the information is encrypted by the developer/manufacturer.

There are a few ways to extract the information you need:

  1. Rooting / Jailbreaking your device

  2. Creating a physical image of your device

  3. Using an App downgrade function in our software MOBILedit Forensic

Rooting / Jailbreaking

Rooting

Most Android devices should be able to be rooted. However, the process of rooting is specific to each phone model, version of Android, and build number, so you always need to find the right tool according to your phone model. 

You can root a majority of modern Android phones using an app called KingoRoot. If for some reason this method doesn't work for you (locked bootloader, Knox, etc.), you may be able to find help on how to root your phone at XDA Developers, a website with a large, active user community dedicated entirely to Android smartphones.

Please note that sometimes it is necessary to unlock your phone's bootloader in order to root it. You can find a step-by-step tutorial on how to unlock the bootloader on your phone manufacturer's webpage.

Once rooting has been completed successfully, the phone is switched to so-called "rooted mode", and you will then be able to extract and analyze the deleted data.

If you are in need of further assistance please let us know and we will look further to help resolve any issue you are experiencing.

Rooting your phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
Rooting a Samsung device will trip the Knox Warranty void flag, which will make the data stored in Knox permanently inaccessible.

Jailbreaking

There are three ways of jailbreaking your iOS device:

  1. Tethered - This method requires you to connect your iPhone to your computer and use an external application to jailbreak it. Once you restart your iPhone, the jailbreak is undone, but please note: your device will not be usable until you jailbreak it again using the same method. 

  2. Semi-tethered - This method doesn't require you to connect your iPhone to a computer in order to jailbreak it. However, the jailbreak is still undone every time you reboot your device or after a certain amount of time passes.

  3. Untethered - This method doesn't necessarily require a computer to perform a jailbreak on your device and also modifies the iOS on a deeper level which means that no matter how many times you reboot your device, it stays jailbroken until you manually "un-jailbreak" it.

There are specific known ways to jailbreak almost every iPhone, iPad or iPod Touch running on almost every iOS, except the latest releases - as it usually takes a few months to find a way of jailbreaking the newest version of iOS. 

This means that there is no way of describing them all in a single article.

Currently, the most often used apps for jailbreaking iOS devices are Pangu or Cydia Impactor. You can learn more about how Cydia works on the app developer's official website here, or you can read this article which describes a simplified process of iOS jailbreaking.

You can see a full list of available jailbreaks for each device and version here.

Jailbreaking a device may void the manufacturer's warranty and could cause security risks.
Please take this into consideration before performing this process.

Creating a physical image of your device

There are many ways to create a physical image from a device. You can, of course, create the image with tools of your own and use our software for extraction, but MOBILedit Forensic offers some tools as well. Due to dual-use regulations, these methods are available exclusively in MOBILedit Forensic ULTRA:

TWRP Method

The device has to have its bootloader unlocked in order to proceed with this method. Please be aware that unlocking the bootloader will delete ALL the user data.

Additionally, you need to be able to decrypt the physical image, which is not possible in MOBILedit Forensic PRO and only possible in MOBILedit Forensic ULTRA.

Therefore, TWRP is not a suitable method for forensic investigations, yet it can be useful for setting up test devices.

Every Android phone has a "recovery" partition, which by default is used for performing factory resets using an OEM's preloaded tools. However, this partition can be modified in order to replace the default tools with third-party recovery tools such as TWRP.

These recoveries are (unlike the stock ones) capable of modifying all the internal system partitions of your phone or tablet (they need this capability in order to flash custom firmware).

TWRP even comes with a built-in file manager with unlimited root access, so you can modify, add or delete any system files manually. This process allows you to obtain a physical image, thereby bypassing the otherwise locked device's protection.

However, if the image is encrypted by the system itself, we are only able to get the encrypted physical image.

More information about how to use the TWRP method can be found here.
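The bootloader, encryption and Knox caveats above can be checked on a device before any method is chosen. The following is an added example, not part of MOBILedit Forensic: it parses the text output of `adb shell getprop` and lists the cautions that apply. The sample output is constructed, and the Samsung property `ro.boot.warranty_bit` is assumed to be present only on Samsung devices.

```python
import re

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE = """\
[ro.product.model]: [SM-EXAMPLE]
[ro.build.version.release]: [13]
[ro.build.id]: [EXAMPLE.000000.001]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.warranty_bit]: [0]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; anything else is skipped."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def triage(props):
    """Identify the device and list the cautions this page raises."""
    notes = []
    locked = props.get("ro.boot.flash.locked")
    vb_state = props.get("ro.boot.verifiedbootstate")
    if locked == "1" or vb_state in ("green", "yellow"):
        notes.append("bootloader locked: unlocking it for TWRP deletes all user data")
    elif locked == "0" or vb_state == "orange":
        notes.append("bootloader already unlocked")
    else:
        notes.append("bootloader state not reported: verify manually")
    if props.get("ro.crypto.state") == "encrypted":
        kind = props.get("ro.crypto.type", "unknown")
        notes.append(f"storage encrypted ({kind}): a physical image will be encrypted")
    # Samsung-only property (assumption: absent on other vendors' devices).
    knox = props.get("ro.boot.warranty_bit")
    if knox == "0":
        notes.append("Knox flag intact: rooting would trip it and lose Knox data")
    elif knox == "1":
        notes.append("Knox flag already tripped")
    device = tuple(props.get(k, "unknown") for k in (
        "ro.product.model", "ro.build.version.release", "ro.build.id"))
    return {"device": device, "notes": notes}

if __name__ == "__main__":
    report = triage(parse_getprop(SAMPLE))
    print(*report["device"])
    for note in report["notes"]:
        print("-", note)
```

The model, Android version and build ID it reports are the three values needed to pick a matching rooting tool, so recording them in the case notes first avoids a mismatched attempt.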

Rooting

In MOBILedit Forensic there are 5 methods for temporary rooting.

The root access is removed once the device is restarted or by pressing “Stop Communication service”. 

More information about how to use the Rooting exploits in MOBILedit Forensic can be found here.

Using an App downgrade function in our software MOBILedit Forensic

Due to better security, some application manufacturers made restrictions on what data can be acquired from their apps. This is especially relevant for non-rooted phones.

To bypass this, we have introduced the App downgrade feature in MOBILedit Forensic, which downgrades the apps to a version in which there was no problem obtaining the data from them directly.

Please note that only some apps support this feature as of yet, although we are working on expanding their list.

More information about how to use the App downgrade in MOBILedit Forensic can be found here.