iOS

The following article will explain everything you need to know in order to successfully connect an iPhone to MOBILedit Forensic. iPhone can be connected either by cable or via Wi-Fi. All iOS versions are supported.

For successful extraction from iPhone is required to know the iTunes backup password. Without the iTunes backup password, the final result will not show much data, such as data from WhatsApp, Contacts, Photos, etc.

Since the launch of the new iOS 16.1, you must enter your phone passcode when creating an iTunes backup. This is not required in iOS 16.0 and below.

If you are not able to obtain the iTunes backup password and don't need to analyze data from the old iTunes backup, with iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.

1. On your device, go to Settings > General > Transfer or Reset [Device] > Reset.

2. Tap Reset Network Settings and enter your device passcode.

3. Follow the steps to reset your settings. This won't affect your user data or passwords, but it will reset settings like display brightness, Home Screen layout, and wallpaper. It also removes your encrypted backup password.

However, this operation:

• requires to enter the passcode

• deletes some evidence

The advantage of MOBILedit Forensic is that it can extract data from the iPhone from a computer with iTunes for Windows installed or without, which are very different ways of communication.

iTunes for Windows not installed

There is no need to install the iTunes Windows application to use MOBILedit (it is usually required by other mobile forensic solutions). MOBILedit is able to communicate directly with iPhones or iPads by using the Apple Mobile Device driver which can be downloaded from our website.

1. Install correct Apple drivers.

2. Connect the device to a USB

3. Enable device communication

   1. If you know the passcode
      I. Unlock the device screen.
      II. Disable the “Auto-Lock” option.
      III. Confirm the trust message on the device screen.

   2. If you don’t know the passcode use the Lockdown method
      

If you want to use the checkra1n Jailbreak, the installation of iTunes is still required, since the communication requires Apple mobile device service rather than our direct driver.

iTunes for Windows installed

If you already have the iTunes Windows application installed, MOBILedit can communicate with the iPhone. In this case, MOBILedit uses protocols of Apple Mobile Device Service, which is already part of the iTunes installation.

You can follow the same procedure as above, starting from point 2.

Do not turn off the Apple Mobile Device Service while the iOS device is connected to MOBILedit Forensic. If the service is stopped it will disconnect the device and communication with MOBILedit Forensic. MOBILedit Forensic will repeatedly try to regain communication yet will be unable to.

Jailbroken iPhone and full file system extraction

If the iPhone is jailbroken, MOBILedit is able to extract all files, including application sandboxes or system files. To achieve this, MOBILedit needs iTunes installed, so please follow the above instructions. You can jailbreak iPhones by using the USB live distribution in the MOBILedit Connection Kit, as it contains the Bootra1n software used to deploy Checkra1n.

Even with jailbreak, device encryption is still working, e.g., if the device was not unlocked after reboot, a very limited set of data is available for extraction. Also, some applications protect files, when the phone is locked, so for full filesystem extraction, you still need to unlock the phone.