iOS
The following article will explain everything you need to know to connect an iPhone with MOBILedit Forensic. iPhone can be connected either by cable or via Wi-Fi. All iOS versions are supported.
With the advances in iOS security, it is becoming commonplace that you need to know the PIN code to extract data successfully from iOS devices. The Lockdown method can bypass the screen lock with some iOS versions if the PIN code is unknown.
For successful extraction from iPhone is required to know the iTunes backup password. Without the iTunes backup password, the final result will not show much data, such as data from WhatsApp, Contacts, Photos, etc.
With iOS 15.7.6 and 16.1 or later, you must enter your phone passcode when creating an iTunes backup. This is not required in iOS 16.0 and below (excluding iOS 15.7.6).
If you are not able to obtain the iTunes backup password and don't need to analyze data from the old iTunes backup, with iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.
On your device, go to Settings > General > Transfer or Reset [Device] > Reset.
Tap Reset Network Settings and enter your device passcode.
Follow the steps to reset your settings. This won't affect your user data or passwords, but it will reset settings like display brightness, Home Screen layout, and wallpaper. It also removes your encrypted backup password.
However, this operation:
requires to enter the passcode
deletes some evidence
The advantage of MOBILedit Forensic is that it can extract data from the iPhone from a computer with iTunes for Windows installed or without, which are very different ways of communication.
iTunes for Windows not installed
It is not always necessary for the iTunes Windows application to be installed to use MOBILedit, which is usually required by other mobile forensic solutions. MOBILedit can communicate directly with iPhones or iPads using our direct Apple device driver, which can be downloaded from our website. But please remember, iTunes needs to be installed if you wish to communicate with an Apple Watch or a jailbroken iOS or iPadOS device.
Connection steps:
Install the correct Apple drivers.
Connect the device to a USB
Enable device communication
If you know the passcode
I. Unlock the device screen.
II. Disable the “Auto-Lock” option.
III. Confirm the trust message on the device screen.If you don’t know the passcode, use the Lockdown method
If you want to use the checkra1n Jailbreak, the installation of iTunes is still required, since the communication requires Apple mobile device service rather than our direct driver.
iTunes for Windows installed
If the iTunes Windows application is installed, MOBILedit will communicate with the iPhone using the Apple Mobile Device Service, which is already part of the iTunes installation.
You can follow the same connection step procedures above, starting from point 2.
Do not turn off the Apple Mobile Device Service while the iOS device is connected to MOBILedit Forensic. If the service is stopped it will disconnect the device and communication with MOBILedit Forensic. MOBILedit Forensic will repeatedly try to regain communication yet will be unable to.
Jailbroken iPhone and Full file system extraction
If the iPhone is jailbroken, MOBILedit can extract all files, including application sandboxes or system files. To achieve this, MOBILedit needs iTunes installed, so please follow the above instructions. You can jailbreak iPhones using the USB drive in the MOBILedit Connection Kit. It is a small Linux live distribution that contains the Bootra1n software used to deploy Checkra1n.
Even with jailbreak, device encryption is still working, e.g., if the device was not unlocked after reboot, a limited set of data is available for extraction. Also, some applications protect files, when the phone is locked, so for full filesystem extraction, you still need to unlock the phone.
Here is a handy decision making chart to guide you through iOS extraction and analysis:
There were errors rendering macro:
- An unknown error occurred.