The following article will explain everything you need to know to connect an iPhone to MOBILedit Forensic successfully. iPhone can be connected either by cable or via Wi-Fi. All iOS versions are supported.
With the advances in iOS security, it is becoming commonplace that you need to know the PIN code to extract data successfully from iOS devices. The Lockdown method can bypass the screen lock with some iOS versions if the PIN code is unknown.
For successful extraction from iPhone is required to know the iTunes backup password. Without the iTunes backup password, the final result will not show much data, such as data from WhatsApp, Contacts, Photos, etc.
With iOS 15.7.6 and 16.1 or later, you must enter your phone passcode when creating an iTunes backup. This is not required in iOS 16.0 and below (excluding iOS 15.7.6).
If you are not able to obtain the iTunes backup password and don't need to analyze data from the old iTunes backup, with iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.
On your device, go to Settings > General > Transfer or Reset [Device] > Reset.
Tap Reset Network Settings and enter your device passcode.
Follow the steps to reset your settings. This won't affect your user data or passwords, but it will reset settings like display brightness, Home Screen layout, and wallpaper. It also removes your encrypted backup password.
However, this operation:
requires to enter the passcode
deletes some evidence
The advantage of MOBILedit Forensic is that it can extract data from the iPhone from a computer with iTunes for Windows installed or without, which are very different ways of communication.
iTunes for Windows not installed
There is no need to install the iTunes Windows application to use MOBILedit, which is usually required by other mobile forensic solutions. MOBILedit can communicate directly with iPhones or iPads using our direct Apple device driver, which can be downloaded from our website.
Install the correct Apple drivers.
Connect the device to a USB
Enable device communication
If you want to use the checkra1n Jailbreak, the installation of iTunes is still required, since the communication requires Apple mobile device service rather than our direct driver.
iTunes for Windows installed
If you already have the iTunes Windows application installed, MOBILedit can communicate with the iPhone. In this case, MOBILedit uses protocols of Apple Mobile Device Service, which is already part of the iTunes installation.
You can follow the same connection step procedures above, starting from point 2.
Do not turn off the Apple Mobile Device Service while the iOS device is connected to MOBILedit Forensic. If the service is stopped it will disconnect the device and communication with MOBILedit Forensic. MOBILedit Forensic will repeatedly try to regain communication yet will be unable to.
Jailbroken iPhone and Full file system extraction
If the iPhone is jailbroken, MOBILedit can extract all files, including application sandboxes or system files. To achieve this, MOBILedit needs iTunes installed, so please follow the above instructions. You can jailbreak iPhones using the USB live distribution in the MOBILedit Connection Kit, as it contains the Bootra1n software used to deploy Checkra1n.
Even with jailbreak, device encryption is still working, e.g., if the device was not unlocked after reboot, a very limited set of data is available for extraction. Also, some applications protect files, when the phone is locked, so for full filesystem extraction, you still need to unlock the phone.