“Wait until you get it right, then release it.” This is exactly what Cellebrite is doing: getting it right!

For the past two weeks, I have had the privilege to beta test the upcoming version of the Physical Analyzer that supports Physical and File System acquisitions of most any iPad and iPhone model and iOS version. I have acquired everything from the iPhone 2G right up to my newer iPhone 4 with the newest iOS release of 4.3.3, with both Physical and File System acquisitions. BEST OF ALL, most of them were passcode locked by the users and myself. The software unlocked all the phones to recover the data.

Even better, the user data from the file system dumps was all decrypted and we are able to read: SMS Text; MMS; Calendar; Application Usage; Call Logs; Chats; Contacts; Emails; Installed Applications; Locations; Notes; User Account info; User Dictionary; Web Bookmarks; Web History; Wireless Networks; Images; Videos; Audio; and Text items. This includes my newer iPhone 4.3.3 that was tested.

Some items that I like about the new P.A. software include:

– the walk-through screens are very easy to follow, fool-proof I would say!

– no jailbreak is required

– you never power the iPhone on to the user interface, the process involves Recovery and DFU modes only

– the decoding data carving is outstanding

– you can get a physical dump, work on it while you are getting a second file system dump

– runs on most Windows OS’s, I am running Windows 7 64-bit

– the whole process is clicking on an icon and waiting for instructions; when the iPhone is ready to proceed, the screen changes and walks you through it

– it is a free upgrade to existing P.A. users with up-to-date licensing (release is soon)

– supports phones that are not even supported by the jailbreak process (example: iPhone 3G 4.2.1 MC)

– iTunes is not an issue; specific version or uninstalling is not a concern

Issues that I have found so far that are being worked on by Cellebrite:

– no support for the iTouch yet

– some issues with viewing some image formats

– some issues with certain USB ports

In the past few days I have acquired both Physical and Filesystem dumps from the following phones:

iPhone 3Gs with 4.2.1, no password active

iPhone 4, password protected, 4.3.3, 8J2, MC605C

iPhone 3G password protected, 4.2.1 8C148, 931.71.16, A1241

iPhone 3G, password protected, 3.1.2 7C146, 636.66, A1241

iPad 1 with 4.3.3 (8J3) 16GB Model MC349C

iPhone 3Gs iBoot 889.24, password protected

The process is fast and easy. A 16 GB device took about 20 minutes to get a physical dump.

I am now doing some validation with one of the dumps I got from the iPhone 3GS 4.2.1 to see if the physical dump acquired and recovered the same number of pictures that another tool obtained. I am in the process of validating the iPhone 4 4.3.3 PW locked phone as well to see if the P.A. obtained and decrypted all the important user data.

Too many projects on the table, need to focus on one and get 'er done! More to follow... must fly to Myrtle Beach for Techno and MFW, network, network, network!

Posted with permission of R. S. /Cellebrite.
