First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistance with research and with testing.

I must apologize if you have already taken the time to read through this blog. It was my first research blog and after it was posted, I felt it was missing a few things. I debated over rewriting it or just following up with an additional blog. I came to the conclusion editing the original and reposting the entire blog was the best method to get you all of the information.

During an examination and analysis, I learned some interesting things and would like to share them with you. After the examination of an Apple iPhone 7, I discovered some photos were captured using the camera application () from within the native iPhone messaging application (). As a result of photos being captured, several files were created that I have not observed during my past examinations and I had a few questions. Was this because I was examining a full file system extraction? Was it because I haven’t been paying close enough attention during my exams?

Either way, I set out to test and validate what I discovered.

During testing, I did not find any significant changes between 13.4.1 and 13.5.1 that would make the testing invalid.

Important to note: While working on cases after this blog was initially written I noticed there were some differences between iOS 12 and iOS 13. Mainly, iOS 13 devices contained more data in /private/var/mobile/Containers/Data/PluginKitPlugin//tmp/ locations than iOS 12 devices. I only mention this so you are aware there could be additional differences that have not been discussed.

Tools: Cellebrite UFED 4PC (7.34.0.116); Cellebrite Physical Analyzer (PA) (7.35.00.33 – 7.36.0.35); Magnet AXIOM (4.4); Artifact Examiner (1.3.6.1); Mushy Plist Viewer (1.2.7.0); iLEAPP (1.2); APOLLO (1.1); Zimmerman Hasher (1.9.2.0); Navicat for SQLite (15.0.1); DB Browser (3.12.0)

Cellebrite UFED 4PC Advanced Logical and Logical extraction (Suspect’s device only).

After First Unlock (AFU) Full File System (FFS) (Suspect’s device and test device).

While examining the suspect’s device and analyzing the data, I had a few questions about the data being displayed and how it was created. I formulated a few scenarios that might help demonstrate and explain what happened:

Scenario #1 – What happens when a photo / live photo is captured () within the native iOS messenger () and sent as an attachment?

Scenario #2 – What happens when a photo is captured within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread (/private/var/mobile/Library/SMS/Attachments/)?