I'm looking for a way to copy all of the data from my iPhone to a Windows PC, with accuracy down to the byte that could be used for forensic purposes. The iPhone in question is an iPhone 6 running iOS 9.3 and is not jailbroken.

Is there any software (the cost of which is not important) that would do just that? Basically, I'm wondering how the FBI did it.

The output file is NOT important. Even if it's all encrypted, it's ok—it just must be every single byte that can be taken off the phone (a complete copy of the iPhone's hard disk).

Could iTunes do this based on the presumption that nothing is left behind when iTunes+Windows makes an iPhone backup?


Solution 1:

In a sense there are multiple answers to your question.

Law Enforcement

You asked how the FBI did it. In a nutshell, you won't get an answer here as they paid a huge sum of money to obtain the vulnerability, which in itself only applied to a particular model of iPhone running a specific version of iOS. So the approach the FBI used most likely wouldn't work for you, but even if it did, no one is going to be able to tell you how they did it.

Law enforcement also uses a tool developed by Zdziarski five or so years back; however, current versions are not available to the public. Even if you could source one of the earlier versions originally available to the public, this is not likely to work with iOS 9.3.

Forensic options

There are a number of forensic options available, none of which are cheap. However, since you stated that the cost isn't important, here are a few you may find of interest:

  • Lantern 4 - US$1,999 up front, US$800 annual maintenance
  • Spotlight - US$2,000 up front, plus the cost of compulsory training
  • UFED - There is a whole range of options/versions available

'Disk Image'

Once you have your disk image of the iPhone you will need analysis tools that are capable of connecting to and analysing a mounted iOS image. In your case you're likely to find that some of the open source community tools are powerful enough for a search and retrieval investigation. Here is a list of some of these tools for you to research:

  • Scalpel
  • DD
  • Find
  • Strings

iTunes backups

In terms of whether iTunes will perform a full bit-by-bit backup, the answer is no. Even selecting the "Encrypt local backup" option will not result in a full backup, although it will capture account passwords, Health data, HomeKit data and various other additional files not usually included in the backup.