One of the most common questions I get asked at presentations and conferences is: “During a search and seizure we found a wiped iPhone. What can we do next?“
First and foremost: you cannot recover data stored on the device before the wipe occurred.
The encryption keys you need to decrypt the data are gone forever.
Full stop 🙂
If you are aware of any method, technique, tool or magic box that can do that, please let me know 🙂
You have three options to recover data:
- Data stored on computer(s) (Windows or Mac)
  - On Windows you can search for:
    - Lockdown certificates
      - C:\ProgramData\Apple\Lockdown
    - iOS Backups
      - C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup
      - C:\Users\<username>\Apple\MobileSync\Backup
    - Synced CrashLogs
      - C:\Users\<username>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice
    - MediaStream
      - C:\Users\<username>\AppData\Roaming\Apple Computer\MediaStream
    - iPodDevices.xml
      - C:\Users\<username>\AppData\Local\Apple Computer\iTunes\iPodDevices.xml
- Data stored on iCloud
  - iCloud backup
  - Synced data (e.g. Contacts, Photos, Messages, and so on)
  - Keychain
- Data stored on synced devices:
  - iPad
  - Apple Watch
  - Apple TV
  - Apple HomePod
  - “Apple Watch Forensics: Is It Ever Possible, And What Is The Profit?” at DFRWS EU 2019
  - “Apple Watch Forensic Analysis” on Elcomsoft Blog
  - “Forensicating the Apple TV” at DFRWS EU 2018
  - “Apple TV Forensic Analysis” on Elcomsoft Blog
  - “A journey into IoT Forensics – Episode 5 – Analysis of the Apple HomePod and the Apple Home Kit Environment” on our Blog
  - “Forensic Analysis of Apple HomePod & Apple HomeKit Environment” at the SANS DFIR Summit 2020
- Is there any general method that I can use to extract some data from an iOS device in a reset state (“Hello” screen), before setting it up?
- Which kind of information can I recover?
  - Product Type
  - Sales Model
  - Model Number
  - IMEI
  - Serial Number
  - ECID
  - iOS Version
  - CPU
  - Charge Times
  - Battery Life
  - Bluetooth Address
  - Wi-Fi Address
  - Cellular Address
  - Disk size
  - Disk Usage information
- logs\MobileInstallation\mobile_installation.log.0 (or mobile_installation.log.1): specifically search for the string “Did not find last build info; we must be upgrading from pre-8.0 or this is an erase install.“. The associated timestamp, in Pacific Time (Cupertino), corresponds to the time of wiping.
- logs\MobileLockdown\lockdown.log: specifically search for the string “_load_dict: Failed to load /private/var/root/Library/Lockdown/data_ark.plist.“. The associated timestamp, in Pacific Time (Cupertino), corresponds to the time of wiping.
- logs\MobileContainerManager\containermanagerd.log.0: specifically search for the string “containermanagerd performing first boot initialization“. The associated timestamp, in Pacific Time (Cupertino), corresponds to the time of wiping.
- logs\powerlogs\powerlog_YYY-MM-HH_MM_SS_XXXXXXXX.PLSQL: it has the internal structure of a PowerLog file (just rename it to CurrentPowerLog.PLSQL). It contains, for example, the battery level over time, from which you can determine whether and when the device was on charge.
- WiFi\wifi_scan_cache.txt: contains the Wi-Fi networks “seen” by the device, including SSID and BSSID.
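The three log markers above each carry a Pacific-time timestamp for the wipe, so a practitioner will normally want to locate all three, convert them to UTC, and check that the sources agree before putting the time in a report. The script below is an added example, not code from the post or from any Apple tool; the marker strings and file names are the ones quoted above, while the log line layout (`Tue May 12 08:15:42 2020  [pid] <Level>: message`), the sample lines and the 5-minute agreement tolerance are assumptions for the walkthrough and should be adjusted to the sysdiagnose at hand.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Marker strings quoted in the post, keyed by the sysdiagnose file they live in
# (paths written with backslashes as in the post).
WIPE_MARKERS = {
    r"logs\MobileInstallation\mobile_installation.log.0":
        "Did not find last build info; we must be upgrading from pre-8.0 or this is an erase install.",
    r"logs\MobileLockdown\lockdown.log":
        "_load_dict: Failed to load /private/var/root/Library/Lockdown/data_ark.plist.",
    r"logs\MobileContainerManager\containermanagerd.log.0":
        "containermanagerd performing first boot initialization",
}

# Assumed line layout (an assumption, not documented on the page):
#   "Tue May 12 08:15:42 2020  [pid] <Level>: message"
# Adjust TS_RE / TS_FMT if the sysdiagnose you are working on differs.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Fixed-offset stand-in for Pacific Daylight Time, used for the May 2020 sample
# so the example does not depend on the system tz database.
PDT_FIXED = timezone(timedelta(hours=-7))


def find_marker_utc(lines, marker, log_tz):
    """Return the UTC time of the first line containing `marker`, or None.

    The post states the log timestamps are in Pacific time (Cupertino);
    `log_tz` is the tzinfo used to interpret them before converting to UTC.
    """
    for line in lines:
        if marker not in line:
            continue
        m = TS_RE.match(line)
        if not m:
            continue  # marker present but no parseable timestamp; keep looking
        naive = datetime.strptime(m.group("ts"), TS_FMT)
        return naive.replace(tzinfo=log_tz).astimezone(timezone.utc)
    return None


def wipe_times(sysdiagnose, log_tz=None):
    """sysdiagnose: {relative_path: [log lines]} -> {relative_path: UTC datetime} per hit."""
    log_tz = log_tz or ZoneInfo("America/Los_Angeles")  # DST-aware; needs tzdata
    hits = {}
    for path, marker in WIPE_MARKERS.items():
        ts = find_marker_utc(sysdiagnose.get(path, []), marker, log_tz)
        if ts is not None:
            hits[path] = ts
    return hits


def consistent(hits, tolerance_s=300):
    """True when at least two sources agree on the wipe time within `tolerance_s`."""
    if len(hits) < 2:
        return False
    ordered = sorted(hits.values())
    return (ordered[-1] - ordered[0]).total_seconds() <= tolerance_s


# Constructed sample lines for the walkthrough; not taken from a real device.
SAMPLE = {
    r"logs\MobileInstallation\mobile_installation.log.0": [
        "Tue May 12 08:15:40 2020  [53] <Notice>: installd starting",
        "Tue May 12 08:15:42 2020  [53] <Notice>: Did not find last build info; "
        "we must be upgrading from pre-8.0 or this is an erase install.",
    ],
    r"logs\MobileLockdown\lockdown.log": [
        "Tue May 12 08:15:45 2020  [41] <Error>: _load_dict: Failed to load "
        "/private/var/root/Library/Lockdown/data_ark.plist.",
    ],
    r"logs\MobileContainerManager\containermanagerd.log.0": [
        "Tue May 12 08:15:47 2020  [37] <Notice>: containermanagerd performing first boot initialization",
    ],
}

if __name__ == "__main__":
    hits = wipe_times(SAMPLE, log_tz=PDT_FIXED)
    for path, ts in hits.items():
        print(f"{path}: {ts.isoformat()}")
    print("sources agree:", consistent(hits))
```

On a real sysdiagnose, read each file under `WIPE_MARKERS` into a list of lines and pass the dictionary to `wipe_times` without `log_tz`, so the `America/Los_Angeles` zone handles daylight saving for the date in question; a disagreement between the three sources is worth noting in the report rather than silently taking the earliest value.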
In conclusion, you cannot recover user data, but you can at least establish precisely when the device was wiped and what happened on it between the wipe and the moment you generate the sysdiagnose. If you are lucky, you may also find SSIDs and BSSIDs in the Wi-Fi scan cache.