Apple iPhone 7 Quick Acquisition with Magnet AXIOM
Summary
TLDRIn this video, Jamie from Magnet Forensics demonstrates the process of acquiring data from an iPhone 7 using Magnet AXIOM. The tutorial covers setting up a case, connecting the unlocked iPhone to a computer, and initiating an acquisition. Jamie explains the importance of checking for privileged access and the limitations of acquiring data from non-jailbroken iOS devices. The video highlights the option to create an encrypted backup for extracting additional evidence like the iOS keychain and concludes with the start of the acquisition and processing.
Takeaways
- ๐ฑ The video demonstrates how to use Magnet Axiom for forensic analysis on an iPhone 7.
- ๐ The iPhone 7 is unlocked and trusted to the computer before starting the acquisition process.
- ๐พ The presenter emphasizes the importance of case details and organizes evidence in different folders for efficiency.
- ๐ฑ The iPhone model is identified as A1778 running iOS 11, which is not jailbroken.
- ๐ซ Due to the device not being jailbroken, full filesystem acquisition is not possible.
- ๐ The presenter discusses the implications of privileged access and the limitations it poses on data acquisition.
- ๐ The option to create an encrypted or unencrypted iTunes backup is presented, with encrypted backups providing additional data like iOS keychain.
- ๐ The presenter sets a password for the encrypted backup, which Magnet Axiom will remember for processing.
- ๐ฑ The video mentions that iOS 11 or later allows disabling the requirement for an iTunes backup password.
- ๐ The presenter configures processing details, including keywords, hashes, and artifacts, and initiates the analysis of evidence.
- ๐ The acquisition process begins with a backup of the iPhone, which will be automatically processed once completed.
Q & A
What is the main topic of the video?
-The main topic of the video is demonstrating the process of acquiring data from an iPhone 7 using Magnet AXIOM, a digital forensics tool.
Why is it important to have the iPhone unlocked and trusted to the computer before starting the acquisition?
-Having the iPhone unlocked and trusted to the computer is important because it allows Magnet AXIOM to establish a connection and access the device for data acquisition without any barriers.
What does the term 'privileged access' mean in the context of the video?
-In the context of the video, 'privileged access' refers to the ability to access data on the iPhone that is typically restricted, such as the iOS keychain. It indicates that the device is not jailbroken, which is a common scenario in most investigations.
Why is it beneficial to store case data and acquired evidence on different drives?
-Storing case data and acquired evidence on different drives is beneficial because it can make processing and acquisitions faster by preventing the drives from working harder and potentially slowing down the overall process.
What is the difference between an encrypted and unencrypted backup in the context of iOS device acquisition?
-An encrypted backup includes the iOS keychain, which provides additional user passwords and tokens that can be used for further investigation. An unencrypted backup does not include this information and is easier to use but may not provide as much evidence.
What is the significance of the iOS version (11) mentioned in the video?
-The iOS version 11 is significant because it allows for disabling the backup password requirement, which is a feature not available in iOS versions 9 and 10. This can impact the type of data that can be acquired during the forensic process.
Why might an investigator choose to create an encrypted backup during the acquisition process?
-An investigator might choose to create an encrypted backup to obtain the iOS keychain, which includes sensitive data like user passwords and tokens that can be crucial for further investigation.
What is the purpose of the 'analyze evidence' step in the acquisition process?
-The 'analyze evidence' step is where Magnet AXIOM connects to the device, initiates a backup, and begins processing the data. This step is crucial for extracting and analyzing the acquired data for the investigation.
What does the video suggest about the typical limitations when acquiring data from iOS devices?
-The video suggests that the typical limitation when acquiring data from iOS devices is that investigators are often limited to getting an iTunes backup, which may not include all the data present on the device, especially if the device is not jailbroken.
How does the video demonstrate the process of setting up a case in Magnet AXIOM?
-The video demonstrates setting up a case in Magnet AXIOM by showing the creation of a case name, selecting the type of device (iOS), choosing the 'acquire evidence' option, and then proceeding to configure the acquisition settings.
Outlines
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowMindmap
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowKeywords
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowHighlights
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowTranscripts
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowBrowse More Related Video
Getting Started with Magnet AXIOM - File System and Registry
Getting Started with Magnet AXIOM Examine - Search and Filters
Getting into a pass code protected iPhone using checkm8 and Cellebrite
Performing a basic extraction with XRY
Kuliah Lapangan Geofisika 2020 - Metode Geolistrik
[Linux] Android Acquisition using ADB, root, netcat and DD
5.0 / 5 (0 votes)