The Future of Mobile Forensics: November 2015 Follow-up

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that used to be state-of-the art back then. Weeks later, some things have changed already. Three months after the publication a lot of things have changed. Our publication was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies in our article. In this follow-up, we will use up-to-date information to address the issues of concern in the original article.

iOS 8.4 Forensics

Little changed in iOS 8.x forensics since publishing our original article. Some advances have been made though. iOS 8.4 was successfully jailbroken by the TaiG team (, and physical acquisition is once again available for jailbroken 32-bit iOS devices (e.g. with Elcomsoft iOS Forensic Toolkit). However, 64-bit Apple hardware (including iPad mini Retina, iPhone 5s and all newer models) successfully resists physical acquisition attempts. Full-disk encryption still rules out chip-off, and there were never JTAG ports in Apple hardware. Unallocated space is still not recoverable as iOS does not keep decryption keys for unallocated areas.

One of our readers drew our attention to an acquisition method often referred as “Advanced Logical”. Besides physical acquisition, this was the only method allowing to extract mail. As far as we know, Apple shut the door to advanced logical acquisition in iOS 8.3, so only older devices remain susceptible to this method. Since Apple does not publish detailed iOS version breakdown (counting iOS 8 in general without giving any insight on how many users switched to the latest release), we do not know what percentage of devices running iOS 8 is still susceptible to advanced logical acquisition.

Apple constantly tweaks iCloud security, making adjustments to lifespan of binary authentication tokens that can be used by experts instead of the user’s login and password (and bypassing two-factor authentication).

iOS 9 Forensics

The latest version of iOS is a hot topic in the world of mobile forensics. With as many as 61% of eligible iOS devices running the latest version of the OS by the 19th of October 2015, iOS 9 is a major concern to forensic crowd.

Please register to access full versions of Belkasoft articles

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research