As you may recall, the most common acquisition for modern iOS devices is a logical type. Here is how you would acquire an iOS device with Magnet AXIOM:
- Start by creating a new case:
Creating a new case
- Since we are dealing with an iOS device, we will choose the MOBILE option:
Selecting the evidence source
- There are a number of options to choose from, but in our case, the iOS option is the right one:
Selecting the evidence source
- There are three options for acquiring evidence – we can choose an already acquired image (for example, a iTunes backup or a filesystem image acquired by a third-party tool), extract data from the device, or use GrayKey for acquisition. Let's choose the second option:
Choosing to acquire evidence
- Our device is recognized and ready to be imaged. If you don't see your device, use the UNKNOWN option:
Selecting the device
- There are two types of extraction – Quick and Full. The Full option will only be available if the device you want to acquire is jailbroken. In our case, it's not:
Choosing the image type
- You will be prompted to enter the password for the backup. As you may recall, this way, you can get more data, so it's highly recommended:
Encrypting the backup
- Before acquisition and processing are started, you can, for example, choose keywords of interest, use Magnet.AI to categorize chats, or configure Dynamic App Finder:
Processing details
Dynamic App Finder is a Magnet IEF and AXIOM feature that's capable of finding potential mobile chat app databases located in images. You can read more about this feature at: https://www.magnetforensics.com/mobile-forensics/using-dynamic-app-finder-to-recover-more-mobile-artifacts/.
- You can customize MOBILE ARTIFACTS from here. For example, if you are only interested in chats artifacts, it's better to choose only these types of artifacts as they will shorten the processing time:
Selecting mobile artifacts
- The ANALYZE EVIDENCE button will start the acquisition and analysis process:
Imaging the evidence source
- There are two windows for Magnet AXIOM – Process and Examine. The first can be used to monitor the process of acquiring and processing the evidence source, while the second can be used to analyze the extracted and parsed data. As we mentioned previously, you can start the analysis before the processing phase has ended. All you need to do is click on LOAD NEW RESULTS in Magnet Examine:
Loading new results
- Once the processing stage is over, you can find the parsed data in the MOBILE section of Magnet Examine:
The MOBILE section
But, of course, it won't include everything; there are other valuable sections that you can find evidence that has been extracted from the iOS device, such as CHAT, MEDIA, and DOCUMENTS.