In this chapter, we'll review some typical scenarios that call for different approaches and tools when handling mobile acquisition.
I have a ton of iPhones in my lab. Only get to spend about 40 minutes on each. What can you get me in 40 minutes?
This is a typical question coming from a police officer working in a busy environment. What can be done on these iPhones in such a restricted timeframe?
It depends on what's available. If all you have is a working but locked iPhone, and the passcode is not known, the only chance of extracting anything off the phone is to attempt physical acquisition. If the phone falls within the compatibility matrix, you can follow these steps to extract information out of the device. With its characteristic-guaranteed timeframe, physical acquisition is the only way to obtain information out of a locked device.
If you know the user's Apple ID and password, you can use Elcomsoft Phone Breaker to perform a selective download of essential...