#11 – When Things Go Awry

Scenario: A user connects an iPhone to a Windows 7 computer. The computer prompts the user with options of how to view the contents, sync contents, etc. The user chooses to view the files, browses to the DCIM folder, and begins to copy the photos to the computer. A few minutes into the file copy, iTunes opens on the computer and interrupts the connection to begin creating a backup. The user stops the iTunes backup, closes iTunes, and ejects the iPhone. The user unplugs the iPhone from the computer and plugs it back in to restart the DCIM file copy. Oddly, there are no photos to copy. On the iPhone, the Photos folder is empty, and there are no Recently Deleted photos. Add to this, iCloud Photo Sharing and iCloud Sync are disabled, and Photo Stream is turned off. What would you do to recover the photos?

This is what I tried when presented with this problem.

  1. Create a forensic image of the iPhone. I used Cellebrite Physical Analyzer, Method 1 and Method 2, to capture the contents. Jailbreaking the iPhone was not an option due to MDM settings (and I wasn’t going to risk losing everything).
  2. Carve for images. I again used Cellebrite Physical Analyzer for this. This method located 595 images, with all but two recovered images being junk portions of possible images. The two recovered images were application thumbnails and not the missing photos.
  3. Create a forensic image of the memory on the Windows 7 computer. I used FTK Imager for this because it was already installed on the machine. It made a copy of the pagefile.sys and created a memdump.mem file. I analyzed both of these with X-Ways — still no missing photos.
  4. Create a forensic image of the hard drive from the Windows 7 computer. I used a Logicube Falcon for the image creation, decrypted the image with EnCase, then analyzed the image in X-Ways. After carving for photos, no such luck.

What else would you have tried?