Universal Forensic Apple Device Extractor
This is a python script written for my masters thesis in IT-Security and Forensics at the Wismar University.
It utilizes the awesome projects: pymobiledevice3 and iOSbackup to automate the acquisition of Apple mobile devices. Options can be selected via a dialog. The SSH access is realized via Paramiko.
The interface is based on CustomTkinter. You can also load the Windows version from the release page.
Requires Python == 3.11.
More features may follow.
UFADE has been selected as a finalist for the Sans Difference Makers Award 2024 in the category “Innovation of the Year (Open-Source or Product Tool)”.
Clone the repo:
git clone https://github.com/prosch88/UFADE
To use the developer features you need to mount a DeveloperDisk image on the device. A submodule with images can be loaded while cloning:
git clone https://github.com/prosch88/UFADE --recurse-submodules
Install dependencies:
Arch / Manjaro:
sudo pacman -S tk
Debian / Ubuntu:
sudo apt-get install python3-tk libasound2-dev
CentOS / Red Hat:
sudo yum install tkinter
MacOS:
brew install [email protected] [email protected]
Install the requirements:
pip install -r requirements.txt
Windows:
install Apple-Devices
Highly recommended: Disable the Maximum Path Length Limitation
Connect an Apple device (iPhone, iPad) to your workstation, unlock and pair the device. Start the script:
python ufade_gui.py
Possibly the trust-message is shown on the device screen. Confirm with "trust". Now you should see the device information screen and will be prompted to choose a working directory. By default, the script is setting this to the directory from which it has been called.
In the main menu you have the options:
Save device information to text
Save device information and a list of user-installed apps to a textfile.
Backup Options
including:
Logical (iTunes-Style) Backup
Perform a backup as iTunes would do (with an option to bruteforce an unknown backup-password)
Logical+ Backup
Perform and decrypt an iTunes backup, gather AFC-media files, shared App folders and crash reports. Creates a TAR-archive.
Logical+ Backup (UFED-Style)
Creates an "advanced Logical Backup" as ZIP-archive with an UFD file to load in the Cellebrite Physical Analyzer©
PRFS Backup
Perform and decrypt an iTunes backup, gather AFC-media files, shared App folders and crash reports. Creates a TAR-archive structured like the filesystem on the device.
Filesystem Backup (jailbroken)
Creates a full filesystem backup from an already jailbroken device.
Collect Unified Logs
Collects the AUL from the device and saves them as a logarchive.
Developer Options
Try to mount a suitable DeveloperDiskImage. Gives further options for screenshots and filesystem views.
Advanced Options
Gives options like network-sniffing and various Logging functions .
Like this tool?
This script utilizes the following projects:
CustomTkinter by TomSchimansky