Paraben’s iRecovery Stick Review
Paraben's iRecovery Stick is a USB flash drive designed to recover deleted data from Apple iOS devices like the iPhone, iPad and iPod touch. The product allows investigators to recover data either directly from the device or from iTunes back-up files. It is designed to support all iOS versions ranging from 1.x to 6.x and it works with iPhone 3GS, 4, 4S, 5 & other iOS devices. The iRecovery stick will not only recover the deleted data, it will also download all the contents of the device. The article explains the usage of the iRecovery Stick and covers its pros and cons.
iRecovery stick features
Learn Digital Forensics
- Downloads phone contents – downloads all user data like photos, contacts, calendar, etc.
- Recovers deleted data – recovers deleted text messages, contacts, call history, etc.
- Easy to use – simply connect the iPhone and the iRecovery stick to the computer, and then click the start button in the recovery software.
- Portable – It is an easy to carry USB thumb device.
-
Inconspicuous – It resembles a commonly used USB thumb drive, so it can be used as a spy device and no one would suspect that the device is used to recover data from the iPhone.
-
Works on backup files – recovers data from iTunes backup files.
Setup
The iRecovery Stick shipment box contains the iRecovery Stick and a USB cable that is compatible with the iPhone 3GS, 4 & 4S.The iRecovery Stick is compatible with Windows XP and 7, and provides an easy-to-use user interface. The iRecovery Stick does not support vmware/virtualbox environment and Linux &Mac OS X operating systems. Also, it is mandatory to turn off the antivirus software running on the Windows OS for better data recovery. The iRecovery Stick is a portable and simple-to-use USB flash drive which contains the recovery software iRecoveryStick.exe. Recovery software included in the iRecovery Stick can be installed on to the hard drive or it can be executed directly from the USB drive. The image below displays the contents of the iRecovery Stick USB drive.
[caption id="" align="alignnone" width="601"]
Click to view larger image[/caption]
Installation of the iRecovery software is well documented in the iRecovery Getting Started manual located in the USB flash drive.
Data Acquisition and Recovery from the device
The iRecovery Stick is very simple to use. Simply connect the iPhone to a Windows-based computer with the USB cable and then connect the iRecovery stick to the same computer through a USB port. Once the two devices are connected, run the iRecoveryStick.exe program. The Welcome screen of the iRecovery stick software is shown in the image below:
[caption id="" align="alignnone" width="604"]
Click to view larger image[/caption]
Once open, click on the Start Recovery button (highlighted in the above image). Then the recovery software prompts to choose connected device as shown in the image below.
[caption id="" align="alignnone" width="602"]
Click to view larger image[/caption]
Click on the device to start the recovery process (shown in the image below). The data recovery process will take several minutes to a few hours to complete based on the size of the iPhone disk. During a test on an Intel i5 2nd generation processor laptop, it took 14 minutes to recover 256MB data from the iPhone 4.
[caption id="" align="alignnone" width="602"]
Click to view larger image[/caption]
The recovery process acquires existing data and recovers deleted data from the iPhone, but the majority of the data will be the normal user's data which has never been deleted. Once the recovery process is completed, then it immediately displays all the data recovered from the iPhone (shown in the image below). The recovery process downloads the existing contents of the phone such as contacts, call history, text messages, calendars, notes, pictures, multimedia and all other data like Safari history, Safari bookmarks, GPS history and application cookies. It also recovers different types of deleted data including text messages, contacts, call history, and calendar entries. The iRecovery Stick is not capable of carving the file system, so it can only recover the deleted data from the Sqlite database files and does not recover the deleted files from the file system, i.e. it does not recover deleted photos.
[caption id="" align="alignnone" width="608"]
Click to view larger image[/caption]
The user interface also provides an option to generate an easily readable report or to export the recovered data to Excel sheets. During a test, the export to Excel option took more time than the actual recovery process.
[caption id="" align="alignnone" width="601"]
Click to view larger image[/caption]
The iRecovery Stick does not have the capability to bypass the iPhone passcode. So if the device is protected with a passcode, unlock it before connecting it to the computer for recovery.
Data Acquisition and Recovery from the backup
The iRecovery Stick can also recover data from the iTunes backups. In general, the iTunes backup contains a copy of everything on the device like contacts, SMS, photos, calendar, music, call history, notes, network settings, Safari bookmarks, cookies and application data, etc., so the iRecovery stick recovers the same types of data that it can recover from the iPhone itself. To recover data from the backups, run iRecoveryStick.exe and load the iTunes backup files created in Windows. The Welcome screen of the iRecovery Stick software is shown in the image below.
[caption id="" align="alignnone" width="604"]
Click to view larger image[/caption]
Click on Start Import from iTunes Backup button (highlighted in the above image). Then the recovery software prompts you to choose the specific iOS version as shown in the image below.
[caption id="" align="alignnone" width="602"]
Click to view larger image[/caption]
Clicking on the specific iOS version prompts the user to open the existing iTunes backup as shown in the image below. In general, iTunes backup gets stored in these locations:
Windows XP - C:Documents and Settings[user name]Application DataApple ComputerMobileSyncBackup
Windows 7 - C:Users[user name]AppDataRoamingApple ComputerMobileSyncBackup
Once the backup is selected, the recovery process starts. The data recovery process will take several minutes to a few hours to complete based on the size of the backup files. During a test on an Intel i5 2nd generation processor laptop, it took 15 minutes to recover 300MB data from the iTunes backup.
Once the recovery process is completed, it immediately displays all the data recovered from the backup files. The recovery process extracts the existing contents from the backup such as contacts, call history, text messages, pictures, multimedia and all other user data like internet browsing history & application cookies. It also recovers different types of deleted data from the backup including text messages, contacts, call history, calendar entries and notes.
The iRecovery stick can only recover data from the iTunes normal backups and it does not work with the iTunes encrypted backups.
What Data is Recovered
Once the recovery process is completed, the iRecoveryStick displays the recovered data in an easy-to-read format as shown in the image below:
[caption id="" align="alignnone" width="604"]
Click to view larger image[/caption]
The recovery process recovers these existing data from the device/backup:
- Messages - sent/received SMS messages including the exact date and time.
- Contacts - phonebook data with creation and modification dates.
- Call history - call logs including the exact duration time.
- Graphics – photos and thumbnail images.
- Organizer – calendar and notes.
- Multimedia – mp3 files and recorded videos.
- Internet data – Safari history, Safari bookmarks, Safari suspend state, Safari cookies, email accounts, YouTube bookmarks and application cookies.
- Tracking history – geographical locations. It contains longitude and latitude coordinates along with a timestamp and is displayed in the Google Earth viewer.
- Other data – this data includes Maps history, Maps bookmarks, Maps directions and other properties.
The recovery process recovers these deleted data from the device/backup:
-
Recovered data
- Contacts
- SMS
- iMessages
- Notes
- Call history
- Calendar data
- Internet data
- Tracking history
The iRecovery stick does not recover data from the iOS keychain file. Also, it does not recover deleted files and photos.
Learn Digital Forensics
Conclusion:
Paraben's iRecovery stick is a simple to use tool for data recovery for iOS devices. It recovers most of the data from the device; however, it does not recover deleted files from the file system. Due to this limitation, it may not be a great tool for forensic investigators. However this is the perfect device for employees, parents, spouses, boyfriends and girlfriends who want to spy or recover deleted SMS, contacts, call history and web history from iOS devices.
Learn Digital Forensics
Build your digital forensics skills with hands-on training in Infosec Skills. What you'll learn- Forensics concepts
- Computer forensics
- Mobile forensics
- Network forensics
- And more
In this Series
- Paraben’s iRecovery Stick Review
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics