iPhone 15 (iOS 17) - Agent-based FFS and Snapchat cache recovery England

Hi all,
I’m trying to understand the current forensic capabilities for a modern iPhone.
Scenario:
iPhone 15
iOS 17
Device unlocked with the correct passcode available
Would you generally expect an agent-based full file system (FFS) extraction to be performed on this type of device, assuming the lab has current Cellebrite/Magnet capability?
If an FFS was obtained, what Snapchat artefacts would you realistically expect to recover?
Message content?
Cached images/videos?
SQLite databases?
Metadata only?

interested in the technical forensic capability and what practitioners are seeing with modern iPhones.
Thanks.

reddit.com
u/No-Substance953 — 7 days ago

Capabilities of cellibrite and magnet axiom on third party app recovery of iphone 15 onwards in England

I am carrying out a research project on a case study for my degree on the following information I’m trying to understand the current capabilities and limitations of Cellebrite UFED/Premium and Magnet AXIOM when examining an iPhone 15 (iOS 17/18) in England.
Specifically, I’m interested in what investigators can realistically recover from a passcode-unlocked device during a standard police forensic examination.
Some questions I have:
Can deleted Snapchat chats or disappearing messages be recovered, or is only metadata (timestamps, contacts, etc.) typically available?
What Instagram data is usually recoverable (deleted messages, media, notifications, cached data)?
How much app cache remains available on modern iPhones compared with older devices?
What is normally obtainable from iCloud versus the physical handset?
Are there significant differences between what Cellebrite and Magnet AXIOM can extract on iPhone 15 models?
Are there any recent white papers, webinars, or real-world forensic experiences covering iPhone 15/iOS 17–18?
I’m looking for technically accurate information from digital forensic practitioners rather than speculation. Any insight or links to current documentation would be greatly appreciated.

reddit.com
u/No-Substance953 — 10 days ago
▲ 0 r/Smartphoneforensics+2 crossposts

Forensic download of iPhone 15 with passcode — deleted ephemeral app data from Snapchat, Instagram and WhatsApp

Hi everyone,

I am conducting a case study for University and have been given and assignment to complete on the following. I have read through case studies, whitepapers and forensic blogs so I do have a good understanding of up to date protocol's and outcomes but I thought I would open this up to public experiences and knowledge.

I’m trying to understand what can realistically be recovered from a modern iPhone during a forensic download when the passcode is known/provided.

The device is an iPhone 15 and investigators would have lawful access to the phone and passcode. I’m particularly interested in how tools such as Cellebrite, Magnet AXIOM, GrayKey, etc., deal with third-party app data and ephemeral/deleted content.

The apps I’m mainly thinking about are:

  • Snapchat
  • Instagram
  • WhatsApp

My questions are:

  1. If messages/images/videos were sent through apps like Snapchat or Instagram and later deleted, or were set to disappear/ephemeral, what is usually recoverable from the handset itself?
  2. With a known passcode on a modern iPhone, is a full file system extraction normally possible, or are there still major limits because of iOS encryption, app sandboxing, and deleted database records?
  3. For Snapchat specifically, if chats were not saved and were set to delete after viewing or after 24 hours, would forensic tools usually recover the actual message/image/video content weeks later, or mainly metadata/cache artefacts?
  4. What sort of artefacts might remain from these apps? For example:
    • timestamps
    • usernames/user IDs
    • conversation lists
    • message status metadata
    • thumbnails/cache files
    • notification previews
    • call logs
    • database remnants
    • media cache
  5. How reliable is recovery of deleted SQLite records from apps like Snapchat, Instagram and WhatsApp on newer iPhones?
  6. If the phone has continued being used after deletion, does that make recovery of ephemeral/deleted app content much less likely due to database cleanup, cache clearing, overwriting, or encryption key destruction?
  7. Are WhatsApp messages different because they are stored in local databases and backups, compared with Snapchat/Instagram where much more data may be server-side or ephemeral?

I’m not looking for legal advice or advice on bypassing anything. I’m just trying to understand, from a digital forensics perspective, what the realistic limits are when examining a modern iPhone with the passcode available, especially where the target data comes from disappearing-message apps.

Any insight from people who work with mobile forensics would be appreciated.
Thanks.

reddit.com
u/No-Substance953 — 17 days ago

Enhanced DBS - Will an employer be told if information has been disclosed? England

Hi all,
I’m currently going through an Enhanced DBS check for a role working with adults.
The employer is using an online DBS portal (EmploymentCheck / DBS Services Online) to track the application. At the moment it just shows status updates such as “Receipt Received” and application progress.
My question is:
If information is disclosed on the Enhanced DBS certificate (for example local police information or “other relevant information”), will the employer automatically be told through the portal that something has been disclosed?
Or do they simply get notified that the DBS has been completed and then need to see the physical certificate before knowing whether anything is on it?
I’m trying to understand the process rather than the content of any disclosure. Specifically:
Can employers see whether a certificate is clear or not through their online portal?
Do employers receive a notification saying a certificate contains information?
Or is the certificate only sent to the applicant, with the employer finding out only when they review it?
I’m interested in hearing from anyone who works in HR, recruitment, safeguarding, or who has experience with EmploymentCheck/Cantium DBS systems.
Thanks.

reddit.com
u/No-Substance953 — 25 days ago