Digital Forensics Los Angeles
Preserve, Recover, and Analyze Digital Evidence
Grizzly Digital Data performs onsite, remote, and offsite digital forensic collections. We harvest data from mobile devices, desktops, laptops, external hard drives, flash drives, and cloud accounts. Based in Los Angeles, we serve the greater Los Angeles/OC area.
Our expert technicians collect evidence for criminal cases, civil actions, and internal business processes.
Mac Forensics including T2 Chip Acquisitions
Our extraction method bypasses Apple’s implementation of the secure boot process. Collect full physical images of Macs containing Apple’s T2 Security Chip.
Our technicians are familiar with acquiring T2-chipped Macs and imaging devices with FileVault encryption. Data recovery from APFS Fusion Drives is now supported.
Full File System Extractions on iPhone 5s - X
Our research was referenced in the Cellebrite Blog
Cellebrite’s Checkm8 exploit now allows examiners to obtain Full File System extractions on iPhone 5s through iPhone X.
Since the phone’s processor is needed to decrypt data, keeping the processor available after seizure is important for maximum effectiveness of the Checkm8 method. When the decryption keys are still present in RAM, we can exploit the phone and access decrypted data. If the phone has been turned off or the battery has died, the phone is in a cold state, and only unencrypted data within the file system is available.
Live - After First Unlock (AFU) “Hot”
• The phone has been kept on since it was unlocked (not powered off)
• Encryption keys are still in RAM
Restart - Before First Unlock (BFU) “Cold”
• The phone has been turned off, the battery has died, or the phone has been stored
• iOS provides some data
Forensic Extractions with Court-Approved Software
Collect Email & Cloud Data Remotely
Questions?
(310) 303-8226