±Forensic Focus Partners
New Today: 0
New Yesterday: 6
±Follow Forensic Focus
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
· The Future of Mobile Forensics
· TSFIC 2015 – Recap
· Evidence Acquisition and Analysis from Live Exchange
· TDFCon 2015 – Recap
· Acquiring Windows PCs
· Evidence Acquisition and Analysis from iCloud
· TSFIC 2015 – Myrtle Beach 31st May – 3rd June
iPhone 4 + iOS 6
Subforums: Mobile Telephone Case Law
Firstly, let me say hi, and thanks for having me on this forum.
Secondly, a bit of background information. A colleague of mine has had her kids update her phone to iOS 6. Subsequently all the photos of her kids have gone. Her partner tried to restore from backup and used Dr Fone from wondershare to try recover her photos, however this did not work.
The phone does not have a pin and also, unfortunately she does not have any backups.
So, I have a little experience with PhotoRec & dd etc so offered to see if I could recover the photos (well, the ones that haven't been overwritten anyway). I have recovered information for some other colleagues (and my own) laptops and external hard drives after failures and accidental formats.
Thus far, I have successfully jailbroken and established an SSH connection to the phone and from the phone to my Linux box
However when I try to dd the drives 2nd partition, I get dd: opening `/dev/disk0s1s2': Resource busy.
Also, I have tried to un-mount the drive so that I can dd it and as soon as I have unmounted it the phones screen starts wheeling until my SSH session closes and the phone restarts.
Finally, my question, is there anyone here who would be able to point me in the right direction? Or even better tell me how I can successfully un-mount the drive/load into a hacked dfu mode to allow me to dd the drive without the resource busy error?. Any help would be appreciated! Essentially I would like to parse over the disk with photorec and recover what I can or confidently tell her that her photos are long-gone (although this is looking more and more likely).
Thanks & Regards
When I updated an iPhone 4 to iOS6 and also iPhone 5 to iOS6 the devices ended up being wiped clean, new OS installed and then my data was restored from the previous backups. This sounds like it may be what happened to her device.
The issue here is that if the device reinstalled a new OS rather than updating the previous there is a good chance that the encryption keys for the old OS were dumped during the process and new ones generated upon installation of the updated OS.
If this is the case, unfortunately that means that you will not have any luck recovering any of the data which has been lost.
- Senior Member
May they have at some point charged their phone in another persons laptop or tower to charge? If so there computer may have made a backup without them even realsing
- Senior Member