
Is it possible to know if an iPhone has been ever jailbroken

20 Posts
11 Users
0 Likes
3,467 Views
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I have an iPhone's Advanced Logical Extraction using UFED and I want to know if it was ever jailbroken.

I'm looking for the "fstab" file in order to check its properties, but I cannot find it. What could I do?

Thanks and regards!

 
Posted : 04/01/2017 12:24 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
 

The fstab file is in the system partition under
/private/etc/fstab

The offsets you are looking for are 19-20 - not the "properties" of the file as you mentioned.

Not sure if they will tell you if the phone was *EVER* jailbroken but will tell you if the phone is currently jailbroken or not.

-=Art=-

 
Posted : 04/01/2017 1:12 am
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

But the only way to remove a jailbreak is to restore the iOS device. This would remove all evidence of a previous jailbreak. So no, it is not possible to tell if an iPhone has been jailbroken before.

 
Posted : 09/01/2017 12:48 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

But the only way to remove a jailbreak is to restore the iOS device. This would remove all evidence of a previous jailbreak. So no, it is not possible to tell if an iPhone has been jailbroken before.

Are you sure of that?

 
Posted : 14/01/2017 3:46 am
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

Pretty sure. If you search on Google for how to remove a jailbreak, the instructions will always tell you to restore the device.

You can apparently try to hide a jailbreak by deleting the Cydia app, but the jailbreak itself is a non-reversible process. During the jailbreak the iOS system itself is modified and there's no known method to undo these modifications other than restoring.

 
Posted : 15/01/2017 12:04 am
(@jeremyd)
Posts: 1
New Member
 

In my testing, there were some artifacts left over after an unjailbreak event (iOS update or restore).

Searching the keyword "cydia" revealed several hits within my testing.

Jeremy

 
Posted : 30/01/2017 11:00 pm
(@giuseppem)
Posts: 24
Eminent Member
 

The fstab file is in the system partition under
/private/etc/fstab

The offsets you are looking for are 19-20 - not the "properties" of the file as you mentioned.

Not sure if they will tell you if the phone was *EVER* jailbroken but will tell you if the phone is currently jailbroken or not.

-=Art=-

I don't find the path you gave. Are you sure that in iPhone's Advanced Logical Extraction we can find that path?

Thank you

 
Posted : 09/06/2017 1:37 am
CopyRight
(@copyright)
Posts: 184
Estimable Member
 

Okay, here is an interesting thought: try to take an encrypted backup from iTunes, then use any mobile forensic tool, preferably UFED. It will ask you for the encryption password; once you enter it, the backup will contain a whole lot more information than a normal acquisition, such as user credentials, notes, deleted items.

You can then search for any jailbreaking artefacts, such as searching for Cydia, or you can create your own word list of those that are associated with the jailbreaking process.

 
Posted : 11/06/2017 1:52 pm
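The word-list search suggested in the post above, as an added example that is not part of the original thread. It assumes the extraction or decrypted backup has already been exported to a folder by the forensic tool; only "cydia" comes from the thread, the other terms and the sample files are constructed.

```python
import os
import tempfile

# "cydia" comes from the thread; the other terms are assumed additions.
WORDLIST = ["cydia", "com.saurik", "mobilesubstrate"]
CHUNK = 1 << 20  # read files in 1 MiB chunks


def scan_file(path, terms):
    """Return the terms found case-insensitively in the raw bytes (ASCII/UTF-8 only)."""
    needles = {t: t.lower().encode() for t in terms}
    overlap = max(len(n) for n in needles.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            window = (tail + chunk).lower()
            found.update(t for t, n in needles.items() if n in window)
            # keep the last bytes so a term split across two chunks still matches
            tail = window[-overlap:] if overlap else b""
    return found


def scan_tree(root, terms=WORDLIST):
    """Walk an exported extraction; return {relative_path: {"path": [...], "content": [...]}}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            in_path = sorted(t for t in terms if t.lower() in rel.lower())
            try:
                in_content = sorted(scan_file(full, terms))
            except OSError:
                in_content = []  # unreadable file: report path hits only
            if in_path or in_content:
                hits[rel] = {"path": in_path, "content": in_content}
    return hits


def demo():
    """Build a small constructed tree (not real evidence) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "Library", "Preferences")
        os.makedirs(prefs)
        with open(os.path.join(prefs, "com.saurik.Cydia.plist"), "wb") as fh:
            fh.write(b"bplist00 constructed sample")
        with open(os.path.join(root, "notes.db"), "wb") as fh:
            fh.write(b"\x00" * 10 + b"Opened CYDIA once" + b"\x00" * 10)
        return scan_tree(root)
```

A hit only shows that the string is present somewhere in the exported data; each one still has to be examined in context before drawing a conclusion about the device.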
Vesalius
(@vesalius)
Posts: 66
Estimable Member
 

You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.

Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.

 
Posted : 12/06/2017 2:51 pm
(@giuseppem)
Posts: 24
Eminent Member
 

You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.

Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.

Thank you for your answer.
So the question is: if the iPhone is jailbroken, with an iPhone's Advanced Logical Extraction, am I able to find the fstab file in the system partition under /private/etc/fstab?

 
Posted : 12/06/2017 9:47 pm