Is it possible to know if an iPhone has been ever jailbroken


CopyRight
Senior Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 11, 17 13:52

Okay, here is an interesting thought: try to take an encrypted backup from iTunes, then use any mobile forensic tool, preferably UFED. It will ask you for the encryption password; once you enter it, the backup will contain a whole lot more information than a normal acquisition, such as user credentials, notes, deleted items.

You can then search for any jailbreaking artefacts, such as searching for Cydia, or you can create your own word list of those that are associated with the jailbreaking process.
 
  

Vesalius
Senior Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 12, 17 14:51

You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.

Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.
_________________
Digital Forensics is an Exact science, not the procedures, but the results. 
 
  

giuseppem
Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 12, 17 21:47

- Vesalius
You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.

Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.


Thank you for your answer.
So the question is: if the iPhone is jailbroken, with an iPhone's Advanced Logical Extraction am I able to find the fstab file in the system partition under /private/etc/fstab?
 
  

passcodeunlock
Senior Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 12, 17 23:13

Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.

I wonder what traces remain on a PC or Mac when you connect and jailbreak a device :) Maybe the proof you are looking for is not the device itself, but the device which it was synced with. :)
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
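
A sketch of the search described in the posts above (the keyword list from CopyRight's post, the fstab check from passcodeunlock's), added here as an example and not posted by any thread participant. It assumes the extraction has been exported to a directory tree; the word list beyond "Cydia" and the stock mount options (root `ro`, `/private/var` with `nosuid,nodev`) are assumptions to validate against a known-clean device of the same iOS version.

```python
import os
import tempfile

# Assumed word list: only "Cydia" is named in the thread; the rest are
# illustrative terms to extend from your own test jailbreak.
WORDLIST = ("cydia", "mobilesubstrate", "/private/var/lib/apt")

def fstab_findings(text):
    """Flag fstab entries that differ from the assumed stock mount options."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment or malformed line
        mount, opts = fields[1], set(fields[3].split(","))
        if mount == "/" and "rw" in opts:
            findings.append("root filesystem mounted rw")
        if mount == "/private/var" and not {"nosuid", "nodev"} <= opts:
            findings.append("/private/var missing nosuid/nodev")
    return findings

def scan_extraction(root):
    """Walk an exported file system; return sorted (path, reason) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            word = next((w for w in WORDLIST if w in rel.lower()), None)
            if word:
                hits.append((rel, "path matches '%s'" % word))
    fstab = os.path.join(root, "private", "etc", "fstab")
    if os.path.isfile(fstab):
        with open(fstab, errors="replace") as fh:
            hits += [("/private/etc/fstab", f) for f in fstab_findings(fh.read())]
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree standing in for an extraction (not case data)."""
    for d in ("Applications/Cydia.app", "private/etc", "private/var/lib/apt"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "private", "etc", "fstab"), "w") as fh:
        fh.write("/dev/disk0s1s1 / hfs rw 0 1\n"
                 "/dev/disk0s1s2 /private/var hfs rw 0 2\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in scan_extraction(tmp):
            print(path, "-", reason)
```

A hit is a lead to examine by hand, not proof; an absence of hits says nothing about a device that has since been restored.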
 
  

giuseppem
Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 12, 17 23:24

- passcodeunlock
Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.


Yes, that's clear. But is the iPhone's Advanced Logical Extraction (performed with UFED) sufficient? Or do I need some kind of deeper acquisition?

Thank you  
 
  

passcodeunlock
Senior Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 12, 17 23:30

It is enough, you should have the Cydia App or at least artifacts of it, if it was removed.

Another simple test: if you can create a Physical Acquisition of a device with Secure Enclave, the device is jailbroken. Maybe somebody else could confirm this?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

trewmte
Senior Member
 

Re: Is it possible to know if an iPhone has been ever jailbr

Posted: Jun 15, 17 12:40

Useful replies in this thread so far. To add additional observations: if you are intending to search for artifacts/artefacts, try and get a brand new iPhone and then jailbreak it to see what you find.

iPhone - TDEL034 Tool Testing - trewmte.blogspot.co.uk...sting.html
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
