Forums
Main Category
General (Technical,...
ipad A1337 jailbrea...
 
Notifications
Clear all

ipad A1337 jailbreaked , but no data recovery !!

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
19 Posts
5 Users
0 Reactions
1,671 Views
RSS
 evilcode1
(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter 30/11/2016 4:19 pm  

hello all
this is my first time i do forensic on jailbreaked apple device

the device info
ipad model A1337
ios version 5.1.1

jailbreak done with 3utool ! then i connect it via ssh over usb D

then i make raw image by
dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img

then i transfer the image from ipad to my local linux machine i then i try to use testdisk to recover deleted files nothing restored !!

is this steps rights or what ??


   
Quote
nightworker
 nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
30/11/2016 7:51 pm  

could you give us more detail prh


   
ReplyQuote
 evilcode1
(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter 30/11/2016 10:13 pm  

could you give us more detail prh

If you create a DD image of say a 16 GB Ipad and outputted that on the same Ipad, any deleted data will have been over written by the 16 GB image file now stored on the Ipad.

Hopefully this was student project and not actual work |

Recommended reading – >>

"Jonathan Zdziarski - https://cryptome.org/isp-spy/iphone-spy4.pdf"
"https://www.safaribooksonline.com/library/view/iphone-forensics/9780596153588/ch04.html"

damn !! that's what i did ( anyway it's just a test
so thats mean all my steps are right except this dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img
so ehat is the right command to write it from ssh session to local machine ?


   
ReplyQuote
Igor_Michailov
 Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
01/12/2016 10:30 am  

i try to use testdisk to recover deleted files nothing restored !!

May be, it happened because files of the device are encrypted. wink


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
01/12/2016 4:42 pm  

echo ios-root.img > /dev/null lol

I thought we were NOT on Reddit.

jaclaz


   
ReplyQuote
 evilcode1
(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter 02/12/2016 6:25 pm  

i try to use testdisk to recover deleted files nothing restored !!

May be, it happened because files of the device are encrypted. wink

how can i know if they encrypted or not ??


   
ReplyQuote
Igor_Michailov
 Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
02/12/2016 8:44 pm  

Open them in Hex Viewer.


   
ReplyQuote
 evilcode1
(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter 04/12/2016 12:14 pm  

Open them in Hex Viewer.

open what ?? the raw image ( .img ) ?


   
ReplyQuote
Igor_Michailov
 Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
04/12/2016 12:52 pm  

Open one of the files with known header. E.g. JPG file.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
04/12/2016 3:07 pm  

Open one of the files with known header. E.g. JPG file.

Well, since he recovered 0 files, that would be hard, but wouldn't anyway the header be also encrypted? ?

@qassam
Yes, the raw .img files.
Can you find the (HFS+) structures?
But more generally, if you just scroll a little bit, you will see if you can see readable text here and there or just a bunch of "random" hex values.

jaclaz


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: