iPhone 3G firmware 3.1.3 raw DD image?

12 Posts
7 Users
0 Reactions
1,295 Views
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Hello everyone,
as the thread title says, I'm trying to find a way to perform a raw dd image of the user partition of an iPhone 3G with iOS 3.1.3.

I've searched around but still couldn't find anything that could lead me to success.

All the tutorials around are saying different things.

Can anyone help me out and point me in the right direction?

Thanks in advance


   
Quote
mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
 

Rampage, have you tried to image it with FTK Imager and put it into FTK? I recently did that, and was able to pull all sorts of deleted items, except for text messages.


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

AFAIK SMSs are stored in SQLite databases; you can look at them to recover fragments of deleted SMSs.

I didn't know it was possible to image an iPhone using FTK Imager…


   
ReplyQuote
(@gforster01)
New Member
Joined: 16 years ago
Posts: 2
 

> Hello everyone,
> as the thread title says, I'm trying to find a way to perform a raw dd image of the user partition of an iPhone 3G with iOS 3.1.3.
>
> I've searched around but still couldn't find anything that could lead me to success.
>
> All the tutorials around are saying different things.
>
> Can anyone help me out and point me in the right direction?
>
> Thanks in advance

I've been researching this topic too, only for a 3GS with iOS 4.1. Have looked at the JZ methods but the downloadable software tools only go up to v2.0+. I get the general impression that you jailbreak the iPhone, install OpenSSH, *nix dd and other tools to get the image. I've found an OS tool, f()recast, which offers suggestions as to the best software to do the jailbreaking with for the particular iPhone. Haven't got any further than this so can't guarantee success, I'm afraid.


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

I'm now putting my effort into trying to decode SMSs in SQLite slack space…

The message text + the phone number with which the message was exchanged are in place and human readable. All the rest is screwed up; I can't find a way to determine timestamps.


   
ReplyQuote
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

Cellebrite UFED Physical supports iPhone/iPad and iPod extraction bypassing user code and decrypting iOS4 images.

In addition it will decode the extracted image (including encrypted) and extract you deleted SMS entries.

RonS


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

> Cellebrite UFED Physical supports iPhone/iPad and iPod extraction bypassing user code and decrypting iOS4 images.
>
> In addition it will decode the extracted image (including encrypted) and extract you deleted SMS entries.
>
> RonS

I don't have a UFED, and since it's not for a forensics job (or anything I get paid for), renting/buying/investing in it is not an option.

Thanks tho :)

Still, if someone minds helping me out in decoding stuff, here is a hex dump of a couple of SMSs I extracted as a sample:


# cat sms.bin | xxd
0000000 0101 01ba 0127 043d 0101 0102 0101 0101 .....'.=........
0000010 0111 0101 012b 3131 3131 3131 3131 3131 .....+1111111111
0000020 3131 4c98 ea8f 2078 7878 7878 7878 7878 11L... xxxxxxxxx
0000030 7878 7878 7878 7878 7878 7878 7878 0301 xxxxxxxxxxxxxx..
0000040 01a3 0101 0401 6974 0101 0101 ac13 0127 ......it.......'
0000050 0481 7f01 0101 0201 0101 0101 1101 0101 ................
0000060 2b31 3131 3131 3131 3131 3131 314c 98eb +111111111111L..
0000070 1378 7878 7878 7878 7878 7878 7878 7878 .xxxxxxxxxxxxxxx
0000080 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
0000090 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
00000a0 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
00000b0 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
00000c0 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
00000d0 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
00000e0 7878 7878 7878 7878 7878 0201 01a3 0101 xxxxxxxxxx......
00000f0 0401 6974 0101 0101 4001 2704 2b01 0101 ..it....@.'.+...
0000100 0201 0101 0101 1101 0101 2b31 3131 3131 ..........+11111
0000110 3131 3131 3131 314c c9b0 0478 7878 7878 1111111L...xxxxx
0000120 7878 7878 7878 7878 7878 0301 01a3 0101 xxxxxxxxxx......
0000130 0401 6974 0101 0101 4801 2704 3b01 0101 ..it....H.'.;...
0000140 0201 0101 0101 1101 0101 2b31 3131 3131 ..........+11111
0000150 3131 3131 3131 314c c9b0 9f78 7878 7878 1111111L...xxxxx
0000160 7878 7878 7878 7878 7878 7878 7878 7878 xxxxxxxxxxxxxxxx
0000170 7878 0201 01a3 0101 0401 6974 0101 0101 xx........it....
0000180 3d01 2704 2501 0101 0201 0101 0101 1101 =.'.%...........
0000190 0101 2b31 3131 3131 3131 3131 3131 314c ..+111111111111L
00001a0 c9b0 8478 7878 7878 7878 7878 7878 2003 ...xxxxxxxxxxx .
00001b0 0101 a301 0104 0169 7401 .......it.


Obviously 0x31 is the phone number while 0x78 is the obfuscated text message.
Still, there are repeating signatures that I would like to try to decode; maybe information like timestamps may come out.


   
ReplyQuote
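Added example, not part of the thread: the repeating signatures in the dump above fit the SQLite record format, where 0x27 is the serial type of a 13-character TEXT value, 0x04 a 32-bit integer, and the varint after it (0x3d, 0x81 0x7f) a TEXT type giving the message length. The Python code below carves address, date and text from the first two cells of that dump. Its function names are its own, and it assumes that 13 one-byte serial types follow the text type (as in the dump) and that the date is Unix seconds, which places both samples in September 2010.

```python
import re
from datetime import datetime, timezone

ADDRESS = re.compile(rb"\+?\d{3,}")   # plausible phone number, used to reject false hits

def read_varint(buf, pos):
    """Decode a SQLite varint: big-endian, 7 bits per byte, 9th byte holds 8 bits."""
    value = 0
    for n, byte in enumerate(buf[pos:pos + 9]):
        if n == 8:
            return (value << 8) | byte, pos + 9
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            return value, pos + n + 1
    return 0, pos                     # truncated varint: 0 is never a TEXT type

def carve_sms(buf, trailing_types=13):
    """Return (address, unix_seconds, text) for each record header found in buf."""
    hits, pos = [], 0
    while pos < len(buf) - 2:
        addr_type = buf[pos]
        # Signature: TEXT serial type (odd, >= 13), then 0x04 (32-bit INTEGER date).
        if addr_type >= 13 and addr_type % 2 and buf[pos + 1] == 0x04:
            text_type, after = read_varint(buf, pos + 2)
            addr_len, text_len = (addr_type - 13) // 2, (text_type - 13) // 2
            start = after + trailing_types        # first byte of the record body
            date_at = start + addr_len
            end = date_at + 4 + text_len
            addr = buf[start:date_at]
            if text_type >= 13 and text_type % 2 and end <= len(buf) and ADDRESS.fullmatch(addr):
                stamp = int.from_bytes(buf[date_at:date_at + 4], "big")
                text = buf[date_at + 4:end].decode("utf-8", "replace")
                hits.append((addr.decode(), stamp, text))
                pos = end
                continue
        pos += 1
    return hits

# Assumption: the 4-byte date is seconds since 1970-01-01 UTC.
def as_utc(stamp):
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()

# First two freed cells of the dump in the post (digits and text were already masked there).
TAIL = "01010102010101010111010101"    # the 13 one-byte serial types after the text type
SAMPLE = (bytes.fromhex("010101ba0127043d" + TAIL) + b"+" + b"1" * 12
          + bytes.fromhex("4c98ea8f") + b" " + b"x" * 23 + bytes.fromhex("030101a301010401697401")
          + bytes.fromhex("010101ac13012704817f" + TAIL) + b"+" + b"1" * 12
          + bytes.fromhex("4c98eb13") + b"x" * 121 + bytes.fromhex("020101a301010401697401"))
print([(a, as_utc(t), len(s)) for a, t, s in carve_sms(SAMPLE)])
```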
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

You will need to export the image to a hex viewer and change the HX to a H+. Using a tool like FTK Imager, mount the image as an HFS+ volume. Using that, then go to Var/Mobile/Library/SMS/sms.db. Open the file using a SQLite viewer, view the SMS you want, put any time date stamps using Digital Detectives DCode, MAC date/time. Should find it is an epoch offset from 1990 if memory serves right.


   
ReplyQuote
crazyrudy
(@crazyrudy)
Eminent Member
Joined: 20 years ago
Posts: 33
 

I have a UFED, and it does not appear to support a 3.1.3 physical acquisition, nor does it parse a 3.1.3 image that was otherwise acquired.


   
ReplyQuote
(@nadavh)
New Member
Joined: 15 years ago
Posts: 2
 

> I have a UFED, and it does not appear to support a 3.1.3 physical acquisition, nor does it parse a 3.1.3 image that was otherwise acquired.

crazyrudy, acquisition of all supported iOS devices (iPhone, iPod Touch, iPad) is done using the Physical Analyzer application, which is also used for decoding. It is under "Tools -> iOS Device Physical Extraction". Did you not find the application, or have you run into a problem during the acquisition process?

The application supports and was tested on iPhone (Original), iPhone 3G, iPhone 3GS, iPhone 4 (GSM and CDMA), iPod Touch 3G, iPod Touch 4G and iPad 1, running iOS 3.0 and above (currently up to 4.3.5 and 4.2.10). An iPhone 3G running iOS 3.1.3 was re-tested at Cellebrite and acquisition is working like a charm. Please try to explain the problem in more detail so we can help you solve it.

You should also be able to easily open an image that was acquired in other methods using the "Open Advanced" option, and in "Select Device" choose "Apple iPhone (Physical)".


   
ReplyQuote