Hello,
I am currently doing my dissertation on iPhone forensics and after gathering some information I have started with the practical work.
I am a student and I don't have the possibility of working with law enforcement software, therefore I have used open tools following Jonathan Zdziarski's methodology.
I own a jailbroken iPhone 4 and the tests are being done on this device. The first thing I did was install OpenSSH and netcat on the device to be able to connect from my MacBook.
The first issue I found is that the iPhone 4 didn't have the command "umount". Therefore I wasn't able to dismount the partition in order to mount it in "Read mode" only.
The second problem I found is that the command "md5" doesn't exist on the device either. Thus, I wasn't able to take a hash before imaging the device, with the consequence that after making the image I can't verify whether it was done correctly.
I managed to make the image with the tool "dd" after 5 hours (16 gigas) in .dd format, although I changed it to .dmg. In spite of my efforts, I haven't been able to mount it on my laptop. Could the reason be that iOS4 is encrypted?
I hope you can help me with these 3 issues.
Another thing that I will start investigating is the logical backups from iTunes. I think that doesn't save the deleted information like the bit-to-bit image does, no?
Thanks in advance for your help.
I wouldn't discount getting deleted data from a backup. iOS uses two main formats for data storage duties. The first, Property Lists, are unlikely to give you any deleted data, true (although they can give up lots of interesting data which you can't see when examining the iPhone manually).
The other format is SQLite, and you can definitely get deleted data back from the Database Images. There are a bunch of variables which will affect your success. In iOS4 a lot of the Apple databases are "auto-vacuum" enabled, which means that unused space is removed after deletions, but this doesn't mean that all deleted records go away. Luckily a lot of the 3rd party apps don't have auto-vacuum on their databases, so you can still recover a glut of deleted data there.
If you're interested in recovering deleted records, a good place to start is the file spec documents here:
http//
http//
Also if you have specific questions feel free to PM me.
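An added example, not part of the original reply: one way to triage the SQLite databases pulled from a backup by reading the auto-vacuum mode and freelist size from the 100-byte file header, which indicates where whole pages of deleted records are likely to remain. The function names and the sample databases are constructed for illustration.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"

def triage_sqlite_header(path):
    """Parse the 100-byte SQLite header for fields that bear on deleted-record recovery."""
    with open(path, "rb") as fh:
        hdr = fh.read(100)
    if len(hdr) < 100 or hdr[:16] != MAGIC:
        raise ValueError(f"{path}: not a SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:                      # the value 1 encodes a 65536-byte page
        page_size = 65536
    # Offset 32: first freelist trunk page; offset 36: total number of freelist pages.
    first_trunk, free_pages = struct.unpack(">II", hdr[32:40])
    # Offset 52 is non-zero only in auto-vacuum or incremental-vacuum mode;
    # offset 64 is non-zero only for incremental-vacuum.
    largest_root = struct.unpack(">I", hdr[52:56])[0]
    incremental = struct.unpack(">I", hdr[64:68])[0]
    mode = "none" if largest_root == 0 else ("incremental" if incremental else "full")
    return {"page_size": page_size, "auto_vacuum": mode,
            "first_trunk_page": first_trunk, "freelist_pages": free_pages,
            "freelist_bytes": free_pages * page_size}

def build_sample(path, auto_vacuum):
    """Constructed sample database: fill a table, then delete every row."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit mode
    con.execute(f"PRAGMA auto_vacuum = {auto_vacuum}")   # must precede table creation
    con.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("BEGIN")
    con.executemany("INSERT INTO msg (body) VALUES (?)", [("x" * 400,)] * 300)
    con.execute("COMMIT")
    con.execute("DELETE FROM msg")
    con.close()

def demo():
    """Build one database per mode and return the header triage for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in ("NONE", "FULL"):
            path = os.path.join(tmp, f"sample_{mode}.db")
            build_sample(path, mode)
            results[mode] = triage_sqlite_header(path)
    return results

if __name__ == "__main__":
    for mode, info in demo().items():
        print(mode, info)
```

A database that reports `auto_vacuum: none` with a non-zero freelist is the first place to look for whole pages of deleted records. Databases in the other modes can still hold deleted records in unallocated space inside live pages.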
Hello, I was hoping you could help me. I have an iPhone backup stored on my Mac and need help regarding the dynamic keyboard dat file. Is there any way this can be reordered chronologically? At the moment the top portion of the file, when viewed in a text app, is in date order, but the bottom portion appears to have been dumped alphabetically once the top portion becomes full. Any help would be gratefully appreciated, thanks, Stuart
I have an iPhone backup stored on my Mac and need help regarding the dynamic keyboard dat file.
Have you tried iPhone Backup Extractor, then Expert mode to firstly extract the file & second look at this in a hex viewer or text viewer?
Hi, thanks for your reply. I already have the file which was extracted with backup extractor. However, when viewing in a text format or hex edit format, the text is split. The top half is in order (time wise) and when this portion becomes full, it is then dumped into the bottom half, but put roughly into alphabetical order. There are bytes separating each letter inputted but I don't understand that part. What I want to achieve is to put all words back into the top portion, in alphabetical order.