I have an iPhone's Advanced Logical Extraction using UFED and I want to know if it was ever jailbroken.
I'm looking for the "fstab" file in order to check its properties but I cannot find it. What could I do?
Thanks and regards!
The fstab file is in the system partition under
/private/etc/fstab
The offsets you are looking for are 19-20 - not the "properties" of the file as you mentioned.
Not sure if they will tell you if the phone was *EVER* jailbroken but will tell you if the phone is currently jailbroken or not.
-=Art=-
But the only way to remove a jailbreak is to restore the iOS device. This would remove all evidence of a previous jailbreak. So no, it is not possible to tell if an iPhone has been jailbroken before.
Are you sure of that?
Pretty sure. If you search on Google for how to remove a jailbreak, the instructions will always tell you to restore the device.
You can apparently try to hide a jailbreak by deleting the Cydia app, but the jailbreak itself is a non-reversible process. During the jailbreak the iOS system itself is modified and there's no known method to undo these modifications other than restoring.
In my testing, there were some artifacts left over after an unjailbreak event (iOS update or restore).
Searching the keyword "cydia" revealed several hits within my testing.
Jeremy
I don't find the path you gave. Are you sure that in iPhone's Advanced Logical Extraction we can find that path?
Thank you
Okay, here is an interesting thought: try to take an encrypted backup from iTunes, then use any mobile forensic tool, preferably UFED. It will ask you for the encryption password; once you enter it, the backup will contain a whole lot more information than a normal acquisition, such as user credentials, notes, deleted items.
You can then search for any jailbreaking artefacts, such as searching for Cydia, or you can create your own word list of terms that are associated with the jailbreaking process.
You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.
Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.
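The keyword search mentioned in the posts above (the "cydia" search and the custom word list), as an added example that is not part of the original thread or of any forensic tool. It assumes the extraction or decrypted backup has already been exported to a folder; only "cydia" comes from the thread, the other word-list entries are assumptions.

```python
import os
import sys

# "cydia" is the keyword named in the thread; the other two entries are an
# assumed starting word list, to be replaced with the examiner's own terms.
KEYWORDS = ["cydia", "com.saurik", "mobilesubstrate"]

def build_patterns(words):
    """Per keyword: ASCII bytes plus a zero-interleaved form (UTF-16, either byte order)."""
    pats = {}
    for w in words:
        raw = w.lower().encode("ascii")
        pats[w] = [raw, b"\x00".join(bytes([b]) for b in raw)]
    return pats

def scan_file(path, pats, chunk=1 << 20):
    """Return sorted (keyword, byte offset) hits in one file, case-insensitive."""
    overlap = max(len(p) for ps in pats.values() for p in ps) - 1
    hits, base, tail = set(), 0, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            buf = tail + block.lower()
            for word, ps in pats.items():
                for p in ps:
                    i = buf.find(p)
                    while i != -1:
                        # A match wholly inside the carried-over tail was
                        # already reported with the previous chunk.
                        if i + len(p) > len(tail):
                            hits.add((word, base - len(tail) + i))
                        i = buf.find(p, i + 1)
            base += len(block)
            tail = buf[-overlap:]
    return sorted(hits)

def scan_tree(root, words=KEYWORDS):
    """Walk an extracted file tree; report hits in relative paths and in contents."""
    pats, report = build_patterns(words), []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            report += [(rel, w, "path") for w in words if w.lower() in rel.lower()]
            report += [(rel, w, off) for w, off in scan_file(full, pats)]
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # extraction folder
    for rel, word, where in scan_tree(root):
        print(f"{rel}\t{word}\t{where}")
```

A hit only shows that the string is present in a file; browser history or a message that mentions the word will match too, so each hit needs review in context.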
Thank you for your answer.
So the question is if the iPhone is jailbroken, with an iPhone's Advanced Logical Extraction am I able to find the fstab file in the system partition under /private/etc/fstab?