Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.
I wonder what traces remain on a PC or Mac when you connect and jailbreak a device. Maybe the proof you are looking for is not the device itself, but the device which it was synced with.
Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.
Yes, that's clear. But is the iPhone's Advanced Logical Extraction (performed with UFED) sufficient? Or do I need some kind of deeper acquisition?
Thank you
It is enough, you should have the Cydia App or at least artifacts of it, if it was removed.
Another simple test: if you can create a Physical Acquisition of a device with Secure Enclave, the device is jailbroken. Maybe somebody else could confirm this?!
Useful replies in this thread so far. To add additional observations: if you are intending to search for artifacts/artefacts, try to get a brand new iPhone and then jailbreak it to see what you find.
iPhone - TDEL034 Tool Testing - http//
That directory is located in the System folder, and as such, is unavailable to you…
So, let's say that if the system folder is unavailable, then the iPhone is not jailbroken; on the contrary, if the iPhone is jailbroken, then I will get access to /private/etc/fstab. Is that right?
I've just checked 2 iPhone extractions (advanced logical) of the same device: one was performed with backup cryptography and one without. There is no trace of that directory.
giuseppem, your answer has nothing to do with the original poster's question; from what is available now, you won't get any hint if the device was jailbroken before or not.
JB - reset - JB - reset … current situation. Was it ever jailbroken?! How many times?! How many times was it reset to factory defaults again? Who knows?! NOBODY! (maybe Apple, if they got an internal var for this…)
As some wise people already wrote it before, a factory reset kills all trails to the past, you should better close this thread, it is misleading readers that figuring this might be possible. Currently IT IS NOT!
Dear passcodeunlock, thank you for your zealous response.
My answer does not give new information, but it takes up responses from other users. If you read carefully, the whole thread is also talking (for the most part) about the possibility of understanding whether an iPhone is jailbroken or not.
My clarification request underlined the answers already given by others in order to clarify whether an iPhone is currently jailbroken or not.
I do not think there is any chance of misunderstanding, since it was repeated throughout the whole thread that you cannot determine if an iPhone has ever been jailbroken or not.
Mine is a constructive request, useful to everyone. I do not understand this useless polemic tone.
you should better close this thread, it is misleading readers that figuring this might be possible.
Don't worry, nothing personal, it is seemingly a "close this thread weekend"
https://www.forensicfocus.com/Forums/viewtopic/p=6589733/#6589733
Overestimating forensic capabilities is not a problem, move on and please close this useless topic!
jaclaz
Ah ah ah. Ok. Thank you jaclaz.
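Added example, not part of any post in this thread: a Python sketch that checks an extracted file tree for the two indicators the replies name, Cydia artifacts and a modified /private/etc/fstab. The Cydia locations other than the app itself, and the assumption that a stock fstab mounts the root filesystem read-only, are not from the thread; the function lists what is present and makes no claim about the device's past.

```python
import os
import tempfile

# Paths relative to the extraction root. The fstab path is the one named in
# the thread; the Cydia locations are commonly cited ones, assumed here.
# Assumption: a stock fstab mounts "/" read-only, so "rw" is what we look for.
CYDIA_PATHS = [
    "Applications/Cydia.app",
    "private/var/lib/cydia",
    "private/var/lib/apt",
]
FSTAB_PATH = "private/etc/fstab"


def root_mount_options(fstab_text):
    """Return the mount options of the '/' entry, or None if absent."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == "/":
            return fields[3].split(",")
    return None


def scan_extraction(root):
    """List indicators present in an extracted file tree; no verdict is made."""
    findings = []
    for rel in CYDIA_PATHS:
        if os.path.exists(os.path.join(root, rel)):
            findings.append("cydia artifact: /" + rel)
    fstab = os.path.join(root, FSTAB_PATH)
    if not os.path.isfile(fstab):
        # An extraction without the system folder cannot show fstab at all.
        findings.append("fstab not in extraction")
    else:
        with open(fstab, encoding="utf-8", errors="replace") as fh:
            opts = root_mount_options(fh.read())
        if opts and "rw" in opts:
            findings.append("fstab: root filesystem mounted rw")
    return findings


def build_sample_tree(root):
    """Constructed sample tree, not taken from a real device."""
    os.makedirs(os.path.join(root, "Applications/Cydia.app"))
    os.makedirs(os.path.join(root, "private/etc"))
    with open(os.path.join(root, FSTAB_PATH), "w") as fh:
        fh.write("/dev/disk0s1s1 / hfs rw 0 1\n")
        fh.write("/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2\n")
```

Call `scan_extraction()` on the root directory of an unpacked extraction; a result of only "fstab not in extraction" means the system folder was not acquired, not that the device is clean.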