Jonathan Zdziarski iPhone Tools [Discussion]

 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
Topic starter  

I have been able to perform a file system dump on an iPhone 3Gs and an iPhone 4 both running iOS 4.3.1. However, I did not use JZ tools as they aren't up to date but the methodology used is pretty much the same as JZ has implemented in his automated tools.

I created a recovery ramdisk that has SSH on it. I then booted the iPhones from this ramdisk and used the secure copy command (scp) to download the filesystem from the devices. You can also use SFTP to perform the download operation, but the great thing with scp is that you can use some options to preserve permissions and timestamps.

You can find the procedure I used to do this here: http://www.hackint0sh.org/f128/132063-6.htm

However, using this procedure, you won't be able to download emails from the device as it results in permission errors. I believe it's either a bug in the SSH binary that was packed in the ramdisk or it's a security feature from the Apple crypto API. The only way I was able to retrieve the emails was to jailbreak the iPhones, install Cydia and then install OpenSSH. After that, I was able to download the Mail folder without any issue.

Now (before I get flamed on this forum), I know that jailbreaking a device is not a forensic process, but in this case, we had written consent from the owner, we really needed the emails and we are ready to testify in court what has been done and why.

Hope this helps.

Cheers for the link Hitman!

the main reason for the file system recovery is to recover the Mail folder. Without JB'ing the device is there any way that we can get the Mail electronically from a 4.3.x device?

I assumed that the multiplatform iOS4 scripts would work once you had downloaded the firmware and updated the firmware.txt file. Sadly this does not seem to be the case.

As per my original post regarding this error, I am still able to successfully run boot-liverecovery.sh and boot-kernel.sh. I then cd to the recovery module and attempt recover-fs.sh. The script initiates but then says that there is an error with usbmuxd (Error code=3).

At first I thought it may have been an issue with outdated USB connectivity elements, so I have updated to 10.10 and then 11.04 (neither of which has helped, although on 11.04 the phone did not need to be manually powered on during 'boot live-recovery' like it did on 10.04).
Is it worth updating this?
http://www.libimobiledevice.org/

They suggest that they offer support up to iOS 4.3.1 in version 1.0.6 and that they are working towards full support for 4.3.3 in version 1.2.0.

I refuse to be beaten, but I want to keep using a forensic approach rather than uploading custom firmware/JB'ing devices.

Does anyone have any tips?
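The post above describes pulling the filesystem from a ramdisk-booted device with scp so that permissions and timestamps survive. The script below is an added example (not Doug's procedure and not part of the JZ tools) of the same acquisition step done as a tar stream over SSH, which preserves ownership, symlinks and hard links as well as mode and mtime (scp -p keeps only mode and times and follows symlinks), and hashes the image as it is written so the digest can be recorded in the examiner's notes. It assumes the device's SSH port has been forwarded to localhost:2022 (a common usbmuxd forward; the port and the /mnt1 mount point are assumptions) and that sha256sum and tar are available on the examiner's machine. It does not address the permission errors on the Mail folder the post mentions, only the transfer itself.

```shell
#!/bin/sh
# acquire_fs.sh: pull a device filesystem over SSH as a tar stream, hashing it in flight.
# Added example for this thread; not the JZ tools or the hackint0sh procedure.

# REMOTE_SHELL runs one command on the device. The default assumes (assumption) that
# the ramdisk's sshd is reachable through a usbmuxd forward of port 22 to local 2022.
: "${REMOTE_SHELL:=ssh -p 2022 root@localhost}"

# acquire_fs <remote_dir> <out.tar>
# Streams <remote_dir> (e.g. /mnt1 for the system slice, /mnt2 for user data,
# both assumed mount points) into <out.tar>. Packing with tar on the device keeps
# mode, mtime, uid/gid, symlinks and hard links, none of which scp guarantees.
# A SHA-256 of the finished archive is written next to it as <out.tar>.sha256.
acquire_fs() {
    remote_dir=$1
    out=$2
    # -C <dir> then '.' so entries are relative and the archive does not carry the
    # mount point in its paths.
    $REMOTE_SHELL "tar -C '$remote_dir' -cf - ." > "$out" || return 1
    sha256sum "$out" > "$out.sha256"
}

# verify_fs <out.tar>
# Re-hashes the archive and compares it with the recorded digest; returns 0 on match.
# Run this again before analysis to show the image was not altered after acquisition.
verify_fs() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# list_entry <out.tar> <path-in-archive>
# Prints mode, owner and mtime of one entry so the preserved metadata can be
# checked and quoted in the report.
list_entry() {
    tar -tvf "$1" "$2"
}

# Typical use (device attached, forward in place):
#   ./acquire_fs.sh /mnt2 userdata.tar && verify_fs userdata.tar
if [ "${1:-}" ] && [ "${2:-}" ]; then
    acquire_fs "$1" "$2" && verify_fs "$2" && echo "acquired and verified: $2"
fi
```

The archive can be unpacked with `tar -xpf` into a working directory on the analysis machine, or opened read-only with any tar-aware tool, without touching the device again; keep the `.sha256` file with the case notes.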

(@captainf)
Trusted Member
Joined: 17 years ago
Posts: 60
 

Doug,

Can I suggest that you take a look at these tools that were released last week: http://code.google.com/p/iphone-dataprotection/

It is important that you read the PDF, it explains everything about how and why the tools work.

I have been using these tools to analyse iOS 4 devices, including the 3Gs, iPhone 4 and iPad 1. They work in exactly the same way as the JZ tools do but make a slight modification to the kernel to allow for further analysis of the iDevice crypto services. The brute-force passcode cracking capability is very efficient and has worked on every device I have tried it on to date. You can use it to dump passwords and wifi keys stored on the device, very handy.

You can do a dump of the slice2 file system using these tools and use a modified HFSExplorer tool to help analyse the filesystem.

This imho is the way to go forward if you want to take a look at the contents of the mail.

On a slightly different note has anyone carried out any analysis on the capability and effectiveness of these "picture hiding" apps that are available in the appstore?

If you need further help please PM me.
