Is it possible to know if an iPhone has been ever jailbroken  

Skywalker
(@skywalker)
Active Member

I have an Advanced Logical Extraction of an iPhone made with UFED, and I want to know if it was ever jailbroken.

I'm looking for the "fstab" file in order to check its properties, but I cannot find it. What could I do?

Thanks and regards!

Posted : 04/01/2017 12:24 am
4n6art
(@4n6art)
Active Member

The fstab file is in the system partition under
/private/etc/fstab

The offsets you are looking for are 19-20, not the "properties" of the file as you mentioned.

Not sure if they will tell you if the phone was *EVER* jailbroken but will tell you if the phone is currently jailbroken or not.

-=Art=-

Posted : 04/01/2017 1:12 am
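The fstab check described in the post above, as an added example that is not part of the thread. The fstab samples are constructed from the commonly documented stock layout (system partition on "/" mounted "ro", user data on /private/var); device node names vary across iOS versions, so the script parses the fields rather than trusting the fixed byte offset, and shows the offset check only for comparison:

```python
"""Decide from /private/etc/fstab whether an iOS root filesystem is mounted
read-write, the current-jailbreak indicator discussed in the thread.

Added example, not from the forum. The fstab samples are constructed from
the commonly documented stock layout; exact device node names vary across
iOS versions, so the field-based parse is the check to trust and the
byte-offset check is shown only for comparison.
"""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: stock layout, "/" mounted read-only.
STOCK_FSTAB = (
    "/dev/disk0s1 / hfs ro 0 1\n"
    "/dev/disk0s2 /private/var hfs rw,nosuid,nodev 0 2\n"
)

# Constructed sample: the edit a jailbreak typically makes, "ro" -> "rw"
# on "/", here also dropping nosuid,nodev from /private/var.
JAILBROKEN_FSTAB = (
    "/dev/disk0s1 / hfs rw 0 1\n"
    "/dev/disk0s2 /private/var hfs rw 0 2\n"
)

# Constructed sample with a longer device node name (assumed, to resemble
# later iOS layouts): "ro" is no longer at bytes 19-20.
STOCK_FSTAB_LONG_NODE = (
    "/dev/disk0s1s1 / hfs ro 0 1\n"
    "/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2\n"
)


@dataclass
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: List[str]
    dump: int
    passno: int


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse fstab(5)-style lines: device mountpoint type options dump pass."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        dump = int(fields[4]) if len(fields) > 4 else 0
        passno = int(fields[5]) if len(fields) > 5 else 0
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  fields[3].split(","), dump, passno))
    return entries


def mount_options(text: str, mountpoint: str) -> Optional[List[str]]:
    """Return the option list for the given mountpoint, or None if absent."""
    for e in parse_fstab(text):
        if e.mountpoint == mountpoint:
            return e.options
    return None


def root_is_writable(text: str) -> bool:
    """True when '/' is mounted rw: the classic current-jailbreak indicator."""
    opts = mount_options(text, "/")
    return opts is not None and "rw" in opts


def offset_check(text: str) -> str:
    """The fixed-offset check from the thread: bytes 19-20 of the file.
    Only meaningful for the short '/dev/disk0s1 / hfs ' prefix; with a
    longer device node name those bytes land inside another field, so
    compare with the field-based result before trusting it."""
    return text[19:21]


def analyse(text: str) -> dict:
    """Run both checks side by side so a disagreement is visible."""
    var_opts = mount_options(text, "/private/var") or []
    return {
        "root_rw": root_is_writable(text),
        "bytes_19_20": offset_check(text),
        "var_nosuid": "nosuid" in var_opts,
    }


if __name__ == "__main__":
    for name, sample in [("stock", STOCK_FSTAB),
                         ("jailbroken", JAILBROKEN_FSTAB),
                         ("stock, long node", STOCK_FSTAB_LONG_NODE)]:
        print(f"{name:18s} {analyse(sample)}")
```

On the third sample the offset check returns "s " (the tail of "hfs"), which is why a parse of the "/" entry's option field, not a byte position, is the thing to script.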
SamBrown
(@sambrown)
Member

But the only way to remove a jailbreak is to restore the iOS device. This would remove all evidence of a previous jailbreak. So no, it is not possible to tell if an iPhone has been jailbroken before.

Posted : 09/01/2017 12:48 pm
Skywalker
(@skywalker)
Active Member

> But the only way to remove a jailbreak is to restore the iOS device. This would remove all evidence of a previous jailbreak. So no, it is not possible to tell if an iPhone has been jailbroken before.

Are you sure of that?

Posted : 14/01/2017 3:46 am
SamBrown
(@sambrown)
Member

Pretty sure. If you search on Google for how to remove a jailbreak, the instructions will always tell you to restore the device.

You can apparently try to hide a jailbreak by deleting the Cydia app, but the jailbreak itself is a non-reversible process. During the jailbreak the iOS system itself is modified, and there's no known method to undo these modifications other than restoring.

Posted : 15/01/2017 12:04 am
JeremyD
(@jeremyd)
New Member

In my testing, there were some artifacts left over after an unjailbreak event (iOS update or restore).

Searching the keyword "cydia" revealed several hits within my testing.

Jeremy

Posted : 30/01/2017 11:00 pm
giuseppem
(@giuseppem)
New Member

> The fstab file is in the system partition under
> /private/etc/fstab
>
> The offsets you are looking for are 19-20, not the "properties" of the file as you mentioned.
>
> Not sure if they will tell you if the phone was *EVER* jailbroken but will tell you if the phone is currently jailbroken or not.
>
> -=Art=-

I don't find the path you gave. Are you sure that in an iPhone's Advanced Logical Extraction we can find that path?

Thank you

Posted : 09/06/2017 2:37 am
CopyRight
(@copyright)
Active Member

Okay, here is an interesting thought: try to take an encrypted backup from iTunes, then use any mobile forensic tool, preferably UFED. It will ask you for the encryption password; once you enter it, the backup will contain a whole lot more information than a normal acquisition, such as user credentials, notes and deleted items.

You can then search for any jailbreaking artefacts, such as by searching for Cydia, or you can create your own word list of terms associated with the jailbreaking process.

Posted : 11/06/2017 2:52 pm
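The keyword sweep suggested in the post above, and the "cydia" search JeremyD reported earlier in the thread, as an added example that is not part of the forum. The wordlist and the artefact paths are assumptions drawn from well-known jailbreak tooling (Cydia, APT, Substrate, OpenSSH), to be extended with your own terms; the extraction tree it runs over is constructed in a temporary directory so the script works offline:

```python
"""Sweep a decoded extraction tree (UFED file export or a decrypted iTunes
backup) for jailbreak artefacts by entry name and by file content.

Added example, not from the forum. The wordlist and the artefact paths are
assumptions drawn from well-known jailbreak tooling (Cydia, APT, Substrate,
OpenSSH); extend them with your own terms. The sample tree is constructed
in a temporary directory so the script runs offline.
"""

import os
import re
import tempfile
from typing import Dict, List

# Assumed wordlist of terms associated with the jailbreaking process.
DEFAULT_WORDLIST = ["cydia", "substrate", "apt", "dpkg", "sshd", "bash"]

# Assumed on-device paths that jailbreak tooling commonly creates.
KNOWN_PATHS = [
    "Applications/Cydia.app",
    "private/var/lib/apt",
    "private/var/lib/cydia",
    "Library/MobileSubstrate",
    "usr/sbin/sshd",
    "bin/bash",
]


def compile_wordlist(wordlist: List[str]) -> "re.Pattern[str]":
    # Word boundaries stop short terms such as "apt" matching inside
    # unrelated words ("adapter", "capture"), which otherwise floods output.
    body = "|".join(re.escape(w) for w in wordlist)
    return re.compile(r"\b(?:" + body + r")\b", re.IGNORECASE)


def sweep(root: str, wordlist: List[str] = DEFAULT_WORDLIST,
          max_bytes: int = 1_000_000) -> Dict[str, list]:
    """Return name hits and content hits as (relpath, term), plus which of
    KNOWN_PATHS exist. Names are matched on the entry itself so a hit on
    a directory is not repeated for every file beneath it."""
    pat = compile_wordlist(wordlist)
    hits: Dict[str, list] = {"paths": [], "contents": [], "known_paths": []}

    def rel(dirpath: str, name: str) -> str:
        return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            m = pat.search(name)
            if m:
                hits["paths"].append((rel(dirpath, name), m.group(0).lower()))
        for name in filenames:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            for term in sorted({m.group(0).lower() for m in pat.finditer(text)}):
                hits["contents"].append((rel(dirpath, name), term))
    hits["known_paths"] = [p for p in KNOWN_PATHS
                           if os.path.exists(os.path.join(root, *p.split("/")))]
    return hits


def build_sample_tree(root: str) -> None:
    """Write a constructed extraction: a leftover Cydia bundle, an installed-app
    cache that still names it, an empty APT directory, and two clean files."""
    files = {
        "Applications/Cydia.app/Info.plist":
            b"<key>CFBundleIdentifier</key><string>com.saurik.Cydia</string>",
        "private/var/mobile/Library/Caches/com.apple.mobile.installation.plist":
            b"<string>com.saurik.Cydia</string><string>com.apple.Preferences</string>",
        "private/var/mobile/Media/DCIM/IMG_0001.JPG": b"\xff\xd8\xff\xe0" + bytes(64),
        "private/var/logs/lockdownd.log": b"lockdownd[21]: pairing recorded\n",
    }
    for relpath, data in files.items():
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "private", "var", "lib", "apt"), exist_ok=True)


def run_demo() -> Dict[str, list]:
    """Build the constructed tree, sweep it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("   ", item)
```

Point the sweep at a real export by calling sweep("/path/to/extraction") instead of run_demo(); on a restored device expect the known-path list to be empty and any surviving hits to come from the content search, which is where the leftovers described in the thread tend to appear.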
Vesalius
(@vesalius)
Member

You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.

Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.

Posted : 12/06/2017 3:51 pm
giuseppem
(@giuseppem)
New Member

> You can only tell if the iPhone is jailbroken or not in the directory you mentioned, not if any past ones have occurred.
>
> Factory resetting the iPhone will remove everything that has ever been on the device; it is practically a 99.9% wipe of the device, so it will be almost impossible to determine if anything has ever been done on the device.

Thank you for your answer.
So the question is: if the iPhone is jailbroken, with an iPhone's Advanced Logical Extraction am I able to find the fstab file in the system partition under /private/etc/fstab?

Posted : 12/06/2017 10:47 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.

I wonder what traces remain on a PC or Mac when you connect and jailbreak a device. Maybe the proof you are looking for is not on the device itself, but on the device it was synced with.

Posted : 13/06/2017 12:13 am
giuseppem
(@giuseppem)
New Member

> Yes, if the iPhone is jailbroken, you can find modified fstab and also parts of the Cydia app.

Yes, that's clear. But is the iPhone's Advanced Logical Extraction (performed with UFED) sufficient? Or do I need some kind of deeper acquisition?

Thank you

Posted : 13/06/2017 12:24 am
passcodeunlock
(@passcodeunlock)
Senior Member

It is enough; you should have the Cydia app, or at least artifacts of it if it was removed.

Another simple test: if you can create a Physical Acquisition of a device with Secure Enclave, the device is jailbroken. Maybe somebody else could confirm this?

Posted : 13/06/2017 12:30 am
trewmte
(@trewmte)
Community Legend

Useful replies in this thread so far. To add additional observations: if you are intending to search for artifacts/artefacts, try to get a brand new iPhone and then jailbreak it to see what you find.

iPhone - TDEL034 Tool Testing - http://trewmte.blogspot.co.uk/2017/06/iphone-tdel034-tool-testing.html

Posted : 15/06/2017 1:40 pm
Azarius
(@azarius)
New Member

That directory is located in the System folder, and as such, is unavailable to you…

Posted : 22/06/2017 2:03 am