Imaging the data partition
Physical imaging refers to the dd image of the logical partitions. As discussed in Chapter 2,
Understanding the Internals of iOS Devices, the NAND flash on iOS devices contains two
logical disk partitions: the system partition and the user data partition. On a non-jailbroken
device, the system partition is mounted read-only. The user data partition contains all the
user-installed applications and their data. For a full forensic analysis, it is preferable to
acquire both the system and the data partition, and most forensic tools capture both
partitions in one image. If the examiner is pressed for time, they should at the minimum dump
the entire data partition. To acquire a disk image of the user data partition, run the
dump_data_partition.sh shell script, as shown in the following command lines:
$sudo ./dump_data_partition.sh
Warning: Permanently added '[localhost]:2222' (RSA) to the
list of known hosts.
root@localhost's password:
Enter alpine as the password, which is the default SSH password on iOS devices, and hit
Enter on the keyboard:
Device UDID : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Dumping data partition in
b716de79051ef093a98fc3ff1c46ca5e36faabc3/
data_20131209-1956.dmg ...
Warning: Permanently added '[localhost]:2222' (RSA) to the
list of known hosts.
[...]
The raw disk image begins transferring, as shown in the following command lines; the
transfer is also reflected by a gradual increase in the size of the image file on the desktop.
The script runs for several minutes to several hours depending on the size of the file system.
For example, acquiring an image from an 8 GB iPhone 4 takes roughly 30 minutes.
1801554+0 records in
1801554+0 records out
14758330368 bytes (15 GB) copied, 2463.01 s, 6.0 MB/s
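Before relying on the image, it is worth confirming that the dd run shown above completed cleanly and recording the image hash. The following POSIX shell script is an added example, not part of dump_data_partition.sh or the book: it parses dd's summary lines, checks them against a block size of 8192 (inferred from the figures above, since 1801554 × 8192 = 14758330368, and not stated on the page), and compares the on-disk size before hashing. The file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the book or dump_data_partition.sh): sanity-check a
# dd acquisition using the three summary lines dd prints on stderr.

# check_dd_summary SUMMARY BLOCK_SIZE
# Returns 0 only if dd copied whole blocks (no "+N" partial records), read and
# wrote the same number of records, and the byte count equals records * bs.
# The block size of 8192 is inferred from the run shown above, not stated there.
check_dd_summary() {
    summary="$1"
    bs="$2"
    rin=$(printf '%s\n' "$summary" | awk '/records in/  {print $1}')
    rout=$(printf '%s\n' "$summary" | awk '/records out/ {print $1}')
    bytes=$(printf '%s\n' "$summary" | awk '/bytes/ {print $1}')
    [ -n "$rin" ] && [ -n "$rout" ] && [ -n "$bytes" ] || return 1
    full_in=${rin%%+*};   part_in=${rin##*+}
    full_out=${rout%%+*}; part_out=${rout##*+}
    # A non-zero partial count means a short read or write: incomplete image.
    [ "$part_in" = "0" ] && [ "$part_out" = "0" ] || return 1
    [ "$full_in" = "$full_out" ] || return 1
    [ "$((full_out * bs))" -eq "$bytes" ] || return 1
}

# verify_image FILE EXPECTED_BYTES
# Confirms the file on disk is the size dd reported and prints its SHA-256 so
# the acquisition can be tied back to this run in the examiner's notes.
verify_image() {
    image="$1"
    expected="$2"
    actual=$(wc -c < "$image" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: $actual bytes on disk, dd reported $expected" >&2
        return 1
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$image" | awk '{print $1}'
    else
        shasum -a 256 "$image" | awk '{print $1}'   # Mac OS X
    fi
}

# Usage with the figures from the run above (UDID directory is a placeholder):
#   check_dd_summary "$(cat dd_stderr.txt)" 8192 && \
#   verify_image UDID_PLACEHOLDER/data_20131209-1956.dmg 14758330368
```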
The script dumps the entire user data partition and places it in a directory named after the
UDID of the target device, in DMG format, which can be mounted directly on Mac OS X. Only the