Recovering the deleted data
Once a raw image of the device is obtained, you can recover deleted files from the unallocated space by carving the HFS journal with the emf_undelete.py script, as shown in the following command. This script recovers only a limited number of files.
$ sudo python python_scripts/emf_undelete.py UDID/data_20131209-1956.dmg
To recover more deleted files or photos, acquire a low-level NAND image using
ios_examiner.py and run the undelete command.
To acquire a low-level NAND image, boot the custom ramdisk and the patched kernel onto
the iPhone with the nand-disable boot flag, as shown in the following command:
$ sudo ./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w -i iPhone3,1_5.1.1_9B208_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched -a "-v rd=md0 nand-disable=1"
Once the ramdisk is booted successfully, run the ios_examiner.py script without parameters. It allows you to enter commands in the ios_examiner shell, as shown in the following command lines:
$ cd iphone-dataprotection
$ sudo python python_scripts/ios_examiner.py
Connecting to device : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Device model: iPhone 4 GSM
UDID: b716de79051ef093a98fc3ff1c46ca5e36faabc3
ECID: 1937316564364
Serial number: 870522V6A4S
key835: ef8f36fb3a85b42a72e8c5efa6b1a844
key89B: de75b5f5fa6abc5bf25293b38f980a52
[...]
YaFTL_readCxtInfo FAIL, restore needed maxUsn=4491408
FTL restore in progress
100% |########################################|
BTOC not found for block 13 (usn 4491530), scanning all pages
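Added example (not from the original text or the iphone-dataprotection tools): Python 3 code that parses the session banner shown above into a case record, checks each field's format, and replaces key835 and key89B with a truncated hash so key material stays out of case notes. The field patterns and the names parse_session and case_record are assumptions made for this example.

```python
import hashlib
import re

# Lines copied from the session above ("[...]" and the progress bar omitted).
SAMPLE = """\
Connecting to device : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Device model: iPhone 4 GSM
UDID: b716de79051ef093a98fc3ff1c46ca5e36faabc3
ECID: 1937316564364
Serial number: 870522V6A4S
key835: ef8f36fb3a85b42a72e8c5efa6b1a844
key89B: de75b5f5fa6abc5bf25293b38f980a52
YaFTL_readCxtInfo FAIL, restore needed maxUsn=4491408
BTOC not found for block 13 (usn 4491530), scanning all pages
"""

# Assumed field shapes, inferred only from the values printed in this session.
FIELDS = {"Device model": r".+", "UDID": r"[0-9a-f]{40}", "ECID": r"\d+",
          "Serial number": r"[0-9A-Z]+", "key835": r"[0-9a-f]{32}",
          "key89B": r"[0-9a-f]{32}"}

def parse_session(text):
    """Return (fields, notes) parsed from an ios_examiner.py transcript."""
    fields, notes = {}, []
    for line in text.splitlines():
        label, _, value = (part.strip() for part in line.partition(":"))
        if label in FIELDS:
            if re.fullmatch(FIELDS[label], value):
                fields[label] = value
            else:
                notes.append(f"malformed {label}: {value!r}")
        elif label == "Connecting to device":
            fields["connected"] = value
        elif "restore needed" in line:
            notes.append("YaFTL context read failed; FTL restore triggered")
        elif m := re.match(r"BTOC not found for block (\d+)", line):
            notes.append(f"block {m.group(1)}: BTOC missing, all pages scanned")
    # The UDID in the connection line should match the one the device reports.
    if fields.get("connected") != fields.get("UDID"):
        notes.append("connected device does not match reported UDID")
    return fields, notes

def case_record(fields):
    """Copy of fields with key material replaced by a truncated SHA-256 tag."""
    out = dict(fields)
    for name in out.keys() & {"key835", "key89B"}:
        out[name] = "sha256:" + hashlib.sha256(bytes.fromhex(out[name])).hexdigest()[:16]
    return out
```

Store the full transcript with the evidence under access control and put only the output of case_record into shared notes.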