Acquisition via jailbreaking
To perform physical acquisition on devices that are not vulnerable to the Boot ROM exploit, the device must be jailbroken. Jailbreaking an iPhone allows the examiner to install tools that would not normally be on the device, such as SSH. By far, the most popular method for jailbreaking is with redSn0w or evasi0n. Both tools have simple wizards that will step the iOS device through the jailbreak process and install the Cydia application. An examiner should only jailbreak a device as a last resort and should use great caution when doing so. Again, all steps taken by the examiner must be well-documented. The jailbreaking process makes changes to the device, which may damage evidence or render it inadmissible in court. If possible, consider performing a logical acquisition first to preserve evidence that may be lost during the jailbreaking process.
To obtain an image of the user data partition, the forensic workstation and the target iOS
device must be placed on the same wireless network. From the forensic workstation, run
the following SSH command to start the process. Make sure that you replace the IP address
used in the command with your device's IP address before running it.
$ ssh root@192.168.2.9 "dd if=/dev/rdisk0s1s2 bs=8192" > data.dmg
Enter alpine as the password and hit Enter on the keyboard. This process may take several hours depending on the capacity of the iPhone. Once completed, it displays a certain number of bytes that have been copied, as shown in the following command lines:
1801554+0 records in
1801554+0 records out
14758330368 bytes (15 GB) copied, 2722.38 s, 5.4 MB/s
The SSH command connects to the SSH server on the iOS device as the root user. The dd if=/dev/rdisk0s1s2 bs=8192 command executes the disk copy utility on the iPhone and reads the user data partition located at /dev/rdisk0s1s2 with a block size of 8K. The shell redirection writes the output to the data.dmg file on the forensic workstation drive. The resulting image file can be examined with the forensic analyst's choice of tools.
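As an added example (not the book's own material), the following POSIX shell wrapper runs the same dd-over-SSH pipeline, keeps dd's summary for the examiner's notes, and checks that the byte count dd reported matches the image actually written. The function names (acquire_image, bytes_copied, verify_image, image_hash) and the use of an empty runner string to read a local file as a stand-in device are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the book. Wraps "ssh root@<ip> dd if=<dev> bs=8192 > image"
# and records what is needed to document the acquisition.
set -u

# acquire_image RUNNER DEVICE OUTFILE
#   RUNNER is the command that reaches the device, e.g. "ssh root@192.168.2.9".
#   An empty RUNNER runs dd locally (used for a self-test on a constructed file).
#   dd's summary (records in/out, byte count) goes to OUTFILE.log for the case notes.
acquire_image() {
  runner=$1; device=$2; outfile=$3
  # $runner is deliberately unquoted so "ssh root@host" splits into words
  $runner dd if="$device" bs=8192 2>"$outfile.log" >"$outfile"
}

# bytes_copied LOGFILE -> the byte count from dd's "<N> bytes ..." summary line
bytes_copied() {
  grep ' bytes' "$1" | awk '{print $1}' | head -n 1
}

# verify_image OUTFILE -> success only if dd's reported byte count equals the
#   size of the file on the workstation (a short transfer shows up here)
verify_image() {
  outfile=$1
  reported=$(bytes_copied "$outfile.log")
  actual=$(wc -c <"$outfile" | tr -d ' ')
  [ -n "$reported" ] && [ "$reported" -eq "$actual" ]
}

# image_hash FILE -> SHA-256 hex digest, to be recorded with the image
image_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}
```

With a jailbroken device on the same network the call is acquire_image "ssh root@192.168.2.9" /dev/rdisk0s1s2 data.dmg, followed by verify_image data.dmg and image_hash data.dmg.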
It is not possible to jailbreak a device that is protected with a passcode. So, if a device (A5+) is protected with a passcode and is not jailbroken, it is not possible to perform physical acquisition on that device. Also, it should be noted that the raw disk image obtained