from the iPhone is encrypted and cannot be parsed. In order to decrypt the image, we must obtain the encryption keys from the device. These keys are derived from the device's UID key, a hardware key fused into the application processor that no software can read out directly; it can only be used through the AES engine, and user-space code can do that only after the IOAESAccelerator kernel extension has been patched. Obtaining the keys is easy on devices running iOS 5 and earlier versions. Since iOS 6, Apple has added new security features to the kernel, such as Kernel Address Space Layout Randomization and Kernel Address Space Protection, which prevent examiners from patching the kernel code directly. However, the Elcomsoft iOS Forensic Toolkit, a commercial tool for iOS forensics, claims that it can perform physical acquisition on devices running iOS 6 and iOS 7. This claim assumes that the iOS device is jailbroken, or that the examiner has access to the host computer that holds the pairing keys in escrow files. The tool is discussed in detail in Chapter 6, iOS Forensic Tools.
The following steps explain how to obtain a disk image from an iPhone 4S that runs iOS 5 and is protected with a passcode. As a prerequisite, the iPhone 4S must already be jailbroken, with OpenSSH installed and the root user still set to the default password.
Set up the iPhone Data Protection Tools as explained in the previous sections. Edit the Makefile in the ramdisk_tools folder, set the iOS SDK version to the one installed on the host, and run the make command:
$cd iphone-dataprotection
$cd ramdisk_tools
$sudo make
Connect the iPhone to the computer via USB and establish communication by running the tcprelay.py script, which forwards the device's SSH port (22) to port 2222 on the local host:
$cd iphone-dataprotection
$python usbmuxd-python-client/tcprelay.py -t 22:2222
Dump the iPhone user data partition (/dev/rdisk0s1s2 on iOS 5) using the following command; the -p 2222 option points ssh at the local port that tcprelay.py opened in the previous step:
$ssh -p 2222 root@127.0.0.1 "dd if=/dev/rdisk0s1s2 bs=8192" > data.dmg
Enter alpine (the default root password on a jailbroken device) as the password and hit Enter. The resulting data.dmg is still encrypted; the keys must be extracted from the device before it can be parsed.
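As an added example (not code from the book or from the iphone-dataprotection project), the acquisition step above is wrapped in a small POSIX shell script that hashes the image while it is being written and can re-verify it later, which is what an examiner needs before the image is handed to any decryption or parsing tool. It assumes tcprelay.py is already forwarding the device's port 22 to localhost:2222 and that OpenSSH on the phone still accepts the default root password; the <image>.sha256 sidecar file and the environment variable names are conventions of this example.

```shell
#!/bin/sh
# Added example; not code from the book or the iphone-dataprotection project.
# Wraps the dd-over-SSH acquisition so the image is hashed as it is written
# and can be re-verified later.  Assumes tcprelay.py already forwards the
# device's port 22 to localhost:2222 (assumption of this example).
set -eu

SSH_PORT="${SSH_PORT:-2222}"               # local port from: tcprelay.py -t 22:2222
DATA_PART="${DATA_PART:-/dev/rdisk0s1s2}"  # user data partition on iOS 5
BLOCK_SIZE="${BLOCK_SIZE:-8192}"

# Portable SHA-256 of stdin: Linux ships sha256sum, macOS ships shasum.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# The command that runs on the phone.  Kept in a function so the exact
# string can be reviewed (and tested) without a device attached.
remote_dd_cmd() {
    printf 'dd if=%s bs=%s' "$1" "$2"
}

# Stream the raw partition over SSH, writing the image and its hash at once.
# The hash goes to <image>.sha256 (a naming convention of this example).
acquire() {
    img="$1"
    ssh -p "$SSH_PORT" root@127.0.0.1 "$(remote_dd_cmd "$DATA_PART" "$BLOCK_SIZE")" \
        | tee "$img" | sha256_stdin > "$img.sha256"
    # A pipeline hides a failed ssh in plain sh, so at least refuse an empty image.
    [ -s "$img" ] || { echo "acquisition produced no data" >&2; return 1; }
    echo "image: $img  sha256: $(cat "$img.sha256")"
}

# Re-hash an image and compare it with the hash recorded at acquisition time.
# Returns 0 on match, 1 on mismatch; run it before and after every analysis.
verify_image() {
    img="$1"
    recorded=$(cat "$img.sha256")
    actual=$(sha256_stdin < "$img")
    [ "$recorded" = "$actual" ]
}

# Usage: sh acquire.sh acquire data.dmg   |   sh acquire.sh verify data.dmg
case "${1:-}" in
    acquire) acquire "${2:-data.dmg}" ;;
    verify)
        if verify_image "${2:-data.dmg}"; then
            echo "hash matches"
        else
            echo "HASH MISMATCH" >&2; exit 1
        fi ;;
esac
```

The image produced this way is still the encrypted data partition; the hash only proves that what you analyze later is byte-for-byte what came off the device. Plain sh has no pipefail, so a dropped SSH session can leave a truncated image that hashes cleanly; if bash is available, add set -o pipefail, and in any case compare the image size with the partition size reported by the device.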