EIFT—selecting partition to image option
After selecting the partition, the window prompts you for a filename to save the
image. If the filename is not supplied, it extracts the raw file system from the
device and stores it as a user.dmg file in the user's home directory. Best
practices include acquiring both the user and system partitions.
7. After the acquisition, you can reboot the device into normal operation by
selecting menu item 9.
8. To decrypt the acquired image, select menu item 7. You will be prompted to
provide filenames of the encrypted image, device keys, and a filename to save the
decrypted image. If the filename is not supplied, it decrypts the image and stores
it as user-decrypted.dmg in the user's home directory. The toolkit also
computes the SHA1 hash of the decrypted image file.

EIFT is also capable of performing physical acquisition of a jailbroken iPhone 4S
and newer devices running on iOS 5/6/7. At the time of writing, EIFT is the only
tool that supports physical acquisition of the iPhone 4S and newer devices running
with iOS 7. EIFT requires the OpenSSH package to be installed on the device to
perform acquisition on newer devices. OpenSSH runs the SSH server on the device
and allows you to copy and run the acquisition tools. Once the SSH server is
running on the device, you can follow steps 3 to 8 to acquire a raw disk image
from an iPhone 4S and newer devices.
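
An independent integrity check for the decrypted image from step 8, as an added example (not part of the original text or of EIFT): it streams the file, recomputes SHA-1 for comparison with the value the toolkit reported, and adds SHA-256 for the case record. The function names and the small sample file are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time; disk images are too large to load whole


def hash_image(path, chunk_size=CHUNK):
    """Return (sha1_hex, sha256_hex, size_bytes) for an image file, streaming it."""
    sha1, sha256, size = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return sha1.hexdigest(), sha256.hexdigest(), size


def verify_image(path, recorded_sha1):
    """Compare an image's SHA-1 with the value recorded at acquisition time."""
    path = Path(path)
    if not path.is_file():
        return {"image": str(path), "status": "missing"}
    sha1, sha256, size = hash_image(path)
    # Normalise case and whitespace so a hand-copied hash still compares cleanly.
    expected = recorded_sha1.strip().lower()
    status = "match" if sha1 == expected else "MISMATCH"
    return {"image": str(path), "size": size, "sha1": sha1,
            "sha256": sha256, "recorded_sha1": expected, "status": status}


if __name__ == "__main__":
    # Constructed sample: a small temp file stands in for user-decrypted.dmg.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "user-decrypted.dmg")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image bytes\n" * 1024)
        recorded = hash_image(image)[0]       # stands in for the toolkit's value
        print(verify_image(image, recorded))  # unchanged file
        with open(image, "ab") as fh:         # simulate a modified working copy
            fh.write(b"\x00")
        print(verify_image(image, recorded))  # altered file
```

Run the check again whenever the image is copied to new storage, so every working copy can be tied back to the hash recorded at acquisition.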