Disk layout
By default, the file system is configured as two logical disk partitions: the system (root or
firmware) partition and the user data partition.
The system partition contains the OS and all of the preloaded applications used with the
iPhone. The system partition is mounted as read-only unless an OS upgrade is performed or
the device is jailbroken. The partition is updated only when a firmware upgrade is performed
on the device. During this process, the entire partition is formatted by iTunes
without affecting any of the user data. The system partition takes only a small portion of
storage space, normally between 0.9 GB and 2.7 GB, depending on the size of the NAND
drive. As the system partition was designed to remain in factory state for the entire life of
the iPhone, there is typically little useful evidentiary information that can be obtained from
it. If the iOS device was jailbroken, files containing information regarding the jailbreak
may be resident on the system partition. Jailbreaking an iOS device allows the user root
access to the device and voids the manufacturer warranty. Jailbreaking will be discussed later
in this chapter.
The user data partition contains all user-created data ranging from music to contacts. The
user data partition occupies most of the NAND memory and is mounted at /private/var
on the device. Most of the evidentiary information can be found in this partition. During
a physical acquisition, both the user data and system partitions can be captured and
saved as a .dmg or .img file. These raw image files can be mounted as read-only for
forensic analysis, which is covered in detail in Chapter 3, Data Acquisition from iOS
Devices. Even on non-jailbroken iOS devices, it is recommended to acquire both the system
and user data partitions to ensure all data is obtained for examination.
To view the mounted partitions on the iPhone, connect a jailbroken iPhone to a workstation
over SSH, and run the mount command. For this example, an iPhone 4 running iOS 5.1.1 is used.
The mount command shows that the system partition is mounted on / (root), and the
user data partition is mounted on /private/var, as shown in the following command
lines. Both partitions show HFS as the file system, and the user data partition even shows
that journaling is enabled.
iPhone4:~ root# mount
/dev/disk0s1s1 on / (hfs, local, journaled, noatime)
devfs on /dev (devfs, local, nobrowse)
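A workstation-side parser for a mount listing like the one above, added here as an example and not taken from the book: it picks out the system and user data partitions and reports whether the root file system is writable, which the text ties to an OS upgrade or a jailbreak. The /private/var line in the sample is constructed, and the function names and the `read-only` flag check (standard BSD mount output) are assumptions of this example.

```python
import re

# BSD-style mount line: "<device> on <mount point> (<fs type>, <flag>, ...)"
MOUNT_LINE = re.compile(r"^(?P<device>\S+) on (?P<point>.+?) \((?P<opts>[^)]*)\)\s*$")

def parse_mount(output):
    """Return one dict per mount line; shell prompts and blank lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        opts = [o.strip() for o in m.group("opts").split(",") if o.strip()]
        entries.append({
            "device": m.group("device"),
            "mount_point": m.group("point"),
            "fs_type": opts[0] if opts else "",
            "flags": set(opts[1:]),
        })
    return entries

def triage(entries):
    """Summarise the two partitions described in the text for the examiner's notes."""
    by_point = {e["mount_point"]: e for e in entries}
    root, data = by_point.get("/"), by_point.get("/private/var")
    return {
        "system_device": root["device"] if root else None,
        "user_data_device": data["device"] if data else None,
        # A root file system without the read-only flag is writable.
        "system_writable": bool(root) and "read-only" not in root["flags"],
        "user_data_journaled": bool(data) and "journaled" in data["flags"],
    }

# First three lines are from the listing above; the last line is constructed.
SAMPLE = """iPhone4:~ root# mount
/dev/disk0s1s1 on / (hfs, local, journaled, noatime)
devfs on /dev (devfs, local, nobrowse)
/dev/disk0s1s2 on /private/var (hfs, local, journaled, noatime)
"""

if __name__ == "__main__":
    print(triage(parse_mount(SAMPLE)))
```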