iPhone Forensics

Gangsters, hoodlums, and a variety of nightlife users love iPhones. If you want to be a successful street user, owning an iPhone is an absolute necessity. While this is bad for everyone who is robbed of their iPhone, law enforcement benefits greatly from the iPhone’s vulnerability to forensics.
Hakin9 2/2009 https://hakin9.org
  • How to get data off an iPhone

  • Basic understanding of jailbreaks
  • Command-line skills
People using Apple’s latest mobile device leave behind a huge trail of information due to specific hardware design issues. While the introduction of flash memory has made most (if not all) PDAs and smartphones vulnerable, the iPhone’s operating system encourages forensic intrusion to some extent.

iPhone internals

As of this writing, iPhone devices come in four different flavours. There is an iPhone, an iPhone 3G, an iPod Touch and an iPod Touch 2G. The first two have GSM and WiFi, while the other two have WiFi only. All of the devices have multiple sub-families with various amounts of storage, ranging from 4GB on an entry-level iPhone to 32GB on some high-end devices. All of these devices are rumoured to run an ARM port of Mac OS X 10.5, which essentially means that they are based on a Unix core. As Apple originally didn’t allow customers to install third-party products on their iPhone, so-called jailbreaking soon became a popular sport among freaks. A jailbreak is a special firmware bundle which allows you to install any kind of program without having to use the iTunes store. It furthermore removes all the file system access restrictions that the firmware carries in its default state: this is why programs like file managers usually come in jailbroken and non-jailbroken versions.

Memory architecture

All of the aforementioned devices share the same memory architecture. The device has a small Firmware partition and a bigger User partition. The Firmware partition usually is smaller than 500MB and normally does not change unless a firmware update is installed. Thus, all the interesting stuff sits in the User partition. That partition lives in Flash memory, and writes are evenly spread out across the chip to keep wear levels in check. This property of Flash memory allows deleted data to survive for months. Putting an iPhone into restore mode thus doesn’t do any harm: if a complete restore is performed, the User partition file system is erased, but the actual data is not shredded or overwritten.

iTunes strikes back

Like most other PDAs, Apple’s mobile devices are synchronized with the PC. The sync software is called iTunes, and it creates local copies of each and every file found on the device. These files can be found in a (hidden) folder called MobileSync. The dump below shows the MobileSync folder on my Windows XP machine: see Listing 1. As we can see, the backup folder is housed in each user’s profile and contains a variety of subfolders bearing device IDs and date stamps. Usually, the folder without the device ID is the one containing the latest files.
