Many analysts and researchers work with a very limited budget, and many of us can’t get those $uper expen$ive commercial mobile acquisition and analysis tools. I’ve been asked many times, “What tools can I use to analyze iOS with $0 in the budget for tools?”
With newer iOS devices running newer operating systems, forensic access to the device has become quite limited. Every commercial tool can provide a logical dump of the phone (give or take the caveats of PIN/passcode access and the reboot/unlock status of the device, of course!). That dump may be fine for some analysts, but I have found that it doesn’t quite provide the data I’m looking for, so I needed to find a different way of doing things.
Breakin’ Jails
Whether or not you think this is “forensically sound”, and whether or not your legal policies allow you to do so, I want to at least offer this method as a potential capability.
You should absolutely discuss this with the people you need to before you use this method operationally because, among other reasons:
- It will change the data on the phone, but of course data is always changing on mobile devices.
- The jailbreak software can be “shady” at best.
- You are breaking the security of the system. This is kinda the point of a jailbreak after all.
- The jailbreak process may not go as planned, and you could destroy the data on the device (or brick the device itself!). Use this method only as a final option after an exhaustive effort to get the data you need. If a logical backup gets you what you need, then absolutely go with it.
- The jailbreak can potentially void the warranty; however, restoring the phone to a current, clean OS through iTunes will remove the jailbreak.
Remember - Documentation is key! Sometimes to get to the files we need we have to Jailbreak - there is really no other way around this problem.
Of course if it is for research and testing – and it’s a device you own – go nuts!
Jailbreak Software
Jailbreaking software is available for most iOS version/device combinations. At the time of this writing, iOS 9.1+ does not have a jailbreak available. One of my favorite sites for determining which jailbreaks are available for a specific device and iOS combination is https://www.theiphonewiki.com/wiki/Jailbreak. New jailbreaks can come out anytime, from before an iOS update is released to months afterwards - there is no guarantee that a jailbreak will even be available when you need it. Sometimes you just have to wait it out.
Popular jailbreaks for iOS 8 and 9 are TaiG and Pangu, available at the links below. Jailbreak instructions are easy to search for and depend on the jailbreak software you are using.
In preparation for the jailbreak you will need the password for the device, as some jailbreaks require you to remove this password. Also, as part of jailbreak “best practices”, some jailbreaks require the device to be backed up, in airplane mode, with Find My iPhone turned off, and without a password. Be sure to read the directions carefully - each one works a little bit differently.
A word of warning here - make sure you go to the legitimate link for the jailbreak software, otherwise you might be tricked into paying a fee. (As of this writing, most public jailbreaks are free - we can hope the iOS jailbreak creators continue this trend.)
Utility Install
Once jailbroken, you need to install an SSH server on the device to make imaging and analysis possible.
Cydia is usually the tool of choice for this process, as most jailbreak software includes and installs this application. OpenSSH is the preferred SSH utility for iDevices, so find the OpenSSH package in Cydia and install it.
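Since documentation is key, here is a small acquisition helper to run from the analysis workstation once OpenSSH is on the device. It is an added example, not code from the original post: it logs each step with a UTC timestamp, pulls a file over SSH, and refuses to keep a copy whose hash does not match the hash computed on the device. It assumes the device is reachable as `$DEVICE` on `$PORT` (for example via USB with `iproxy 2222 22` from libimobiledevice), that the root password has been changed from the jailbreak default, and that the Cydia coreutils package provides `sha1sum` on the device.

```shell
#!/bin/sh
# Added example: verified file pull from a jailbroken iOS device over SSH.
# Assumptions (not from the original post): DEVICE/PORT point at the device's
# OpenSSH service, e.g. through `iproxy 2222 22`, and sha1sum exists on the
# device (Cydia coreutils). LOG is the chain-of-custody log on the workstation.
DEVICE="${DEVICE:-root@127.0.0.1}"
PORT="${PORT:-2222}"
LOG="${LOG:-acquisition.log}"

# Append one timestamped line to the acquisition log.
log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# SHA-1 of a local file; works with sha1sum (Linux) or shasum (macOS).
local_sha1() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
  else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# Compare the hash reported by the device with the hash of the local copy.
# Returns 0 on match, 1 on mismatch; either way the outcome is logged.
verify_copy() { # verify_copy <remote_hash> <local_file>
  local_hash=$(local_sha1 "$2")
  if [ "$local_hash" = "$1" ]; then
    log "OK   $2 sha1=$local_hash"; return 0
  else
    log "FAIL $2 remote=$1 local=$local_hash"; rm -f "$2"; return 1
  fi
}

# Record what we connected to, then pull a single file and verify it.
pull_file() { # pull_file <remote_path> <local_dir>
  name=$(basename "$1")
  log "device: $(ssh -p "$PORT" "$DEVICE" 'uname -a')"
  remote_hash=$(ssh -p "$PORT" "$DEVICE" "sha1sum '$1'" | cut -d' ' -f1)
  scp -P "$PORT" "$DEVICE:$1" "$2/$name"
  verify_copy "$remote_hash" "$2/$name"
}

# Example invocation (needs a live device):
# pull_file /private/var/mobile/Library/SMS/sms.db ./evidence
```

A mismatched copy is deleted and logged as FAIL rather than kept, so a partial or altered transfer cannot slip into the evidence directory unnoticed.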