Many analysts and researchers work with a very limited budget, many of us can’t get those $uper expen$ive commercial mobile acquisition and analysis tools. I’ve been asked many times, “What tools can I use to analyze iOS with $0 in the budget for tools?”
With newer iOS devices that come with newer operating systems, the ease of forensic access to iOS devices has been quite limited. Every commercial tool has the capability to provide a logical dump of the phone (give or take the caveats of access to PIN/Passcodes or the reboot/unlock status of the devices of course!). This data dump may be fine for some analysts but I have found that it doesn’t quite provide me with the data that I’m looking for. I needed to find a different way of doing things.
Whether or not you think this is “forensically sound” or whether your legal policies allow you to do so I want to at least offer this method as a potential capability.
You should absolutely discuss this with the people you need to before you use this method operationally because, among other reasons:
- It will change the data on the phone, but of course data is always changing on mobile devices.
- The jailbreak software can be “shady” at best.
- You are breaking the security of the system. This is kinda the point of a jailbreak after all.
- The jailbreak process may not go as planned, and you could destroy the data on the device (or brick the device itself!). Use this method only as final option to an exhaustive effort to get the data you need. If a logical backup gets you what you need then absolutely go with it.
- The jailbreak can potentially void the warranty, however restoring the phone to a current, clean OS though iTunes will remove the jailbreak.
Remember - Documentation is key! Sometimes to get to the files we need we have to Jailbreak - there is really no other way around this problem.
Of course if it is for research and testing – and it’s a device you own – go nuts!
Jailbreaking software is available for most iOS versions/device combinations. At the time of this writing iOS 9.1+ does not have a jailbreak available. One of my favorite sites to determine what jailbreaks are available for a specific device and iOS combination is https://www.theiphonewiki.com/wiki/Jailbreak. New jailbreaks can come out anytime from before an iOS update comes out to months afterwards - there is no guarantee that a jailbreak will even be available when you need it. Sometimes you just have to wait it out.
In preparation for the jailbreak you will need the password for the device as some jailbreaks require you to remove this password. Also as part of jailbreak “best practices” some jailbreaks require the device to be backed up, in airplane mode, Find My iPhone turned off, and without a password. Be sure to read the directions carefully - each one works a little bit different.
A word of warning here - make sure you go to the legitimate link for the jailbreak software, otherwise you might be tricked into paying a fee. (As of this writing, most public jailbreaks are free - we can hope the iOS jailbreak creators continue this trend.)
Once jailbroken, you need to install SSH to make imaging and analysis possible.
Cydia is usually the tool of choice for this process as most jailbreak software includes and installs this application. OpenSSH is the preferred SSH utility for iDevices, find the OpenSSH application and install it.
You may need to “Refresh” the Sources before searching for it. Go to Sources tab in Cydia and Press “Refresh”.
Dump the Device’s Data
Accessing the device is easy using SSH over WiFi, but when we copy data from the device that could be a bit slow. Instead, we are going to use a tool called iproxy to access the device over USB using the usbmuxd capability. To do this, we are going to install a package called iproxy, part of the libimobiledevice suite of utilities. This installation can be done using brew if you prefer. Please review the additional utilities available, many are very useful!
Connect the iDevice using a USB cable. iproxy creates a usbmuxd (USB) connection from an iDevice to the system by listening to SSH connections and forwarding them to another port. The iproxy usage is as follows:
iproxy LOCAL_TCP_PORT DEVICE_TCP_PORT [UDID]
In the screenshot below, I’ve connected my iPhone via USB cable to my system and ran iproxy using ‘4242’ as my local port and ’22’ as the device port (SSH can usually be found port 22).
The next step is to SSH to the iDevice. We do this using the built in SSH client on OS X, one change we need to make is to specify the port we are going to use. In this case I will use port 4242 as configured from iproxy using the ‘-p’ flag. I will be logging in as ‘root’ on 127.0.0.1. I could also login as ‘mobile’, the devices ‘user’ account – by why limit myself! I didn’t jailbreak for nothing! The default password for both ‘root’ and ‘mobile’ accounts is ‘alpine’. I highly recommend changing both passwords immediately if you are going to be using this device continuously for research (use the passwd command).
This will dump the user into their home directory, since I used ‘root’ I am in /var/root.
We could cd to “/” if we wanted to start reviewing files in the file system but we’re here to dump data. (In fact, you don’t have to SSH into the phone at all before you image – it’s really just a test to make sure everything is in working order.) Before we exit out of this SSH session, let’s look at the partitions of this device. We can do this two different ways; using the ‘mount’ command, or by viewing the /etc/fstab file.
There are always at least two partitions that are of forensic interest, a “System” and “Data” partition.
The “System” partition contains the operating system, ideally it should be read-only as shown in the /etc/fstab output (ro). However, since we jailbroke our devices we can actually write to it if we wanted. This partition is on the /dev/disk0s1s1 device and is mounted on “/”.
The “Data” or “User” partition contains the user data files, configurations, and preferences. From a forensic perspective this is our “gold mine”. This partition is on /dev/disk0s1s2 device and is mounted on “/private/var”. To get to the user’s (mobile) data in the file system in SSH and other tools we have to navigate to /private/var/mobile/.
We have a few options here to make depending on the type of data we want. We can make a full dd-style image of the whole disk (or each partition separately) OR we can get a tar bundle of files (per disk or per partition).
One item to be aware of here – encryption.
- The “System” partition is unencrypted, whether you choose dd-style image or tar bundle is completely a personal preference.
- The “Data” or ”User” partition does have a per-file encryption scheme (read about Data Protection here). Grabbing a dd-style image of this partition is going to be mostly useless as everything will be encrypted. (However you will get file system structure and metadata.) A tar bundle will be much more useful, even though you don’t get the unallocated space.*
*A note about unallocated space in iDevice – Due flash disks and how Data Protection works, even if you grab the unallocated space on an iDevice, there will likely not be much data available to carve or view in an unencrypted format.)
What I normally do is create a dd-style dump of System partition, and a tar bundle of the Data/User partition.
Let’s first create a DD image of our System partition. (If you are following along, be sure to exit out of your SSH session with your device.) The command below will use SSH to connect to the device (using the specific port, in my case I chose 4242). It will ask for the device’s password, and immediately start imaging the System partition using the dd utility on the device.
We have provided it the input file (if=) /dev/rdisk0s1s1. We are using the rdisk here as we don’t have permission to access the active disk on /dev/disk0. We are using a block size (bs=) of 4k or 4096 bytes. Finally, using the pipe “|” we can output the image to our host systems ‘dd’ utility to an output file (of=) called system.dd.
ssh [email protected] -p 4242 dd if=/dev/rdisk0s1s1 bs=4k | dd of=system.dd
This will dump the file into your current working directory. The prompt will not update, however you should be able to see that the system.dd is growing in size. This should only take a few minutes. For my iOS 9.0.2 device the System partition was just over 3G in size.
We can check to make sure we have an HFS+ image by running the following command. Using dd we are going to look at the third sector on the disk. We skipped the first two (by design, they are blank) to look at the HFS+ Volume Header in the 3rd one.
dd if=system.dd skip=2 count=1 | xxd
The “HX” in the first two bytes, followed by “HFSJ” show us that this is a Journaled HFS+ (Case sensitive) partition.
Now let’s get to the Data/User partition. We going to use nearly the same command, except we are going to change a few items. We will be using the tar command to place the logical files into a tarball. We are specifically going to grab only the files in the /private/var directory. (We could do the whole drive here from ‘/’, but we already captured the system partition using the previous command. Again, this is user preference.) Finally, we will redirect the output of this to a user.tar file on our local systems. Depending on the allocated data on the user space on the device this could take a considerable amount of time!
ssh [email protected] -p 4242 ‘tar -cf - /private/var/' > user.tar
Once you have the data dump, you can analyze in the tool of your choice or extract the tarball into a read-only disk such as a DMG for easier analysis/transport.
For my uses I extracted the tarball into a directory using the following command. (Note: Some forensic analysis software may allow you to use this tar file as is, some do not.)
tar -xvpf user.tar -C user_untar/
Time to poke around! Have fun!