How to acquire iOS data through jailbreaking?
Jailbreaking replaces the device's firmware (system) partition with a patched version. Once that is done, tools that are not present on a stock device can be installed, in particular services such as SSH and a terminal, which Apple does not ship on iOS. With SSH available, the examiner can image a partition of the jailbroken device.
One of the most commonly used iPhone jailbreaking tools is redSn0w. Its appeal for the examiner is that, along with patching the firmware, it installs the Cydia package manager, through which SSH and other utilities can be added; the examiner can then extract whatever artifacts are needed.
Before starting this extraction technique, note that the forensics workstation and the jailbroken iOS device must be on the same wireless network. From the workstation's terminal or command prompt, use the SSH service on the device to start the acquisition:
ssh root@<device-ip> dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img
Let's look at that command more closely. ssh root@<device-ip> opens a connection from the forensics workstation to the device (replace <device-ip> with the device's address on the shared network; root is the default administrative account on a jailbroken device) and runs the rest of the line there. dd if=/dev/rdisk0 bs=1M reads the raw disk device /dev/rdisk0 on the iPhone in blocks of 1 MB and writes it to standard output, which ssh carries back to the workstation. There, dd of=ios-root.img writes the stream to the file ios-root.img. Note that /dev/rdisk0 is the whole flash disk, not only the root partition; the system and user-data partitions appear as slices of it.
The resulting image can then be analyzed by the examiner with any suitable analysis tool. On some iPhones, however, the image produced this way is encrypted and cannot be parsed: if the device applies hardware encryption to the user data volume, the raw blocks are meaningless without the keys. In that case tools such as iXAM and Lantern are the solution. They perform a physical acquisition and produce a readable image by recovering and decrypting the required keys and keychain.
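As an added example (not code from the original article), here is a Python wrapper around the same ssh/dd acquisition that hashes the image while it is being written. The examiner gets the SHA-256 of the evidence in the same pass and is warned when the transfer ends early. The account name root and the device address are assumptions: root is the default administrative account on a jailbroken device, and the address is whatever the iPhone has on the shared wireless network.

```python
"""Stream a raw disk image from a jailbroken iOS device over SSH, as the
ssh/dd command above does, while hashing the bytes as they arrive so the
image and its hash are recorded in a single pass.
Added example, not from the original article."""
import hashlib
import subprocess
import sys
from typing import BinaryIO, List, Tuple


def build_acquire_command(host: str, device: str = "/dev/rdisk0",
                          bs: str = "1M", user: str = "root") -> List[str]:
    """argv for `ssh user@host dd if=<device> bs=<bs>`.
    Assumptions: `root` is the default administrative account on a
    jailbroken device and `host` is its address on the shared Wi-Fi."""
    return ["ssh", f"{user}@{host}", f"dd if={device} bs={bs}"]


def stream_to_image(src: BinaryIO, dst: BinaryIO,
                    chunk_size: int = 1 << 20) -> Tuple[int, str]:
    """Copy src to dst in 1 MiB chunks (matching bs=1M on the device side),
    returning (bytes_written, sha256_hex)."""
    digest = hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk_size)
        if not buf:
            break
        dst.write(buf)
        digest.update(buf)
        total += len(buf)
    return total, digest.hexdigest()


def acquire(host: str, image_path: str) -> Tuple[int, str]:
    """Run the remote dd over ssh and write its output to image_path,
    plus a sidecar file holding the SHA-256 of what was captured.
    A non-zero exit means the stream may be truncated, so the image is
    reported as suspect rather than silently accepted."""
    proc = subprocess.Popen(build_acquire_command(host),
                            stdout=subprocess.PIPE)
    with open(image_path, "wb") as out:
        total, sha256 = stream_to_image(proc.stdout, out)
    rc = proc.wait()
    if rc != 0:
        raise RuntimeError(f"ssh/dd exited with status {rc}; "
                           f"only {total} bytes captured")
    with open(image_path + ".sha256", "w") as sidecar:
        sidecar.write(f"{sha256}  {image_path}\n")
    return total, sha256


if __name__ == "__main__":
    # usage: python acquire.py <device-ip> ios-root.img
    size, digest = acquire(sys.argv[1], sys.argv[2])
    print(f"{size} bytes written, sha256 {digest}")
```

Hashing the stream as it is written, rather than re-reading the finished file, means the recorded hash covers exactly the bytes that came off the device, and the byte count gives a first sanity check against the device's known flash size.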
What are the tools for analyzing acquired data then?
There are many tools that can be used to open and analyze an image taken from an iOS device, and the open-source community contributes a large share of them, so searching for and retrieving the evidence the examiner needs can be done with freely available tools.
Examples are Scalpel, dd, find, strings and others; an iOS image can be worked on with them much like a FAT or NTFS image. In addition, HFS+ images (the file system used on these devices) can be mounted and analyzed with tools such as EnCase and FTK Imager.
How to use Pangu Jailbreak?
- First of all, the software is available at the following link:
- Download the software from the website and make sure you take the latest version.
- Connect the iPhone to the forensics workstation with a USB cable.
- Make sure iTunes is not running.
- Disable the passcode on the iPhone and switch it into Airplane Mode.
- Open the downloaded Pangu Jailbreak application.
- When the software detects the connected iPhone, it displays it together with its iOS version. Click "Start" to begin.
- This leads to another window with two options, "Cancel" and "Already backup". Choose "Already backup".
Note that this window also shows some notes from the application. It warns that data loss may occur, suggests switching the phone to Airplane Mode for a smoother run, and suggests backing up the data before proceeding.
- Once you click "Already backup", the jailbreaking process starts and the window shows the percentage completed. At about 55% the device will most likely reboot; at 65% the program asks you to re-enable Airplane Mode.
In addition, at 75% the program asks you to unlock the device and run Pangu Jailbreak on it.
- In our experience the application then asks for access to Photos; the reason for this permission request is unknown. When it finishes, the phone reboots and Pangu reports that the device is jailbroken.
How to work with timestamps in the evidence?
It is vital to note that a forensic case is often built largely from SQLite databases and plist files. Building a timeline and using MACB times (modified, accessed, changed, born) is essential to the examiner's investigation, and recording the timestamps the timeline depends on gives a reference for every event examined during the procedure.
These timestamps are stored in CF Absolute Time, that is, seconds since 00:00:00 UTC on 1 January 2001 (unlike Unix time, which counts from 1970). In a spreadsheet the following formula makes the value readable: =CreatedTime/(60*60*24)+DATE(2001,1,1). It converts the seconds to days and adds them to the epoch date. Other tools can be used for the same task and present the timestamp in a readable form, for example the online converter http://www.epochconverter.com/, which works with Unix time: add 978307200 seconds, the offset between the two epochs, to a CF Absolute Time value before pasting it in.
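The conversion above, carried through in Python as an added example (not part of the original article): it turns CF Absolute Time into UTC and Unix time and builds a sorted timeline from a constructed in-memory SQLite database standing in for extracted artifacts. The table and column names are invented for illustration and are not a real iOS schema. It goes slightly beyond the text by also accepting values stored in nanoseconds, which some newer iOS databases use for the same 2001 epoch.

```python
"""CF Absolute Time helpers and a small cross-artifact timeline.
Added example, not from the original article. Table and column names
below are constructed for illustration, not a real iOS schema."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the Unix epoch (1970-01-01) and the CF epoch (2001-01-01).
CF_TO_UNIX_OFFSET = 978_307_200


def cf_to_datetime(value: float) -> datetime:
    """CF Absolute Time -> timezone-aware UTC datetime.
    Values above 1e11 cannot be seconds (that would be more than 3000 years
    after 2001), so they are treated as nanoseconds, the scale some newer
    iOS databases use for the same epoch."""
    if abs(value) > 1e11:
        value = value / 1e9
    return CF_EPOCH + timedelta(seconds=value)


def cf_to_unix(value: float) -> float:
    """CF Absolute Time -> Unix time, the input epochconverter.com expects."""
    return cf_to_datetime(value).timestamp()


def cf_to_iso(value: float) -> str:
    """CF Absolute Time -> ISO 8601 string in UTC."""
    return cf_to_datetime(value).strftime("%Y-%m-%dT%H:%M:%SZ")


def demo_database() -> sqlite3.Connection:
    """Constructed in-memory database standing in for extracted artifacts:
    one table with REAL seconds, one with INTEGER seconds and nanoseconds."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes_demo (created REAL, note TEXT);
        CREATE TABLE messages_demo (date INTEGER, text TEXT);
        INSERT INTO notes_demo VALUES (400000000.0, 'note written');
        INSERT INTO messages_demo VALUES (399999000, 'older message (seconds)');
        INSERT INTO messages_demo VALUES (400001000000000000, 'newer message (nanoseconds)');
    """)
    return db


def build_timeline(db: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Merge timestamped rows from several tables into one list sorted by
    UTC time, the single chronological view an examiner wants across
    artifacts. Each entry is (iso_time, source_table, detail)."""
    sources = [
        ("notes_demo", "SELECT created, note FROM notes_demo"),
        ("messages_demo", "SELECT date, text FROM messages_demo"),
    ]
    timeline = []
    for name, query in sources:
        for ts, detail in db.execute(query):
            timeline.append((cf_to_iso(ts), name, detail))
    timeline.sort()  # ISO 8601 strings in one zone sort chronologically
    return timeline


if __name__ == "__main__":
    for when, source, detail in build_timeline(demo_database()):
        print(when, source, detail)
```

Normalizing every artifact to UTC before sorting matters because different databases on the same device may store the same epoch at different scales, and a value silently mis-scaled by a factor of a billion lands either at the epoch itself or thousands of years out.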