Chapter 4. Forensic Recovery
In the previous chapter, you learned how to install a recovery toolkit on the iPhone. When the toolkit is installed, an OpenSSH daemon begins accepting connections on the device, and a Unix world is ready to service requests from the examiner. This chapter walks you through the process of configuring the iPhone to communicate with your desktop on the same Wi-Fi network so you can recover the raw media partition. Once recovered, you’ll be introduced to data recovery tools for carving and validating files, which you’ll use for further recovery of deleted files.
Configuring Wi-Fi and SSH
The media partition must be recovered over Wi-Fi, so your wireless network must be configured to connect the iPhone and desktop machine. Depending on the level of integrity your examination requires, the following options are available, each with differing levels of complexity:
Use an insecure access point with or without an encrypted tunnel or MD5 digests
Use a WPA-encrypted or WEP-encrypted access point
Use an ad-hoc network
WEP-encrypted networks suffer from an initialization vector vulnerability, where a malicious actor could deduce the network key by watching encrypted traffic as it flows across the network. This means that a WEP-encrypted network is susceptible to potential tampering while your data is in transit. To counter this, you may choose to use a network supporting WPA (Wi-Fi Protected Access), which is newer and more secure. Alternatively, the md5 utility, installed with the recovery toolkit, can be used to create a cryptographic digest of the media partition before and after transmission to ensure that it has not been tampered with during transit.
Connecting to an Access Point
To configure wireless access on the iPhone, tap the Settings icon. A list of options will appear.
Tap the option labeled Wi-Fi, second down from the top. This will transition to a window where the wireless network can be configured. If Wi-Fi is turned off, tap the switch at the top to turn it on.
A list of available wireless networks will appear in the section labeled “Choose a Network.” Tap on the network that your desktop is presently connected to. As the iPhone joins the network, a wait indicator will be displayed.
Once the network has been joined, tap the blue disclosure arrow to the right of the selected network. This will allow you to view and change the iPhone’s IP address and other network settings.
Take note of the IP address of the iPhone, as you’ll need it later. Use the ping utility on the desktop to ensure that the device is reachable. If it is not, one or both of the devices may be misconfigured, or the access point may enforce AP isolation.
Warning
The procedure in this chapter will not work if your access point enables an “AP isolation” feature, which prevents devices on the network from communicating with other local devices. If your access point is configured in this fashion, you must either disable this feature or revert to using an ad-hoc network.
Creating an Ad-Hoc Network
If no access point is available, or if insecure devices are not permitted to connect to local access points by policy, the desktop can be configured to serve as its own access point. Both machines will require a static IP address.
Mac OS X
Leopard can easily create ad-hoc networks on the fly. To create an ad-hoc network:
Click on the AirPort icon located on the desktop’s menu bar and select “Create Network…” from the menu.
You will be prompted to create a computer-to-computer network, and a new window will be presented that prompts you for information.
You may name the network anything you like—this example will use the network name forensics1. Click OK to create the network and automatically join it.
At this point, your ad-hoc network has been created and your desktop is connected to it, but because your desktop doesn’t run a DHCP server, a static IP address must be assigned. You can manually configure the wireless interface from a terminal window. Open the Terminal application in your Utilities folder and enter the following command to set the IP address of your wireless interface to 192.168.0.1:
$ sudo ifconfig en1 inet 192.168.0.1 netmask 255.255.255.0
Note
Certain versions of iPhone software appear to have difficulty connecting to an ad-hoc network that is encrypted. If you experience a problem joining the network, try recreating the network without a password.
Now connect your iPhone to the ad-hoc network:
Tap through Settings → Wi-Fi.
You should see the name of your ad-hoc network on the network list (for example, forensics1). Tap the network and you should connect.
Once connected, configure the iPhone to have a static address on the network. Tap the blue disclosure arrow to bring up the iPhone’s network settings.
Tap Static to set the information manually. Now enter an IP address of 192.168.0.2, a netmask of 255.255.255.0, and optionally the IP address of your ISP’s DNS server.
Press the back button (labeled Wi-Fi Networks) for these changes to take effect.
You should now be able to ping the iPhone at IP address 192.168.0.2 from your desktop at IP address 192.168.0.1. If you can’t, you’ve done something wrong, so go back and repeat these steps.
Windows
To create an ad-hoc network in Windows XP, perform these steps:
Open the control panel and choose Network Connections.
Right-click on your wireless connection and select Properties from the pop-up menu.
Click the Wireless Networks tab and click the Add button to add a new wireless network.
Enter the name of the network you would like to create. In this example, forensics1 will be used.
Check the box titled “This is a computer-to-computer (ad hoc) network.”
Once complete, click the Advanced tab and manually set the IP address of the wireless connection to 192.168.0.1 with a netmask of 255.255.255.0.
Save and apply all of your changes.
Your desktop machine will be automatically joined to the newly created network.
Now connect your iPhone to the ad-hoc network:
Tap through Settings → Wi-Fi.
You should see the name of your ad-hoc network on the network list (for example, forensics1). Tap the network and you should connect.
Once connected, configure the iPhone to have a static address on the network. Tap the blue disclosure arrow to bring up the iPhone’s network settings.
Tap Static to set the information manually. Now enter an IP address of 192.168.0.2, a netmask of 255.255.255.0, and optionally the IP address of your ISP’s DNS server.
Press the back button (labeled Wi-Fi Networks) for these changes to take effect.
You should now be able to ping the iPhone at IP address 192.168.0.2 from your desktop at IP address 192.168.0.1. If you can’t, you’ve done something wrong, so go back and repeat these steps.
SSH to the iPhone
Once the iPhone is active on the network, you connect to it via SSH from your desktop. If you have not already done so, install the SSH tools outlined in Chapter 2. Then enter the command:
$ ssh -l root x.x.x.x
Note
Replace x.x.x.x with the IP address of the iPhone. When prompted for a password, enter alpine, which is the root password set automatically when you install the forensics toolkit. If you are unable to connect, try pinging the device to ensure you have network connectivity.
Once you have successfully logged into the iPhone, you’re ready to recover the media partition.
Recovering the Media Partition
With the recovery toolkit installed and the iPhone sharing a network connection with your desktop, the media partition can finally be recovered. Depending on what level of integrity you’re looking to establish, there are many different ways to accomplish this. This section walks you through the different steps involved in recovering the media partition. Some processes are optional, and it will ultimately be up to you to determine which security options are important.
Note
Prior to performing a recovery, it’s a good idea to disable the iPhone’s locking mechanism. Click on the Preferences icon, then General. Change the Auto-Lock option to Never.
Command-Line Terminal
Much of the work involved from here on out will be performed on the command line, so it’s important to know how to invoke a command-line terminal window.
Tools Needed
To recover the media partition, you’ll need two command-line tools on the desktop: dd and nc. The dd tool is a disk copy tool used to copy the raw drive image, while the nc tool (also known as netcat) is used to send (and receive) data across a network. Both of these tools must be installed on both the desktop and the iPhone. The recovery toolkit automatically installs the iPhone builds of these tools, leaving the desktop portion up to you.
The file copy over netcat is insecure unless forwarded through an SSH tunnel. In both cases, for evidentiary integrity, it is recommended that this copy be conducted over a private, encrypted wireless network, or that MD5 digests be used to verify the integrity of the image.
Mac OS X Leopard includes these tools by default. To verify this, open a terminal and type which dd nc. Paths to both files should appear in the resulting output.
Windows versions of these tools may be downloaded at http://www.chrysocome.net/dd and http://www.vulnwatch.org/netcat/. An archive is also available on the O’Reilly website at http://www.oreilly.com/9780596153588.
MD5 Digests
Before transmitting the media partition to the desktop machine, it may be appropriate to generate an MD5 digest of it from the iPhone. This will ensure that the partition data hasn’t been altered or tampered with while in transit. To do this, connect to the iPhone using SSH and issue the commands below into a terminal window, replacing x.x.x.x with the IP address of the iPhone:
$ ssh -l root x.x.x.x
# cd /
# umount -f /private/var
# mount -o ro /private/var
# md5 /dev/rdisk0s2
These commands connect to the iPhone via SSH and then change to the root (/) directory. Next, the umount command forcibly unmounts the /private/var partition. Since other iPhone applications are using the disk, it cannot be unmounted without force (the -f option). Finally, the partition is remounted with the read-only option (ro) and the md5 tool is instructed to create a digest of its raw device.
In order to create a digest, the entire partition must be read and processed. Depending on the capacity of the iPhone, this may take several hours to complete. To keep the iPhone “alive” during this time, it may be necessary to occasionally swipe your finger across the screen in a way that won’t activate any applications or user interface elements. If the iPhone falls asleep, it may shut down its wireless connection, which would cause the entire process to freeze. To keep the network connection alive, it’s a good idea to run a ping session from the iPhone (in another terminal window) while waiting for the MD5 digest to return.
Note
You can test the network connection by pressing Enter a few times in the terminal window. If you can see empty lines being echoed to your terminal window, the connection is still live.
While the user partition is mounted as read-only, the user interface (via the touch screen) must not be used, except to touch an inactive portion of the screen (to keep the backlight active). If, at any time, the operating system layer becomes nonresponsive, rebooting the device will cause the user partition to be remounted back in read-write mode. This will allow the operating system to write to the partition again, however, and so you’ll need to reissue the commands above to generate another MD5 digest.
Note
To forcibly reboot the iPhone, hold the Home and Power buttons down only until the device powers off. Wait a few seconds and then hold down the Power button to power the device back on.
When completed, the md5 utility will return a digest of the raw disk partition, as shown below. Copy this output, after transferring the disk image across the network, as you will use it later to compare with a digest created on the desktop.
MD5 (/dev/rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023
Unencrypted Recovery
The fastest and easiest way to recover the media partition is to send it directly to the desktop machine without any level of encryption. If you’re using a WEP- or WPA-encrypted wireless network, the data will be encrypted on the network layer regardless. To send the disk partition, you’ll need to run separate commands from both the desktop machine and the iPhone to transmit the disk contents across the network.
Your desktop and the iPhone are essentially going to play a game of catch. On the desktop side, you’ll be issuing a command (using netcat) telling the desktop to listen on a network port. Think of a port like you’d think of third base—the desktop is being instructed to listen for incoming data at a certain location, and the iPhone is going to throw the ball (here, the disk image) to the desktop. Both have to be set up right, or the transmission will fail.
On the desktop side, instruct the netcat tool to listen on a local port (in this example, 7000). The information that the desktop receives is then sent to the disk copy utility, which is used to convert the data back into a disk image file.
Mac OS X
Issue the following from a terminal window:
$ nc -l 7000 | dd of=./rdisk0s2 bs=4096
Here’s a breakdown of the command:
nc
    Calls netcat
-l
    Tells netcat to listen for incoming connections
7000
    Tells netcat to use port 7000
| dd
    Pipes (relays) the information received by netcat to the dd disk copy utility
of=./rdisk0s2
    Stores the disk image locally (of stands for “output file”) with the filename rdisk0s2
bs=4096
    Uses a disk block size of 4 K
Note
Some versions of netcat for Mac OS X use the arguments -l -p 7000 instead of -l 7000.
Windows
Issue the following from a command prompt:
$ nc -L -p 7000 | dd of=./rdisk0s2 bs=4096
Here’s a breakdown of the command:
nc
    Calls netcat
-L
    Tells netcat to listen for incoming connections
-p 7000
    Tells netcat to use port 7000
| dd
    Pipes (relays) the information received by netcat to the dd disk copy utility
of=./rdisk0s2
    Stores the disk image locally (of stands for “output file”) with the filename rdisk0s2
bs=4096
    Uses a disk block size of 4 K
Sending the data
After you tell the desktop machine to listen for incoming data, the terminal window on the desktop will appear to sit idle. This means it’s waiting and listening for data. Open a second terminal window and connect to the iPhone using SSH. Use the following commands to instruct it to send its media partition to the desktop. In the sample commands, x.x.x.x represents the IP address of the iPhone, and y.y.y.y represents the IP address of the desktop machine:
$ ssh -l root x.x.x.x
# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc y.y.y.y 7000
Here’s a breakdown of the send command:
/bin/dd
    Calls the disk copy utility on the iPhone
if=/dev/rdisk0s2
    Instructs disk copy to read the second partition of the raw disk as input
bs=4096
    Uses a disk block size of 4 K
| nc
    Pipes (relays) the information received by the disk copy utility to netcat
y.y.y.y
    Since -l wasn’t specified, instructs netcat to send the data to (not receive from) the specified address
7000
    Instructs netcat to use port 7000
The raw partition will begin transferring over the network, which should be reflected by a gradual increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone. Only the media portion of the iPhone’s disk storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, you’ll see both terminal windows report that a certain number of bytes have been sent or received. Once complete, it may be necessary to cancel the operation on the iPhone’s side by pressing Ctrl-C.
Note
If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone’s general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).
Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:
$ md5 rdisk0s2
MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023
The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in the section “MD5 Digests.” If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.
Warning
Never try to examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.
Now that the media partition has been copied, the iPhone itself may be analyzed by hand to obtain any information available through the standard user interface.
Encrypted Recovery of the Media Partition
Using a technique similar to the previous method, the disk image can be transmitted across an encrypted SSH tunnel, adding an extra layer of security (at the expense of added time) to your recovery efforts. This is done by creating a remotely forwarded network connection to the iPhone, so that all data transmitted across it will be encrypted by SSH. This helps prevent tampering and ensures that the data traveling across the wireless network is encrypted on an application layer. If you are using message digests or an encrypted access point, this step may be redundant.
Along with the drawback of increasing transfer time, certain combinations of the SSH client and server can sometimes also result in packet size or other errors. In the event this occurs, you’ll need to use a different SSH client on the desktop machine, or simply revert back to using the unencrypted technique described in the last section.
In the previous section, you connected to the iPhone using the simple SSH command:
$ ssh -l root x.x.x.x
To establish an encrypted tunnel, you’ll need to spice this up a little. Add the following parameters to compress and remotely forward data:
$ ssh -l root -C -R 7000:127.0.0.1:7000 x.x.x.x
If you’re using a GUI tool, such as PuTTY, instead of a command-line tool, configure a remotely forwarded port as shown in Figure 4-1.
On the desktop, instruct the netcat tool to listen on a local port as before (in this example, port 7000). There is no longer a need for the dd command, however. Just pipe the information sent to the desktop to the disk.
Mac OS X
$ nc -l 7000 > rdisk0s2
Windows
$ nc -L -p 7000 > rdisk0s2
On the iPhone, perform a raw partition dump. Instead of using the IP address of the desktop machine, use the localhost address of 127.0.0.1. This will feed the data through the iPhone’s loopback interface, which will direct it through the encrypted SSH tunnel.
# cat /dev/rdisk0s2 | nc 127.0.0.1 7000
As the raw partition transfers across the SSH tunnel, activity should be reflected by an increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone, and will take longer than an unencrypted transfer. Only the media portion of the device’s storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, both sides of the connection will report that a certain number of bytes have been sent (or received). When finished, it may be necessary to cancel the operation on the iPhone’s side by pressing Ctrl-C.
Note
If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone’s general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).
Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:
$ md5 rdisk0s2
MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023
The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in the section MD5 Digests. If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.
Warning
Never examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.
Making Commercial Tools Compatible
Once a raw disk image has been recovered from the iPhone, it can be read by many commercial forensics tools such as Encase or FTK, but with one caveat. The disk image itself is reported as an HFS/X image (fifth generation HFS), which most tools do not yet recognize. The identifier for this format is located at or around offset 0x400 inside the image file. Changing the identifier from HX to H+ (denoting an HFS/+ filesystem) causes most existing tools to accept the file for processing. To make this change, document it and then use a hex editor, such as Hex Fiend or HexEdit 32. Figure 4-2 shows a segment of the file where the HX appears.
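The signature change above, done programmatically rather than in a hex editor, as an added example that is not a tool from the book: it works only on a copy of the image (the original is never opened for writing, per the warning earlier in this chapter), verifies that the two bytes at 0x400 really are HX before touching them, and records the MD5 of the copy before and after so the change is documented. The md5_file helper is the same chunked digest you would use to compare against the digest taken on the iPhone; the image built by run_demo() is constructed (zero-filled apart from the signature) and is not a real HFS/X volume.

```python
"""Document and apply the HX -> H+ signature change on a working copy of the image.

Added example, not a tool from the book: it reads the two-byte signature at
offset 0x400 that the text describes, patches it only on a copy, and records
the MD5 of the copy before and after so the change is documented. The sample
image built by run_demo() is constructed (zero-filled, with only the signature
in place) and is not a real HFS/X volume.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

SIGNATURE_OFFSET = 0x400   # HFS volume header signature, per the chapter
HFSX_SIGNATURE = b"HX"     # what the iPhone image reports (HFS/X)
HFSPLUS_SIGNATURE = b"H+"  # what most commercial tools expect (HFS+)


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, read in chunks so multi-gigabyte images fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def read_signature(image: Path) -> bytes:
    """Return the two signature bytes at SIGNATURE_OFFSET."""
    with open(image, "rb") as fh:
        fh.seek(SIGNATURE_OFFSET)
        return fh.read(2)


def convert_copy(original: Path, working_copy: Path) -> dict:
    """Copy the image and patch HX -> H+ on the copy only; return a change record."""
    if working_copy.exists():
        raise FileExistsError(f"refusing to overwrite {working_copy}")
    shutil.copyfile(original, working_copy)
    md5_before = md5_file(working_copy)
    signature = read_signature(working_copy)
    record = {"offset": SIGNATURE_OFFSET, "before": signature,
              "md5_before": md5_before, "changed": False}
    if signature == HFSPLUS_SIGNATURE:
        record["after"] = signature          # already HFS+, nothing to do
        record["md5_after"] = md5_before
        return record
    if signature != HFSX_SIGNATURE:
        raise ValueError(f"unexpected signature {signature!r} at 0x{SIGNATURE_OFFSET:x}")
    with open(working_copy, "r+b") as fh:   # in-place edit of the copy only
        fh.seek(SIGNATURE_OFFSET)
        fh.write(HFSPLUS_SIGNATURE)
    record.update(after=HFSPLUS_SIGNATURE, md5_after=md5_file(working_copy), changed=True)
    return record


def run_demo() -> dict:
    """Build a constructed image with 'HX' at 0x400, convert a copy, verify the original."""
    workdir = Path(tempfile.mkdtemp(prefix="hfsx-demo-"))
    try:
        original = workdir / "rdisk0s2"
        with open(original, "wb") as fh:
            fh.write(b"\x00" * SIGNATURE_OFFSET + HFSX_SIGNATURE + b"\x00" * 0x200)
        original_md5 = md5_file(original)
        record = convert_copy(original, workdir / "rdisk0s2.hfsplus")
        record["copy_signature"] = read_signature(workdir / "rdisk0s2.hfsplus")
        record["original_untouched"] = md5_file(original) == original_md5
        return record
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Keep the returned record (offset, both signatures, both digests) with your case notes; the digest of the untouched original is what you compare with the value taken on the iPhone.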
Data Carving Using Foremost/Scalpel
To recover deleted files, you need a data-carving tool. Data carving is the process of extracting structured data from unstructured data. Until mounted as a filesystem, the raw partition recovered from the iPhone looks like one big file to the computer, and contains both live and deleted data. A data-carving tool can scan the disk image for traces of desired files, such as images, voicemail, and other files. It then carves these smaller files out of the image for further analysis. Foremost and Scalpel are both data-carving tools.
Foremost is a free forensics tool developed by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations. Foremost can be freely downloaded from http://foremost.sourceforge.net and compiled/installed on most desktop operating systems. Mac OS systems may either build from sources or install using MacPorts (http://www.macports.org):
$ sudo port install foremost
Scalpel is a tool based on Foremost and performs much faster analysis using an identical configuration file. Scalpel is available at http://www.digitalforensicssolutions.com/Scalpel/. Windows binaries for Scalpel are included in the distribution. Scalpel can be compiled and installed on a Mac desktop using the following commands (if the version number has changed, simply substitute the current version in the following file and directory names):
$ tar -zxvf scalpel-1.60.tar.gz
$ cd scalpel-1.60
$ make bsd
$ sudo mkdir -p /usr/local/bin /usr/local/etc
$ sudo cp -p scalpel /usr/local/bin
$ sudo cp -p scalpel.conf /usr/local/etc
Note
To compile software on a Mac, Xcode Tools must be installed. This package can be downloaded free from the Apple Developer Connection website at http://developer.apple.com.
Data carving is by no means an exact technique, and some deleted data may be partially overwritten. Foremost and Scalpel both rise to the challenge by allowing examiners to specify headers (and optionally footers) that identify the beginning and end of the desired data they are searching for. The default configuration file includes data types for several different file formats, leaving it up to the examiner to uncomment the lines for files they want to carve out.
The format of the Foremost and Scalpel configuration files is identical, and equally simple to understand. A single entry consists of five fields: file extension, case sensitivity, default size, header, and optional footer:
jpg y 200000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
In this example of a JPEG image, the extension is declared as .jpg and the pattern is identified as case-sensitive (the y in the second field). The default file size, which is used when the footer is either not specified or not found, is defined as 200 K. The header and footer are specified in hexadecimal by using the \x prefix, but plain text may also be used, as you’ll see in the next section. In the previous example, the byte pattern FFD9 marks the end of this particular JPEG format. When the file is found, the data-carving tool will scan it until reaching the 200 K limit or finding the 0xFFD9 pattern. No more than 200 kilobytes will be stored in any one file that matched this configuration line. But most images, databases, and other files can still be used even if they contain extra junk at the end of the file. If files become truncated, you can increase the file size to get a larger chunk of data.
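To make the five-field rule format concrete, here is a small carver, added here as an example rather than code from Foremost or Scalpel, that parses lines in exactly this format (including \x escapes, plain-text headers, and the case-sensitivity flag) and applies them to a constructed byte string standing in for a raw partition. It shows the behaviour described above: a hit runs from the header to the footer when one is found, and is cut at the size field (or the end of the data) when it is not, so a file whose footer was overwritten comes out truncated and a footerless type such as AMR drags trailing junk along with it.

```python
"""Minimal carver for the Foremost/Scalpel configuration line format.

Constructed example, not the project's own code: it parses entries such as

    jpg y 200000 \\xff\\xd8\\xff\\xe0\\x00\\x10 \\xff\\xd9

(extension, case sensitivity, maximum size, header, optional footer) and
applies them to an in-memory byte string standing in for a raw partition.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CarveRule:
    ext: str
    case_sensitive: bool   # 'y' in the second field
    max_size: int          # third field: bytes stored when no footer is found
    header: bytes
    footer: Optional[bytes]


def decode_pattern(text: str) -> bytes:
    r"""Turn a config pattern into bytes: \xNN escapes are hex, anything else literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("\\x", i) and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.extend(text[i].encode("latin-1"))
            i += 1
    return bytes(out)


def parse_config(text: str) -> List[CarveRule]:
    """Parse foremost.conf/scalpel.conf lines; '#' lines and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        ext, case, size, header = fields[:4]
        footer = decode_pattern(fields[4]) if len(fields) > 4 else None
        rules.append(CarveRule(ext, case.lower() == "y", int(size),
                               decode_pattern(header), footer))
    return rules


def carve(data: bytes, rule: CarveRule) -> List[Tuple[int, bytes]]:
    """Return (offset, contents) for each hit: from the header up to and including
    the footer, or up to max_size bytes when the footer is missing or not found."""
    flags = 0 if rule.case_sensitive else re.IGNORECASE
    header_re = re.compile(re.escape(rule.header), flags)
    footer_re = re.compile(re.escape(rule.footer), flags) if rule.footer else None
    hits, pos = [], 0
    while True:
        m = header_re.search(data, pos)
        if m is None:
            break
        start = m.start()
        window_end = min(start + rule.max_size, len(data))
        end = window_end                      # truncated at max_size without a footer
        if footer_re is not None:
            f = footer_re.search(data, m.end(), window_end)
            if f is not None:
                end = f.end()
        hits.append((start, data[start:end]))
        pos = end   # simplification: a carved file is not rescanned for more headers
    return hits


def carve_all(data: bytes, rules: List[CarveRule]) -> Dict[str, List[Tuple[int, bytes]]]:
    """Apply every rule independently, as Foremost/Scalpel do, keyed by extension."""
    return {rule.ext: carve(data, rule) for rule in rules}


# Constructed configuration: the JPEG rule from the text plus the iPhone voicemail rule.
SAMPLE_CONFIG = r"""
# comment lines and blank lines are ignored
jpg y 200000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
amr y 65535 #!AMR
"""

# Constructed stand-in for a raw partition: a complete JPEG, an AMR clip with no
# footer, and a JPEG whose footer was overwritten (so it is cut at max_size or EOF).
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10"
SAMPLE_PARTITION = (
    b"\x00" * 64
    + JPEG_HEADER + b"JFIF" + b"\x11" * 40 + b"\xff\xd9"   # offset 64, 52 bytes
    + b"\x00" * 32
    + b"#!AMR\n" + b"\x3c" * 100                           # offset 148, no footer
    + b"\x00" * 16
    + JPEG_HEADER + b"JFIF" + b"\x22" * 30                 # offset 270, truncated
)


if __name__ == "__main__":
    for ext, hits in carve_all(SAMPLE_PARTITION, parse_config(SAMPLE_CONFIG)).items():
        for offset, blob in hits:
            print(f"{ext}: offset {offset}, {len(blob)} bytes")
```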
Configuration for iPhone Recovery
The Foremost tool uses a foremost.conf file for its configuration, while Scalpel uses an identical configuration, traditionally named scalpel.conf. Both sample configurations allow the examiner to uncomment certain types of files to be carved. Additional types may also be defined in the configuration, which you will sometimes find useful because the iPhone stores many proprietary files of interest that aren’t represented in the Foremost and Scalpel configuration files. Edit the default configuration included with the software and uncomment any desired file types. Next, add the definitions that you find useful in the following sections.
Dynamic dictionaries
dat y 16384 DynamicDictionary
Dynamic dictionary files are keyboard caches used by the iPhone to learn its owner’s particular dictionary. Whenever a user enters text—whether usernames, certain passwords, website URLs, chat messages, email messages, or other form of input—much of it is stored (in order) in the keyboard cache. Adding the line shown here to the configuration file will search for deleted and/or existing keyboard caches, revealing fragments of historical communication. An example of such a file is shown in Figure 4-3, containing fragments from multiple email messages, search engine lookups, and other user input.
Voicemail messages
amr y 65535 #!AMR
The AMR codec is considered the standard speech codec by 3GPP, a collaborative standards body involved in mobile communications. It yields high-quality audio playback for voice content, and is used on the iPhone to store voicemail messages. Most voicemail messages fit nicely into 65 K, but to extract larger chunks of voicemail messages, simply increase the file size specified in the third field of this entry.
Property lists
plist y 4096 <plist </plist
A property list is an XML-like configuration file used heavily in the Mac OS world, including the iPhone. Many preloaded applications, as well as Apple’s operating system components, use property lists to store anything from basic configuration data to history and cache information. By analyzing these files, the examiner can get an idea of what websites the suspect may have visited or what Google Maps direction lookups were queried. Other useful information may include mail server information, iTunes account info, and so on. The different property lists on the iPhone will be explained in the next chapter.
SQLite databases
sqlitedb y 5000000 SQLite\x20format
The SQLite database format is widely used in the Mac OS X world to store calendars, address books, Google Maps tile graphics, and other information on the iPhone. SQLite databases are generally “live” on the filesystem, but older, deleted databases may be recovered in the event that the device was recently restored. Instructions for querying SQLite databases and recovering Google Maps tile graphics are covered in the next chapter.
email y 40960 From:
Scanning for email headers is an effective way to recover both live and deleted email.
Other files
pdf y 5000000 %PDF- %EOF
doc y 12500000 \xd0\xcf\x11\xe0\xa1\xb1
Adobe PDF and Microsoft Word files can be stored locally when sent to the iPhone via email or navigated to using the iPhone’s Safari web browser.
PGP blocks
txt y 100000 -----BEGIN
PGP-encrypted messages are generally not of great use without a key, but can frequently include unencrypted messages within the same thread, should any have been sent/received.
Images
GIF, JPG, and PNG image formats are all used on the iPhone, and can be enabled for scanning by removing the comments preceding the corresponding lines in the configuration file. In addition to the default formats included, the following formats are used for various graphics on the iPhone.
png y 40960 \x89PNG
This particular format of PNG is used to store small icons and Google Maps tile graphics.
jpg y 5000000 \xff\xd8\xff\xe1 \x7f\xff\xd9
This is the JPEG format used for photos taken with the built-in camera.
Note
Be sure to enable the stock graphics formats in addition to the ones in this section.
Building Rules
If you’re trying to recover a file that isn’t listed in the above examples, you’ll need to build your own rule to carve it out. Some methods for doing this are:
Identify the file format you’re looking for. Many online resources can provide you with information for a host of different file formats.
Assemble a list of possible file headers. Use what information you can find about the file format to assemble a list of file headers that could have been used in the file you’re searching for. Remember, it’s better to generate too much data than not enough, so be liberal with your list—grep and other tools can help you sort through it.
Recreate the file structure using the same software or equipment, if possible. If you’re trying to recover a file created with a particular software package, use that same software package to write a new file. In most cases, the first few bytes of the file header will be the same regardless of the file’s contents. If you’re trying to track down a file saved by a digital camera, video recorder, or other equipment, reproduce the steps to create another similar file, and examine its header.
Scanning with Foremost/Scalpel
Once a valid configuration file has been created, Foremost/Scalpel can be instructed to scan the image from the command line:
$ foremost -c foremost.conf rdisk0s2
foremost version 0.69
Written by Kris Kendall and Jesse Kornblum.
Opening /usr/local/sandbox /rdisk0s2
rdisk0s2: 0.9% | | 130.0 MB 11:07 ETA
If using Scalpel, replace the name of the application:
$ scalpel -c scalpel.conf rdisk0s2
Sometimes Scalpel tries to bite off more than it can chew in terms of system resources. If errors concerning the maximum number of file descriptors, or similar resource errors, are reported it may be necessary to run the tool with superuser privileges and use the ulimit command to lift resource restrictions. You’re likely to run into this problem only when using Scalpel on Mac OS X:
$ sudo -s
$ ulimit && ulimit -n 8192
$ scalpel -c scalpel.conf rdisk0s2
The entire process may take a few hours to complete using Foremost, or less than a half hour using Scalpel. Potentially useful information will be recovered to a directory named foremost-output (or scalpel-output) within the current working directory. The tool will also create an audit.txt file within the output directory containing a manifest of the information recovered. Once recovered, it’s up to the examiner to determine what data is valid.
Validating Images with ImageMagick
Recovery tools generally err on the side of generating too much data, rather than skipping files that could be important. As a result, they extract a lot of data that may be partially corrupt or unwanted altogether. Finding valid images to examine can be a time-consuming process in the presence of thousands of files, so a few simple recipes can greatly help reduce the amount of time needed.
The ImageMagick package contains a set of image processing utilities, one of which can be used to display information about images. The identify tool included with ImageMagick is perfect for sifting through the thousands of files created by data-carving tools to identify the readable images.
ImageMagick can be downloaded from http://www.imagemagick.org/script/index.php. Mac OS users may build from sources or use MacPorts (http://www.macports.org) to install the package:
$ sudo port install imagemagick
Once installed, write a simple bash script to test the validity of an image file. For the purposes of this example, name the file test-script.sh:
#!/bin/bash
# Create the holding directory if it does not exist yet (the script runs once per file)
mkdir -p invalid
# If identify cannot read the image, move it aside; paths are quoted in case of spaces
identify "$1" || mv "$1" ./invalid/
Warning
Some images may be corrupt, but still somewhat recognizable. These images may appear invalid to the identify tool. It is therefore recommended that images only be moved, not deleted, so that invalid images can be later reviewed by hand.
When calling ImageMagick’s identify tool for a given file, a successful exit code will be returned if the image can be read. The previous script moves all invalid images to a subdirectory named invalid, leaving the valid images in the original directory where you invoke the script. The script can then be invoked for a given supported image type (.jpg, .gif, .png, etc.) using a simple recipe with the find command:
$ mkdir invalid
$ chmod 755 test-script.sh
$ find foremost-output -type f -name "*.jpg" -exec ./test-script.sh {} \;
The syntax of the find command is subtle and replete with metacharacters. You can either stick to the script shown here and just adapt the .jpg file suffix, or explore the find documentation to discover its options for ownership, age of files, etc.
Strings Dump
As a final means to turn up data, the strings from the raw disk image can be extracted and saved to a file. The output will be enormous, but it will allow loose text searches for a particular conversation or other data.
Extracting Strings
To extract the strings from the disk image, perform the following.
Mac OS X
The strings utility comes integrated with Mac OS X, as it is a standard Unix tool. Simply issue the following from a terminal window:
$ strings rdisk0s2 > filename
Windows
Download the Windows version of strings from http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx. Issue the following command to dump the text strings from the disk image:
$ strings.exe rdisk0s2 > filename
The Takeaway
There are a lot of different security measures you can take to securely obtain the raw disk partition from the iPhone. Use the safest method that meets your goals. There is no need to overdo it.
Data carving can be used to pull any type of data from a raw image or other file, but it’s up to the examiner to have some clue about what to look for. If you’re unsure, enable all file types and take the extra time to look through the results.
Using simple tools like strings can give you a very large file of text to search through for key words or phrases.