Chapter 4. Forensic Recovery

In the previous chapter, you learned how to install a recovery toolkit on the iPhone. When the toolkit is installed, an OpenSSH daemon begins accepting connections on the device, and a Unix world is ready to service requests from the examiner. This chapter walks you through the process of configuring the iPhone to communicate with your desktop on the same Wi-Fi network so you can recover the raw media partition. Once recovered, you’ll be introduced to data recovery tools for carving and validating files, which you’ll use for further recovery of deleted files.

Configuring Wi-Fi and SSH

The media partition must be recovered over Wi-Fi, so your wireless network must be configured to connect the iPhone and desktop machine. Depending on the level of integrity your examination requires, the following options are available, each with differing levels of complexity:

  • Use an insecure access point with or without an encrypted tunnel or MD5 digests

  • Use a WPA-encrypted or WEP-encrypted access point

  • Use an ad-hoc network

WEP-encrypted networks suffer from an initialization vector vulnerability, where a malicious actor could deduce the network key by watching encrypted traffic as it flows across the network. This means that a WEP-encrypted network is susceptible to potential tampering while your data is in transit. To counter this, you may choose to use a network supporting WPA (Wi-Fi Protected Access), which is newer and more secure. Alternatively, the md5 utility, installed with the recovery toolkit, can be used to create a cryptographic digest of the media partition before and after transmission to ensure that it has not been tampered with during transit.

Connecting to an Access Point

  1. To configure wireless access on the iPhone, tap the Settings icon. A list of options will appear.

  2. Tap the option labeled Wi-Fi, second down from the top. This will transition to a window where the wireless network can be configured. If Wi-Fi is turned off, tap the switch at the top to turn it on.

  3. A list of available wireless networks will appear in the section labeled “Choose a Network.” Tap on the network that your desktop is presently connected to. As the iPhone joins the network, a wait indicator will be displayed.

  4. Once the network has been joined, tap the blue disclosure arrow to the right of the selected network. This will allow you to view and change the iPhone’s IP address and other network settings.

  5. Take note of the IP address of the iPhone, as you’ll need it later. Use the ping utility on the desktop to ensure that the device is reachable. If it is not, one or both of the devices may be misconfigured, or the access point may enforce AP isolation.

    Warning

    The procedure in this chapter will not work if your access point enables an “AP isolation” feature, which prevents devices on the network from communicating with other local devices. If your access point is configured in this fashion, you must either disable this feature or revert to using an ad-hoc network.

Creating an Ad-Hoc Network

If no access point is available, or if insecure devices are not permitted to connect to local access points by policy, the desktop can be configured to serve as its own access point. Both machines will require a static IP address.

Mac OS X

Leopard can easily create ad-hoc networks on the fly. To create an ad-hoc network:

  1. Click on the AirPort icon located on the desktop’s menu bar and select “Create Network…” from the menu.

  2. You will be prompted to create a computer-to-computer network, and a new window will be presented that prompts you for information.

  3. You may name the network anything you like—this example will use the network name forensics1.

  4. Click OK to create the network and automatically join it.

At this point, your ad-hoc network has been created and your desktop is connected to it, but because your desktop doesn’t run a DHCP server, a static IP address must be assigned. You can manually configure the wireless interface from a terminal window. Open the Terminal application in your Utilities folder and enter the following command to set the IP address of your wireless interface to 192.168.0.1:

$ sudo ifconfig en1 inet 192.168.0.1 netmask 255.255.255.0

Note

Certain versions of iPhone software appear to have difficulty connecting to an ad-hoc network that is encrypted. If you experience a problem joining the network, try recreating the network without a password.

Now connect your iPhone to the ad-hoc network:

  1. Tap through Settings → Wi-Fi.

  2. You should see the name of your ad-hoc network on the network list (for example, forensics1). Tap the network and you should connect.

  3. Once connected, configure the iPhone to have a static address on the network. Tap the blue disclosure arrow to bring up the iPhone’s network settings.

  4. Tap Static to set the information manually. Now enter an IP address of 192.168.0.2, a netmask of 255.255.255.0, and optionally the IP address of your ISP’s DNS server.

  5. Press the back button (labeled Wi-Fi Networks) for these changes to take effect.

You should now be able to ping the iPhone at IP address 192.168.0.2 from your desktop at IP address 192.168.0.1. If you can’t, you’ve done something wrong, so go back and repeat these steps.

Windows

To create an ad-hoc network in Windows XP, perform these steps:

  1. Open the control panel and choose Network Connections.

  2. Right-click on your wireless connection and select Properties from the pop-up menu.

  3. Click the Wireless Networks tab and click the Add button to add a new wireless network.

  4. Enter the name of the network you would like to create. In this example, forensics1 will be used.

  5. Check the box titled “This is a computer-to-computer (ad hoc) network.”

  6. Once complete, click the Advanced tab and manually set the IP address of the wireless connection to 192.168.0.1 with a netmask of 255.255.255.0.

  7. Save and apply all of your changes.

Your desktop machine will be automatically joined to the newly created network.

Now connect your iPhone to the ad-hoc network:

  1. Tap through Settings → Wi-Fi.

  2. You should see the name of your ad-hoc network on the network list (for example, forensics1). Tap the network and you should connect.

  3. Once connected, configure the iPhone to have a static address on the network. Tap the blue disclosure arrow to bring up the iPhone’s network settings.

  4. Tap Static to set the information manually. Now enter an IP address of 192.168.0.2, a netmask of 255.255.255.0, and optionally the IP address of your ISP’s DNS server.

  5. Press the back button (labeled Wi-Fi Networks) for these changes to take effect.

You should now be able to ping the iPhone at IP address 192.168.0.2 from your desktop at IP address 192.168.0.1. If you can’t, you’ve done something wrong, so go back and repeat these steps.

SSH to the iPhone

Once the iPhone is active on the network, you connect to it via SSH from your desktop. If you have not already done so, install the SSH tools outlined in Chapter 2. Then enter the command:

$ ssh -l root x.x.x.x

Note

Replace x.x.x.x with the IP address of the iPhone. When prompted for a password, enter alpine, which is the root password set automatically when you install the forensics toolkit. If you are unable to connect, try pinging the device to ensure you have network connectivity.

Once you have successfully logged into the iPhone, you’re ready to recover the media partition.

Recovering the Media Partition

With the recovery toolkit installed and the iPhone sharing a network connection with your desktop, the media partition can finally be recovered. Depending on what level of integrity you’re looking to establish, there are many different ways to accomplish this. This section walks you through the different steps involved in recovering the media partition. Some processes are optional, and it will ultimately be up to you to determine which security options are important.

Note

Prior to performing a recovery, it’s a good idea to disable the iPhone’s locking mechanism. Click on the Preferences icon, then General. Change the Auto-Lock option to Never.

Command-Line Terminal

Much of the work involved from here on out will be performed on the command line, so it’s important to know how to invoke a command-line terminal window.

Mac OS X

Find the Terminal application by opening the Applications folder, and double-clicking on the Utilities folder. Double-click Terminal to open the application. Subsequent windows can be opened by selecting New Window from the Terminal menu.

Windows

Click on the Start menu, then highlight Programs, followed by Accessories. Click on the Command Prompt application. This will open a new window with what you may refer to as a “DOS prompt.”

Tools Needed

To recover the media partition, you’ll need two command-line tools on the desktop: dd and nc. The dd tool is a disk copy tool used to copy the raw drive image, while the nc tool (also known as netcat) is used to send (and receive) data across a network. Both of these tools must be installed on both the desktop and the iPhone. The recovery toolkit automatically installs the iPhone builds of these tools, leaving the desktop portion up to you.

The file copy over netcat is insecure unless forwarded through an SSH tunnel. In both cases, for evidentiary integrity, it is recommended that this copy be conducted over a private, encrypted wireless network, or that MD5 digests be used to verify the integrity of the image.

MD5 Digests

Before transmitting the media partition to the desktop machine, it may be appropriate to generate an MD5 digest of it from the iPhone. This will ensure that the partition data hasn’t been altered or tampered with while in transit. To do this, connect to the iPhone using SSH and issue the commands below into a terminal window, replacing x.x.x.x with the IP address of the iPhone:

$ ssh -l root x.x.x.x
# cd /
# umount -f /private/var
# mount -o ro /private/var
# md5 /dev/rdisk0s2

These commands connect to the iPhone via SSH and then change to the root (/) directory. Next, the umount command forcibly unmounts the /private/var partition. Since other iPhone applications are using the disk, it cannot be unmounted without force (the -f option). Finally, the partition is remounted with the read-only option (ro) and the md5 tool is instructed to create a digest of its raw device.

In order to create a digest, the entire partition must be read and processed. Depending on the capacity of the iPhone, this may take several hours to complete. To keep the iPhone “alive” during this time, it may be necessary to occasionally swipe your finger across the screen in a way that won’t activate any applications or user interface elements. If the iPhone falls asleep, it may shut down its wireless connection, which would cause the entire process to freeze. To keep the network connection alive, it’s a good idea to run a ping session from the iPhone (in another terminal window) while waiting for the MD5 digest to return.

Note

You can test the network connection by pressing Enter a few times in the terminal window. If you can see empty lines being echoed to your terminal window, the connection is still live.

While the user partition is mounted as read-only, the user interface (via the touch screen) must not be used, except to touch an inactive portion of the screen (to keep the backlight active). If, at any time, the operating system layer becomes nonresponsive, rebooting the device will cause the user partition to be remounted back in read-write mode. This will allow the operating system to write to the partition again, however, and so you’ll need to reissue the commands above to generate another MD5 digest.

Note

To forcibly reboot the iPhone, hold the Home and Power buttons down only until the device powers off. Wait a few seconds and then hold down the Power button to power the device back on.

When completed, the md5 utility will return a digest of the raw disk partition, as shown below. Copy this output, after transferring the disk image across the network, as you will use it later to compare with a digest created on the desktop.

MD5 (/dev/rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

Unencrypted Recovery

The fastest and easiest way to recover the media partition is to send it directly to the desktop machine without any level of encryption. If you’re using a WEP- or WPA-encrypted wireless network, the data will be encrypted on the network layer regardless. To send the disk partition, you’ll need to run separate commands from both the desktop machine and the iPhone to transmit the disk contents across the network.

Your desktop and the iPhone are essentially going to play a game of catch. On the desktop side, you’ll be issuing a command (using netcat) telling the desktop to listen on a network port. Think of a port like you’d think of third base—the desktop is being instructed to listen for incoming data at a certain location, and the iPhone is going to throw the ball (here, the disk image) to the desktop. Both have to be set up right, or the transmission will fail.

On the desktop side, instruct the netcat tool to listen on a local port (in this example, 7000). The information that the desktop receives is then sent to the disk copy utility, which is used to convert the data back into a disk image file.

Mac OS X

Issue the following from a terminal window:

$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

Here’s a breakdown of the command:

nc

Calls netcat

-l

Tells netcat to listen for incoming connections

7000

Tells netcat to use port 7000

| dd

Pipes (relays) the information received by netcat to the dd disk copy utility

of=./rdisk0s2

Stores the disk image locally (of stands for “output file”) with the filename rdisk0s2

bs=4096

Uses a disk block size of 4 K

Note

Some versions of netcat for Mac OS X use the arguments -l -p 7000 instead of -l 7000.

Windows

Issue the following from a command prompt:

$ nc -L -p 7000 | dd of=./rdisk0s2 bs=4096

Here’s a breakdown of the command:

nc

Calls netcat

-L

Tells netcat to listen for incoming connections

-p 7000

Tells netcat to use port 7000

| dd

Pipes (relays) the information received by netcat to the dd disk copy utility

of=./rdisk0s2

Stores the disk image locally (of stands for “output file”) with the filename rdisk0s2

bs=4096

Uses a disk block size of 4 K

Sending the data

After you tell the desktop machine to listen for incoming data, the terminal window on the desktop will appear to sit idle. This means it’s waiting and listening for data. Open a second terminal window and connect to the iPhone using SSH. Use the following commands to instruct it to send its media partition to the desktop. In the sample commands, x.x.x.x represents the IP address of the iPhone, and y.y.y.y represents the IP address of the desktop machine:

$ ssh -l root x.x.x.x
# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc y.y.y.y 7000

Here’s a breakdown of the send command:

/bin/dd

Calls the disk copy utility on the iPhone

if=/dev/rdisk0s2

Instructs disk copy to read the second partition of the raw disk as input

bs=4096

Uses a disk block size of 4 K

| nc

Pipes (relays) the information received by the disk copy utility to netcat

y.y.y.y

Since -l wasn’t specified, instructs netcat to send the data to (not receive from) the specified address

7000

Instructs netcat to use port 7000

The raw partition will begin transferring over the network, which should be reflected by a gradual increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone. Only the media portion of the iPhone’s disk storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, you’ll see both terminal windows report that a certain number of bytes have been sent or received. Once complete, it may be necessary to cancel the operation on the iPhone’s side by pressing Ctrl-C.
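The game of catch described above, as an added example that is not code from the book: a Python listener playing the desktop’s nc -l | dd role and a sender playing the iPhone’s dd | nc role, run on the loopback interface with a constructed byte string standing in for /dev/rdisk0s2. Port 0 (any free port) replaces the chapter’s port 7000, and the two terminal windows become a thread; everything else (4 K blocks, end of transfer signalled by the sender closing the connection, both sides reporting a byte count) mirrors the real procedure.

```python
import socket
import threading

BLOCK_SIZE = 4096  # the bs=4096 used with dd on both ends of the real transfer


def receive_image(listener, out_path):
    """Desktop side: accept one connection and write every byte received to out_path.

    This is the role of 'nc -l 7000 | dd of=./rdisk0s2 bs=4096'. The transfer is over
    when the sender closes the connection, and the byte count returned here is what
    you compare with the count the sending side reports.
    """
    conn, _ = listener.accept()
    total = 0
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK_SIZE)
            if not chunk:          # sender closed the socket: end of the image
                break
            out.write(chunk)
            total += len(chunk)
    return total


def send_image(host, port, image):
    """iPhone side: stream the raw partition in 4 KiB blocks, then close the socket.

    This is the role of '/bin/dd if=/dev/rdisk0s2 bs=4096 | nc y.y.y.y 7000'.
    """
    sent = 0
    with socket.create_connection((host, port)) as sock:
        for off in range(0, len(image), BLOCK_SIZE):
            block = image[off:off + BLOCK_SIZE]
            sock.sendall(block)
            sent += len(block)
    return sent


def run_transfer(image, out_path):
    """Run both halves on the loopback interface and return what each side counted.

    In the real procedure the two halves run in two terminal windows; here the desktop
    half runs in a thread. Port 0 asks the OS for any free port (the chapter uses 7000).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    counts = {}

    def desktop_side():
        counts["received"] = receive_image(listener, out_path)

    worker = threading.Thread(target=desktop_side)
    worker.start()
    counts["sent"] = send_image("127.0.0.1", port, image)
    worker.join()
    listener.close()

    with open(out_path, "rb") as f:
        counts["intact"] = f.read() == image
    return counts


if __name__ == "__main__":
    # Constructed stand-in for /dev/rdisk0s2; deliberately not a multiple of the block size.
    sample = bytes(range(256)) * 100 + b"end-of-partition"
    print(run_transfer(sample, "rdisk0s2.sample"))
```

The point to take from the byte counts is the one the chapter makes: a transfer is only complete when the number the desktop reports equals the number the iPhone reports, and a listener that stops early (firewall, sleeping Wi-Fi) produces a smaller file without any error of its own.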

Note

If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone’s general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).

Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:

$ md5 rdisk0s2
MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in the section “MD5 Digests.” If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.
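The comparison described above, written out as an added example rather than code from the book: it parses the MD5 (file) = digest line produced by the md5 utility on the iPhone, hashes the received image in chunks, and reports whether the two agree. As an addition beyond the page it also accepts the two-column layout printed by GNU md5sum, since a Linux desktop will produce that form instead.

```python
import hashlib
import re

# The BSD md5 output the chapter shows ("MD5 (file) = hash"); the second pattern, an
# addition beyond the page, accepts the GNU md5sum layout ("hash  file") as well.
_BSD_LINE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hash>[0-9a-fA-F]{32})$")
_GNU_LINE = re.compile(r"^(?P<hash>[0-9a-fA-F]{32})\s+\*?(?P<name>.+)$")


def parse_md5_line(line):
    """Return (name, hex digest) from one md5/md5sum output line, or None if it does not parse."""
    line = line.strip()
    for pattern in (_BSD_LINE, _GNU_LINE):
        m = pattern.match(line)
        if m:
            return m.group("name"), m.group("hash").lower()
    return None


def md5_of_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so a multi-gigabyte image is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual_hex, recorded_line):
    """Compare a digest computed on the desktop with the line copied from the iPhone."""
    parsed = parse_md5_line(recorded_line)
    if parsed is None:
        raise ValueError("unrecognised md5 output line: %r" % recorded_line)
    source_name, expected = parsed
    return {
        "source": source_name,
        "expected": expected,
        "actual": actual_hex.lower(),
        "match": actual_hex.lower() == expected,
    }


def verify_image(path, recorded_line):
    """Hash the received image file and check it against the digest recorded on the device."""
    return verify_digest(md5_of_file(path), recorded_line)


if __name__ == "__main__":
    # The digest line is the one shown in the chapter; the file path is whatever you
    # saved the received partition as.
    print(verify_image("rdisk0s2", "MD5 (/dev/rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023"))
```

Keep the dictionary this returns (source name, both digests, result) in the case notes alongside the line copied from the iPhone; a later examiner can then repeat the check on the vaulted image without the device.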

Warning

Never try to examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.

Now that the media partition has been copied, the iPhone itself may be analyzed by hand to obtain any information available through the standard user interface.

Encrypted Recovery of the Media Partition

Using a technique similar to the previous method, the disk image can be transmitted across an encrypted SSH tunnel, adding an extra layer of security (at the expense of added time) to your recovery efforts. This is done by creating a remotely forwarded network connection to the iPhone, so that all data transmitted across it will be encrypted by SSH. This helps prevent tampering and ensures that the data traveling across the wireless network is encrypted on an application layer. If you are using message digests or an encrypted access point, this step may be redundant.

Along with the drawback of increasing transfer time, certain combinations of the SSH client and server can sometimes also result in packet size or other errors. In the event this occurs, you’ll need to use a different SSH client on the desktop machine, or simply revert back to using the unencrypted technique described in the last section.

In the previous section, you connected to the iPhone using the simple SSH command:

$ ssh -l root x.x.x.x

To establish an encrypted tunnel, you’ll need to spice this up a little. Add the following parameters to compress and remotely forward data:

$ ssh -l root -C -R 7000:127.0.0.1:7000 x.x.x.x

If you’re using a GUI tool, such as PuTTY, instead of a command-line tool, configure a remotely forwarded port as shown in Figure 4-1.

Figure 4-1. Remote port forwarding configuration in PuTTY

On the desktop, instruct the netcat tool to listen on a local port as before (in this example, port 7000). There is no longer a need for the dd command, however. Just pipe the information sent to the desktop to the disk.

On Mac OS X:

$ nc -l 7000 > rdisk0s2

On Windows:

$ nc -L -p 7000 > rdisk0s2

On the iPhone, perform a raw partition dump. Instead of using the IP address of the desktop machine, use the localhost address of 127.0.0.1. This will feed the data through the iPhone’s loopback interface, which will direct it through the encrypted SSH tunnel.

# cat /dev/rdisk0s2 | nc 127.0.0.1 7000

As the raw partition transfers across the SSH tunnel, activity should be reflected by an increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone, and will take longer than an unencrypted transfer. Only the media portion of the device’s storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, both sides of the connection will report that a certain number of bytes have been sent (or received). When finished, it may be necessary to cancel the operation on the iPhone’s side by pressing Ctrl-C.

Note

If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone’s general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).

Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:

$ md5 rdisk0s2
MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in the section MD5 Digests. If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.

Warning

Never examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.

Making Commercial Tools Compatible

Once a raw disk image has been recovered from the iPhone, it can be read by many commercial forensics tools such as Encase or FTK, but with one caveat. The disk image itself is reported as an HFS/X image (fifth generation HFS), which most tools do not yet recognize. The identifier for this format is located at or around offset 0x400 inside the image file. Changing the identifier from HX to H+ (denoting an HFS/+ filesystem) causes most existing tools to accept the file for processing. To make this change, document it and then use a hex editor, such as Hex Fiend or HexEdit 32. Figure 4-2 shows a segment of the file where the HX appears.

Figure 4-2. Hex Fiend for Mac displaying offset 0x400
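The same HX to H+ change made with a script instead of a hex editor, as an added example that is not code from the book. It reads the two identifier bytes at offset 0x400, makes the change on a copy only, and returns a record (offset, bytes before and after, digest of the untouched original and of the altered copy) for the case notes, since the copy’s digest will no longer match the one taken on the iPhone. The image file is a constructed stand-in; the 0x400 offset and the HX/H+ identifiers are the ones the chapter gives.

```python
import hashlib
import shutil

SIGNATURE_OFFSET = 0x400  # where the chapter locates the filesystem identifier
HFSX_SIG = b"HX"          # what the recovered image reports (HFS/X)
HFSPLUS_SIG = b"H+"       # what most commercial tools expect (HFS+)


def read_signature(path):
    """Return the two identifier bytes at offset 0x400, or None if the file is too short."""
    with open(path, "rb") as f:
        f.seek(SIGNATURE_OFFSET)
        sig = f.read(2)
    return sig if len(sig) == 2 else None


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_tool_compatible_copy(original_path, copy_path):
    """Copy the image and rewrite HX -> H+ in the copy only; the original is never opened for writing.

    Refuses to proceed unless the original really carries HX at 0x400, so an image that
    is already HFS+ (or is not a raw HFS volume at all) is not silently patched.
    """
    before = read_signature(original_path)
    if before != HFSX_SIG:
        raise ValueError("expected %r at offset 0x%x, found %r" % (HFSX_SIG, SIGNATURE_OFFSET, before))
    shutil.copyfile(original_path, copy_path)
    with open(copy_path, "r+b") as f:
        f.seek(SIGNATURE_OFFSET)
        f.write(HFSPLUS_SIG)
    return {
        "offset": SIGNATURE_OFFSET,
        "before": before,
        "after": read_signature(copy_path),
        "original_md5": md5_of_file(original_path),
        "copy_md5": md5_of_file(copy_path),
    }


if __name__ == "__main__":
    # Constructed 2 KiB stand-in for a recovered image with HX at 0x400.
    sample = bytearray(0x800)
    sample[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = HFSX_SIG
    with open("rdisk0s2.sample", "wb") as f:
        f.write(bytes(sample))
    print(make_tool_compatible_copy("rdisk0s2.sample", "rdisk0s2.sample-hfsplus"))
```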

Data Carving Using Foremost/Scalpel

To recover deleted files, you need a data-carving tool. Data carving is the process of extracting structured data from unstructured data. Until mounted as a filesystem, the raw partition recovered from the iPhone looks like one big file to the computer, and contains both live and deleted data. A data-carving tool can scan the disk image for traces of desired files, such as images, voicemail, and other files. It then carves these smaller files out of the image for further analysis. Foremost and Scalpel are both data-carving tools.

Foremost is a free forensics tool developed by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations. Foremost can be freely downloaded from http://foremost.sourceforge.net and compiled/installed on most desktop operating systems. Mac OS systems may either build from sources or install using MacPorts (http://www.macports.org):

$ sudo port install foremost

Scalpel is a tool based on Foremost and performs much faster analysis using an identical configuration file. Scalpel is available at http://www.digitalforensicssolutions.com/Scalpel/. Windows binaries for Scalpel are included in the distribution. Scalpel can be compiled and installed on a Mac desktop using the following commands (if the version number has changed, simply substitute the current version in the following file and directory names):

$ tar -zxvf scalpel-1.60.tar.gz
$ cd scalpel-1.60
$ make bsd
$ sudo mkdir -p /usr/local/bin /usr/local/etc
$ sudo cp -p scalpel /usr/local/bin
$ sudo cp -p scalpel.conf /usr/local/etc

Note

To compile software on a Mac, Xcode Tools must be installed. This package can be downloaded free from the Apple Developer Connection website at http://developer.apple.com.

Data carving is by no means an exact technique, and some deleted data may be partially overwritten. Foremost and Scalpel both rise to the challenge by allowing examiners to specify headers (and optionally footers) that identify the beginning and end of the desired data they are searching for. The default configuration file includes data types for several different file formats, leaving it up to the examiner to uncomment the lines for files they want to carve out.

The format of the Foremost and Scalpel configuration files is identical, and equally simple to understand. A single entry consists of five fields: file extension, case sensitivity, default size, header, and optional footer:

jpg        y    200000  \xff\xd8\xff\xe0\x00\x10        \xff\xd9

In this example of a JPEG image, the extension is declared as .jpg and the pattern is identified as case-sensitive (the y in the second field). The default file size, which is used when the footer is either not specified or not found, is defined as 200 K. The header and footer are specified in hexadecimal by using the \x prefix, but plain text may also be used, as you’ll see in the next section. In the previous example, the byte pattern FFD9 marks the end of this particular JPEG format. When the file is found, the data-carving tool will scan it until reaching the 200 K limit or finding the 0xFFD9 pattern. No more than 200 kilobytes will be stored in any one file that matched this configuration line. But most images, databases, and other files can still be used even if they contain extra junk at the end of the file. If files become truncated, you can increase the file size to get a larger chunk of data.
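To make the five-field format and the carving behaviour it drives concrete, here is an added example (not the Foremost or Scalpel code, and not from the book) that parses entries in this format and carves a constructed sample image with them. The jpg line is the one above and the plist line is the one given later in this chapter; the dat rule and the sample image bytes are constructed. Case-insensitive rules (n in the second field), hex and plain-text headers, a footer that is found, and the truncation at the default size when it is not are all exercised.

```python
# Constructed sample "partition": a tiny JPEG-like blob, an upper-case plist and a
# lower-case plist whose closing tag is missing, so every rule path below is exercised.
IMAGE = (
    b"\x00" * 10
    + b"\xff\xd8\xff\xe0\x00\x10" + b"JFIFdata" + b"\xff\xd9"
    + b"\x00" * 5
    + b"<PLIST>abc</PLIST>"
    + b"<plist>zzz"
    + b"\x00" * 3
)


def decode_pattern(text):
    """Turn a config-file pattern such as \\xff\\xd8 or <plist into bytes (\\xNN is one byte)."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("\\x", i) and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_rule(line):
    """Parse one entry: extension, case flag, max size, header, optional footer.

    Blank lines and lines starting with '#' (the commented-out types in the default
    file) return None, so a whole configuration file can be fed through this function.
    Patterns are whitespace-separated, which is why the page writes SQLite\\x20format.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) not in (4, 5):
        raise ValueError("expected 4 or 5 fields: %r" % line)
    ext, case_flag, size, header = fields[:4]
    footer = fields[4] if len(fields) == 5 else None
    return {
        "ext": ext,
        "case_sensitive": case_flag.lower() == "y",
        "max_size": int(size),
        "header": decode_pattern(header),
        "footer": decode_pattern(footer) if footer else None,
    }


def carve(image, rule):
    """Return (offset, bytes) for every occurrence of the rule's header in image.

    A carved file runs from the header to the end of the footer if one is found within
    max_size bytes; otherwise it is cut at max_size (or at the end of the image), which
    is the truncation described in the text. The search resumes one byte past each hit,
    so nested headers produce overlapping carves (too much data rather than too little).
    """
    sensitive = rule["case_sensitive"]
    haystack = image if sensitive else image.lower()
    header = rule["header"] if sensitive else rule["header"].lower()
    footer = rule["footer"]
    if footer is not None and not sensitive:
        footer = footer.lower()
    found = []
    pos = haystack.find(header)
    while pos != -1:
        end = min(pos + rule["max_size"], len(image))
        if footer is not None:
            f = haystack.find(footer, pos + len(header), end)
            if f != -1:
                end = f + len(footer)
        found.append((pos, image[pos:end]))
        pos = haystack.find(header, pos + 1)
    return found


def carve_config(image, config_text):
    """Run every active rule of a configuration file; returns {extension: [(offset, bytes)]}."""
    results = {}
    for line in config_text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            results.setdefault(rule["ext"], []).extend(carve(image, rule))
    return results


if __name__ == "__main__":
    config = r"""
# jpg line from the chapter; plist line from the iPhone section of this chapter
jpg        y    200000  \xff\xd8\xff\xe0\x00\x10        \xff\xd9
plist      y     4096     <plist  </plist
"""
    for ext, hits in carve_config(IMAGE, config).items():
        for offset, data in hits:
            print(ext, hex(offset), len(data), data)
```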

Configuration for iPhone Recovery

The Foremost tool uses a foremost.conf file for its configuration, while Scalpel uses an identical configuration, traditionally named scalpel.conf. Both sample configurations allow the examiner to uncomment certain types of files to be carved. Additional types may also be defined in the configuration, which you will sometimes find useful because the iPhone stores many proprietary files of interest that aren’t represented in the Foremost and Scalpel configuration files. Edit the default configuration included with the software and uncomment any desired file types. Next, add the definitions that you find useful in the following sections.

Dynamic dictionaries

dat        y    16384   DynamicDictionary

Dynamic dictionary files are keyboard caches used by the iPhone to learn its owner’s particular dictionary. Whenever a user enters text—whether usernames, certain passwords, website URLs, chat messages, email messages, or other form of input—much of it is stored (in order) in the keyboard cache. Adding the line shown here to the configuration file will search for deleted and/or existing keyboard caches, revealing fragments of historical communication. An example of such a file is shown in Figure 4-3, containing fragments from multiple email messages, search engine lookups, and other user input.

Figure 4-3. A deleted, two-week-old dynamic keyboard cache

Voicemail messages

amr        y     65535      #!AMR

The AMR codec is considered the standard speech codec by 3GPP, a collaborative standards body involved in mobile communications. It yields high-quality audio playback for voice content, and is used on the iPhone to store voicemail messages. Most voicemail messages fit nicely into 65 K, but to extract larger chunks of voicemail messages, simply increase the file size specified in the third field of this entry.

Property lists

plist      y     4096     <plist  </plist

A property list is an XML-like configuration file used heavily in the Mac OS world, including the iPhone. Many preloaded applications, as well as Apple’s operating system components, use property lists to store anything from basic configuration data to history and cache information. By analyzing these files, the examiner can get an idea of what websites the suspect may have visited or what Google Maps direction lookups were queried. Other useful information may include mail server information, iTunes account info, and so on. The different property lists on the iPhone will be explained in the next chapter.

SQLite databases

sqlitedb   y     5000000  SQLite\x20format

The SQLite database format is widely used in the Mac OS X world to store calendars, address books, Google Maps tile graphics, and other information on the iPhone. SQLite databases are generally “live” on the filesystem, but older, deleted databases may be recovered in the event that the device was recently restored. Instructions for querying SQLite databases and recovering Google Maps tile graphics are covered in the next chapter.

Email

email      y     40960    From:

Scanning for email headers is an effective way to recover both live and deleted email.

Web pages

htm        n     50000   <html  </html>

Other files

pdf         y     5000000   %PDF-  %EOF
doc         y     12500000  \xd0\xcf\x11\xe0\xa1\xb1

Adobe PDF and Microsoft Word files can be stored locally when sent to the iPhone via email or navigated to using the iPhone’s Safari web browser.

PGP blocks

txt         y     100000  -----BEGIN

PGP-encrypted messages are generally not of great use without a key, but can frequently include unencrypted messages within the same thread, should any have been sent/received.

Images

GIF, JPG, and PNG image formats are all used on the iPhone, and can be enabled for scanning by removing the comments preceding the corresponding lines in the configuration file. In addition to the default formats included, the following formats are used for various graphics on the iPhone.

png         y     40960    \x89PNG

This particular format of PNG is used to store small icons and Google Maps tile graphics.

jpg         y     5000000  \xff\xd8\xff\xe1    \x7f\xff\xd9

This is the JPEG format used for photos taken with the built-in camera.

Note

Be sure to enable the stock graphics formats in addition to the ones in this section.

Building Rules

If you’re trying to recover a file that isn’t listed in the above examples, you’ll need to build your own rule to carve it out. Some methods for doing this are:

  1. Identify the file format you’re looking for. Many online resources can provide you with information for a host of different file formats.

  2. Assemble a list of possible file headers. Use what information you can find about the file format to assemble a list of file headers that could have been used in the file you’re searching for. Remember, it’s better to generate too much data than not enough, so be liberal with your list—grep and other tools can help you sort through it.

  3. Recreate the file structure using the same software or equipment, if possible. If you’re trying to recover a file created with a particular software package, use that same software package to write a new file. In most cases, the first few bytes of the file header will be the same regardless of the file’s contents. If you’re trying to track down a file saved by a digital camera, video recorder, or other equipment, reproduce the steps to create another similar file, and examine its header.
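Steps 2 and 3 above, carried out in code as an added example (not from the book): given several sample files written by the same software, it takes the longest byte prefix they all share as the candidate header and emits a configuration entry in the five-field format, hex-escaping bytes that are not printable. The sample files, the cache extension and the 65536 size are constructed; the refusal to emit a header shorter than a few bytes is a design choice, since a one- or two-byte header matches everywhere in a multi-gigabyte image and buries the examiner in false hits.

```python
# Constructed sample files, as if three files had been written by the same hypothetical
# application: the first seven bytes agree, the eighth differs between samples.
SAMPLES = [
    b"\x89CACHE\x00\x01" + b"alpha record",
    b"\x89CACHE\x00\x01" + b"beta record",
    b"\x89CACHE\x00\x02" + b"gamma record",
]


def common_prefix(samples):
    """Longest byte prefix shared by every sample; this is the candidate file header."""
    if not samples:
        return b""
    prefix = samples[0]
    for s in samples[1:]:
        n = 0
        while n < min(len(prefix), len(s)) and prefix[n] == s[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def encode_pattern(data):
    """Write bytes in the config-file syntax: printable ASCII as-is, anything else as \\xNN.

    Space and backslash are escaped too: fields are whitespace-separated (the page
    writes SQLite\\x20format for this reason) and a bare backslash would start an escape.
    """
    out = []
    for b in data:
        if 0x21 <= b <= 0x7e and b != 0x5c:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def build_rule(ext, samples, max_size, min_header_len=4, case_sensitive=True):
    """Produce one Foremost/Scalpel entry (no footer) from sample files of the target format."""
    header = common_prefix(samples)
    if len(header) < min_header_len:
        raise ValueError(
            "shared header is only %d bytes; collect more samples or choose a longer anchor"
            % len(header)
        )
    return "%-10s %s %8d  %s" % (ext, "y" if case_sensitive else "n", max_size, encode_pattern(header))


if __name__ == "__main__":
    # Paste the printed line into foremost.conf / scalpel.conf.
    print(build_rule("cache", SAMPLES, 65536))
```

With no footer in the entry, the carver will take max_size bytes after every hit, which is the liberal setting step 2 recommends; tighten it later once you have seen what the carved files contain.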

Scanning with Foremost/Scalpel

Once a valid configuration file has been created, Foremost/Scalpel can be instructed to scan the image from the command line:

$ foremost -c foremost.conf rdisk0s2
foremost version 0.69
Written by Kris Kendall and Jesse Kornblum.
Opening /usr/local/sandbox/rdisk0s2
rdisk0s2:   0.9% |                      |  130.0 MB    11:07 ETA

If using Scalpel, replace the name of the application:

$ scalpel -c scalpel.conf rdisk0s2

Sometimes Scalpel tries to bite off more than it can chew in terms of system resources. If errors concerning the maximum number of file descriptors, or similar resource errors, are reported, it may be necessary to run the tool with superuser privileges and use the ulimit command to lift resource restrictions. You’re likely to run into this problem only when using Scalpel on Mac OS X:

$ sudo -s
$ ulimit && ulimit -n 8192
$ scalpel -c scalpel.conf rdisk0s2

The entire process may take a few hours to complete using Foremost, or less than a half hour using Scalpel. Potentially useful information will be recovered to a directory named foremost-output (or scalpel-output) within the current working directory. The tool will also create an audit.txt file within the output directory containing a manifest of the information recovered. Once recovered, it’s up to the examiner to determine what data is valid.

Validating Images with ImageMagick

Recovery tools generally err on the side of generating too much data, rather than skipping files that could be important. As a result, they extract a lot of data that may be partially corrupt or unwanted altogether. Finding valid images to examine can be a time-consuming process in the presence of thousands of files, so a few simple recipes can greatly help reduce the amount of time needed.

The ImageMagick package contains a set of image processing utilities, one of which can be used to display information about images. The identify tool included with ImageMagick is perfect for sifting through the thousands of files created by data-carving tools to identify the readable images. ImageMagick can be downloaded from http://www.imagemagick.org/script/index.php. Mac OS users may build from sources or use MacPorts (http://www.macports.org) to install the package:

$ sudo port install imagemagick

Once installed, write a simple bash script to test the validity of an image file. For the purposes of this example, name the file test-script.sh:

#!/bin/bash
# Move any file that ImageMagick's identify cannot read into ./invalid;
# only identify's exit code matters here, so its output is discarded.
mkdir -p invalid
identify "$1" >/dev/null 2>&1 || mv "$1" ./invalid/

Warning

Some images may be corrupt, but still somewhat recognizable. These images may appear invalid to the identify tool. It is therefore recommended that images only be moved, not deleted, so that invalid images can be later reviewed by hand.

When calling ImageMagick’s identify tool for a given file, a successful exit code will be returned if the image can be read. The previous script moves all invalid images to a subdirectory named invalid, leaving the valid images in the original directory where you invoke the script. The script can then be invoked for a given supported image type (.jpg, .gif, .png, etc.) using a simple recipe with the find command:

$ mkdir invalid
$ chmod 755 test-script.sh
$ find foremost-output -type f -name "*.jpg" -exec ./test-script.sh {} \;

The syntax of the find command is subtle and replete with metacharacters. You can either stick to the script shown here and just adapt the .jpg file suffix, or explore the find documentation to discover its options for ownership, age of files, etc.
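As an added example, not code from the book or from ImageMagick, the checks below do for carved PNG and JPEG files what identify's exit code does in the script above, and make visible the usual reasons a carved image is unreadable: a chunk truncated at the carving size limit, a chunk whose CRC no longer matches, or a missing end-of-image marker. The sample files are constructed inline, and the function and constant names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_ok(data):
    """Walk the chunk list: every CRC must verify and an IEND chunk must be reached."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):           # length + type + CRC at minimum
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return False                   # chunk runs past EOF: truncated carve
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(data[pos + 4:body_end]) != crc:
            return False                   # chunk type+body does not match its CRC
        if data[pos + 4:pos + 8] == b"IEND":
            return True
        pos = body_end + 4
    return False                           # ran out of data before IEND

def jpeg_ok(data):
    """Require SOI, a sane marker chain up to SOS, and an EOI marker at the end."""
    if not data.startswith(b"\xff\xd8") or not data.endswith(b"\xff\xd9"):
        return False
    pos = 2
    while pos + 4 <= len(data):            # assumes no stand-alone markers before SOS
        if data[pos] != 0xFF:
            return False                   # lost marker sync: garbage in the header
        if data[pos + 1] == 0xDA:          # SOS: entropy-coded scan follows
            return True
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                 # length field counts itself, not the marker
    return False

# Constructed samples (not real carved output): a 1x1 greyscale PNG and a
# skeletal JPEG with one APP1 segment, plus damaged variants of each.
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

GOOD_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TRUNCATED_PNG = GOOD_PNG[:-6]                        # cut inside the IEND chunk
CORRUPT_PNG = GOOD_PNG[:20] + bytes([GOOD_PNG[20] ^ 0xFF]) + GOOD_PNG[21:]  # IHDR byte flipped
GOOD_JPG = (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", 8) + b"Exif\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34" + b"\xff\xd9")
TRUNCATED_JPG = GOOD_JPG[:-2]                        # EOI marker missing
```

Either function can stand in for identify inside the find loop above; files that fail should still be moved rather than deleted, since a truncated carve may still render partially.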

Strings Dump

As a final means to turn up data, the strings from the raw disk image can be extracted and saved to a file. The output will be enormous, but it will allow loose text searches for a particular conversation or other data.

Extracting Strings

To extract the strings from the disk image, perform the following.

Mac OS X

The strings utility comes integrated with Mac OS X, as it is a standard Unix tool. Simply issue the following from a terminal window:

$ strings rdisk0s2 > filename

Windows

Download the Windows version of strings from http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx. Issue the following command to dump the text strings from the disk image:

$ strings.exe rdisk0s2 > filename

The Takeaway

  • There are a lot of different security measures you can take to securely obtain the raw disk partition from the iPhone. Use the safest method that meets your goals. There is no need to overdo it.

  • Data carving can be used to pull any type of data from a raw image or other file, but it’s up to the examiner to have some clue about what to look for. If you’re unsure, enable all file types and take the extra time to look through the results.

  • Using simple tools like strings can give you a very large file of text to search through for key words or phrases.
