Data Carving Using Foremost/Scalpel
To recover deleted files, you need a data-carving tool. Data carving is the process of extracting structured data from unstructured data. Until mounted as a filesystem, the raw partition recovered from the iPhone looks like one big file to the computer, and contains both live and deleted data. A data-carving tool can scan the disk image for traces of desired files, such as images, voicemail, and other files. It then carves these smaller files out of the image for further analysis. Foremost and Scalpel are both data-carving tools.
Foremost is a free forensics tool developed by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations. Foremost can be freely downloaded from http://foremost.sourceforge.net and compiled/installed on most desktop operating systems. Mac OS systems may either build from sources or install using MacPorts (http://www.macports.org):
$ sudo port install foremostScalpel is a tool based on Foremost and performs much faster analysis using an identical configuration file. Scalpel is available at http://www.digitalforensicssolutions.com/Scalpel/. Windows binaries for Scalpel are included in the distribution. Scalpel can be compiled and installed on a Mac desktop using the following commands (if the version number has changed, simply substitute the current version in the following file and directory names):
$tar -zxvf scalpel-1.60.tar.gz$cd scalpel-1.60$make bsd$sudo mkdir -p /usr/local/bin ...