Practical Mobile Forensics by Heather Mahalik, Rohit Tamma, Satish Bommisetty

Acquisition via a custom ramdisk

Acquisition via a custom ramdisk is a novel method to acquire data from an iPhone. It gains access to the file system by loading a custom ramdisk into memory and exploiting a weakness in the boot process while the device is in DFU mode. The custom ramdisk contains the forensic tools necessary to dump the file system over USB via an SSH tunnel. Loading a custom ramdisk onto a device does not alter the user data, so the evidence is not destroyed.

Consider a computer that is protected with an OS-level password: we can still access the hard disk contents by booting from a live CD. Similarly, on the iPhone, we can load a custom ramdisk over USB and access the file system. However, the iPhone secure boot ...
