Archive for the ‘Forensics’ Category

Running Concurrent Versions of iTunes

Tuesday, May 11th, 2010

In my forensics classes, I get a lot of requests for help running two different versions of iTunes, since different versions offer different functionality and interoperability depending on the device and firmware version. This is a quick how-to for setting up a Mac with iTunes 9 and iTunes 8.1.1 so that a simple shell command switches between the two, with a reboot in between. The following files and directories are specific to each version of iTunes, so you'll need a separate copy of each for every version you want to switch between:

  • /Applications/iTunes.app
  • /System/Library/PrivateFrameworks/iTunesAccess.framework
  • /System/Library/PrivateFrameworks/MobileDevice.framework
  • /System/Library/PrivateFrameworks/DeviceLink.framework
  • /System/Library/PrivateFrameworks/CoreFP.framework
  • /System/Library/Extensions/AppleMobileDevice.kext
  • ~/Music/iTunes

What we’ll do is install iTunes 9, move these files into an archive, then install iTunes 8.1.1 and do the same. Using symbolic links, each of these paths can then be pointed at whichever version of iTunes you want to run.
(more…)
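The archive-and-symlink procedure above, as an added example (editor's script, not the one from the original post). It keeps one archived copy of the version-specific paths per version and flips every live path to the chosen copy. PREFIX and ARCHIVE_ROOT are assumed names introduced so the same logic can be exercised in a scratch tree; on a real Mac run it with PREFIX empty, as root, and reboot after `select` so the matching AppleMobileDevice.kext is loaded.

```shell
#!/bin/sh
# Added example (editor's, not the original post's script).
# PREFIX (assumed; empty on a real Mac) is prepended to every live path so
# the logic can be tested against a scratch directory. ARCHIVE_ROOT
# (assumed) is where each version's files are parked.

PREFIX="${PREFIX:-}"

# The version-specific paths listed in the post; $HOME resolves at call time.
itunes_paths() {
  printf '%s\n' \
    /Applications/iTunes.app \
    /System/Library/PrivateFrameworks/iTunesAccess.framework \
    /System/Library/PrivateFrameworks/MobileDevice.framework \
    /System/Library/PrivateFrameworks/DeviceLink.framework \
    /System/Library/PrivateFrameworks/CoreFP.framework \
    /System/Library/Extensions/AppleMobileDevice.kext \
    "$HOME/Music/iTunes"
}

archive_root() {
  printf '%s\n' "${ARCHIVE_ROOT:-$PREFIX/Library/iTunesVersions}"
}

# archive_version VERSION: move the freshly installed files into the archive.
# Refuses to archive a path that is already a symlink, which would otherwise
# silently archive the link instead of the files.
archive_version() {
  ver="$1"
  while IFS= read -r p; do
    live="$PREFIX$p"
    dest="$(archive_root)/$ver$p"
    if [ -L "$live" ]; then
      echo "archive_version: $live is already a symlink" >&2; return 1
    fi
    if [ ! -e "$live" ]; then
      echo "archive_version: $live does not exist" >&2; return 1
    fi
    mkdir -p "$(dirname "$dest")" && mv "$live" "$dest" || return 1
  done <<EOF
$(itunes_paths)
EOF
}

# select_version VERSION: point every live path at the archived copy.
# Only an existing symlink is replaced; a real directory is never deleted.
select_version() {
  ver="$1"
  while IFS= read -r p; do
    live="$PREFIX$p"
    src="$(archive_root)/$ver$p"
    if [ ! -e "$src" ]; then
      echo "select_version: no archived copy at $src" >&2; return 1
    fi
    if [ -e "$live" ] && [ ! -L "$live" ]; then
      echo "select_version: refusing to replace non-symlink $live" >&2; return 1
    fi
    rm -f "$live"
    mkdir -p "$(dirname "$live")" && ln -s "$src" "$live" || return 1
  done <<EOF
$(itunes_paths)
EOF
}

# current_version: derive the selected version from the iTunes.app symlink.
current_version() {
  target=$(readlink "$PREFIX/Applications/iTunes.app") || return 1
  rel="${target#"$(archive_root)/"}"
  printf '%s\n' "${rel%%/*}"
}

if [ "$#" -gt 0 ]; then
  case "$1" in
    archive) archive_version "${2:?version required}" ;;
    select)  select_version "${2:?version required}" \
               && echo "switched to iTunes $2; reboot so the matching kext loads" ;;
    current) current_version ;;
    *) echo "usage: $0 {archive|select} VERSION | current" >&2; exit 2 ;;
  esac
fi
```

Usage on a real Mac follows the post's order: install iTunes 9, `sudo ./itunes-switch.sh archive 9`, install iTunes 8.1.1, `sudo ./itunes-switch.sh archive 8.1.1`, then `sudo ./itunes-switch.sh select 9` (or `8.1.1`) and reboot. The refusal checks matter because a stray `rm -rf` on a path that is still a real directory rather than a symlink would destroy the only copy of that version.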

iPhone Forensic Method FAQ

Thursday, September 17th, 2009

A few have written in with questions about the latest version of the “Zdziarski” method of iPhone forensic recovery, which is used in the automated tools available free to law enforcement agencies worldwide. This is a quick rundown of the most frequently asked questions.

Q. Does this method “jailbreak” the device?
No. In fact, the latest method has an extremely lightweight footprint and the device will boot back into its normal operating mode once the imaging process is complete. The latest methods do not rewrite the operating system, do not patch the NOR, do not patch the kernel, do not grant the examiner access to the device, and do not require a system restore. All of the available automated forensic tools on this site have been updated to use these new methods. The new technique does not even use the 24KPWN exploit, widely touted by the hacking community.

(more…)

Bypassing iPhone 3G[s] Encryption

Friday, July 24th, 2009

Bypassing Passcode and Backup Encryption:
    http://www.youtube.com/watch?v=5wS3AMbXRLs

Forensic Recovery of Raw Disk:
    http://www.youtube.com/watch?v=kHdNoKIZUCw

What Data Can You Steal From an iPhone in 2 Minutes?
    http://www.youtube.com/watch?v=34f47m-lYSg

These YouTube videos demonstrate just how easy it is to bypass the passcode and backup encryption on an iPhone 3G[s] within only a couple of minutes. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]’s vulnerabilities may make enterprises and government agencies think twice before allowing these devices to hold confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them.

The 3G[s] has penetrated the government/military markets as well as top Fortune 100 companies, possibly under the misleading marketing term “hardware encryption”, which many have taken at face value. Serious vulnerabilities such as these threaten to put our country’s national security at risk. Apple’s only fix thus far has been to put a few more nails in the front door; the major underlying design issues that allow for this threat remain unaddressed. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs.

iPhone Forensics Research for Law Enforcement

Tuesday, July 21st, 2009

Law enforcement agencies have the toughest challenge in mobile forensics: not only do they have to get data off the phone of a pedophile, rapist, or murderer, but they have to do it in a forensically sound manner that can be reproduced and explained in a court of law. I have created a new site, iphoneinsecurity.com, to make all of my latest research and automated tools for iPhone forensics available to law enforcement agencies. I require that those with access be full-time, sworn officers with agencies having arrest and search-and-seizure powers. A contact address also exists to request access. In addition to the restricted content, many public articles and announcements are also posted by law enforcement officers and other experts in the field, so head on over and check it out.

Seven Deadly iPhone Sins: What Every Enterprise Should Know

Tuesday, July 14th, 2009

With buzzwords like, “hardware encryption” and “remote wipe”, many enterprises have been misled into believing that the iPhone 3G[s] is secure enough to store confidential correspondence or other information. Apple is no doubt pushing the enterprise market, but is the iPhone truly secure enough?

This subject truly warrants a complete white paper, but in the meantime take the following points into consideration. They apply not only to the iPhone 3G[s] but to earlier-generation devices as well. Here are the top seven things every enterprise should know about the iPhone:

(more…)

Good White Paper on iPhone Forensic Methods

Sunday, July 5th, 2009

Andrew Hoog, Chief Investigative Officer at Via Forensics, put together a good summation of the available forensics techniques for recovering data from the iPhone. This paper is a few months old, so it doesn’t cover my latest USB method (which is much faster and easier), but he does cite my original method from the book, along with some other useful methods. Depending on what kind of information you want to get, there are different techniques you can use. Andrew has informed me this paper will be updated shortly so keep an eye out for a new edition.

iErase: Zero Free Space

Monday, March 23rd, 2009

After three long months of waiting, iErase: Zero Free Space is finally available in the App Store. Buy it now in the iTunes App Store.

The first and only app for the 99.9% of us law abiding citizens who deserve better privacy.

Want to make sure a deleted confidential email or embarrassing photo is purged forever from your iPhone, but don’t want to go through the inconvenience of wiping the entire device? Simply deleting a file doesn’t guarantee it’s gone for good. Protect your deleted data from being recovered by hacking tools and prying eyes, or in the event your iPhone is stolen.

iErase is a simple utility for zeroing out the free space on your iPhone without performing a full reset of your content and settings. The tool does not delete any live files, but uses the same method that Mac OS X uses to zero free space: it creates a large temporary file, which writes zeroes over the free space where deleted files can still reside. On the iPhone, this occurs within the application’s sandbox, but because all applications share the same free space, the entire iPhone user partition is cleansed, forever purging deleted photos, email, voicemail, and other deleted files – without having to reset all your content and settings.

Plugging the iPhone Screenshot Leak

Saturday, September 20th, 2008

I recently did a forensics webinar about cracking the iPhone’s passcode, in which I demonstrated some of the techniques from my latest book. I cited the fact that the iPhone takes screen grabs every time you push the home button, so that the 3D “zoom” effect can be processed when the application zooms in and out, when suspending and resuming applications. Many people asked me if there was a way to disable this writing to disk, so that screenshots couldn’t be recovered forensically. I did some further digging and found that the screenshots themselves actually get written to /var/mobile/Library/Caches/Snapshots. If you delete this folder and symlink it to /dev/null, the screenshots don’t get written to disk. The side effect to this is that when resuming an application, you’ll get the default screen in the zoom-in effect. Once the application resumes, however, you’ll have your application screen back. For example, your mail application will always zoom to the front as if you had an empty inbox, but will quickly correct itself once the application resumes. On a jailbroken iPhone, you can disable these screenshots with the following commands:

(more…)

File Vault’s Dirty Little Secrets

Tuesday, January 1st, 2008

File Vault is the encryption mechanism used to protect user accounts on Apple’s Mac OS X file system. While disabled by default, many people rely on File Vault to protect their personal data. Many criminals, no doubt, also use File Vault to encrypt content that would otherwise be incriminating. The security offered by an encrypted volume comes at a price: Apple’s closed-source approach has left a significant amount of ambiguity about how the system actually works, and many erroneous assumptions have left holes for data to be recoverable. Among these misconceptions are the idea that raw data inside a vault cannot be accessed, and the erroneous belief that mechanisms such as Apple’s free-space wipe will remove deleted data. This brief how-to shows you how to obtain a raw disk image from a File Vault, and illustrates that deleted data can be recovered. It also shows that mechanisms like Disk Utility’s “Erase Free Space” option don’t affect the deleted contents inside a vault.

(more…)