Plugging the iPhone Screenshot Leak

I recently did a forensics webinar about cracking the iPhone’s passcode, in which I demonstrated some of the techniques from my latest book. I cited the fact that the iPhone takes a screen grab every time you push the home button, so that the 3D “zoom” effect can be rendered as applications are suspended and resumed. Many people asked me if there was a way to disable this writing to disk, so that screenshots couldn’t be recovered forensically. I did some further digging and found that the screenshots themselves actually get written to /var/mobile/Library/Caches/Snapshots. If you delete this folder and symlink it to /dev/null, the screenshots don’t get written to disk. The side effect of this is that when resuming an application, you’ll get the default screen in the zoom-in effect. Once the application resumes, however, you’ll have your application screen back. For example, your mail application will always zoom to the front as if you had an empty inbox, but will quickly correct itself once the application resumes. On a jailbroken iPhone, you can disable these screenshots with the following commands:

# rm -rf /var/mobile/Library/Caches/Snapshots
# ln -s /dev/null /var/mobile/Library/Caches/Snapshots

To return to the default behavior, just delete the symlink and the directory will get recreated. Mind you, this has no effect on the many other pieces of data stored on the iPhone, and therefore your iPhone will always be at risk for leaking private data, especially to seasoned forensic examiners. To find out what else your iPhone leaks, you’ll have to buy the book :)
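The two commands above and the restore step can be wrapped so that they are idempotent and refuse to act on anything unexpected at the cache path. The following POSIX shell script is an added example, not code from the original post; the function names (snapshot_state, disable_snapshots, restore_snapshots) and the SNAP_DIR override are my own, the path itself is the one named in the post, and it assumes a jailbroken device with a root shell (or any POSIX system, for trying the functions on a scratch directory).

```shell
#!/bin/sh
# Added example (not from the original post): toggle the iPhone snapshot
# cache between a real directory and a /dev/null symlink, with a state check.
# SNAP_DIR defaults to the path the post identifies; override it (assumed
# knob, not an iOS setting) to exercise the functions on a scratch directory.
SNAP_DIR="${SNAP_DIR:-/var/mobile/Library/Caches/Snapshots}"

# Report the state of the cache path:
#   disabled - symlink pointing at /dev/null (screenshots are discarded)
#   enabled  - a real directory (screenshots are written to disk)
#   missing  - nothing there (iOS recreates the directory on next use)
#   other    - some other object; the functions below refuse to touch it
snapshot_state() {
    dir="${1:-$SNAP_DIR}"
    if [ -L "$dir" ]; then
        if [ "$(readlink "$dir")" = "/dev/null" ]; then
            echo disabled
        else
            echo other
        fi
    elif [ -d "$dir" ]; then
        echo enabled
    elif [ -e "$dir" ]; then
        echo other
    else
        echo missing
    fi
}

# Replace the cache directory with a symlink to /dev/null (safe to re-run).
# Note: rm unlinks the existing snapshot files but does not overwrite them.
disable_snapshots() {
    dir="${1:-$SNAP_DIR}"
    case "$(snapshot_state "$dir")" in
        disabled)        return 0 ;;
        enabled|missing) rm -rf "$dir" && ln -s /dev/null "$dir" ;;
        *) echo "refusing to touch unexpected object at $dir" >&2; return 1 ;;
    esac
}

# Remove the symlink; the directory is recreated by iOS on next use, so the
# state becomes "missing" rather than "enabled" until that happens.
restore_snapshots() {
    dir="${1:-$SNAP_DIR}"
    case "$(snapshot_state "$dir")" in
        disabled)        rm -f "$dir" ;;
        enabled|missing) return 0 ;;
        *) echo "refusing to touch unexpected object at $dir" >&2; return 1 ;;
    esac
}
```

Run `disable_snapshots` as root on the device to apply the post's change and `snapshot_state` afterwards to confirm it reads "disabled". The state check matters on restore as well: `rm -f` on the symlink removes only the link, never /dev/null, and the script bails out if something other than the expected directory or symlink is sitting at the path. Keep in mind that deleting the directory unlinks previously written snapshots without wiping their contents, so older screenshots may still be recoverable from storage even after the change is applied.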
