iPhone Forensic Method FAQ

A few have written in with questions about the latest version of the “Zdziarski” method of iPhone forensic recovery, which is used in the automated tools available free to law enforcement agencies worldwide. This is a quick rundown of the most frequently asked questions.

Q. Does this method “jailbreak” the device?
No. In fact, the latest method has an extremely lightweight footprint and the device will boot back into its normal operating mode once the imaging process is complete. The latest methods do not rewrite the operating system, do not patch the NOR, do not patch the kernel, do not grant the examiner access to the device, and do not require a system restore. All of the available automated forensic tools on this site have been updated to use these new methods. The new technique does not even use the 24KPWN exploit, widely touted by the hacking community.

Q. How can you image the device without jailbreaking?
The system components needed to image a device are loaded into the iPhone’s RAM rather than written to disk. This allows the kernel and other components to be booted from memory. The imaging software is contained on a RAM disk, which is also booted from memory. Think of it as booting a Helix CD-ROM or a USB key chain. A small recovery agent is instituted in the protected operating area of the device. Once the imaging process is complete, the phone will reboot back into the same kernel it had when you seized it.

Q. Do you have to bypass the passcode to image the device?
No. The passcode and any other front-door security is all user-interface based, and the imaging software runs at a much lower level, transparent to the user interface. You’ll be able to get a raw disk image from a device that is passcode protected, has backup encryption enabled, or even has been disabled by too many passcode attempts. With that said, these tools do offer the option to bypass these functions in the event that your case requires access to the device’s user interface. For example, an active kidnapping case might call for intercepting phone calls or downloading email from the suspect’s active accounts, putting the saving of human life ahead of preserving the evidence. You may also want to defeat the passcode and backup encryption in order to make commercial triage tools, such as Cellebrite, compatible.

Q. Does your tool write to any user data on the device?
No. The user data partition is treated as sacred and no writes are made to user data whatsoever. All of the source code for these tools is also available for peer review by the law enforcement agencies using them, so you can verify this in the code itself. Don’t trust closed source commercial tools; see it for yourself.

Q. How long does it take to image a device?
About 15-30 minutes is all it takes, regardless of whether you’re imaging a 4GB iPhone or a 32GB iPhone 3G[s]. The method makes use of high speed USB protocols, allowing device imaging to be conducted in record time, as opposed to other commercial tools which use the slower USB serial protocol, and can take 4-6 hours, or more. Some cases just can’t wait that long, and most departments are now suffering through a backlog of iPhones. Ten iPhones would take a commercial tool 40-60 hours of time! The automated tools found on this site can do all ten in 2-5 hours, or concurrently in 15-30 minutes.

Q. What devices and firmware versions are supported?
As of 9-16-2009, all three devices (iPhone, iPhone 3G, and iPhone 3G[s]) running all firmware versions from 1.0 – 3.1.2 are supported.

Q. Is the hardware encryption on the 3G[s] a problem?
No. This method invokes the device’s hardware encryption chip to automatically decrypt the disk image prior to transferring it to the desktop. While the data is stored encrypted on the iPhone, you get the decrypted image on your desktop machine.

Q. What format is the disk image in?
The disk image is a standard HFS volume, and can either be mounted directly in Mac OS X as a .dmg file, or can be loaded into Encase, FTK, X-Ways, or a number of other tools capable of reading HFS images.
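Before loading an image into a viewer, an examiner usually checks that it really is an HFS volume and that it arrived whole. The following Python is an added example, not code from the tools described here: it parses the leading fields of the HFS+/HFSX volume header from a raw image and hashes the image for the evidence record, using a constructed sample image in place of a real acquisition.

```python
import hashlib
import struct

# The HFS+/HFSX volume header sits 1024 bytes into the volume, after two reserved sectors.
VOLUME_HEADER_OFFSET = 1024
# Leading fields of HFSPlusVolumeHeader, all big-endian: signature, version, attributes,
# lastMountedVersion, journalInfoBlock, createDate, modifyDate, backupDate, checkedDate,
# fileCount, folderCount, blockSize, totalBlocks, freeBlocks
VOLUME_HEADER_FMT = ">2sH12I"
VOLUME_HEADER_LEN = struct.calcsize(VOLUME_HEADER_FMT)  # 52 bytes
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX (case-sensitive HFS+)", b"BD": "HFS (legacy)"}


def parse_volume_header(image: bytes) -> dict:
    """Return key volume-header fields of a raw HFS+/HFSX image, or raise ValueError."""
    end = VOLUME_HEADER_OFFSET + VOLUME_HEADER_LEN
    if len(image) < end:
        raise ValueError("image too small to hold a volume header")
    f = struct.unpack(VOLUME_HEADER_FMT, image[VOLUME_HEADER_OFFSET:end])
    if f[0] not in SIGNATURES:
        raise ValueError(f"no HFS signature at offset {VOLUME_HEADER_OFFSET}: {f[0]!r}")
    if f[0] == b"BD":
        # Legacy HFS uses a different master directory block layout; not parsed here.
        return {"filesystem": SIGNATURES[f[0]]}
    header = {"filesystem": SIGNATURES[f[0]], "version": f[1], "file_count": f[9],
              "folder_count": f[10], "block_size": f[11], "total_blocks": f[12],
              "free_blocks": f[13]}
    # The geometry the header claims must fit in the bytes received; if not, the
    # image was truncated somewhere between the device and the desktop.
    header["size_bytes"] = header["block_size"] * header["total_blocks"]
    header["complete"] = header["size_bytes"] <= len(image)
    return header


def image_sha256(image: bytes) -> str:
    """Hash the image at acquisition time so every later copy can be verified against it."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image(block_size: int = 4096, total_blocks: int = 16) -> bytes:
    """Constructed stand-in for a raw HFSX image: a plausible header over zero-filled blocks."""
    header = struct.pack(VOLUME_HEADER_FMT, b"HX", 5, 0, 0, 0, 0, 0, 0, 0,
                         120, 30, block_size, total_blocks, 10)
    image = bytearray(block_size * total_blocks)
    image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + VOLUME_HEADER_LEN] = header
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image()
    print(parse_volume_header(sample))
    print(image_sha256(sample))
```

For a real acquisition, read the .dmg as bytes and pass it to the same two functions; the code assumes a raw image rather than a compressed or wrapped .dmg.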

Q. Why is this stuff free? Shouldn’t you be making millions off us?
I make a good living already. Someone needs to be supporting the good guys who are protecting our country, and since Apple won’t do it, I’m doing what I can to make sure LE and the military have the tools they need to keep us safe. If you really want to support my efforts, you’re invited to host an Advanced iPhone Forensics workshop on your campus. Contact me if you have at least 10 seats and would like to put a workshop together in the US or Canada.

Q. Well I read that this other dude says your methods are jailbreaking
Not everyone who purports to be an expert in the world of digital forensics knows entirely what they’re talking about, especially when it comes to the iPhone. Anyone who believes these methods constitute jailbreaking is quite frankly ignorant of the technical details. No jailbreaking is performed here, and anyone who does understand the technical details behind it can attest to that. This is another good example of why an open source solution is so important – so you can see exactly what’s happening and judge for yourself.