Recover data from an iPhone

From CGSecurity
Jump to navigation Jump to search

En.png English It.png Italiano


If you have lost your data (pictures, contacts...) from your Iphone, it's still possible to recover them.

You need

  • a Jailbroken iPhone. Warning: Jailbreaking, according to Apple, voids Apple's warranty on the device.
  • BSD Subsystem and OpenSSH installed on your iPhone
  • Terminal (or MobileTerminal) installed on your iPhone
  • An SSH server installed on your computer (Standard on Linux and MacOS X)
  • The 'DD' utility installed on your computer (Pre-installed on most Linux systems)
  • PhotoRec installed on your computer
  • a wifi connection

Steps:

  • Turn off autolock on your iPhone: Settings > General > Auto-Lock > and select "Never".
  • Connect the iPhone to its charger
  • Start the Terminal on your iPhone
  • Use "su" to become root
  • Run dd if=/dev/rdisk0 bs=4096 | ssh -C username@computer_IP 'dd of=iphone.img'
    • Replace username by the user account on your computer and computer_IP by the IP address of your computer.
    • This command is case sensitive, don't get it wrong.
    • Don't confuse dd if= with dd of=, otherwise you may overwrite your iPhone memory.
    • It can take a few hours, so be patient. There will be no progress bar.
      • If you want an indication of progress (dd statistics), put the job in background (Ctrl-Z, bg). Then send the USR1 signal to the dd process (kill -USR1 `pgrep dd), and it will print to stderr. For awesome points, wrap that call in a watch loop. If you're really good, you can make your own progress bar, since the numbers are all there.
  • Once the copy is finished, on your computer, run photorec iphone.img.

Example: 

cd testdisk-6.12
./photorec ~/iphone.img

Note that data is encrypted by default on iPhone 4, so you need to decrypt the data first: https://code.google.com/archive/p/iphone-dataprotection/

Fixing the partition table from image extracted using UFED

Image extracted using Cellebrite 'Universal Forensic Extraction Device' (UFED) may not contain a valid partition table, so the image isn't usable with other Forensics tools. To fix the partition table,

  • run testdisk with the image name in parameter:
testdisk "Bram_Image (iPhone4GSM_5.0-5.0.1_Physical_Physical_02-12-11_12-10-17.img)"
  • Select EFI GPT for the partition table type
  • After Analyse and Quick Search, several HFS/HFSX partitions should be listed
  • Select the first partition (it begins at sector 64), press 't' to change its type to EFI System
  • On next screen, choose Write, confirm, Quit

Now the disk image can be used with almost all forensics tools.

Data recovery from an iPod

You need to put your iPod in Disk Mode before using PhotoRec.

Retrieved from "https://www.cgsecurity.org/mw/index.php?title=Recover_data_from_an_iPhone&oldid=8985"