Recover data from an iPhone

From CGSecurity


If you have lost your data (pictures, contacts...) from your iPhone, it's still possible to recover it.

You need

  • a Jailbroken iPhone. Warning: Jailbreaking, according to Apple, voids Apple's warranty on the device.
  • BSD Subsystem and OpenSSH installed on your iPhone
  • Terminal (or MobileTerminal) installed on your iPhone
  • An SSH server installed on your computer (standard on Linux and Mac OS X)
  • The 'dd' utility installed on your computer (pre-installed on most Linux systems)
  • PhotoRec installed on your computer
  • a Wi-Fi connection

Steps:

  • Turn off autolock on your iPhone: Settings > General > Auto-Lock > and select "Never".
  • Connect the iPhone to its charger
  • Start the Terminal on your iPhone
  • Use "su" to become root
  • Run dd if=/dev/rdisk0 bs=4096 | ssh -C username@computer_IP 'dd of=iphone.img'
    • Replace username with the user account on your computer and computer_IP with the IP address of your computer.
    • This command is case sensitive; type it exactly as shown.
    • Don't confuse dd if= with dd of=, otherwise you may overwrite your iPhone memory.
    • It can take a few hours, so be patient. There will be no progress bar.
  • Once the copy is finished, on your computer, run photorec iphone.img.

Example:

cd testdisk-6.12
./photorec ~/iphone.img

Note that data is encrypted by default on iPhone 4, so you need to decrypt the data first: http://code.google.com/p/iphone-dataprotection/

Fixing the partition table from image extracted using UFED

An image extracted using the Cellebrite 'Universal Forensic Extraction Device' (UFED) may not contain a valid partition table, so the image isn't usable with other forensics tools. To fix the partition table:

  • Run testdisk with the image name as parameter:
testdisk "Bram_Image (iPhone4GSM_5.0-5.0.1_Physical_Physical_02-12-11_12-10-17.img)"
  • Select EFI GPT for the partition table type
  • After Analyse and Quick Search, several HFS/HFSX partitions should be listed
  • Select the first partition (it begins at sector 64), press 't' to change its type to EFI System
  • On the next screen, choose Write, confirm, Quit

Now the disk image can be used with almost all forensics tools.
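
A read-only check that an image carries a valid primary GPT (signature plus both CRC32 values), usable before and after the TestDisk fix described above. This is an added example, not part of the original page or of TestDisk; the probed sector sizes and the constructed sample image are assumptions.

```python
import struct
import uuid
import zlib

SECTOR_SIZES = (512, 4096, 8192)  # assumption: logical block sizes worth probing
EFI_SYSTEM = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")

def read_gpt(f):
    """Return (sector_size, [(type_guid, first_lba, last_lba)]) or None."""
    for ss in SECTOR_SIZES:
        f.seek(ss)                       # primary GPT header sits at LBA 1
        sector = f.read(ss)
        if len(sector) < 92 or sector[:8] != b"EFI PART":
            continue
        hsize, hcrc = struct.unpack_from("<II", sector, 12)
        hdr = sector[:hsize]
        # The header CRC32 is computed with its own field (bytes 16-19) zeroed.
        if hsize < 92 or zlib.crc32(hdr[:16] + bytes(4) + hdr[20:]) != hcrc:
            continue
        ent_lba, n_ent, ent_size, arr_crc = struct.unpack_from("<QIII", hdr, 72)
        if ent_size < 128 or n_ent > 1024:   # refuse absurd sizes from damaged headers
            continue
        f.seek(ent_lba * ss)
        arr = f.read(n_ent * ent_size)
        if zlib.crc32(arr) != arr_crc:
            continue
        parts = []
        for i in range(0, len(arr), ent_size):
            if arr[i:i + 16] != bytes(16):   # all-zero type GUID = unused slot
                first, last = struct.unpack_from("<QQ", arr, i + 32)
                parts.append((uuid.UUID(bytes_le=arr[i:i + 16]), first, last))
        return ss, parts
    return None

def build_sample(ss=8192, first_lba=64):
    """Constructed sample image: one EFI System partition at first_lba."""
    entry = EFI_SYSTEM.bytes_le + uuid.UUID(int=1).bytes_le
    entry += struct.pack("<QQQ", first_lba, first_lba + 7, 0) + bytes(72)
    arr = entry + bytes(128 * 3)
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0,
                      1, 0, 0, 0, bytes(16), 2, 4, 128, zlib.crc32(arr))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    img = bytearray(ss * 4)
    img[ss:ss + 92] = hdr
    img[2 * ss:2 * ss + len(arr)] = arr
    return bytes(img)
```

On a real image, open it in binary read mode and pass the file object to read_gpt; a result of None means no valid primary GPT was found at any probed sector size.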
