Recover data from an iPhone
Jump to navigation
Jump to search
If you have lost your data (pictures, contacts...) from your Iphone, it's still possible to recover them.
You need
- a Jailbroken iPhone. Warning: Jailbreaking, according to Apple, voids Apple's warranty on the device.
- BSD Subsystem and OpenSSH installed on your iPhone
- Terminal (or MobileTerminal) installed on your iPhone
- An SSH server installed on your computer (Standard on Linux and MacOS X)
- The 'DD' utility installed on your computer (Pre-installed on most Linux systems)
- PhotoRec installed on your computer
- a wifi connection
Steps:
- Turn off autolock on your iPhone: Settings > General > Auto-Lock > and select "Never".
- Connect the iPhone to its charger
- Start the Terminal on your iPhone
- Use "su" to become root
- Run
dd if=/dev/rdisk0 bs=4096 | ssh -C username@computer_IP 'dd of=iphone.img'
- Replace
username
by the user account on your computer andcomputer_IP
by the IP address of your computer. - This command is case sensitive, don't get it wrong.
- Don't confuse
dd if=
withdd of=
, otherwise you may overwrite your iPhone memory. - It can take a few hours, so be patient. There will be no progress bar.
- If you want an indication of progress (dd statistics), put the job in background (Ctrl-Z, bg). Then send the USR1 signal to the dd process (kill -USR1 `pgrep dd), and it will print to stderr. For awesome points, wrap that call in a watch loop. If you're really good, you can make your own progress bar, since the numbers are all there.
- Replace
- Once the copy is finished, on your computer, run
photorec iphone.img
.
Example:
cd testdisk-6.12 ./photorec ~/iphone.img
- Follow PhotoRec Step By Step guide if needed
Note that data is encrypted by default on iPhone 4, so you need to decrypt the data first: https://code.google.com/archive/p/iphone-dataprotection/
Fixing the partition table from image extracted using UFED
Image extracted using Cellebrite 'Universal Forensic Extraction Device' (UFED) may not contain a valid partition table, so the image isn't usable with other Forensics tools. To fix the partition table,
- run testdisk with the image name in parameter:
testdisk "Bram_Image (iPhone4GSM_5.0-5.0.1_Physical_Physical_02-12-11_12-10-17.img)"
- Select EFI GPT for the partition table type
- After Analyse and Quick Search, several HFS/HFSX partitions should be listed
- Select the first partition (it begins at sector 64), press 't' to change its type to
EFI System
- On next screen, choose Write, confirm, Quit
Now the disk image can be used with almost all forensics tools.
Data recovery from an iPod
You need to put your iPod in Disk Mode before using PhotoRec.