Lets see what we can all do together!
Andrew Hoog, Chief Investigative Officer at Via Forensics, has put together an iPhone Forensics Whitepaper summarizing the available forensic techniques for recovering data from the iPhone. Depending on what kind of information you want to get, there are a number of different techniques you can use.
Download the iPhone Forensics Whitepaper here:http://www.megaupload.com/?d=3GB0AILF
July 24, 2009: The Simplicity Of Bypassing iPhone 3G[s] Passcode and Encryption
Bypassing Passcode and Backup Encryption:
The 3G[s] has penetrated the government/military markets as well as top fortune-100s, possibly under the misleading marketing term "hardware encryption", which many have taken at face value. Serious vulnerabilities such as these threaten to put our country's national security at risk. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs..
Many of you use such iPhone function, as “Protection by password”.
But very few people knows, that this protection is easy enough to bypass.
Famous Jonathan Zdziarski, has published today a way how to bypass this protection:
1. Prepare custom Apple iPhone RAM disk. Internet has tons of FAQs how to make it (for example with help of iLiberty+). Mount your RAM disk /dev/rdisk0s2 and delete file /mnt/mobile/Library/Preferences/com.apple.springboard.plist. This is a config which tells Springboard “passcode: on”.
2. Using any utility get your iPhone into “Recovery Mode” and after that upload RAM disk using something like this:
(iPHUC Recovery) #: filecopytophone Bypass_Passcode.bin
(iPHUC Recovery) #: cmd setenvboot-argsrd=md0-x-spmd0=0×9340000.0xA00000
(iPHUC Recovery) #: cmd saveenv
(iPHUC Recovery) #: cmd bootx
3. Then reboot your iPhone and that’s it: protection by the password are not present anymore.
Advanced iPhone Forensics L-1
Recovering Evidence, Personal Data, and Corporate Assets
The iPhone has become America's #1 mobile device, and is increasingly being used in business, personal activities, and also crime. The iPhone stores an enormous amount of information useful to corporate security professionals and law enforcement agents. Enterprises must adequately manage sensitive data which may put their company at risk. Law enforcement agencies and freelance forensic examiners must process the iPhone for evidence linking its owner to crimes.
Host a course for your department and provide these crucial skills to your personnel. Jonathan Zdziarski, original iPhone hacker and author of many iPhone books including iPhone Forensics and iPhone SDK Application Development, will lead your organization's security professionals through the delicate process of recovering and processing evidence stored on the iPhone. This full two-day course will guide you, hands on, through forensic recovery and electronic discovery of an iPhone, iPhone 3G, and iPhone 3G[s] and cover iPhone firmware up to and including the new v3.1. Attendees will receive a 170pp white paper containing Zdziarski's latest methods, the tools they can use in the field, and a certificate of completion to certify their skillset. All of the tools and demo content used in the classroom will also be provided so attendees can learn and follow hands-on. Have Jonathan train your personnel hands-on to learn:
What kind of evidence is stored on an iPhone, and what can be recovered through desktop trace
Raw disk recovery of a v1.x, v2.x, and v3.x iPhone user disk partition, preserving and recovering the entire raw user disk. Recovery over USB cable or Wi-Fi.
Making commercial tools, such as Encase, recognize an iPhone disk image
Bypassing passcode protection and device encryption to gain access to the device's user interface for compatibility with third-party triage tools, or for time-sensitive cases where preservation of life is priority.
Interrupting the iPhone 3G's "secure wipe" process
Recovering deleted voicemail, images, email, and other personal data using data carving techniques
Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
Electronic discovery of Google map lookups, WiFi connect records, keyboard typing cache, and other sensitive data stored on the live file system
Extracting contact information and other data from the iPhone's database
Collecting desktop trace and establishing trusted relationships to owners' desktops
Different recovery strategies based on case needs
Using the tools and know-how provided in this course, you'll work hands-on to recover stored and deleted information from the iPhone including:
Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication.
Screenshots preserved from the last state of an application, taken whenever the home button is pressed, or when 3D zoom effects are used.
Deleted images from the suspect's photo library, camera roll, and browsing cache.
Deleted address book entries, contacts, calendar events, and other personal data.
Exhaustive call history, beyond that displayed.
Reconstructing record fragments from corrupt databases
Map tile images from the iPhone's Google Maps application, lookups and longitude/latitude coordinates of previous map searches, and coordinates of the last GPS fix.
Browser cache and deleted browser objects, which identify the web sites a user has visited.
Cached and deleted email messages, SMS messages, and other communication with corresponding time stamps.
Deleted voicemail recordings stored on the device.
Pairing records establishing trusted relationships between the device and one or more desktop computers.
Let's Bypass the iPhone Passcode without Restoring
Ok, So I have stumbled on a few 3GS's in the past months since the release that are stuck on disabled screens. All options have been exhausted except for a full restore, which inadvertently would put the 3GS on 3.1 making it a locked phone, no good! There has been talk by Nervegas (Jonathan Zdziarski) that he has developed something for use by police to bypass the passcode on the 3GS and other models by simply uploading a custom hybrid of purplera1n and redsn0w. However, he will not release it to the pubic. I am sure with the heads we have out here at MMi we too could develop such a tool which in turn would benefit a lot of us. Below is the information I have gathered so far including the videos he has posted as well.
These YouTube videos, courtesy of security researcher Jonathan Zdziarski, demonsrate just how easy it is to bypass the passcode and backup encryption in an iPhone 3G[s] within only a couple of minutes' time. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]' vulnerabilities may make enterprises and government agencies think twice before allowing these devices to contain confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them. Jonathan adds:
Here is the information from the class he offers teaching his method: