iPhone Forensics -- The Unanswered Questions

By Kathryn Barrett
June 17, 2009

Last week, Jonathan Zdziarski, the author of iPhone Forensics and other books, took part in a webcast in which he shared his latest technique to recover the live user disk from an iPhone over USB, without the need to bypass the iPhone passcode security or re-enable a disabled phone.

At the end of the hour there were still a few questions unanswered, which Jonathan was kind enough to answer for us. Here they are, in the order in which they were received.

Attendee question: How do you find the firmware version of an iPhone which is security locked?

Jonathan Z: If it's passcode locked, you can put the phone into recovery mode by holding down home+power. If it's version 2.x, the recovery screen will have the text "iTunes" and display the USB end of the cable. Version 1.1 displays no text, and shows the phone end of the cable. Version 1.0 displays only the triangle. Once you know the major version of firmware you can either remove the passcode to get the full version, or just use the latest major version in your kit. For 2.x, I usually use 2.2.1.

I believe there is also a way to determine this using various USB tools.

Attendee question: Won't your "system partition repair" method wipe out any data from a user's iPhone that was previously jailbroken (and customized)?

Jonathan Z: The repair method only writes to the system partition and not the user data partition, so the user data will remain intact. It's also safer to disconnect any jailbreak tools than to let them continue to run - if the device is jailbroken, it may have apt or other tools running that will write to the user data partition on their own... repairing the system partition will cut these tools off. If you're certain a phone is jailbroken and don't want to run the repair stage, you can skip it and just run stage 2... just bear in mind that anything the user set up on the phone is still going to run and write to the file system.

Attendee question, after performing the Stage 2 prep: Do you need to do this prep work for every phone, or just once for all 3Gs?

Jonathan Z: Once you prepare the two bundles (prep/exec), you can re-use them for all 3Gs running the same firmware version. You can use 2.2.1 on older versions, but most examiners create a series of bundles matching the exact firmware version.

Attendee question: I generally use an island system that I rebuild for each exam. Is there a reason you aren't running as root?

Jonathan Z: I performed the prep / exec bundles as root, but you don't need to be root to run the recovery. I usually recommend creating (at least) a separate, FileVault-encrypted user account for each recovery.

Attendee question, after Jonathan shows the files and screenshots the iPhone system saves: Is there any EXIF metadata incorporated into the deleted screenshots?

Jonathan Z: Yes. All of the EXIF data is preserved, and if the images were geotagged, they will also contain the GPS coordinates at which they were taken.
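As an added illustration (not code from the webcast or the book) of the check an examiner runs on a recovered image, the following walks the GPS IFD of an EXIF blob and converts the degree/minute/second rationals to signed decimal degrees. The sample blob is constructed inline with standard-library code only, so it runs offline; real screenshots would be fed in as the APP1/TIFF payload instead.

```python
import struct

# Tag numbers from the TIFF/EXIF specification; field types: 2 = ASCII, 4 = LONG, 5 = RATIONAL.
GPS_IFD_POINTER = 0x8825
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian TIFF/EXIF blob whose only payload is a GPS IFD.
    This is constructed test input, not data pulled from a device."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    rational = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4        # IFD0 holds a single entry: the GPS IFD pointer
    rat_off = gps_off + 2 + 4 * 12 + 4     # the RATIONAL triplets follow the GPS IFD
    ifd0 = (struct.pack("<H", 1)
            + ent(GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_off)) + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + ent(LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")   # 2-byte ASCII fits in the value field
           + ent(LAT, 5, 3, struct.pack("<I", rat_off))
           + ent(LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
           + ent(LON, 5, 3, struct.pack("<I", rat_off + 24)) + struct.pack("<I", 0))
    return b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + gps + rational(lat_dms) + rational(lon_dms)

def read_gps(exif):
    """Walk IFD0 -> GPS IFD of a TIFF/EXIF blob (either byte order) and return
    (latitude, longitude) in signed decimal degrees, or None if the image is not geotagged."""
    bo = {b"II": "<", b"MM": ">"}.get(exif[:2])
    if bo is None or exif[2:4] != struct.pack(bo + "H", 42):
        return None                                  # not a TIFF/EXIF header at all
    u16 = lambda o: struct.unpack_from(bo + "H", exif, o)[0]
    u32 = lambda o: struct.unpack_from(bo + "I", exif, o)[0]
    def ifd(off):                                    # tag -> (type, count, offset of the value field)
        return {u16(off + 2 + 12 * i): (u16(off + 4 + 12 * i), u32(off + 6 + 12 * i), off + 10 + 12 * i)
                for i in range(u16(off))}
    ifd0 = ifd(u32(4))
    if GPS_IFD_POINTER not in ifd0:
        return None                                  # no GPS sub-IFD: image was never geotagged
    gps = ifd(u32(ifd0[GPS_IFD_POINTER][2]))
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    def dms(tag):                                    # three RATIONALs: degrees, minutes, seconds
        typ, cnt, voff = gps[tag]
        if typ != 5 or cnt != 3:
            raise ValueError("unexpected GPS coordinate encoding")
        data = u32(voff)                             # RATIONALs are too large for the field, so it holds an offset
        return sum(u32(data + 8 * i) / u32(data + 8 * i + 4) / 60 ** i for i in range(3))
    ref = lambda tag: chr(exif[gps[tag][2]])         # "N"/"S" or "E"/"W" sits inline in the value field
    lat = dms(LAT) * (-1 if ref(LAT_REF) == "S" else 1)
    lon = dms(LON) * (-1 if ref(LON_REF) == "W" else 1)
    return round(lat, 6), round(lon, 6)
```

A returned pair such as (37.774917, -122.419389) is what the examiner would record; a None result from a file that should carry EXIF is itself worth noting, since it suggests the metadata was stripped or the file was rewritten.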

Attendee question, after performing the live recovery: Does running a standard iTunes software update after this return the device to its original usable state?

Jonathan Z: A standard iTunes update (not restore) would restore it... or you could re-run the prep stage again... or you could just write a simple script to delete the two files used for recovery.

Attendee question: Do you need to do all these steps for each separate iPhone you do, i.e. with a different iPhone OS, do you need to make a different setup?

Jonathan Z: As long as the hardware and major version matches, you can use the same bundles for different phones.

If this whets your appetite for more of the same, follow Jonathan through the entire process in the webcast. And don't forget to grab your own copy of iPhone Forensics.

