July 12, 2009

Recover deleted files from a jailbroken iPhone (or *nix)

Here I will describe a process that will allow you to recover deleted files from a jailbroken iPhone's hard drive. If you do not know what jailbroken means, your device most likely does not fall into this category. This method should also work with virtually any *nix based distribution. I will split this up into two parts: creating the disk image and analyzing the disk image. You will also find a list of my resources at the end. I suggest reading completely through each section before attempting it. Do not be intimidated by the length of this post. I have tried to provide a lot of information, but this operation boils down to using only 2 commands.

CREATE DISK IMAGE

The instant you realize that you need to recover a deleted file, stop using the device immediately. The more you continue to use the device, the higher the chance that the files you need will be overwritten.

The first thing we need to do is make a copy of the data on the device's hard drive. We will do this with the dd tool, piped through ssh over wifi. Here are two variations on how to achieve this.

Variation 1:
SSH into the device from a host machine.

Requirements:
The device will need to have OpenSSH running. The default password for OpenSSH right now is 'alpine'. The host machine will also need the dd tool installed.

You will need to identify the IP address that your device is using. I like to use SBSettings app to get this information. From the host machine, run the following command:

ssh root@device.ip.address "dd if=/dev/disk0" | dd of=iphone-dump.img

where device.ip.address is the IP address of the device.

Variation 2:
SSH into a host machine from the device.

Requirements:
The host machine will need to have an OpenSSH server running. It must also have the dd tool installed.

Run the following command:

dd if=/dev/disk0 | ssh username@host.ip.address "dd of=iphone-dump.img"

where username is a valid user account on the host machine and host.ip.address is the IP address of the host machine.

Notes:
-Only attempt this operation with the device plugged in as it tends to rapidly drain the battery.
-When you run the dd command via ssh, you will have no feedback until the operation is completed.
-The copy operation can take several hours depending on the hard drive size of the device.
-You can use the 'ls -l' command to monitor the size of the img file during the copy to make sure it is still running.
-Make sure that the host computer has enough free space to hold the entire contents of the device's hard drive.
-If the image size appears to stop growing during the operation, relax, wake up your iPhone, and make sure the wifi signal strength is strong. The operation will generally continue without issue.

ANALYZE THE DISK IMAGE

In a filesystem, a file's contents are stored in some spot on your disk, and information about the file, such as its name and position on the disk, is entered into a special section of the hard drive that acts like the index of a book. When you 'delete' a file, it is the entry in the index that is removed, not the file itself. However, any new files may be written over the old one, since its space is no longer considered 'used'. Several forensic tools exist that manually search the hard drive for files instead of relying on the index. It is in this way that we can recover deleted information. However, as you can see, there is no guarantee that the file has not been written over yet.

The iPhone uses a filesystem called HFS. This is a special format used by Apple and is not supported by a wide range of forensic tools. The tool that I use for HFS is called PhotoRec by CGSecurity. It can be downloaded from here:


To begin, run the following command:

photorec iphone-dump.img

From here, you can simply select all of the auto-detected options to have PhotoRec recover most of your disk's files.

For more control and possibly better results, you can find a step by step guide for PhotoRec here:


The popular SleuthKit tool also has HFS support that you can choose to enable if you compile the source code yourself. The tool plans to have HFS enabled by default starting in a future release. It can be found here:


There is no guarantee that any one tool will detect all available information. Feel free to try several different tools. Because of the nature of how the recovery works, you can easily end up with corrupt files. There are tools that can help you repair or extract good data from corrupt files.

Notes:
-FileJuicer can help extract good data from corrupt files (http://echoone.com/filejuicer/). There is a 5 day trial available.
-iSquint can help repair corrupt movie files (http://www.macupdate.com/info.php/id/19769).
-The iPhone takes a temporary PNG screenshot every time you exit an application in order to create the transition effect. We can take advantage of this. If you have an image file that was unable to be recovered, make sure to have your forensic tool also recover PNG files. Sometimes you can recover one of the screenshot files in place of the unrecovered original image.
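As an added example (not part of the original post and not PhotoRec's or SleuthKit's code), here is a small signature-based carver in Python that shows what the tools above do with PNG files: it scans a constructed stand-in for a dd image for the PNG signature, walks the chunk structure through to IEND, and flags files whose tail was overwritten or cut off, which is how the corrupt files mentioned above come about. The sample image, its filler bytes and the PNGs in it are all constructed inside the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8-byte signature every PNG file starts with

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, data, CRC-32 over type + data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(width: int, height: int) -> bytes:
    """Smallest valid 8-bit RGB PNG (solid red), only used to build the constructed sample image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")

def carve_png_at(image: bytes, start: int):
    """Walk the chunks after a signature hit; returns (status, bytes recovered so far)."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        if not ctype.isalpha():              # junk where a chunk type should be: overwritten
            return "corrupt", image[start:pos]
        end = pos + 12 + length
        if end > len(image):                 # the file runs off the end of the image
            return "truncated", image[start:]
        data, crc = image[pos + 8:pos + 8 + length], struct.unpack(">I", image[end - 4:end])[0]
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:   # chunk body or CRC overwritten
            return "corrupt", image[start:pos]
        pos = end
        if ctype == b"IEND":
            return "intact", image[start:pos]
    return "truncated", image[start:]

def carve_pngs(image: bytes):
    """Signature-based carving: find every PNG header and try to walk it through to IEND."""
    results, pos = [], image.find(PNG_SIG)
    while pos != -1:
        status, data = carve_png_at(image, pos)
        results.append((pos, status, data))
        pos = image.find(PNG_SIG, pos + max(len(data), 1))
    return results

def build_sample_image() -> bytes:
    filler = b"\x00" * 64                    # constructed stand-in for unallocated space on a dd image
    good = build_png(2, 2)
    damaged = build_png(3, 1)[:-16] + b"\x00" * 16   # IDAT CRC and IEND overwritten by a later write
    truncated = build_png(1, 1)[:20]                  # header survives, the rest fell off the image end
    return filler + good + filler + damaged + filler + truncated
```

Running carve_pngs(build_sample_image()) yields one intact PNG, one flagged corrupt at its IDAT chunk, and one truncated at the image end; on a real dd image the same walk is what separates usable screenshots from ones that need repair.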
