Jonathan Zdziarski iPhone Tools [Discussion]

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

kmarker
Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 15, 11 21:43

- Doug
Has anyone had any success getting a file system from a device running 4.3.1 yet?

Using the Linux tools I have added the following line under the iPhone 4 (GSM) header in the firmware.txt file:


A1332+4.3.1=http://appldnld.apple.com/iPhone4/041-0551.20110325.Aw2Dr/iPhone3,1_4.3.1_8G4_Restore.ipsw

I have updated our lab iPhone 4 to 4.3.1 and I can run boot-liverecovery and boot-kernel fine. It then gives me a 0 byte recovered file system.

I have tried unplugging and plugging in, running through the process a few times, various restarts etc. Nothing seems to work!

Any suggestions?


What recovery module are you using? You should be using recover-tarball.sh, not recover.sh (Assuming those are still the names of the recovery modules).  
 
  

Sloman
Newbie
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 16, 11 00:45

- armresl
LE can and does make money off his methods, and other phone software methods of removing data from cellphones.

You have to think outside the box to find this answer, but any idea how they do it?

"As is stated on his personal website, Non-LE requests will not be answered. I'm sure he doesn't want others making money off of his research and work, especially the commercial entities. "


That's easy, here in the States, some of the States allow Police Officers to "moonlight" as PI's. So the officer learns the tricks of the trade at work and then works on the side on cases and makes the bucks.
Methinks it's called "Double Dipping". Personally it's not fair to those of us in the Private sector who are willing to pay out of our own pocket to learn the same tricks. And yes, I'm a retired cop, but because I don't carry a badge anymore, I've not been allowed in the club.  
 
  

Doug
Senior Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 18, 11 13:20

- kmarker
- Doug
Has anyone had any success getting a file system from a device running 4.3.1 yet?

Using the Linux tools I have added the following line under the iPhone 4 (GSM) header in the firmware.txt file:


A1332+4.3.1=http://appldnld.apple.com/iPhone4/041-0551.20110325.Aw2Dr/iPhone3,1_4.3.1_8G4_Restore.ipsw

I have updated our lab iPhone 4 to 4.3.1 and I can run boot-liverecovery and boot-kernel fine. It then gives me a 0 byte recovered file system.

I have tried unplugging and plugging in, running through the process a few times, various restarts etc. Nothing seems to work!

Any suggestions?


What recovery module are you using? You should be using recover-tarball.sh, not recover.sh (Assuming those are still the names of the recovery modules).


I was using the recover-fs.sh module.

Cheers,  
 
  

ThePM
Senior Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 19, 11 17:43

I have been able to perform a file system dump on an iPhone 3Gs and an iPhone 4 both running iOS 4.3.1. However, I did not use JZ tools as they aren't up to date but the methodology used is pretty much the same as JZ has implemented in his automated tools.

I created a recovery ramdisk that has SSH on it. I then booted the iPhones from this ramdisk and used the secure copy command (scp) to download the filesystem from the devices. You can also use SFTP to perform the download operation, but the great thing with scp is that you can use some options to preserve permissions and timestamps.

You can find the procedure I used to do this here: www.hackint0sh.org/f12...2063-6.htm

However, using this procedure, you won't be able to download emails from the device as it results in permission errors. I believe it's either a bug in the SSH binary that was packed in the ramdisk or it's a security feature from the Apple crypto API. The only way I was able to retrieve the emails was to jailbreak the iPhones, install Cydia and then install OpenSSH. After that, I was able to download the Mail folder without any issue.

Now (before I get flamed on this forum), I know that jailbreaking a device is not a forensic process, but in this case, we had written consent from the owner, we really needed the emails and we are ready to testify in court what has been done and why.

Hope this helps.  
 
  

armresl
Senior Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 24, 11 02:40

I appreciate the fact that you were an officer, thank you for your service.

The officers that I know don't do this, but I have heard of some who do, and that's all fine until our side does an aff of software or a depo and finds out what they have been using and if any of that is a fruit of being an officer.

A few current officers I know have gone to great lengths to distance themselves from any software they acquired in an officer capacity and in a private capacity.


- Sloman
- armresl
LE can and does make money off his methods, and other phone software methods of removing data from cellphones.

You have to think outside the box to find this answer, but any idea how they do it?

"As is stated on his personal website, Non-LE requests will not be answered. I'm sure he doesn't want others making money off of his research and work, especially the commercial entities. "


That's easy, here in the States, some of the States allow Police Officers to "moonlight" as PI's. So the officer learns the tricks of the trade at work and then works on the side on cases and makes the bucks.
Methinks it's called "Double Dipping". Personally it's not fair to those of us in the Private sector who are willing to pay out of our own pocket to learn the same tricks. And yes, I'm a retired cop, but because I don't carry a badge anymore, I've not been allowed in the club.

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

vrocco
Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: Apr 26, 11 01:52

Can someone familiar with these tools give me some guidance? I am trying to use the boot-passcode tool to remove the sim card lock and let me in to the phone. This is a data recovery case, not forensic. Every time I try and use the automated tools, I get errors. So I decided just to open the .sh and type the commands one by one into the terminal (linux). However, when I do the ./injectgreen I get: ./injectgreen: 1: Syntax error: Unterminated quoted string

I can't find the source on the site for the injectgreen file, so I can't fix the code and recompile. If anyone can help, please PM me. I obviously have valid access to these tools, but am just learning to use them.

Thanks

UPDATE: I thought maybe it was a linux issue, so I pulled out a Mac and tried to run the scripts on there. I get the same problems. On top of the error listed above, it doesn't seem to run any of the binaries (xpwntool, irecovery). It's like they didn't compile correctly, but I can't find the sources for those to compile myself. HELP!!!!

UPDATE: Got everything except the injectgreen binary to work. I ended up getting xpwntool and irecovery from different sources. Linux will still not execute the injectgreen. I get "bash: ./injectgreen: cannot execute binary file"  
 
  

Doug
Senior Member
 

Re: Jonathan Zdziarski iPhone Tools [Discussion]

Post Posted: May 10, 11 18:05

When dealing with the latest Linux scripts is there an easy way to get them ready to use on a stand alone machine with no internet connection?

I know that once you have run (for example) a 3GS running 4.2.1 for the first time it will have downloaded the relevant firmware files and can be completed again in the future without the need to connect to the internet.

My question is that I want to set up a machine that will not need to be on the internet once it has been created. Because of this I want to download all the firmware parts and have all the scripts set up and not have to worry about it again until there are updates. But sadly I do not have access to all the iOS devices running all the firmwares to go through and manually set the tool up by downloading the firmware packages for each hardware/iOS combination.

Is there an easy way to do this?

Could I download all the firmwares listed in firmware.txt URLs and change the firmware.txt file so it points to a local location (download folder) rather than the Apple site?  
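One way to do what the post above asks, as an added example written for this thread rather than one of the toolkit's own scripts: walk firmware.txt, fetch every IPSW once onto the machine that still has a connection, rewrite each URL to the local path, and then verify that every rewritten entry points at a file that actually exists before the box is taken offline. It assumes the `MODEL+VERSION=URL` entry format quoted earlier in the thread (the `A1332+4.3.1=http://...` line), that header lines in the file contain no `=`, and that the scripts will accept a local path after the `=`; the thread does not confirm that last point, so test it on one hardware/iOS combination first. The file and directory names are placeholders.

```shell
#!/bin/sh
# mirror_firmware.sh -- added example, not part of the toolkit.
# Assumes firmware.txt holds "MODEL+VERSION=URL" entries (as quoted in this
# thread) plus header lines without '=', and that the scripts open whatever
# string follows '='.
#
#   DO_FETCH=1 sh mirror_firmware.sh firmware.txt firmware.local.txt ./ipsw
#
# Pass 1 (mirror_firmware): copy each IPSW into a local directory and rewrite
# the URL to the local path.  Pass 2 (check_mirror): confirm every rewritten
# entry points at a file that exists, so a failed download is noticed before
# the machine leaves the network.

mirror_firmware() {
    src="$1" dst="$2" dir="$3"
    mkdir -p "$dir"
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=http://*|*=https://*)
                key="${line%%=*}"       # e.g. A1332+4.3.1
                url="${line#*=}"
                file="${url##*/}"       # e.g. iPhone3,1_4.3.1_8G4_Restore.ipsw
                if [ "${DO_FETCH:-0}" = 1 ] && [ ! -f "$dir/$file" ]; then
                    # -f: fail on HTTP errors; -L: follow redirects;
                    # -C -: resume a partial download instead of restarting it
                    curl -fL -C - -o "$dir/$file" "$url" \
                        || echo "warning: download failed for $url" >&2
                fi
                printf '%s=%s\n' "$key" "$dir/$file" >> "$dst"
                ;;
            *)
                # header lines (e.g. the "iPhone 4 (GSM)" section) pass through
                printf '%s\n' "$line" >> "$dst"
                ;;
        esac
    done < "$src"
}

check_mirror() {
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=http://*|*=https://*)
                echo "not mirrored: $line" >&2
                missing=$((missing + 1))
                ;;
            *=*)
                f="${line#*=}"
                if [ ! -f "$f" ]; then
                    echo "missing: $f" >&2
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done < "$1"
    [ "$missing" -eq 0 ]
}

# Run as a script: mirror, then verify.  When sourced, this part is skipped.
if [ "$#" -eq 3 ]; then
    mirror_firmware "$1" "$2" "$3"
    check_mirror "$2"
fi
```

Point the scripts at `firmware.local.txt` (or copy it over `firmware.txt`) on the offline machine and keep the `ipsw` directory alongside it; when a new iOS version appears, add its line to the original file and rerun the two passes on the connected machine.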
 
