Forensic Recovery Recovering The Media Partition Computer Science Essay


With the recovery toolkit installed and the iPhone sharing a network connection with your desktop, the media partition can finally be recovered. Depending on what level of integrity you're looking to establish, there are many different ways to accomplish this. This section walks you through the different steps involved in recovering the media partition. Some processes are optional, and it will ultimately be up to you to determine which security options are important.

NOTE

Prior to performing a recovery, it's a good idea to disable the iPhone's locking mechanism. Click on the Preferences icon, then General. Change the Auto-Lock option to Never.

4.2.1. Command-Line Terminal

Much of the work involved from here on out will be performed on the command line, so it's important to know how to invoke a command-line terminal window.

4.2.1.1. Mac OS X

Find the Terminal application by opening the Applications folder, and double-clicking on the Utilities folder. Double-click Terminal to open the application. Subsequent windows can be opened by selecting New Window from the Terminal menu.

4.2.1.2. Windows

Click on the Start menu, then highlight Programs, followed by Accessories. Click on the Command Prompt application. This will open a new window with what you may refer to as a "DOS prompt."

4.2.2. Tools Needed

To recover the media partition, you'll need two command-line tools on the desktop: dd and nc. The dd tool is a disk copy tool used to copy the raw drive image, while the nc tool (also known as netcat) is used to send (and receive) data across a network. Both of these tools must be installed on both the desktop and the iPhone. The recovery toolkit automatically installs the iPhone builds of these tools, leaving the desktop portion up to you.

The file copy over netcat is insecure unless forwarded through an SSH tunnel. In both cases, for evidentiary integrity, it is recommended that this copy be conducted over a private, encrypted wireless network, or that MD5 digests be used to verify the integrity of the image.

Mac OS X Leopard includes these tools by default. To verify this, open a terminal and type which dd nc. Paths to both files should appear in the resulting output.

Windows versions of these tools may be downloaded at http://www.chrysocome.net/dd and http://www.vulnwatch.org/netcat/. An archive is also available on the O'Reilly website at http://www.oreilly.com/9780596153588.

4.2.3. MD5 Digests

Before transmitting the media partition to the desktop machine, it may be appropriate to generate an MD5 digest of it from the iPhone. This will ensure that the partition data hasn't been altered or tampered with while in transit. To do this, connect to the iPhone using SSH and issue the commands below into a terminal window, replacing x.x.x.x with the IP address of the iPhone:

$ ssh -l root x.x.x.x

# cd /

# umount -f /private/var

# mount -o ro /private/var

# md5 /dev/rdisk0s2

These commands connect to the iPhone via SSH and then change to the root (/) directory. Next, the umount command forcibly unmounts the /private/var partition. Since other iPhone applications are using the disk, it cannot be unmounted without force (the -f option). Finally, the partition is remounted with the read-only option (ro) and the md5 tool is instructed to create a digest of its raw device.

In order to create a digest, the entire partition must be read and processed. Depending on the capacity of the iPhone, this may take several hours to complete. To keep the iPhone "alive" during this time, it may be necessary to occasionally swipe your finger across the screen in a way that won't activate any applications or user interface elements. If the iPhone falls asleep, it may shut down its wireless connection, which would cause the entire process to freeze. To keep the network connection alive, it's a good idea to run a ping session from the iPhone (in another terminal window) while waiting for the MD5 digest to return.

NOTE

You can test the network connection by pressing Enter a few times in the terminal window. If you can see empty lines being echoed to your terminal window, the connection is still live.

While the user partition is mounted as read-only, the user interface (via the touch screen) must not be used, except to touch an inactive portion of the screen (to keep the backlight active). If, at any time, the operating system layer becomes nonresponsive, rebooting the device will cause the user partition to be remounted back in read-write mode. This will allow the operating system to write to the partition again, however, and so you'll need to reissue the commands above to generate another MD5 digest.

NOTE

To forcibly reboot the iPhone, hold the Home and Power buttons down only until the device powers off. Wait a few seconds and then hold down the Power button to power the device back on.

When completed, the md5 utility will return a digest of the raw disk partition, as shown below. Copy this output, after transferring the disk image across the network, as you will use it later to compare with a digest created on the desktop.

MD5 (/dev/rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

4.2.4. Unencrypted Recovery

The fastest and easiest way to recover the media partition is to send it directly to the desktop machine without any level of encryption. If you're using a WEP- or WPA-encrypted wireless network, the data will be encrypted on the network layer regardless. To send the disk partition, you'll need to run separate commands from both the desktop machine and the iPhone to transmit the disk contents across the network.

Your desktop and the iPhone are essentially going to play a game of catch. On the desktop side, you'll be issuing a command (using netcat) telling the desktop to listen on a network port. Think of a port like you'd think of third base: the desktop is being instructed to listen for incoming data at a certain location, and the iPhone is going to throw the ball (here, the disk image) to the desktop. Both have to be set up right, or the transmission will fail.

On the desktop side, instruct the netcat tool to listen on a local port (in this example, 7000). The information that the desktop receives is then sent to the disk copy utility, which is used to convert the data back into a disk image file.

4.2.4.1. Mac OS X

Issue the following from a terminal window:

$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

Here's a breakdown of the command:

nc

Calls netcat

-l

Tells netcat to listen for incoming connections

7000

Tells netcat to use port 7000

| dd

Pipes (relays) the information received by netcat to the dd disk copy utility

of=./rdisk0s2

Stores the disk image locally (of stands for "output file") with the filename rdisk0s2

bs=4096

Uses a disk block size of 4 K

NOTE

Some versions of netcat for Mac OS X use the arguments -l -p 7000 instead of -l 7000.

4.2.4.2. Windows

Issue the following from a command prompt:

$ nc -L -p 7000 | dd of=./rdisk0s2 bs=4096

Here's a breakdown of the command:

nc

Calls netcat

-L

Tells netcat to listen for incoming connections

-p 7000

Tells netcat to use port 7000

| dd

Pipes (relays) the information received by netcat to the dd disk copy utility

of=./rdisk0s2

Stores the disk image locally (of stands for "output file") with the filename rdisk0s2

bs=4096

Uses a disk block size of 4 K

4.2.4.3. Sending the data

After you tell the desktop machine to listen for incoming data, the terminal window on the desktop will appear to sit idle. This means it's waiting and listening for data. Open a second terminal window and connect to the iPhone using SSH. Use the following commands to instruct it to send its media partition to the desktop. In the sample commands, x.x.x.x represents the IP address of the iPhone, and y.y.y.y represents the IP address of the desktop machine:

$ ssh -l root x.x.x.x

# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc y.y.y.y 7000

Here's a breakdown of the send command:

/bin/dd

Calls the disk copy utility on the iPhone

if=/dev/rdisk0s2

Instructs disk copy to read the second partition of the raw disk as input

bs=4096

Uses a disk block size of 4 K

| nc

Pipes (relays) the information received by the disk copy utility to netcat

y.y.y.y

Since -l wasn't specified, instructs netcat to send the data to (not receive from) the specified address

7000

Instructs netcat to use port 7000

The raw partition will begin transferring over the network, which should be reflected by a gradual increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone. Only the media portion of the iPhone's disk storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, you'll see both terminal windows report that a certain number of bytes have been sent or received. Once complete, it may be necessary to cancel the operation on the iPhone's side by pressing Ctrl-C.

NOTE

If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone's general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).

Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:

$ md5 rdisk0s2

MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in Section 4.2.3. If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.

Never try to examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.

Now that the media partition has been copied, the iPhone itself may be analyzed by hand to obtain any information available through the standard user interface.

4.2.5. Encrypted Recovery of the Media Partition

Using a technique similar to the previous method, the disk image can be transmitted across an encrypted SSH tunnel, adding an extra layer of security (at the expense of added time) to your recovery efforts. This is done by creating a remotely forwarded network connection to the iPhone, so that all data transmitted across it will be encrypted by SSH. This helps prevent tampering and ensures that the data traveling across the wireless network is encrypted on an application layer. If you are using message digests or an encrypted access point, this step may be redundant.

Along with the drawback of increasing transfer time, certain combinations of the SSH client and server can sometimes also result in packet size or other errors. In the event this occurs, you'll need to use a different SSH client on the desktop machine, or simply revert back to using the unencrypted technique described in the last section.

In the previous section, you connected to the iPhone using the simple SSH command:

$ ssh -l root x.x.x.x

To establish an encrypted tunnel, you'll need to spice this up a little. Add the following parameters to compress and remotely forward data:

$ ssh -l root -C -R 7000:127.0.0.1:7000 x.x.x.x

If you're using a GUI tool, such as PuTTY, instead of a command-line tool, configure a remotely forwarded port as shown in Figure 4-1.

Figure 4-1. Remote port forwarding configuration in PuTTY

On the desktop, instruct the netcat tool to listen on a local port as before (in this example, port 7000). There is no longer a need for the dd command, however. Just pipe the information sent to the desktop to the disk.

On Mac OS X:

$ nc -l 7000 > rdisk0s2

On Windows:

$ nc -L -p 7000 > rdisk0s2

On the iPhone, perform a raw partition dump. Instead of using the IP address of the desktop machine, use the localhost address of 127.0.0.1. This will feed the data through the iPhone's loopback interface, which will direct it through the encrypted SSH tunnel.

# cat /dev/rdisk0s2 | nc 127.0.0.1 7000

As the raw partition transfers across the SSH tunnel, activity should be reflected by an increase in the size of the file on the local desktop. This operation may take several hours, depending on the capacity of the iPhone, and will take longer than an unencrypted transfer. Only the media portion of the device's storage will be sent, so the actual file size will be less than the advertised capacity. When the file reaches its maximum size, both sides of the connection will report that a certain number of bytes have been sent (or received). When finished, it may be necessary to cancel the operation on the iPhone's side by pressing Ctrl-C.

NOTE

If the operation fails prematurely, ensure that the iPhone is connected to the dock connector and is charging. The iPhone automatically shuts down its Wi-Fi when on battery as it enters sleep mode. If necessary, also set the Auto-Lock feature to Never in the iPhone's general settings to keep the display awake and unlocked. As a last resort, try running a ping from a separate terminal window on the iPhone, and occasionally swipe your finger across the screen to keep it from idling. If the operation persistently fails, check with your system administrator to ensure that it is not being hindered by firewall policies, and check the desktop machine to ensure its firewall is configured to allow access on the desired port (in this example, 7000).

Once complete, run the md5 command on your desktop machine to ensure the digest matches the one taken on the iPhone:

$ md5 rdisk0s2

MD5 (rdisk0s2) = b5bd6ba33b37c45daf4e5cf520f48023

The hexadecimal number following the equals sign should be exactly the same as the one you generated on the original image using the procedure described earlier in Section 4.2.3. If everything is fine, back up the disk image from the desktop and check it into a digital vault. All further file operations should be performed on a copy of the disk image.

Never examine an original disk image, only a copy. Some tools have been known to slightly alter the disk image in the course of their operation, thereby altering the digest. The disk image is also likely to be altered if mounted as a filesystem.
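The listen/send exchange of Sections 4.2.4 and 4.2.5 (desktop listening with netcat and writing the stream to a file, the iPhone streaming the raw partition in 4 KB blocks, then the digest taken on the device compared against the digest of the received copy) can be run end to end on the loopback interface, which is also the address the tunnelled sender in 4.2.5 connects to. The following is an added example written for this page, not code from the book or the recovery toolkit: it replaces dd and nc with plain Python sockets, substitutes a constructed pseudo-random byte string for /dev/rdisk0s2, and uses an ephemeral port instead of the fixed port 7000 so it never collides with a port already in use. The function names (make_test_partition, receive_image, send_image, verify_copy, acquire_over_loopback, demo) are the example's own.

```python
import hashlib
import io
import os
import random
import socket
import tempfile
import threading

BLOCK_SIZE = 4096  # the bs=4096 used by the dd commands on both ends


def make_test_partition(size=5 * BLOCK_SIZE + 1234, seed=7):
    """Constructed stand-in for /dev/rdisk0s2: deterministic pseudo-random bytes,
    not a real HFS image. The size is deliberately not a multiple of BLOCK_SIZE
    so the trailing short block is exercised, as with a real raw partition dump."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def md5_of_stream(stream):
    """Equivalent of 'md5 /dev/rdisk0s2' on the device: hash the raw partition
    in BLOCK_SIZE reads rather than loading it into memory at once."""
    digest = hashlib.md5()
    while True:
        block = stream.read(BLOCK_SIZE)
        if not block:
            return digest.hexdigest()
        digest.update(block)


def receive_image(listener, out_path):
    """Desktop side: 'nc -l 7000 | dd of=./rdisk0s2 bs=4096' (or, through the
    SSH tunnel, 'nc -l 7000 > rdisk0s2'). Accepts one connection and writes
    every byte received to out_path; returns the byte count."""
    conn, _ = listener.accept()
    total = 0
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK_SIZE)
            if not chunk:  # peer closed its sending side: transfer complete
                break
            out.write(chunk)
            total += len(chunk)
    return total


def send_image(device_stream, host, port):
    """iPhone side: 'dd if=/dev/rdisk0s2 bs=4096 | nc HOST 7000', or with the
    tunnel 'cat /dev/rdisk0s2 | nc 127.0.0.1 7000'. Returns bytes sent."""
    total = 0
    with socket.create_connection((host, port)) as sock:
        while True:
            block = device_stream.read(BLOCK_SIZE)
            if not block:
                break
            sock.sendall(block)
            total += len(block)
        sock.shutdown(socket.SHUT_WR)  # EOF, so the receiver's loop can end
    return total


def verify_copy(path, expected_md5):
    """Desktop-side 'md5 rdisk0s2' compared with the digest taken on the device."""
    with open(path, "rb") as f:
        return md5_of_stream(f) == expected_md5


def acquire_over_loopback(partition_bytes, out_path):
    """Run both ends on 127.0.0.1; port 0 asks the OS for a free ephemeral port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    outcome = {}
    desktop = threading.Thread(
        target=lambda: outcome.update(received=receive_image(listener, out_path)))
    desktop.start()

    device_md5 = md5_of_stream(io.BytesIO(partition_bytes))  # digest taken before sending
    sent = send_image(io.BytesIO(partition_bytes), "127.0.0.1", port)
    desktop.join()
    listener.close()
    return {"sent": sent, "received": outcome["received"],
            "device_md5": device_md5, "verified": verify_copy(out_path, device_md5)}


def demo():
    """Acquire a constructed partition, verify it, then flip one byte of the
    copy to show that the digest comparison catches a single altered byte."""
    partition = make_test_partition()
    fd, path = tempfile.mkstemp(prefix="rdisk0s2-")
    os.close(fd)
    try:
        result = acquire_over_loopback(partition, path)
        result["expected_bytes"] = len(partition)
        with open(path, "r+b") as f:  # simulate a copy altered after acquisition
            f.seek(len(partition) // 2)
            original = f.read(1)
            f.seek(len(partition) // 2)
            f.write(bytes([original[0] ^ 0xFF]))
        result["tamper_detected"] = not verify_copy(path, result["device_md5"])
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The device digest is computed before the first byte is sent, mirroring the order in Section 4.2.3, and the receiver never trusts the byte count alone: a transfer that stops early or a copy altered afterwards both fail verify_copy, which is the reason the page insists on comparing digests rather than file sizes.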

4.2.6. Making Commercial Tools Compatible

Once a raw disk image has been recovered from the iPhone, it can be read by many commercial forensics tools such as EnCase or FTK, but with one caveat. The disk image itself is reported as an HFS/X image (fifth generation HFS), which most tools do not yet recognize. The identifier for this format is located at or around offset 0x400 inside the image file. Changing the identifier from HX to H+ (denoting an HFS+ filesystem) causes most existing tools to accept the file for processing. To make this change, document it and then use a hex editor, such as Hex Fiend or HexEdit 32. Figure 4-2 shows a segment of the file where the HX appears.

Figure 4-2. Hex Fiend for Mac displaying offset 0x400
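Because the signature change above deliberately alters the image, the practitioner wants three things the hex editor alone does not give: the change applied only to a working copy, a record of exactly what was changed with the digests before and after, and a check that nothing other than the two signature bytes differs. The following is an added example written for this page, not code from the book or from any forensic tool; it uses a constructed zero-filled buffer with an HX signature at offset 0x400 in place of a real rdisk0s2 image, and the function names (make_test_image, patch_signature_for_tools, only_signature_differs) are the example's own.

```python
import hashlib

SIGNATURE_OFFSET = 0x400   # volume header location given on the page
HFSX_SIGNATURE = b"HX"     # identifier the iPhone image reports (HFS/X)
HFSPLUS_SIGNATURE = b"H+"  # identifier most commercial tools expect (HFS+)


def make_test_image(size=0x1000):
    """Constructed stand-in for a recovered rdisk0s2 image: zero-filled, with
    the HFS/X signature at 0x400. Not a real filesystem."""
    buf = bytearray(size)
    buf[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = HFSX_SIGNATURE
    return bytes(buf)


def read_signature(image):
    """Return the two-byte identifier at the documented offset."""
    return bytes(image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2])


def patch_signature_for_tools(original_image):
    """Return (patched_copy, change_record). The original bytes are never
    modified, in keeping with the page's rule that only copies are worked on.
    Refuses to touch an image whose signature is not HX, so a file that is
    not HFS/X is never silently rewritten."""
    found = read_signature(original_image)
    if found != HFSX_SIGNATURE:
        raise ValueError(
            f"expected {HFSX_SIGNATURE!r} at 0x{SIGNATURE_OFFSET:x}, found {found!r}")
    working_copy = bytearray(original_image)
    working_copy[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = HFSPLUS_SIGNATURE
    record = {
        "offset": SIGNATURE_OFFSET,
        "before": found,
        "after": HFSPLUS_SIGNATURE,
        "md5_original": hashlib.md5(original_image).hexdigest(),
        "md5_working_copy": hashlib.md5(working_copy).hexdigest(),
    }
    return bytes(working_copy), record


def only_signature_differs(original_image, patched_image):
    """Confirm the two images are identical except for the two signature bytes,
    so the documented change is the only change."""
    if len(original_image) != len(patched_image):
        return False
    for i in range(len(original_image)):
        if original_image[i] != patched_image[i] and not (
                SIGNATURE_OFFSET <= i < SIGNATURE_OFFSET + 2):
            return False
    return True


def format_change_record(record):
    """One-line audit entry suitable for the case notes."""
    return (f"offset=0x{record['offset']:x} {record['before']!r}->{record['after']!r} "
            f"md5_original={record['md5_original']} "
            f"md5_working_copy={record['md5_working_copy']}")


if __name__ == "__main__":
    image = make_test_image()
    patched, rec = patch_signature_for_tools(image)
    print(format_change_record(rec))
    print("only signature changed:", only_signature_differs(image, patched))
```

The record keeps the digest of the untouched original beside the digest of the working copy, so the altered file can later be tied back to the image that matches the device digest from Section 4.2.3.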
