Comments (12)
Indeed this is a tricky question. An idea would be to first look for cprotect
attributes of deleted files (using a tool like filexray) and then try each of
these file keys on all the unallocated blocks.
Another idea would be to create a raw dump of the nand memory to include blocks
hidden by the FTL/VFL layers. Since the encryption IV depends on the logical
block number you'd need to do the reverse translation (physical page number to
logical).
Original comment by [email protected]
on 1 Jun 2011 at 10:03
from iphone-dataprotection.
Does emf_decrypter extract and decrypt individual files or does it produce a
decrypted raw dump that I can use winhex on?
Original comment by [email protected]
on 29 Jun 2011 at 9:47
from iphone-dataprotection.
It decrypts the raw dump "in place" but does not decrypt the unallocated space
because this is non-trivial.
Original comment by [email protected]
on 30 Jun 2011 at 8:33
from iphone-dataprotection.
Jean, Thank you and your partner for both your hard work. I got all tools to
compile and work as described. Hopefully in the future this tool or hfsexplorer
will support the decryption of unallocated data.
Original comment by [email protected]
on 1 Jul 2011 at 2:31
from iphone-dataprotection.
I just committed a proof of concept implementation of a recovery technique
using the journal file, based on this paper:
http://www.dfrws.org/2008/proceedings/p76-burghardt.pdf
http://www.dfrws.org/2008/proceedings/p76-burghardt_pres.pdf
It can help recover a few deleted files, depending on the state of the
partition when the image was acquired.
Original comment by [email protected]
on 30 Jul 2011 at 12:51
from iphone-dataprotection.
At this point, other than the amazing progress already done, it means I will
have to keep my 30Gb dd image of my iPhone's data partition until progress is
made for that unallocated space.
Original comment by [email protected]
on 24 Oct 2011 at 7:13
from iphone-dataprotection.
To clarify - does this mean that those of us who want to pull a dd image off an
iOS 4 device and decrypt it in order to run tools like photorec to recover
deleted images are wasting our time?
Original comment by [email protected]
on 31 Dec 2011 at 5:38
from iphone-dataprotection.
Yes, photorec cannot work on iOS 4 dd images since the unallocated space will
be encrypted.
Original comment by [email protected]
on 2 Jan 2012 at 5:11
from iphone-dataprotection.
It turns out it is possible to read the raw NAND and recover deleted files due
to the way the FTL works. However, you need to acquire a NAND image; this will
not work on dd images.
See http://esec-lab.sogeti.com/post/Low-level-iOS-forensics and the updated
README for more info.
Original comment by [email protected]
on 30 Jun 2012 at 11:33
- Changed state: Started
from iphone-dataprotection.
Hello!
Is it possible to read the NAND of a 4s device? It runs FW 5.1.1.
I need to recover one video file.
Original comment by [email protected]
on 11 Apr 2013 at 12:32
from iphone-dataprotection.
[deleted comment]
from iphone-dataprotection.
@Hybrid-Heaven It is not possible yet; some things have to be fixed in the NAND
dumper, and the new FTL used on A5+ devices must be reversed to adapt the
undelete technique (issue 61).
Original comment by [email protected]
on 13 Apr 2013 at 2:25
from iphone-dataprotection.