5 min read

In this article by Bhanu Birani and Mayank Birani, the authors of the book, IOS Forensics Cookbook, we have discussed Forensics recovery; also, how it is important, when in some investigation cases there is a need of decrypting the information from the iOS devices. These devices are in an encrypted form usually.

In this article, we will focus on various tools and scripts, which can be used to read the data from the devices under investigation. We are going to cover the following topics:

  • DFU and Recovery mode
  • Extracting iTunes backup

(For more resources related to this topic, see here.)

DFU and Recovery Mode

In this section we’ll cover both the DFU mode and the Recovery mode separately.

DFU mode

In this section, we will see how to launch the DFU mode, but before that we see what DFU means. DFU stands for Device Firmware Upgrade, which means this mode is used specifically while iOS upgrades. This is a mode where device can be connected with iTunes and still do not load iBoot boot loader. Your device screen will be completely black in DFU mode because neither the boot loader nor the operating system is loaded. DFU bypasses the iBoot so that you can downgrade your device.

How to do it…

We need to follow these steps in order to launch a device in DFU mode:

  1. Turn off your device.

  2. Connect your device to the computer.
  3. Press your Home button and the Power button, together, for 10 seconds.
  4. Now, release the Power button and keep holding the Home button till your computer detects the device that is connected.

  5. After sometime, iTunes should detect your device.
  6. Make sure that your phone does not show any Restore logo on the device, if it does, then you are in Recovery mode, not in DFU.
  7. Once your DFU operations are done, you can hold the Power and Home buttons till you see the Apple logo in order to return to the normal functioning device. This is the easiest way to recover a device from a faulty backup file.

Recovery mode

In this section, you will learn about the Recovery mode of our iOS devices. To dive deep into the Recovery mode, we fist need to understand a few basics such as which boot loader is been used by iOS devices, how the boot takes place, and so on. We will explore all such concepts in order to simplify the understanding of the Recovery mode. All iOS devices use the iBoot boot loader in order to load the operating systems. The iBoot’s state, which is used for recovery and restore purposes, is called Recovery mode. iOS cannot be downgraded in this state as the iBoot is loaded. iBoot also prevents any other custom firmware to flash into device unless it is a jailbreak, that is, “pwned”.

How to do it…

The following are the detailed steps to launch the Recovery mode on any iOS device:

  1. You need to turn off your iOS device in order to launch the Recovery mode.

  2. Disconnect all the cables from the device and remove it from the dock if it is connected.
  3. Now, while holding the Home button, connect your iOS device to the computer using the cable.
  4. Hold the Home button till you see the Connect to iTunes screen.

  5. Once you see the screen, you have entered the Recovery mode.
  6. Now you will receive a popup in your Mac saying “iTunes has detected your iDevice in recovery mode”.
  7. Now you can use iTunes to restore the device in the Recovery mode. Make sure your data is backed up because the recovery will restore the device to Factory Settings. You can later restore from the backup as well.
  8. Once your Recovery mode operations are complete, you will need to escape from the Recovery mode. To escape, just press the power button and the home button concurrently for 10-12 seconds.

Extracting iTunes backup

Extracting the logical information from the iTunes backup is crucial for forensics investigation. There is a full stack of tools available for extracting data from the iTunes backup. They come in a wide variety, distributed from open source to paid tools. Some of these forensic tools are Oxygen Forensics Suite, Access Data MPE+, EnCase, iBackup Bot, DiskAid, and so on. The famous open source tools are iPhone backup analyzer and iPhone analyzer. In this section, we are going to learn how to use the iPhone backup extractor tools.

How to do it…

The iPhone backup extractor is an open source forensic tool, which can extract information from device backups. However, there is one constraint that the backup should be created from iTunes 10 onwards. Follow these steps to extract data from iTunes backup:

  1. Download the iPhone backup extractor from http://supercrazyawesome.com/.
  2. Make sure that all your iTunes backup is located at this directory: ~/Library/ApplicationSupports/MobileSync/Backup. In case you don’t have the required backup at this location, you can also copy paste it.
  3. The application will prompt after it is launched. The prompt should look similar to the following screenshot:

  4. Now tap on the Read Backups button to read the backup available at ~/Library/ApplicationSupports/MobileSync/Backup. Now, you can choose any option as shown here:

  5. This tool also allows you to extract data for an individual application and enables you to read the iOS file system backup.
  6. Now, you can select the file you want to extract. Once the file is selected, click on Extract.
  7. You will be get a popup asking for the destination directory. This complete process should look similar to the following screenshot:

  8. There are various other tools similar to this; iPhone Backup Browser is one of them, where you can view your decrypted data stored in your backup files. This tool supports only Windows operating system as of now. You can download this software from http://code.google.com/p/iphonebackupbrowser/.

Summary

In this article, we covered how to launch the DFU and the DFU and the Recovery modes. We also learned to extract the logical information from the iTunes backup using the iPhone backup extractor tool.

Resources for Article:

Further resources on this subject:

Packt

LEAVE A REPLY

Please enter your comment!
Please enter your name here