iPhone Forensics – on iOS 5

January 10

The goal of iPhone forensics is to extract data and artifacts from an iPhone without altering the information on the device.
iPhone forensics can be performed on the backups made by iTunes (escrow key attack) or directly on the live device. This article explains the technical procedure and the challenges involved in extracting data from a live iPhone.

The techniques explained in this article only work for the iPhone 3GS, iPhone 4 and iPad 1. They do not work for the iPhone 4S, iPad 2, iPad 3 and iPad mini.

The techniques explained in this article also work for iOS 6 (use the iOS 5.1.1 ipsw file for iOS 6 devices).

Forensics on Live Device:

Jean Sigwald, a researcher at Sogeti ESEC Labs, has released open source forensic tools (with support for iOS 5) to recover low level data from the iPhone. The details below outline their research and give an overview of how the iPhone forensic tools are used.

An iPhone 4 GSM model running iOS 5.1.1 is used for the demos.

Steps involved in iPhone forensics:

  • Creating & Loading forensic toolkit on to the device without damaging the evidence
  • Establishing a communication between the device and the computer
  • Bypassing the iPhone passcode restrictions
  • Reading the encrypted file system
  • Recovering the deleted files


1. Creating & Loading forensic toolkit

Imagine a computer protected with an OS level password: we can still access the hard disk data by booting a live CD, or by removing the hard disk and connecting it to another machine. The iPhone, by contrast, is an embedded device, so it is not easy to take out the chips (its equivalent of the hard disk) and dump the data in them. The iPhone makes chip dumping even more complicated by encrypting the data at rest. In order to perform iPhone forensics, we therefore use the live CD approach. As the iPhone has only one serial port, we load a custom OS over USB to access the NAND chip (the hard disk) of the device. The problem is that the iPhone only loads firmware which is signed by Apple.

In order to create and load the forensic toolkit, first we need to understand how the iPhone functions at the operating system level. iOS (previously known as iPhone OS) is the operating system that runs on all Apple devices like the iPhone, iPod, Apple TV and iPad. iOS ships as an .ipsw file, which is a zip archive that contains the boot loaders, kernel, system software, shared libraries and built-in applications.

When an iPhone boots up, it walks through a chain of trust, which is a series of RSA signature checks among software components in a specific order, as shown in Figure 1.

The BootRom is read only memory (ROM) and it is the first stage of booting an iOS device. The BootRom contains the Apple root certificates used to signature check the next stage.

The iPhone operates in three modes: Normal mode, Recovery mode and DFU mode.

In Normal mode, the BootRom performs some initialization and loads the low level boot loader (LLB) after verifying its signature. LLB signature checks and loads the stage 2 boot loader (iBoot). iBoot signature checks the kernel and the device tree, and the kernel signature checks all the user applications.

In DFU mode, the iPhone follows the boot sequence with a series of signature checks as shown in Figure 2. The BootRom signature checks the second level boot loaders (iBSS, iBEC). The boot loader signature checks the kernel, and the kernel signature checks the Ramdisk.

During an iOS update, the Ramdisk gets loaded into RAM and it loads all other OS components. For forensics, we create a custom Ramdisk containing our forensic toolkit and load it into the iPhone's volatile memory. The signature checks implemented at various stages of the boot sequence do not allow loading our custom Ramdisk, so we have to bypass all of them. In a chain of trust boot sequence, if we compromise one link, we fully control all the links that follow it. The hacker community has found several vulnerabilities in the BootRom, using which we can flash our own boot loader and patch the signature checks in all the subsequent stages. Apart from the signature checks, every stage is also encrypted. These encryption keys can be grabbed from jailbreaking tools.

Building custom Ramdisk

First we build a custom Ramdisk with all our forensic tools and patch the Ramdisk signature checks in the kernel. Later, we use jailbreak tools to load our kernel by patching the BootRom signature checks.

With the open source forensic toolkit released by Sogeti Labs, the Ramdisk can only be built on Mac OS X. In this article, the Ramdisk is built on Mac OS X 10.6. The entire forensic toolkit consists of python scripts, a few binaries and a few shell scripts.

In order to run the tools, first we need to install all the dependencies (use the commands listed below from the OS X terminal).

Download and install Xcode 4. It installs the required compilers (ex: gcc).

Download ldid, grant it execute permissions and move it to the /usr/bin directory. ldid is used for signing the binaries.

curl -O
chmod +x ldid
sudo mv ldid /usr/bin/

Download and install OSXFUSE. OSXFUSE allows extending Mac OS X's native file handling capabilities via third-party file systems.

curl -O -L
hdiutil mount OSXFUSE-2.3.4.dmg
sudo installer -pkg "/Volumes/FUSE for OS X/Install OSXFUSE 2.3.pkg" -target /
hdiutil eject "/Volumes/FUSE for OS X/"

Download and install the python modules pycrypto, M2crypto, construct and progressbar.

sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
sudo easy_install M2crypto construct progressbar

Download and install Mercurial to check out the source code from the repository.

hg clone
cd iphone-dataprotection

Compile img3fs.c, which is located in the img3fs folder. This tool is used to encrypt and decrypt the Ramdisk and kernel. If you run into a problem while running this command, edit the makefile in the img3fs folder and change the compiler path.

make -C img3fs/

Download redsn0w, which is a well-known jailbreaking tool. The Keys.plist file inside redsn0w contains the encryption keys to decrypt the Ramdisk and kernel.

curl -O -L
cp redsn0w_mac_0.9.14b2/ .

To patch the signature checks in the kernel, supply the iOS 5.1.1 ipsw file to the script shown below. The iOS 5.1.1 ipsw file can be downloaded from a site which maintains all iOS versions for all Apple devices.

python python_scripts/ iPhone3,1_5.1.1_9B208_Restore.ipsw

The above python script creates a patched kernel and a shell script to create the Ramdisk.

sh ./

Running the shell script downloads the forensic toolkit (ssh.tar.gz) and adds it to the Ramdisk. The Ramdisk image is just a plain HFS+ file system, which is native to Mac OS, making it fairly simple to add files to it. All the steps mentioned above create a patched kernel and a custom Ramdisk with the forensic tools.

Note: I have created the patched kernel and the custom Ramdisk for iPhone 4. You can directly download these files and skip all the above steps.

Download Link –

Loading Forensic Toolkit

In order to load the forensic toolkit, supply the iOS 5.1.1 ipsw file, the patched kernel and the custom Ramdisk to the redsn0w tool. Connect the device to the computer using a USB cable and run the command below. Follow the steps displayed by redsn0w to boot the device into DFU mode. In DFU mode, redsn0w exploits the BootRom vulnerability and loads the patched kernel and custom Ramdisk onto the device.

./redsn0w_mac_0.9.14b2/ -i iPhone3,1_5.1.1_9B208_Restore.ipsw -r myramdisk.dmg -k kernelcache.release.n88.patched

If the process fails with the "No identifying data fetched" error, make sure that the host computer is connected to the internet. After redsn0w is done, the Ramdisk boots in verbose mode. Upon successful boot up, the iPhone displays an 'OK' message.

2. Establishing device to computer communication

Once booted with the custom Ramdisk, networking capabilities (like Wi-Fi) are not enabled by default, so we communicate with the device the same way Apple does with iTunes. USBMUX is the protocol iTunes uses to talk to the booted iPhone and to coordinate access to its services by other applications. USB multiplexing provides TCP-like connectivity over a USB port using SSL. Over this channel iTunes uses the AFC service to transfer files; here we use the same channel to establish an SSH connection and get shell access to the device.

SSH listens on port 22 on the device. The script below redirects port 22 traffic to port 2222 on the host.

python usbmuxd-python-client/ -t 22:2222 1999:1999

SSH is now accessible at localhost:2222.

ssh -p 2222 root@localhost
password: alpine

At this point, we get access to the file system. To make things even more complicated, every file is encrypted with its own unique encryption key, tied to the particular iOS device. Furthermore, the data protection mechanism introduced with iOS 4 adds another layer of encryption that does not give access to the protected files and keychain items when the device is locked. Data protection is the combination of hardware based encryption with a software key. Every iPhone (3GS and later) contains a special piece of hardware (an AES processor) which handles encryption with a set of hardcoded keys (UID, GID). The OS running on the device cannot read the hardcoded keys, but it can use the keys generated from the UID (0x835 and 0x89B) for encryption and decryption. The software key is protected by the passcode, which is also used to unlock the device every time the user wants to use it. So in order to access the protected files, first we have to bypass the passcode.

3. Bypassing the iPhone passcode restrictions

Initially (before iOS 4), the passcode was stored in a file which could be removed directly over SSH. Since the introduction of data protection (from iOS 4), the passcode is used to encrypt protected files and keychain items on the device. So in order to decrypt the data, we have to supply the valid passcode.

Passcode validation is performed at two levels: one at the springboard and another at the kernel level. A brute force attack performed at the springboard level locks the device, introduces delays and may lead to a data wipe. However, these protection mechanisms do not apply at the kernel level (the AppleKeyStore method), which makes brute force attacks possible there. To make brute force attacks less practical, the passcode key derived from the user passcode is tied to the hardware UID key. So the brute force can only be performed on the device and it is not possible to prepare precomputed values (like rainbow tables) offline. The script below can be used to brute force a 4 digit passcode.

python python_scripts/

Port 1999, opened with the port forwarding command above, is used by the brute force script. It connects to the custom restored_external daemon on the Ramdisk, collects basic device information (serial number, UDID, etc.) and the unique device keys (keys 0x835 and 0x89B), downloads the system keybag and tries to brute force the passcode (4 digits only).

Table 1 illustrates the time required to brute force different types of passcodes.
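The passcode key binding described above (tie to the hardware UID, kernel-level validation without lockout, no offline precomputation), as an added model that is not the article's code and not part of the Sogeti toolkit: the AES engine, the UID-derived keys and the keybag are HMAC/PBKDF2 stand-ins with a constructed UID value and salt, and the 80 ms per guess figure used at the end is an assumption.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for the hardware UID key held by the AES engine. On a
# real device the OS can never read this value; it is a fixed test value here
# so the example runs offline.
UID_KEY = hashlib.sha256(b"constructed-uid-key-for-example").digest()
PBKDF2_ROUNDS = 1000   # assumption; real devices calibrate the iteration count per model
DIGITS = "0123456789"


def uid_derived_key(selector, uid_key=UID_KEY):
    """Stand-in for the UID-derived keys (0x835, 0x89B) the OS may use but not read."""
    return hmac.new(uid_key, selector.to_bytes(2, "big"), hashlib.sha256).digest()


def passcode_key(passcode, salt, uid_key=UID_KEY):
    """Passcode key: the user passcode is stretched with PBKDF2 and then bound
    to a UID-derived key. Without uid_key the value cannot be computed, which
    is why the search must run on the device and rainbow tables do not apply."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(uid_derived_key(0x835, uid_key), stretched, hashlib.sha256).digest()


def make_keybag(passcode, salt):
    """System keybag stand-in: stores a check value so unlock() can tell a
    right passcode from a wrong one (a real keybag wraps class keys with AES)."""
    check = hmac.new(passcode_key(passcode, salt), b"keybag-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(keybag, passcode, uid_key=UID_KEY):
    """Kernel-level validation: no lockout, no delay, no wipe."""
    key = passcode_key(passcode, keybag["salt"], uid_key)
    expected = hmac.new(key, b"keybag-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, keybag["check"])


def search_numeric(keybag, length=4):
    """Exhaustive on-device search over numeric passcodes of the given length.
    Returns (passcode, attempts) or (None, keyspace) if nothing matched."""
    for attempts, digits in enumerate(itertools.product(DIGITS, repeat=length), 1):
        guess = "".join(digits)
        if unlock(keybag, guess):
            return guess, attempts
    return None, len(DIGITS) ** length


def worst_case_seconds(length, alphabet_size, seconds_per_guess):
    """Time to exhaust a keyspace at a fixed per-guess cost: the mitigation is a
    longer or alphanumeric passcode, since each extra character multiplies it."""
    return alphabet_size ** length * seconds_per_guess


if __name__ == "__main__":
    bag = make_keybag("1234", b"constructed-salt")
    print(search_numeric(bag))                              # ('1234', 1235)
    # Same passcode, different device: the keybag cannot be unlocked elsewhere.
    print(unlock(bag, "1234", uid_key=b"another-device"))   # False
    # Assumed 80 ms per guess: 4 digits vs 6 digits (800.0 vs 80000.0 seconds)
    print(worst_case_seconds(4, 10, 0.08), worst_case_seconds(6, 10, 0.08))
```

The last line is the point of Table 1 in numbers: at a fixed per-guess cost a 4 digit passcode falls in minutes, while every extra character multiplies the worst case by the alphabet size.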

4. Reading the encrypted file system

Upon a successful passcode brute force, the script automatically downloads the keychain. The keychain is a SQLite database which stores sensitive data on the device. The keychain is encrypted with the hardware key. The keychain also restricts which applications can access the stored data. Each application on the device has a unique application-identifier (also called an entitlement). The keychain service restricts which data an application can access based on this identifier. By default, applications can only access data associated with their own application-identifier. Later Apple introduced keychain groups, so applications which belong to the same group can share keychain items. There are two ways to access all the keychain items. One way is to write an application and make it a member of all application groups. The other way is to write an application and grant it the entitlement.

Keychain database contents can be extracted using the command below.

python python_scripts/ -d [UDID]/keychain-2.db [UDID]/[DATAVOLUMEID].plist

To dump the iPhone file system, execute the dump_data_partition shell script.


The script reads the file system from the device and copies it to the UDID directory as an image (.dmg) file. The image file can be opened using the modified HFSExplorer, which will decrypt the files on the fly. To decrypt it permanently, the script below can be used.

python python_scripts/ [UDID]/[data_DATE].dmg

The command above decrypts all files in the file system image. To view the decrypted files, mount the file system with the command below.

hdiutil mount [UDID]/[data_DATE].dmg

As soon as the file system is decrypted, various files of interest become available, such as the mail database, the SMS database, the location history, etc.

5. Recovering the deleted files

Deleting a file on the iPhone only deletes the file reference, so it is possible to recover deleted files. To recover the deleted files, run the script below.

python python_scripts/ [UDID]/[data_DATE].dmg

With this technique it is possible to recover valuable data like call logs, deleted images, deleted SMS, deleted contacts, deleted voicemail and deleted emails.

With the techniques illustrated in this article, it is clear that iPhone forensics is still possible on the latest version of iOS.

The techniques used in this article are explained and demonstrated in the video.




I wrote this article for infosecinstitute.



Posted by on January 10, 2012 in iPhone



48 responses to “iPhone Forensics – on iOS 5”

  1. Gemma

    January 18, 2012 at 6:19 pm

    Great article I’d like thank you greetings!

  2. j0k3rr

    February 6, 2012 at 5:12 pm

    Very interesting thanks for this video. I got a question if anybody here could help answer. if you perform forensics on itunes backup does it give you the same amount of data such as getting all deleted files or is it better to perform on a live device?

    also the link 4shared does not seem to work? 4shared says The file link that you requested is not valid? ??

  3. j0k3rr

    February 7, 2012 at 7:30 pm

    Thank you very much Satish B for your swift reply and support.

    I have been going through the backup files and gone through the sms.db, the strange thing is i found a few messages that were deleted but nothing to what has been actually deleted off the phone. I will run a live test against the phone and compare the results and post back on here.

    Thanks again! really appreciate it.

  4. ecigs

    April 30, 2012 at 12:24 pm

    Thanks for the great article. I found it really insightful, keep up the good work!

  5. ES Noel

    May 8, 2012 at 3:20 pm

    Great tutorial
    Can this method apply to the iphone4s

    • Satish B

      May 8, 2012 at 7:16 pm

      No. It does not work for 4s.

  6. daz

    May 11, 2012 at 12:55 am

    Nice write-up!
    Would the process above be the same for a jailbroken phone? Would I need to jailbreak and restore ios to get it back to the previous state?


    • Satish B

      May 11, 2012 at 4:16 am

      Same process is applied for jailbroken phones too. You don’t need to jailbreak the phone to use the technique.

  7. kasor

    May 20, 2012 at 9:19 pm

    Great post at iPhone Forensics – on iOS 5 SECURITYLEARN. I was checking continuously this blog and I am impressed! Extremely useful info specially the last part 🙂 I care for such information much. I was looking for this certain info for a very long time. Thank you and good luck.

  8. Krishna Adavi

    June 29, 2012 at 4:20 am

    Hey Satish – very in-depth blog, very cool. I bumped into this as i have a problem. I forgot my pwd to an encrypted backup of my iphone 4S. reading all this and other articles: here is the summary i got. I can jailbreak the phone, delete/rename the key file and then sync and restore the backup from the mac and that should let me do it without asking for the password, is that right?

    OR because i don’t have the password, i need to run the decrypt on the backup directory on the computer manually to retrieve the files?

    thanks in adv.

  9. Krishna Adavi

    June 29, 2012 at 4:34 am

    Just to be precise:
    – I setup encrypted local backups 6 months ago and only yesterday realized I forgot password. I tried many times and reset the phone to factory settings and restored an OLDER backup from last year from iCloud. Now my phone has a Unencrypted older snapshot of the data
    – What i am trying to understand is: even after restoring to factory settings, does jailbreaking the phone and removing the key file work? (i doubt if the key file would have gotten wiped out by factory restore)
    – Without jailbreaking and getting that key, is there any use to running decrypt on the backup files on my mac? I got this elcomsoft password breaker Home software and tried custom wordlist decrypt but couldn’t crack it. Bruteforce can take years to break obviously.
    – if you tell me there is no hope in recovering this, i will give up and move on..thanks

    • Satish B

      June 29, 2012 at 5:54 pm

      Backup password might be in keychain. Follow my post on keychain dumper usage and dump the keychain. You will find the backup password under ‘backupagent’ service name.

      • Krishna adavi

        June 29, 2012 at 6:22 pm

        Will dump the keychain and see but when i went to keychain util and searched by iphone nothing shows up. Maybe i did not store this in keychain possibly. Still will try dumping keys and check..thx

  10. Arun L

    September 22, 2012 at 9:00 pm


    Thanks for a very informative article. You mention the method doesn’t work for 4S. Could you expand on the reason? I have a 4S from which I want to recover deleted pictures (due to a Reset). I don’t want to sweat on it, if you say its a lost cause.


    • satishb3

      September 22, 2012 at 9:11 pm

      4s does not have boot rom level vulnerability. So it is not possible to boot with custom ram disk.

      However, you can recover the data from a jailbroken 4s.
      1. Jailbreak 4s
      2. Copy iphone file system to computer using dd command
      3. Follow extract aes keys post in my blog
      4. Place the dmg and keys file in one folder
      5. Run emf_decrypter and emf_undelete

      • Arun L

        September 22, 2012 at 9:16 pm

        Super. Thanks for the quick response. Could you possibly comment on whether oxygen-forensics would do the job? I don’t have any MAC, just PC or Linux. Any suggestions for alternatives.


        • satishb3

          September 22, 2012 at 9:21 pm

          No idea on oxygen.

          Mac not required. You can do it from windows machine with python.

  11. Rogerio Nogueira

    October 10, 2012 at 12:24 am

    You are my obi wan!!

  12. Find Duplicate Files

    October 25, 2012 at 10:16 am

    Do you mind if I quote a couple of your articles as
    long as I provide credit and sources back to your website?
    My website is in the exact same area of interest as yours and my users
    would truly benefit from some of the information you provide here.
    Please let me know if this okay with you. Many thanks!

    • satishb3

      October 25, 2012 at 10:59 am

      As long as you provide source back to my website i don’t have any problem.

  13. Matt

    October 30, 2012 at 8:38 am

    Does this work with IOS6?

    • satishb3

      October 30, 2012 at 8:20 pm

      No. It won’t.

  14. Tom

    November 19, 2012 at 10:42 am

    I know you mentioned that it may not work in iPhone 4s. I am just wondering why or if there is any new progress that can help me to retrieve data from my iPhone 4s that is stuck in DFU mode. Any suggestion is appreciated!

    • satishb3

      November 19, 2012 at 4:35 pm

      No way to recover for now

  15. Lilia

    December 5, 2012 at 11:48 pm

    I am sure this article has touched all the internet
    viewers, its really really good piece of writing.


    December 20, 2012 at 6:56 am

    This specific posting iPhone Forensics – on iOS 5, has got extremely very good information and I actually realized just what
    I was hoping for. Thank you.

  17. austin

    December 24, 2012 at 12:44 am

    4s 5.1.1 jailbroken with absinth, ssh was accessible, now stuck in recovery mode, because i deleted some data accidentally, the device won’t even kick into safemode. is there any chance i could use this method to somehow get those files from the trash back where it belongs, using ssh? please help

    • satishb3

      December 24, 2012 at 7:00 am

      were you able to SSH into the device ? if so, you can grab the file system image, then run recovery tools. Chances of recovering of those files is less but you can give it a try.


    January 25, 2013 at 7:17 am

    “iPhone Forensics – on iOS 5” ended up being a truly good blog, .

    I hope you keep composing and I’ll try to continue to keep following! Many thanks -Danuta

  19. PeterPSyd

    February 15, 2013 at 7:14 am

    Great article and very helpful.
    I have a friend with an iPhone 4 (not 4S), but still running original IOS 4.3.1
    He never synced with iTunes after receiving the iphone already activated and set up.
    He just lost his Address Book entries. Shows zero. IOS blanked for 10 seconds then returned but 500+ Address Book entries disappeared.
    Commercially available iphone recovery tools like Wondershare DrFone show all other data present and able to be retrieved, but show Address Book as blank.

    Since this phone is running IOS 4.3.1 (it might be 4.3.3 I don’t recall):
    1. Could I use this technique to retrieve the Address Book SQLite file directly from the phone?
    2. Can I use the custom Ramdisk you give the link for in your article, or must I create my own with an IOS4.3.3 ipsw? i.e. will your Ramdisk safely read IOS4.3 files?

    NB: He has the iphone’s password so no complications arise from lack of access to the phone itself. It is continuing to function. I told him not to save anything to the phone (but logs will keep being added to), as he continues to make calls send texts and receive/send emails. Not much media on the phone, so I am hoping the file has not yet been overwritten.

    3. How do you rate the chances of recovery of any Contact data?

    If it safely works, I intend resetting the phone completely and installing 6.1 and starting again, so it doesn’t matter if we screw up the retrieval process.

    Thanks for answering these three questions.

    • satishb3

      February 15, 2013 at 8:02 am

      Techniques in this article only recover files and do not recover SQLite deleted data. To recover SQLite data look at my recent article on SQLite data leakage in ios apps. That would help. Using it we can recover more than half contacts.

  20. Artem

    May 15, 2013 at 4:27 am

    Hi, work iPad mini iOS6???

    • satishb3

      May 16, 2013 at 7:29 am

      No. It won’t work for ipad mini.

  21. Per ARne Munthe

    May 16, 2013 at 1:46 am

    Hi and thanks for a great post. I’ve been using this to do some work on an iPad 1 running iOS 5.1.1 and by modifying and adding the right components I’ve managed to create the modified ramdisk. I now get this error when trying to run the keychain-tool :

    Pers-MacBook:iphone-dataprotection peram$ python -d python_scripts/ -d d802c0c166b219f4f45ae7b4dc727af07f3c2c8c/keychain-2.db d802c0c166b219f4f45ae7b4dc727af07f3c2c8c/0da7f663a826a5d5.plist
    Keybag unlocked with passcode key
    Traceback (most recent call last):
    File “python_scripts/”, line 72, in
    File “python_scripts/”, line 52, in main
    File “/Volumes/MountainLion/Users/peram/iphone-dataprotection/python_scripts/keychain/”, line 136, in print_all
    UnicodeEncodeError: ‘ascii’ codec can’t encode character u’\u2019′ in position 15: ordinal not in range(128)

    Any pointers on how to resolve this ? I have 0 python experience so I need help on this.

    Greetings from Oslo, Norway

    • satishb3

      May 16, 2013 at 7:31 am

      Will checkout today and let you know.

  22. Mark

    May 27, 2013 at 8:49 am

    This is excellent information, thank you for sharing it with others. I have successfully run through the ramdisk steps on 2 iPod 4th generation 8 GB devices. However, I tried the same procedure on an iPod 4th generation 16 GB device (model ME179LL/A) running 6.1.3 (10B329) and have not had much luck.

    I can get the device into DFU, and it will boot a 5.0, 5.0.1 and 5.1.1 patched IPSW, but less than a second after I see the OK the screen scrolls with what appears to be a stack trace, and then the device reboots. The same stack dump happens using all 3 different IPSW files. Any ideas what might be causing this, or how I could try to narrow down the problem?

    • satishb3

      May 27, 2013 at 6:15 pm

      I will take a look. Meanwhile you can check with msftguy ramdisk tools.

  23. homepage

    November 27, 2013 at 9:43 pm

    I am genuinely happy to read this blog posts which contains lots
    of helpful data, thanks for providing these kinds of

  24. Vanessa

    July 11, 2014 at 3:20 am

    Has anything come up for the iphone 5c?

    • satishb3

      July 14, 2014 at 8:18 am

      Yes, if 5c is jailbroken & openssh is installed, then you can use elcomsoft toolkit to extract the image and encryption keys.


    July 16, 2014 at 9:16 am

    Thanks for sharing your thoughts.I really appreciate your efforts
    and I will be waiting for your further write ups thank you once again.

  26. dRoid

    December 28, 2014 at 9:31 pm

    Hello Satish and thanks for the article!

    I have a jailbroken iphone 4 gsm (pangu) running iOS 7.1.2, model id iPhone3,1 and I am trying to recover accidentally erased video file from it, I have managed to dd iphone.img of the disk over wifi. But now I am lost what to do next. Is it possible to use your tutorial of extract AES wrapper keys? and then use those keys to decrypt the iphone.img with emf decrypter? I also noticed that the 4shared link of the ramdisk requires a premium account, is there any chance you would have time to upload it to some other site, that doesn’t require payment?

    Any help greatly appreciated.

  27. Waldo

    March 16, 2015 at 8:08 am

    Thanks for finally talking about “iPhone Forensics – on iOS 5”. Loved it!