iPhone Forensic Examinations – A Series



The Apple iPhone has been generating a huge amount of buzz lately both from the consumer and business customer and now from the forensic community. Several forensic companies have released tools to forensically examine iPhones; Radio Tatics LTD(Aesco), Cellebrite, Paraben (Device Seizure) and myself ( Sixth Legion, WOLF) to name a few. Each of these applications retrieves SMS, Call Records, Contacts as well as other information. And as you undoubtedly have heard it is always a good idea to have more than one tool in your toolbox for validation, preference and detail of information obtained. Each of the applications above have their place in your forensic arsenal.


However different and effective at obtaining the basics of a mobile forensic examination(Contacts, SMS, Calls) each the above applications are, they all share one commonality. None of the above mentioned products obtain what is considered the Holy Grail of Mobile Forensics, a true physical image and the ability to get deleted information out of the iPhone.  There is one method however that can get very near to a physical image of the iPhone and this image can be data mined for deleted information. However, this method has two particular sticking points. One, it involves a fairly complicated process that relies on a knowledge of the command line interface and unix tools. Two it involves the breaking into the filesystem of the iPhone and injecting a toolkit to get this image, which is arguably not forensic and violates Apple’s intellectual property.


In this first of several posts on iPhone forensics, I am going to examine what is meant by the term “jailbreaking”, which is the term used for changing of the iPhone filesystem  and allowing the injection of a forensic rootkit that will allow the examiner to use more traditional digital forensic tools to get as close to a physical image as possible. My goal in writing these posts is to try to demystify and bring technical language about this method down a notch so that phone examiners that may not also be cross trained in traditional electronic forensics can attempt this method particularly if the case is very important ( such as in terrorism or homicide) and the method is justified.


How the iPhone Communicates with a Computer

The iPhone is designed to communicate (read backed up) with a computer via an interface called the Apple File Communication Protocol (AFC). This protocol is a serial port protocol that uses a framework called MobileDevice that is installed with iTunes (default on Apple’s OS X). The protocol uses the USB Port and cable when it is connected to the computer and is responsible for things such as copying music and photos and installing firmware upgrades. 


However, the AFC and iTunes are not allowed to communicate with the entire iPhone memory area. Instead access is limited to certain files on the iPhone, namely those located in the Media folder on the second partition of the device (I will detail the filesystem and partition layout of the iPhone in a follow-up article).


In other words, iTunes is allowed access to a “jailed” or limited area of the device memory. While the AFC can be used for transferring files, it is not effective for reading information from raw devices which is essential to obtaining a physical image. Therefore,some modification needs to occur to the filesystem in order to make access to the raw device and get a truer physical bitstream copy.




So iTunes accesses the iPhone in a jailed environment; what exactly does this mean? The idea of a jailed environment is actually borrowed from the Unix world ( Unix for those of you that don’t know is an operating system-see http://en.wikipedia.org/wiki/Unix). Simply put jailed access means that access to certain areas of memory and files is restricted and that access allowed is not of an administrative or root level. This is generally done to prevent damage to a system.

To recap, the system partition an iPhone, the partition where the OS and the default applications live on the flash memory, is protected from low level access by iTunes or processes unless modified in some way ( the partition layout I will again detail in another post). This “protection” is done through something called a jailed environment or sometimes called a  ‘chroot jail’  which is, again, borrowed from the linux/unix lexicon. 

When a Chroot occurs, it changes the apparent root directory. Any program that is re-rooted to another directory cannot access or name files outside that directory. This re-rooted directory is called the chroot jail or the jailed environment. 

In reference to the iPhone, the chroot jail directory is Media folder (detailed in another post). 

The term “jailbreaking” in reference to the iPhone refers to the breaking open of this chroot jail to allow read/write access to the entire device; not just the Media folder. This, coincidentally, is exactly what occurs in the computer world when a hacker breaks into an unauthorized system and gains root access.

What Occurs When an iPhone is Jailbroken

In essence, what occurs when an iPhone is “jailbroken” for forensic examination is that select Apple File Protocol is used to boot what is called a Ram Disk (An area of RAM that acts as if it were a disk drive) into the iPhone’s running memory. This Ram Disk then mounts the iPhones filesystem and the forensic payload is copied into the filesystem. The iPhone is then rebooted and the payload executes its tasks (for instance, installing traditional Unix tools such as DD and SSH for making disk images and secure networking).

This is of course a simplified explanation, readers who seek more detailed and thorough discourse are invited to read Jonathan Zdziarski excellent book on the subject that is cited at the end of this post.

Forensic Implications of Jailbreaking

You may find yourself in a situation with an iPhone where “Desperate Times Call For Desperate Measures” and need to use the jailbreaking method of examining the iPhone. However, one needs to bear in mind that it isnt really and truly forensically sound and does in fact violate Apple’s copyright and ACPO. Remember the four principal tenets of the ACPO guidelines

  1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may be subsequently be relied upon in court.
  2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  3. An audit train or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
  4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principals are adhered to.

As you can clearly see, jailbreaking an iPhone violates at least the first of these tenets, and it is incumbent upon the examiner to understand thoroughly the method and report on it per the second. There is also a potential problem with the third tenet as well. The examiner should strongly consider whether the applications named in the beginning of this post obtain what is necessary before taking the steps outlined in the jailbreaking method so as to not only follow the ACPO guidelines but avoid possibly destroying evidence.

While effective and very clever the jailbreaking method can be dangerous, especially to examiners that are not used to the command line interface and manually carving data out of an image.

I hope that this post has been informative for the mobile forensic community. In follow-up posts, my goal is to help you with the jailbreaking method of examination as well as looking at iPhone backups, the structure of the filesystem and databases.

Please post commentary about this guide and what you may like to see on follow-up posts.


Reference Work

I am indebted to Jonathan Zdziarski for his work in iPhone Forensics. I highly recommend his book for all those interested in the iPhone.


iPhone Forensics, by Jonathan Zdziarski. Copyright 2008 Jonathan Zdziarski, 978-0-596-15358-8.



  1. Nick


    I was wondering if you would be able to take a little bit of time and help me out. I’ve been trying for quite some time now to follow Jonathan Zdziarski’s methods of creating a physical image of the 2.x firmware. I’ve gone through this countless times on both a mac and a pc and I cannot get it to work. I’ve tried various methods of creating the stage1 and stage2 firmware packages, different versions of iTunes, and I’ve even tried jailbreaking the iPhone before installing the packages and so far nothing has worked. If you can offer me an tips or anything you’ve run across that can help me out I would appreciate it.

    • numenorian

      Is this an exhibit or one of your own you are experimenting with? You may try to use to use pwnage tool and install the BSD subsystem tools. Then you can follow his directions.

  2. Tesan

    I am interested in developing an application to read iphone RAM for forensic analysis. I am newby to iphone based forensics. Could you please help me to find the memory controller data sheet and application development.


  3. Sean

    How can you say out of one side of your mouth that Jailbtreaking violates canons of Forensics and then applaud an individual that is a hacker without any kind of Law Enforcement experience. There are countless Police Officers, Detectives, Examiners, and Labs that clearly state that Jailbreaking is not worth losing a case for the little that one can glean from this method. There are numerous other forensic methods that can be used prior to jailbreaking. Forensics has rules and tenets, not “Anything Goes” junk science.

  4. Pingback: iPhone » エリミネタ
    • ajir16290

      Hello ahmed…i am also working on iphone forensics…and i have got few queries..it would be great if i can have an email id where i can contact you. Thank you