Unallocated Space

[GoogleCodeExporter]

This isnt really an issue with the software, just a question/observation I 
have. I could not find a suitable method for posting this question to you.

How can an unallocated disk sector be decrypted correctly if the data is 
encrypted with a filekey? If the data is unallocated then there can be no 
resource fork for the data, if this is the case how is it possible to decrypt 
the unallocated data?

Original issue reported on code.google.com by matthew....@gmail.com on 30 May 2011 at 9:24

[GoogleCodeExporter]

Indeed this is a tricky question. An idea would be to first look for cprotect 
attributes of deleted files (using a tool like filexray) and then try each of 
these file keys on all the unalocated blocks.
Another idea would be to create a raw dump of the nand memory to include blocks 
hidden by the FTL/VFL layers. Since the encryption IV depends on the logical 
block number you'd need to do the reverse translation (physical page number to 
logical).

Original comment by jean.sig...@gmail.com on 1 Jun 2011 at 10:03

[GoogleCodeExporter]

Does emf_decrypter extract and decrypt individual files or does it produce a 
decrypted raw dump that i can use winhex on?

Original comment by giftedte...@gmail.com on 29 Jun 2011 at 9:47

[GoogleCodeExporter]

it decrypts the raw dump "in place" but does not decrypts the unallocated space 
because this is non-trivial.

Original comment by jean.sig...@gmail.com on 30 Jun 2011 at 8:33

[GoogleCodeExporter]

Jean, Thank you and your partner for both your hard work. I got all tools to 
compile and work as described. Hopefully in the future this tool or hfsexplorer 
will support the decryption of unallocated data.

Original comment by giftedte...@gmail.com on 1 Jul 2011 at 2:31

[GoogleCodeExporter]

i just committed a proof of concept implementation of a recovery technique 
using the journal file, based on this paper :
http://www.dfrws.org/2008/proceedings/p76-burghardt.pdf
http://www.dfrws.org/2008/proceedings/p76-burghardt_pres.pdf

It can help recover a few deleted files, depending on the state of the 
partition when the image was acquired.

Original comment by jean.sig...@gmail.com on 30 Jul 2011 at 12:51

[GoogleCodeExporter]

at this point, other than the amazing progress already done, it means i will 
have to keep my 30Gb dd image of my iphone's data partition until progress is 
made for that unallocated space.

Original comment by forge...@gmail.com on 24 Oct 2011 at 7:13

[GoogleCodeExporter]

To clarify - does this mean that those of us who want to pull a dd image off an 
ios 4 device and decrypt it in order to run tools like photorec to recover 
deleted images are wasting our time?  

Original comment by hamptonf...@gmail.com on 31 Dec 2011 at 5:38

[GoogleCodeExporter]

yes, photorec cannot work on ios 4 dd images since the unallocated space will 
be encrypted.

Original comment by jean.sig...@gmail.com on 2 Jan 2012 at 5:11

[GoogleCodeExporter]

It turns out it is possible to read the raw NAND and recover deleted files due 
to the way the FTL works. However you need to acquire a NAND image, this will 
not work on dd images.
See http://esec-lab.sogeti.com/post/Low-level-iOS-forensics and the updated 
README for more info.

Original comment by jean.sig...@gmail.com on 30 Jun 2012 at 11:33

• Changed state: Started

[GoogleCodeExporter]

Hello!
Is it possible to read the NAND of a 4s device? It runs FW 5.1.1.
I need to recover one video file.

Original comment by hybridhe...@googlemail.com on 11 Apr 2013 at 12:32

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

@Hybrid-Heaven it is not possible yet, some things have to be fixed in the nand 
dumper, and the new FTL used on A5+ devices must be reversed to adapt the 
undelete technique (issue 61).

Original comment by jean.sig...@gmail.com on 13 Apr 2013 at 2:25