nspassov / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

Undeleted Files Still Encrypted....? #80

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,
I have a question/issue regarding the use and results of the emf_undelete 
script.

If I run the script un-modified, the "undelete" folder is empty after the 
script completes.
If, however, I modify the script hfs/journal.py per the instructions in 
Jonathan Zdziarski's text "Hacking and Securing iOS Applications", by 
replacing the method "isDecryptedCorrectly" as described in chapter 6, I then 
get approximately 7 files in the "undelete" folder.

HOWEVER, none of these files in the "undelete" folder seem to be decrypted.

Any idea why?

Also, is there a utility or script that can just decrypt a single file once the 
keys have been extracted?
Similar to "emf_decrypter.py" except that it only would decrypt a single file 
instead of the entire image?

Thank You,
frankmarco2000

Original issue reported on code.google.com by frankmar...@gmail.com on 2 Nov 2012 at 6:25

GoogleCodeExporter commented 9 years ago
Hello,
The isDecryptedCorrectly method tries to check if the recovered files are 
valid, but in that case the files you get in the undelete folder are "false 
positives". The method implemented in emf-undelete is very limited; for better 
chances of recovery you have to acquire a NAND dump and use the "undelete" 
command of ios_examiner.py (see the README on the wiki).

To decrypt a single file you can use the modified HFSExplorer available on the 
downloads page; it allows you to browse the image and extract/decrypt files on 
the fly, without having to decrypt the entire image.

Original comment by jean.sig...@gmail.com on 3 Nov 2012 at 1:05

GoogleCodeExporter commented 9 years ago

Original comment by jean.sig...@gmail.com on 26 Jan 2013 at 10:56