2011_IMIS

Paper by "Pope" Luis Gomez Miralles - www.pope.es

Uploaded by

gqpvt5xg7b
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
5 views

2011_IMIS

Paper by "Pope" Luis Gomez Miralles - www.pope.es

Uploaded by

gqpvt5xg7b
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Universal, fast method for iPad forensics imaging via USB adapter

Luis Gómez-Miralles
Computer forensics and electronic evidence investigator
INCIDE - Investigacion Digital, S.L.
Valencia, Spain
[email protected]

Joan Arnedo-Moreno
Estudis d’Informàtica, Multimèdia i Telecomunicació
Universitat Oberta de Catalunya
Barcelona, Spain
[email protected]

Abstract

The Apple iPad is a popular tablet device presented by Apple in early 2010. The idiosyncrasies of this new portable device and the kind of data it may store open new opportunities in the field of computer forensics. Given that its design, both internal and external, is very similar to the iPhone's, the current easiest way to obtain a forensic image is to install an SSH server and some tools, dump its internal storage and transfer it to a remote host via wireless networking. This approach may require up to 20 hours. In this paper, we present a novel approach that takes advantage of an undocumented feature, making it possible to use a cheap iPad accessory, the Camera Connection Kit, to image the disk to an external hard drive attached via USB, greatly reducing the required time.

Keywords: forensics, iPad, cybercrime, digital investigation, Apple.

1. Introduction

Portable devices have become a very important technology in our society, allowing access to computing resources or services in a ubiquitous manner. In that regard, mobile phones have become the clear spearhead, undergoing a great transformation in the last years, slowly becoming small computers that can be conveniently carried in our pockets and managed with one hand. However, as user requirements start including new functionalities beyond those that a mobile phone can realistically offer, advanced portable devices have been developed in order to fulfill them. Such devices try to reach a compromise between a high degree of portability, usability and the ability to provide such advanced functionalities (for example, being able to read or process documents).

The latest contender in the field of embedded portable devices is the Apple iPad, a tablet computer which tries to take advantage of the success of its ancestor, the iPhone. It was announced by Apple in January 2010 and launched in the U.S.A. and Europe between April and May 2010. After 80 days in the market, 3 million units had been sold [1]. Given its popularity, it becomes evident that as such devices become widespread, they will also become more common and relevant as sources of evidence from a computer forensics standpoint, providing data about their users. Such data can become very important in cases of crime investigation, where it can be used as evidence in court or can provide valuable clues to investigators. Since advanced portable devices are usually closed embedded systems with their own idiosyncrasies, not actually being fully fledged PCs, forensic data acquisition presents some interesting challenges. That is especially relevant when it is necessary to use non-invasive methods, maintaining the device in the same state (or as similar as possible) as the one it was in before the analysis began.

Currently, the easiest method to obtain a forensic image of an iPad device (which can also be basically applied to an iPhone) is to install an SSH server and some tools, retrieve its internal storage contents and transfer the data to a remote host via wireless networking. This approach can take up to 20 hours. In this paper, we present a different approach which relies on a local USB connection with the help of a cheap and easily available peripheral, the Camera Connection Kit. This approach greatly reduces the time needed to create a system image. Furthermore, as an additional contribution, the presented method keeps a compromise in the amount of data which is modified during the acquisition process.

The paper is structured as follows. Section 2 provides an overview of the iPad architecture, focusing on those characteristics especially relevant from a forensic analysis standpoint. In Section 3, a literature review of the current state of iPhone/iPad forensics is presented. The proposed forensic data acquisition method is described in Section 4. Concluding the paper, Section 5 summarizes the paper's contributions and outlines further work.

2. iPad architecture overview

From the external point of view, the iPad is basically a big (24x19 cm) iPhone with a 9.7” screen, providing a resolution of 1024x768. While its internals are very similar to those of its predecessor, the iPad's bigger form factor makes it suitable for longer periods of use, which has motivated the appearance of lots of different applications of every kind. Therefore, the iPad is able to perform tasks previously reserved to common computers or, up to some point, netbooks.

2.1. Main features

The basic iPad internals are:

• Processor: a custom Apple A4 ARM processor based on a single-core Cortex-A8, running at 1 GHz.
• Volatile storage: 256 MB DRAM.
• Non-volatile storage: 16, 32 or 64 GB solid state storage drive.
• Wireless connectivity: 802.11 a/b/g/n and Bluetooth 2.1, the same as every iPhone.
• In addition, the 3G model features an A-GPS (Assisted GPS), and hardware for communicating over UMTS/HSDPA (820, 1900 and 2100 MHz) and GSM/EDGE (850, 900, 1800 and 1900 MHz).

In the process described in this paper, we will use the wireless (802.11) network and the iPad “Dock” connector, described in the next section.

2.2. Connectors and buttons

The iPad connectors and buttons are very similar to the iPhone’s. When the device is held with the short edge that carries the round button at the bottom, we find:

• Top left: a 3.5” jack capable of functioning simultaneously for several audio functionalities.
• Top right: “Lock” button.
• Right edge, near the top: volume and mute controls. In the previous iOS 3 branch, the mute button was a rotation lock switch instead; this function has since been moved to a ‘software switch’ in the device’s graphical interface.
• Bottom center, front face: round “Home” button.
• Bottom center, on the edge (below the “Home” button): Apple standard 30-pin “Dock” connector, the same used in every iPhone and most iPods.

Figure 1 shows the function of each button. Note that the “Lock” button performs several functions: when the device is off, it will turn it on; when the device is on, a short press will put the device to sleep or wake it from sleep, and a long press will show a dialogue to turn it off. For clarity, in this paper we will keep referring to this button as the “Lock” button. Button configuration is important since, as will be explained in Section 4.1.1, it may be necessary to put the device in DFU mode (‘Download Firmware Update’) in order to set up the device for forensic imaging. When this is needed, installed software usually instructs the user to press a particular combination of these buttons to have the device enter DFU mode.

Figure 1. iPad button configuration (iOS 4 and higher).

2.3. Partition scheme

As noted by Zdziarski [2], all devices belonging to the iPhone family contain two partitions:

1) A huge user data partition, holding all extra applications installed as well as all the user’s data.
2) A small system partition containing iOS and the basic applications.

From a forensics standpoint, as far as the user data partition is concerned, some iPad applications which may hold relevant data include enterprise or office software, such as QuickOffice Connect Mobile Suite [3] or Apple’s iWork suite [4], [5]. They can all contain text documents or spreadsheets, which are prone to including sensitive or financial information. Although similar applications existed in the iPhone, allowing for direct document editing with no need for an external computer, the iPad’s form factor will no doubt boost the existence of documents stored only within the device (and not, for instance, in the suspect’s main computer), being edited there and never travelling outside the iPad (with the possible exception of device backups performed by iTunes).

Another possible source of information lies within Apple’s AirPrint framework, released in November 2010 as a feature of iOS 4.2 [6], which provides native printing capabilities to the iPhone and iPad. But long before AirPrint existed, other applications such as PrintCentral [7] already allowed the user to send most document types to a remote printer (connected to a computer with the appropriate server software). These applications’ disk caches are likely to hold relevant information such as copies of printed documents.

The system partition contains the base iOS software that comes bundled inside every iOS software update (which explains why such updates weigh hundreds of megabytes). This includes the core operating system and graphical user interface, as well as the standard set of bundled applications such as Safari, Mail, Calendar, iPod, etc. Note that only the application binaries themselves lie within this partition, whereas the relevant data (for instance, user mail) is stored in the data partition.

3. Current work on iPad forensics

A very basic approach to acquiring user data is connecting the device via the standard USB cable to a computer running iTunes, Apple’s multimedia player which is in charge of synchronizing content to the device. Using its AFC protocol (Apple File Connect), iTunes syncs existing information (contacts, calendar, email accounts, apps...) and can even retrieve a complete backup of the device; however, this presents two problems:

1) The device needs to be correctly paired with the iTunes software in order to sync.
2) Even if the investigator has access to an iTunes backup of the device (say, found in the suspect’s main computer), it will not contain unallocated space, from which deleted data can be recovered.

Consequently, more sophisticated methods are required. However, the iPad is distributed as a closed device, meaning that access to its internals is limited and only those applications approved by Apple may be installed or executed. With this set of restrictions in place, it is extremely difficult to acquire any kind of meaningful forensic data. Fortunately, even though the iPad is a very new device, its internal architecture is very similar to the iPhone’s and forensic approaches may be easily ported to the iPad.

On July 6th 2007, just one week after the iPhone was launched, George Hotz announced [8] the existence of a method to get a full, interactive shell. This was the first step towards bypassing Apple’s restrictions on their devices, making it possible to execute any program and not only those approved by Apple; a process that has been named jailbreaking. In other mobile platforms, such as those running Google’s Android operating system, a similar process exists which is known as rooting. Vendors usually dislike this technique, although in most countries it is legal or at least not definitely illegal. If you ever need to defend this in court, you can give a brief explanation of why the device was jailbroken: to get full access to the system, and thus to the information stored in it, which is crucial in criminal cases which require forensic analysis of this kind of device.

The jailbreaking process modifies the system partition without altering the data partition, which means that it does not alter the user’s data, a very important requisite. Even if we assume that some current or future jailbreak methods will modify the user data partition, we can still obtain plenty of useful information, as long as we know what alterations we are responsible for. Ever since their development, the jailbreak tools have been updated to support every new iPhone model and every new iOS version. This method may also be applied to an iPad and, in fact, the two major forensic approaches for recovering a complete image from the device are ultimately based on jailbreaking.

The main approach was proposed by Zdziarski [2], who noted that the iPhone can communicate across several different mediums, including the serial port, 802.11 Wi-Fi, and Bluetooth. Due to the limitations of Bluetooth on the iPhone, the two preferred methods are via the serial port and Wi-Fi. He proposed a basic method for obtaining a forensic image of the iPhone without tampering with the user data partition, by jailbreaking the device and using SSH access and the dd and netcat standard UNIX tools, which by that time had already been ported as part of the growing iPhone jailbreaking community. Similar methods are explored by Rabaiotti [9] against a Microsoft Xbox. There was not, however, a known, public way to communicate with the device via its serial port, so Zdziarski had to send the forensic image via the device’s Wi-Fi interface, which is quite slow.

Alternate approaches are provided by some forensics software vendors [10], [11], which have developed solutions that use rather uncommon techniques to get a dump of the solid state storage drive. This is often accomplished by using exploits against more or less known bugs in specific iOS versions in order to execute arbitrary unapproved code, which is actually the same thing jailbreakers do in order to free their devices. However, these vendors do not need to install a complete set of tools in the device. Instead, they tend to upload a tiny, small-footprint software agent which ideally will take control of the system, dump the solid state storage drive through the serial port (dock connector), and will then reboot the device without copying any data to the iPad internal storage.

These methods offer some advantages over the jailbreak approach, being a more straightforward process, simpler for the investigator and leaving little or no footprint on the acquired system. However, they also have some weak points.

First and most important, any proprietary method ultimately makes use of an exploit against vulnerabilities of the iOS version of the device, because this is the only way to take such control of the device bypassing every vendor restriction. With every iOS update (usually every few months, downloaded via iTunes), the forensics software must be updated, usually because bugs exploited in previous versions are fixed in the newer version; but even if an exploit still works, exploitation parameters such as memory addresses are very likely to change.

Jansen [12] identified “the latency in coverage of newly available phone models by forensic tools” as one of the problems for forensic specialists working with mobile devices. Jailbreaking in the iPad has been moving in a timeframe of barely 1-5 days following iOS updates. We consider it very realistic that at some point in the near future, jailbreak updates will be available days or even weeks before some particular forensics software products get the same needed updates.

In addition, many of these proprietary methods are closed and lack any public documentation. Therefore, they are difficult to audit and it cannot be guaranteed that no footprint is actually left on the device. Knowing the process the device is going through, and the precise alterations that this process causes to the device, is a good practice and very important to the forensic investigator.

Therefore, even though some of the proprietary methods may be suitable for the analysis of the device under common circumstances, vendors of such products may fail to release in time an update to support newer iOS versions; they may even not release it at all if, say, the product is discontinued. Our approach offers what appears to be the best possible throughput, and this is accomplished with a generic UNIX approach via jailbreaking, which is likely to live longer than most iPad forensics software products, thus guaranteeing that it can be applied in future iOS versions.

4. Forensic data acquisition on iPad devices

In this section we will describe our method for fast iPad imaging via a USB connection. The method is divided into two general phases: device setup and imaging. Each phase is also divided into several substeps which must be sequentially followed. We will not provide detailed instructions about how to jailbreak an iPad. The description will focus on our technique to recover an image of user data from an already jailbroken iPad.

4.1. Device setup

As mentioned in Section 3, before any forensic analysis may be attempted, a special device setup is required in order to bypass the access restrictions installed by the manufacturer. Once this phase is complete, low-level access to the device is actually possible. In addition, it is necessary to install the extra packages needed for our proposed imaging approach.

4.1.1. Jailbreak the device. The actual way to perform the jailbreak varies depending on the iOS version installed on the device. An iPad running iOS 3.2.1 (the initial iOS version preinstalled in most iPads) can be jailbroken by just browsing to http://www.jailbreakme.com, a website that exploits a known vulnerability in Safari to take control of the system. The exploits themselves and related documentation can be found at [13]. For a complete, up-to-date chart about jailbreaking tools for each iOS version, refer to [14].

Many jailbreaking tools (redsn0w, PwnageTool, etc.) will require the user to put the device into DFU mode with a combination of presses of the “Lock” and “Home” buttons. When this is needed, the software will give the user the necessary instructions.

Should we find a device with a recent iOS version for which no jailbreak procedure exists, it could be acceptable to downgrade to the latest jailbreakable version, although this should be done only as a last resort, and always documenting the steps taken. This would rarely succeed, however, because Apple does not allow downgrading a device’s iOS version after a newer version has been available for some time. There are some workarounds for this, but they are not of use in our scenario because they require that some crucial data was saved before the present iOS version was installed. Anyway, it is very unlikely that we hit a non-jailbreakable iOS. Take, for instance, iOS 4.2.1 (the first iOS 4 release for the iPad): it was released on November 22, 2010, and the appropriate tool for jailbreaking (in that case redsn0w) was released the next day [15].

Once a new iOS version has been released, the first jailbreak methods will probably be tethered: a tethered jailbreak means that it is only effective as long as the operating system is running. The moment it is rebooted (not when the device is locked), the jailbreak is lost, meaning that two things will happen temporarily until the device is rebooted again into a tethered jailbreak state with the appropriate tool: (1) any jailbreak software installed will not work; and (2) some internal applications (for instance the Safari web browser) may not work, or in the worst case, the whole device might not work at all. We state again that this is only a temporary state, until the device is jailbroken again. It would be acceptable to use a tethered jailbreak for imaging purposes, and in fact part of the tests performed in this paper have taken place over an iPad running iOS 4.2.1, for which a tethered jailbreak is the only jailbreak method available at this time.

It is important to note that jailbreaking a device does not mean carrier-unlocking it. Jailbreak is just a precondition for carrier unlocking. Our proposal need not perform carrier unlocking, and in fact this is rarely needed in the iPad given that it is usually sold carrier-free.

4.1.2. Charge the battery. It may seem obvious, but it is necessary to have the battery charged to, at least, about 20%. This is because during the imaging process, the iPad’s dock connector will be used for USB data transfer, so it will not be possible to plug the device into a power outlet.

4.1.3. Run Cydia and upgrade available packages. After the device has been jailbroken, a new application labeled Cydia [16] will appear in the home screen. This is the software manager that allows installing software not approved by Apple.

When run for the first time, Cydia initializes the device’s filesystem and exits. In the next execution, it presents a “Who are you?” prompt, offering three choices; we must choose ‘Developer (no filters)’, as it offers the widest range of software. Afterwards, if there are available updates to install, it is recommended to perform a ‘Complete upgrade’. The device will then restart. We re-open Cydia and, if asked for upgrades, we repeat the process.

4.1.4. Install required software packages. Once Cydia has finished upgrading itself, we use the ‘Search’ function in Cydia to find and install the following packages:

• openssh. This package contains the SSH server that we will use to access the iPad.
• coreutils. This package contains the split command, which is needed for reasons that will be explained later.

The most important tool for this procedure, dd, need not be installed, as it is contained inside the essential coreutils-bin package, which is installed by default as part of the jailbreaking process.

4.1.5. Network and auto-lock settings. It is necessary to connect the iPad to a wireless network. Another computer in that network will be used to access the iPad via SSH. Communication between the computer and the iPad will be over SSH, and thus encrypted. However, we strongly advise using encryption in the wireless network protocol and, ideally, using an isolated network for the computer and the iPad only. This is because there is a small window of time in which the device will be accessible with default passwords. There is at least one known worm which penetrates jailbroken iOS devices using these default credentials [17], although nowadays it is nearly impossible to find that code in the wild.

To connect to a wireless network we use the relevant section inside the ‘Settings’ application. If no wireless network is available, a laptop can be used to create an ad-hoc network and have the iPad join it. The blue button next to the network name reveals the IP address in use (usually acquired via DHCP) and allows the user to manually specify an IP address if needed. The IP address must be noted, as it will be needed later for accessing the iPad from the remote computer.

Still in the ‘Settings’ application, section ‘General’, the ‘Auto-Lock’ option must be set to ‘Never’. This will prevent the device from going into sleep mode while the forensic image is being generated, which could interrupt the process. When not in use, the device should be locked (using the Lock button; see Section 2) in order to save battery.

We have not tested whether the multitasking capabilities and persistent Wi-Fi in iOS 4 would allow the imaging process to take place while the device is locked. Anyway, given that imaging is a long process that can take more than an hour in the biggest devices, we recommend keeping the device awake all the time.

Local access approach. We found at least two ways to apply this method without using a remote computer, although both of them introduce additional complications to the process. On one hand, it may be possible to install MobileTerminal instead of openssh, and use the terminal application in the iPad itself to mount the hard drive and image to it. However, at the time of this writing, MobileTerminal does not work in iOS versions 4.x, and this software has a history of long delays before being updated to support newer iOS versions.

On the other hand, another approach is to install openssh and run an SSH client on the iPad itself. There are many such applications in Apple’s App Store, although keeping this application running during the image generation is likely to alter data and will possibly corrupt the image. Thus, we prefer to use a remote computer and leave the iPad as untouched as possible. Remounting the partition read-only is not a possible solution in this case, as will be explained in Section 4.2.1.

4.2. Device imaging

Once the device is connected to a wireless network, another computer in that same network is used to connect to the iPad via SSH. Using this connection, it is possible to remotely issue commands to the device to initiate the imaging process.

At this point the iPad is accessible via the standard password alpine, which works both for the standard mobile user and for the root user, which has full access to the device. The correct way to proceed would be to access the iPad via SSH as the root user, and immediately change its password and the password of the mobile user account, using the passwd command.

4.2.1. Mounting a USB hard drive. In this step we will use Apple’s Camera Connection Kit for the iPad [18] in order to access an external USB hard drive. According to Apple, “the iPad Camera Connection Kit gives you two ways to import photos and videos from a digital camera: using your camera’s USB cable or directly from an SD card” [18]. Thus, it consists of two adapters, one of them being an SD card reader, and the other offering a USB female connector; both of these adapters can be plugged (one at a time) into the iPad’s dock connector, placed in the base, below the “Home” button.

Initial vendor information suggested that the USB adapter only uses the PTP protocol [19] to access the images stored in a camera, and that an actual camera, with its camera-to-USB cable, should be plugged into this connector for the adapter to import the pictures. When this is done, the Photo application launches and allows the user to transfer photos and videos from the connected media to the iPad’s internal memory.
We have found, however, that the iPad implements the USB mass storage device class protocol. Thus, the iPad may mount the disk inserted (regardless of whether it is a hard or solid state storage drive) looking for a /DCIM directory as per the CIPA DCF standard [20]. If this folder exists, the Photo application will open, allowing the user to import contents; if the folder is not found, the device is unmounted and ignored. We have exploited this undocumented feature to manually mount an external USB hard drive with the appropriate parameters.

As for the filesystems supported, we have been successful in mounting FAT and HFS+ (the standard Macintosh filesystem, which is also the one used for the iPad internal storage). An important issue for Windows users is that their operating system will refuse to format a drive larger than 32 GB as FAT [21], although it can normally mount much bigger FAT partitions and work with them flawlessly. These users will need to use external tools such as Fat32Format [22]. Mac and Linux users will have no trouble with their standard Disk Utility and mkfs.msdos tools, respectively.

When we have connected the USB external drive to the iPad (see Figure 2), we can check its presence within the SSH session by running the following command:

    ls /dev/disk1

Figure 2. iPad connection to external hard drive via Camera Connection Kit.

The iPad internal storage disk is assigned the node name /dev/disk0, so the presence of a /dev/disk1 implies that the newly connected hard drive has been correctly recognized. If we get an error and there is no /dev/disk1, the drive has not been recognized. In our tests, this was usually accompanied by a dialog on the screen complaining that “this device requires too much power”, when trying to connect certain big solid state storage drives and some portable hard drives that take power from USB only. Under iOS version 4 the problem gets bigger because the USB port will no longer supply 100 mA (as it did under iOS 3.x) but only about 20 mA [23]. We found that the best results were achieved using a full-size external hard drive with its own power adapter, or connecting the drive to a powered USB hub.

This command mounts the first partition of the external drive in the /mnt directory of the device:

    mount -t msdos /dev/disk1s1 /mnt

We were equally able to mount HFS+ partitions using the -t hfs parameter. Due to the Macintosh EFI support, finding the correct partition name for HFS-formatted disks can be tricky. To view the full list of available partitions, we used the command ls /dev/disk1*, and we tried to mount all of them until we succeeded.

Zdziarski [2] recommended immediately remounting the data partition in read-only mode (umount -f /private/var; mount -r /private/var) prior to beginning the actual imaging. However, in our tests, we found that in both iOS 3 and iOS 4 the system halted if the partition was unmounted; and forcing its remount with mount -fru was not supported either.

It must be noted that imaging a mounted partition may alter the integrity of the filesystem contained in the resulting image. In fact, we found out that it is possible to end up with images that are unmountable. In order to reduce this risk, no other activity should be taking place in the iPad (neither via the touch screen, nor through the network) while imaging.

Once the disk has been mounted, the command df -h /mnt can be used to show its free space and confirm that the drive has been correctly recognized.

4.2.2. Obtaining the forensic image. At this point the working directory was changed to that where the external drive was mounted and the imaging process started with the command:

    dd if=/dev/rdisk0s2 bs=32M | split -b 4000m - part-

The full command can be explained as follows:

• dd - The command dd is invoked,
• if=/dev/rdisk0s2 - taking as Input File (i.e. reading from) the device rdisk0s2, which corresponds to the second slice of the iPad’s internal storage, containing the data partition. Due to the partition scheme used in Mac OS and iOS, it is equally acceptable to image /dev/rdisk0s2s1.
• bs=32M - using a block size of 32 MB; actually, we found that the process works, with similar throughput, for values of 1M and multiples of it.
• | split - Instead of writing all these data to a huge file on disk, the data is split.
• -b 4000m - Split file size, into smaller files of 4 GB (4000 MB) each.
• - - This dash means the input content to be split is coming from the previous command, in this case dd.
• part- - And this is prepended to the name of the output files. The suffix will be two letters, starting with aa, as this is the default behavior for the split command.

As a result, several 4 GB chunks named part-aa, part-ab, etc. were generated. Splitting the image into smaller 4 GB files would not be necessary when imaging to an HFS-formatted (Mac) drive.

When finished, the target drive must be unmounted before disconnecting it from the iPad. This can be done by either turning the iPad off or unmounting the drive by exiting the /mnt folder and running umount /mnt.

4.2.3. Reconstructing the image. In order to obtain a full image that can be processed using standard tools, all the fragments must be concatenated. This can be done with a variety of tools in different systems, but a simple command that will probably work in Mac, Linux, and Windows would be:

    cat part-* > ipad.dmg

The resulting image can then be treated by the methods described in [2] to recover data such as: emails, address book contacts, pictures and videos, Google Maps data, and so on.

As far as image reconstruction is concerned, it must be noted that, starting with iOS version 4, Apple introduced a layer of hardware encryption services [24], which, if activated in the device, will result in partial encryption of the imaged data. Together with this, we found a new protect option for the mount command, which is by default applied to the data partition. We have failed to find any documentation about this parameter, although interestingly enough, the string protect also appears inside the Mac OS X mount command. Nevertheless, the inclusion of this iOS version into the iPad is still very recent at the time of this writing, so we didn’t have much time to experiment with it.

4.3. Performance Results

We performed several experiments measuring the speed of our proposed imaging process via USB connection using the Camera Connection Kit. As can be seen in Figure 3, the process offers a measured throughput of 15.9 MB/s or 0.95 GB/min. This was the highest transfer rate we could achieve, always using common serial-ATA hard drives connected through standard USB-to-SATA adapters. The figure represents the output of imaging a 64 GB iPad running iOS 4.2.1 to a Seagate ST3500418AS drive.

In comparison, we tested the Zdziarski method over an ad-hoc 802.11n network operating at its maximum theoretical rate (108 Mbps), and we obtained a throughput of barely 1 MB/s, which means that a 16 GB iPad would be imaged in 5 hours and a 64 GB one would require about 20 hours. Our USB approach results in a speed boost of 15x over traditional Wi-Fi imaging.

Forensics software vendors do not seem to release specifications about the imaging times needed by their methods; we could only find that information about Jonathan Zdziarski, who states [26] about “the latest version of the Zdziarski method, which is used in the automated tools available free to law enforcement agencies worldwide”: “about 15-30 minutes is all it takes, regardless of whether you’re imaging a 4GB iPhone or a 32GB iPhone 3G[s]”. Assuming he is able to image 32 GB in ‘about 30 minutes’, we think we have come to the same limit. This is probably the maximum transfer rate of the device’s serial port, although it is hard to tell whether this is a physical limit of the port or a software matter that could be improved in future iOS versions.
In this scenario, imaging the partition is possible although
the resulting image may not be mountable. We think that this
is probably due to a layer of encryption, which could be
circumvented if the keys are retrieved from the live system Figure 3. Throughput of system imaging a 64 GB iPad.
after gaining SSH access. Still, carving tools such as Scalpel
[25] may be able to recover certain file types.
If the device is just passcode-protected, jailbreaking 5. Conclusions and Future Work
and accessing via SSH is equally possible. The sim-
plest jailbreaking methods working in user-land, such as In this paper, we have presented a novel approach that
jailbreakme.com will not work given that we are un- takes advantage of a hidden feature in the iPad’s USB
able to obtain initial access to the device, but other methods adapter so it is possible to use a cheap, universally available
(redsn0w, Pwnage Tool...) could work. $30 accessory to image the device directly to a USB drive
attached to it. The main contribution of this approach is [9] J.R. Rabaiotti and C.J. Hargreaves, “Using a software
resulting speed boost to the process, which greatly outpaces exploit to image RAM on an embedded system ”, Digital
existing traditional Wi-Fi approaches, becoming one of the Investigation, vol. 6, pp. 95–103, 2010.
fastest ways to obtain a complete forensic dump of Apple’s [10] Katana Forensics, “Lantern”, http://katanaforensics.com/
iPad. In fact, we have apparently reached the speed limit of use-our-tools/lantern/.
the iPad’s dock connector.
Up to this day, similar transfer rates could only be [11] Forensic Telecommunications Services Ltd., “iXAM - Ad-
vanced iPhone Forensics Imaging Software”, http://www.
achieved using commercial tools which are paid and/or re- ixam-forensics.com/.
stricted to law enforcement agencies, opaque to the scientific
community and undocumented. Therefore, it is difficult to [12] Moenner L. Jansen W, Delaitre A, “Overcoming impediments
assess what is really happening during the imaging process to cell phone forensics”, in In Proceedings of the 41st Annual
Hawaii International Conference on System Sciences. 2008,
and whether the original data is being somehow altered. pp. 483 – 483, IEEE CSP.
As far as iPad forensics is concerned, a fast imaging
method opens some interesting research lines for the future. [13] Comex, “Comex ‘star’ GIT repository”, 2010, http://github.
The ones we find most interesting are live memory dump com/comex/star.
of the device, study of the iOS 4 encryption system, an [14] “Jailbreak Matrix”, 2010, http://www.jailbreakmatrix.com/
autonomous imaging from the iPad to the connected USB iPhone-iTouch-Jailbreak.
drive eliminating the need of a network and a remote
computer and analyzing of the forensic artifacts left by the [15] iPhone Dev Team, “Thanksgiving with Apple”,
AirPrint subsystem. 2010, http://blog.iphone-dev.org/post/1652053923/
thanksgiving-with-apple.
Acknowledgments [16] Jay Freeman ‘Saurik’, “Bringing Debian APT to the iPhone”,
2008, http://www.saurik.com/id/1.
This work was partially supported by the Spanish MCYT and the
FEDER funds under grant TSI2007-65406-C03-03 E-AEGIS and [17] Sophos Security, “First iPhone worm discovered
CONSOLIDER CSD2007-00004 ”ARES”, funded by the Spanish - ikee changes wallpaper to Rick Astley photo”,
Ministry of Science and Education. 2009, http://nakedsecurity.sophos.com/2009/11/08/
iphone-worm-discovered-wallpaper-rick-astley-photo/.
References [18] Apple Computer Inc, “Apple iPad Camera Connection Kit”,
2010, http://store.apple.com/us/product/MC531ZM/A.
[1] InformationWeek, “iPad is top selling tech gadget ever”,
2010, http://www.informationweek.com/showArticle.jhtml? [19] International Organization for Standarization (ISO), “ISO
articleID=227700347. 15740:2008 – Electronic still picture imaging – Picture trans-
fer protocol (PTP) for digital still photography devices ”,
[2] Jonathan Zdziarski, iPhone Forensics: Recovering Evidence, 2008.
Personal Data, and Corporate Assets, O’Reilly, 2008.
[20] Camera & Imaging Products Association, “Design rule for
[3] Quickoffice Inc., “Quickoffice Connect Mobile Suite for iPad Camera File system: DCF version 2.0”, 2010.
on the iTunes App Store”, 2010, http://itunes.apple.com/us/
app/quickoffice-connect-mobile/id376212724. [21] Microsoft Corp, “Limitations of the FAT32 File System
in Windows XP”, 2007, http://support.microsoft.com/kb/
[4] Apple Computer Inc, “Pages for iPad on the iTunes 314463/.
App Store”, 2010, http://itunes.apple.com/us/app/pages/
id361309726. [22] Ridgecrop Consultants Ltd., “Fat32Format”, 2009, http://
www.ridgecrop.demon.co.uk/index.htm?fat32format.htm.
[5] Apple Computer Inc, “Numbers for iPad on the iTunes
App Store”, 2010, http://itunes.apple.com/us/app/numbers/ [23] 9to5 Mac, “iOS 4.2 emits less USB
id361304891. power on iPad, Camera Connection Kit crip-
pled?”, 2010, http://www.9to5mac.com/40091/
[6] Apple Computer Inc., “Apple’s AirPrint Wireless Print- ios-4-2-emits-less-usb-power-on-ipad-camera-connection-kit-crippled.
ing for iPad, iPhone and iPod touch Coming to Users in
November”, 2010, http://www.apple.com/pr/library/2010/09/ [24] Apple Computer Inc, “iOS 4: Understanding data protection”,
15airprint.html. 2010, http://support.apple.com/kb/HT4175.

[7] EuroSmartz Ltd., “PrintCentral for iPad on the iTunes [25] LLC Digital Forensics Solutions, “Scalpel: A Fru-
App Store”, 2010, http://itunes.apple.com/us/app/ gal, High Performance File Carver”, 2006, http://www.
printcentral-for-ipad/id366020849. digitalforensicssolutions.com/Scalpel/.

[8] George Hotz, “iPhone serial hacked, full interactive shell”, [26] Jonathan Zdziarski, “iPhone Insecurity”, 2010, http://www.
2007, http://www.hackint0sh.org/f127/1408.htm. iphoneinsecurity.com/.
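The chunk reassembly of Section 4.2.3 (cat part-* > ipad.dmg) is correct only because split's default aa, ab, ... suffixes sort in the order the chunks were written. The POSIX shell script below is an added example, not the paper's own code: it rebuilds an image from such chunks and checks the result's size and checksum against the source, using a small constructed file and 4096-byte chunks in place of the partition and -b 4000m.

```shell
#!/bin/sh
# Added example, not code from the paper: rebuild an image produced by
# "dd ... | split -b 4000m - part-" from its part-aa, part-ab, ... chunks and
# verify the rebuilt file against the source. cksum is used only because it is
# POSIX; in a real acquisition record SHA-256/MD5 of the device and the image.

# Print the chunk paths for <dir>/<prefix> in the order split created them.
# split's default two-letter suffixes (aa, ab, ... az, ba, ...) sort lexically,
# so the sorted glob is chunk order; "cat part-*" relies on the same property.
# Fails if no chunk exists, so an empty glob is never passed through literally.
list_chunks() {
    [ -e "$1/${2}aa" ] || return 1
    for f in "$1/$2"??; do printf '%s\n' "$f"; done
}

# Concatenate the chunks into <out>; prints the number of bytes written.
reassemble() {
    dir=$1; prefix=$2; out=$3
    [ -e "$dir/${prefix}aa" ] || return 1
    : > "$out"
    for f in "$dir/$prefix"??; do cat "$f" >> "$out" || return 1; done
    wc -c < "$out" | tr -d ' '
}

# Round trip on constructed data: source -> split -> reassemble -> compare.
# Prints the chunk count; returns 0 only if size and checksum match the source.
roundtrip() {
    work=$(mktemp -d) || return 1
    seq 1 5000 > "$work/source.bin"            # constructed stand-in for the partition
    src_size=$(wc -c < "$work/source.bin" | tr -d ' ')
    src_sum=$(cksum < "$work/source.bin" | cut -d' ' -f1)
    # Same shape as the paper's pipeline, with 4096-byte instead of 4000 MB chunks.
    (cd "$work" && split -b 4096 source.bin part-) || return 1
    count=$(list_chunks "$work" part- | wc -l | tr -d ' ')
    size=$(reassemble "$work" part- "$work/rebuilt.dmg") || return 1
    new_sum=$(cksum < "$work/rebuilt.dmg" | cut -d' ' -f1)
    rm -rf "$work"
    echo "$count"
    [ "$size" -eq "$src_size" ] && [ "$src_sum" = "$new_sum" ]
}
```

With the 23893-byte constructed source this yields six chunks (part-aa to part-af) and a byte-identical rebuilt image; the same size and checksum comparison is the check to run on the real ipad.dmg before handing it to the analysis tools.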