So I come home yesterday to a very, very dejected child. Apparently she somehow deleted all the slides for a school project due when she gets back from vacation. First off – iOS doesn’t have .Trash. Second, she hadn’t synced to iTunes in several months. Third, iCloud backup wasn’t turned on.
Not expecting too much, I took her iPad and scoured the Internet to see what I could find that would act as an undelete tool for iOS.
I tried a few things I found on the internet, but they either didn’t work, or didn’t work right in a Fusion VM. I hate downloading things from questionable sources, and may very well have some trojan running on one or more of my systems right now. Ugh.
What these failed tools did tell me is that when you’re in DFU mode of an iOS device, you can apparently do things. I’ve used DFU before when restoring a jailbroken iPhone to normal, so I had an idea what was going on here. Given that I’d last used DFU in the jailbreak world, I turned my google queries on that topic to see if any of the jailbreakers had found a way to mount or access an iPad filesystem via DFU mode.
What I found was a very slick tool: Automatic SSH Ramdisk This little java app will detect a usb connected device in DFU mode, and cause it to boot a rescue image with SSH enabled. You then ssh to localhost:2022 and you’re talking to the iPad via the USB connection.
With this, I was able to
scp -r the entire contents of her iPad back to my Mac. I was also able to make a copy of the iPad’s “harddrive” for even more analysis.
Looking through the contents of her iPad’s filesystem it became clear where I was going to find the files if they were still there. Each application lives in
/var/media/Applications/SOME-LONG-STRING-OF-HEX. Inside that directory is the Something.app directory with the app contents, a plist with the apple-id used to buy the app along with versioning info, the icon, and whatever private local data the app creates. In this case, I was able to find copies of her deleted files in the
SOME-LONG-STRING-OF-HEX/Cache directory and extract those out.
My kid however gave me the impression there were still other files that were lost (not true – I had recovered everything she’d done up to that point), so I decided that it would be worth doing some image forensics. I figured that finding deleted JPGs on an iOS HFS image was probably similar to what the FBI does on a regular basis to bust child pornographers. There should be some good linux tools to scan a disk image for the markers of graphics files.
I found two that looked promising: Foremost and Scalpel. I had a bit of a challenge getting the disk image off the iPad. “dd” wasn’t available on the rescue image, but I was able to ssh into my iPhone and copy it off of there onto the rescue image. Amazingly that worked (given the different iOS versions and chipsets). I also had a hell of a time actually opening any of the /dev/disk files. Eventually I hit upon using “
ssh -p 2022 root@localhost "cat /dev/rdisk0" | dd of=ipad.img ” as the workable method. An hour or so later, I had a 16G image file on my Mac.
Next step was to get that over to an Ubuntu box, and
apt-get install foremost.
man foremost for instructions, but I found that
dd if=rdisk0.img | foremost -Tvd -o recovered_stuff worked best for me. That recovered about 2800 or so files. Most of them were png files consisting of icons for applications. Foremost never found any of the images in her Photos, or any deleted Photos. Scalpel was based on foremost, so I tried it next. That required a compile and editing the config file to enable looking for png & jpg headers. The command here was
scalpel -i file_with_name_of_image -o recover-target -c ./scalpel.conf, but I suggest reading the man page too. Scalpel didn’t find any more files to recover than foremost did.
I wasn’t expecting much from the image level scanning. I’m not 100% sure the nature of the iDevice storage, but given it is flash memory, it probably has the same wear-leveling/trimming that occurs with PC SSDs, and that the flash will begin to zero out the blocks as soon as the files were deleted so they’ll be ready to accept new data. (Updated to add this link I had laying around: SSD firmware destroys digital evidence, researchers find | Flash Memory | Macworld.)
The moral of the story here is (as always) MAKE BACKUPS!. However if you didn’t take sysadmin 101, there is still a chance your files (or older versions) are lurking around inside your iOS device and could be recovered.
What I determined is that I need to build a throw-away windows VM that I can snapshot and revert as I try these random things I download off the internet, and that I also need a Linux forensic VM laying around with enough memory and storage to analyze these things.
I did find one useful tool for getting easy access to the iPad’s filesystem: iExplorer is a Windows or OSX tool for browsing files on the device. You can get direct access to the media files, and you can browse the contents of all your Apps. You can even FUSE mount the filesystem and browse it via a shell.