Upon hitting enter, it will appear as though nothing is happening however, the Mac is waiting for the other end of the connection. This command tells netcat to “listen” on port 7000 and to create the output file “rdisk0s2.dmg” on the desktop, based on the input from the other end of the tunnel (which is yet to be initiated). Katie-Strzempkas-Macbook:~ kstrzemp$ nc -l 7000 | dd of=~/Desktop/rdisk0s2.dmg bs=1048576 The first step is to run netcat on the Mac using the following command: This process, as well as imaging the raw disk, is all done within two commands (one on the Mac and one on the iPhone). One end of the tunnel must be set up on the forensic workstation and the other end configured on the iPhone. Netcat creates a tunnel that allows two devices to communicate and transfer files back and forth over a specified port. Using this technique, imaging is done over a program called netcat. Now that all of the necessary tools are installed, the imaging process can begin. Now, let us SSH back into the iPhone to make sure these files are where they should be: Those last two commands used “scp” (or “Secure Copy”) to transfer the nc and dd tools from the forensic workstation to the iPhone, and stored these tools in the /bin folder on the root of the device. 7.ĭump contents to screen or output to a text keychain_dumper > keychainresults.txt. Sign the entitlements into keychain_dumper using the following command (NO space between S and /var): ldid -S/var/tmp/entitlements.xml keychain_dumper. 5.ĭump “entitlements” (aka access groups) from the keychain database using the following command. Upload keychain_dumper to iPhone /usr/bin using scp (again, refer to Chapter 5).
#DECRYPT KEYCHAIN.PLIST HOW TO#
To do this, download the “Aptbackup” package from Cydia, then run the following command on the device (this can be done through the Mobile Terminal application from Cydia, or the command can be run through a remote connection): $ apt-get install ldid (Hint: for details on how to remotely connect to a jailbroken device, refer to Chapter 5 – “Acquisition – Jailbroken Device”). Make sure ldid is installed on the jailbroken iPhone. The developer steps the user through the installation process. Look at the README files for details on how to install. To acquire and use this tool, the following instructions should be followed: 1.
The “keychain_dumper” utility, developed by Patrick Toomey, is run from the device and can decrypt Keychain passwords on the fly. This method is successful only with a device running iOS 4 or higher, and the backup file must be encrypted.Īnother option is available on jailbroken devices only.
#DECRYPT KEYCHAIN.PLIST PASSWORD#
In Chapter 5, we discussed the possibility of using Elcomsoft's iPhone Password Breaker to decrypt an encrypted backup file, and therefore gain access to passwords within the keychain file.