iPhone
Digital Forensics – iPhone, part 1
by justin on Feb.06, 2010, under iPhone
One day I was asked, “Do you know of anyone who knows how to extract information from a factory-restored iPhone?” I replied, “No, but I expect as long as you can get access to the hard drive bit-by-bit, you could recover information just like you would a quick-formatted hard drive in a Mac or PC.” As it turns out, I was right. Of course, this begs the question: why would one want to extract information from a restored iPhone, or even an actively used iPhone? The answer is quite simple: forensic investigation in both criminal and civil matters.
If you are interested, as I have become, in such endeavors, the best place to start is by buying Jonathan Zdziarski’s book: iPhone Forensics: Recovering Evidence, Personal Data & Corporate Assets.
Jonathan, also known as “NerveGas”, has been part of the iPhone development community and is one of the foremost experts on low-level iPhone interaction and communication. He has classes on iPhone Forensics where he discusses his methods via shell scripts to retrieve and recover information. He licenses the scripts to law enforcement agencies for free, but for the private sector he licenses them for $5,000 per year, which in the field of forensics is fairly cheap. Since the release of his book, he has devised methods of getting access to the iPhone’s hard drive without having to jailbreak the phone, and a full 32GB bit-by-bit copy of the data takes only 15-30 minutes. This is in direct contrast to his book, where he not only describes jailbreaking but also describes using some nice dd and netcat commands to transfer the data to another computer. That process takes about 7-8 hours for a 32GB phone. So you can see the appeal of using his new methods instead of the old ones.
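The dd-and-netcat style transfer mentioned above, written in Python as an added example (it is not taken from the book or from Jonathan's scripts): one side streams a raw image over TCP, the other writes it out, and both compute SHA-256 so the copy can be checked against the source. The chunk size, the loopback address and the in-memory sample image are assumptions made for the example.

```python
import hashlib
import io
import socket
import threading

CHUNK = 64 * 1024  # read size, playing the role of dd's bs= (assumed value)

def send_image(src, host, port):
    """Sender side (the dd | nc half): stream src, return its SHA-256."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as conn:
        while chunk := src.read(CHUNK):
            digest.update(chunk)
            conn.sendall(chunk)
    return digest.hexdigest()  # closing the socket signals EOF to the receiver

def receive_image(listener, dst):
    """Receiver side (the nc -l > image half): write until EOF."""
    digest = hashlib.sha256()
    total = 0
    conn, _ = listener.accept()
    with conn:
        while chunk := conn.recv(CHUNK):
            digest.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return total, digest.hexdigest()

def acquire(src, dst):
    """Run both ends over loopback; return (bytes, sender hash, receiver hash)."""
    result = {}
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
        listener.listen(1)
        rx = threading.Thread(
            target=lambda: result.update(rx=receive_image(listener, dst)))
        rx.start()
        sent_hash = send_image(src, "127.0.0.1", listener.getsockname()[1])
        rx.join()
    total, recv_hash = result["rx"]
    return total, sent_hash, recv_hash

if __name__ == "__main__":
    # Constructed stand-in for a raw device image (not real evidence).
    image = io.BytesIO(b"\x00" * 1_000_000 + b"SQLite format 3\x00" + b"\xff" * 500_000)
    n, h_src, h_dst = acquire(image, io.BytesIO())
    print(n, "bytes,", "verified" if h_src == h_dst else "HASH MISMATCH")
```

Recording the source-side hash at acquisition time is what lets the image be re-verified later, independent of how long the transfer took.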
Given that at the moment I do not have $5,000 to license Jonathan’s scripts, I have decided to learn more about this and try to become very knowledgeable about the lower-level communication of the iPhone. I will be learning certain technologies such as usbmux in an effort to figure out how to transfer the data in a much shorter amount of time. Thankfully I have the ability to stand on the shoulders of giants in this regard since a large amount of the difficult work has already been done for me, but there’s still a lot to learn.
Here are some useful resources that I’ve found thus far:
- A whitepaper based on iPhone Forensics: http://viaforensics.com/wpinstall/wp-content/uploads/2009/03/iPhone-Forensics-2009.pdf
- Jonathan Zdziarski’s site: http://www.zdziarski.com/blog/
- Jonathan’s webcast at O’Reilly: http://www.oreillynet.com/pub/e/949
- A considerably updated webcast with Jonathan’s new method: http://www.youtube.com/watch?v=h75hrOxzQj0
More to come…
iPhone Obj-C Navigation – three20
by justin on Feb.01, 2010, under Objective-C, iPad, iPhone
One of the most difficult things I had to learn when developing an iPhone application with Objective-C was the basics of navigation. I understood the concept of pushing a view onto the stack, but given the old-natured, procedural code required for UINavigationController, it just wasn’t as simple if you’re on one “page” and you want to navigate to another “page” that you’ve already been to.
The idea is that you want to keep these pages in memory and provide a simple mapped method to get to each one. This is where three20 comes in. three20 is a “framework” (currently just source code, not bundled as a .framework) that gives some much-needed guidance concerning UI navigation and standard UI elements and event handling. three20 is the framework behind the very popular Facebook application on the iPhone.
I would go into detail on exactly how helpful this framework is for navigation, but the author of three20 does a considerably better job than I ever could: http://three20.info/ui/navigation.