There are numerous and costly--and closed source--methods for recovery data from the Apple iPhone, iPod Touch, and iPad. If you are lucky enough to be part of Law Enforcement, then you have free access to Johnathan Zdziarski's tools and methodology (Thank you, Johnathan). But what to do if you don't have the proprietary tools, or they just don't work on the version of iOS you encounter?
Allow me to introduce the libimobiledevice project. It is a library that communicates to the aforementioned Apple devices, with the addition of Apple TV devices, but does not use any proprietary libraries, nor does it require jailbreaking to accomplish its goals. I'll let the description on the project home page take over from here: libimobiledevie "allows other software to easily access the device's filesystem, retrieve information about the device and it's internals, backup/restore the device, manage SpringBoard® icons, manage installed applications, retrieve addressbook/calendars/notes and bookmarks and (using libgpod) synchronize music and video to the device."
That said, it is not designed as a forensics tool. I may be characterizing it wrongly, but in short, it brings iTunes-like capabilities to Linux. It does not give full filesystem access to the device, just the media folder and sub folders. This means you can access the Photos and videos taken with the device, as well as access the music catalog through your file browser. But be careful--you have read/write access.
Best practice requires that you disable automounting in your system to avoid changing data on the device when you connect it to your system. This can be done in a Gnome desktop by using gconf-editor to disable automounting in nautilus ( apps | nautilus | preferences | media_automount [uncheck] ). It's a good idea to disable media_automount_open and enable media_autorun_never while you're at it. You won't find your iPhone with fdisk when you connect it, which might leave you wondering just how in the world you're going to mount it?
Libimobiledevice is incorporated into Ubuntu and Linux Mint Debian Edition (my preference) and uses the Gnome Virtual File System (GVFS) for mounting the Media folder of devices in the .gvfs/ folder of your home directory. But you've disabled automounting, so you need another method that allows read-only mounting. That's handled with ifuse, but you'll likely have to install it. With ifuse, the device can be mount read-only in a location you specifiy. The device is automatically identified unless you choose to identify the device by its UUID (only necessary if you have more than one device connected at a time). You mount with "ifuse [options] location", such as "iphone -o ro /mnt/analysis". If you happen to have a jailbroken device, then adding the '--root' parameter will give you full logical access to the user partition on the device.
Mounting with ifuse, on a device that has not been jailbroken, gives access to the same to the device as libimobiledevice through GVFS, only with write protection. Media files can be useful, as I indicated in an earlier post, but how does an investigator get to the meaty stuff, like SMS messages, call history, and the like?
Well, there are tools that have been built to use the imobiledevice library, aptly called imobiledevice-utils in the Debian package management system. The utilities consist of the following tools: idevicebackup, ideviceimagemounter, idevicescreenshot, ideviceenterrecovery, ideviceinfo, idevicesyslog, idevice_id, and idevicepair. Of particular interest are ideviceinfo, and idevicebackup.
The ideviceinfo tool displays data about the phone itself, including the device name, serial number, OS version, and phone number. Even locked phones provide useful data, though not as robust as an unlocked phone. The idevicebackup tool works like iTunes backup. It creates a device backup in a location specified by the user. idevicebackup2 is required for iOS 4.3. and above, but can only be obtained by building it from source, which is available through a link on the imobiledevice website. The backup includes photographs, videos, and databases from the device, including SMS messages, call history, address book, etc!
The files in an iPhone backup are renamed in hex and are referenced in two mbdb databases that index the original name, location and MAC times for the backup files. The mbdb_parse.py utility can be used to identify the files. I am working to modify mbdb_parse.py to automate renaming of the files, but the standard output can be used like an ls -lh output. The limitation of mbdb_parse.py is that it displays user/group values in hex and MAC times in unixepoch time. I have been able to modify the program to allow me to rename the files into their original names, but the program is not ready for release as yet.
I will cover forensic processing of the backup in a later post.