Hacking and Securing iOS Applications by Jonathan Zdziarski

Copying the Raw Filesystem

As you may have noticed, copying the live filesystem from a process running on the device made the filesystem’s base encryption entirely transparent: the archive you recovered included decrypted copies of all data that wasn’t specifically protected with a protection class. The few files that are normally protected on the device, such as Mail and its attachments, or third-party application data that is explicitly marked for protection, remained encrypted and unreadable in the archive you downloaded. For the rest of the filesystem, however, the operating system automatically decrypted both the filesystem itself (EMF key) and every unprotected file (Dkey) before sending them. Because these two keys are available as soon as the device has booted, any process running on the device can easily read the large caboodle of files that are encrypted with them.
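The mitigation implied by the paragraph above is on the application side: data that must not come out of a live-filesystem copy in the clear has to be written under a Data Protection class rather than left to the Dkey. The following Swift snippet is an added example, not code from the book; it writes a file with NSFileProtectionComplete, reads the protection class back through FileManager, and audits a directory for files that are not covered by the Complete or CompleteUnlessOpen classes. The type name ProtectedStorage and the sample file name are assumptions made for the example.

```swift
import Foundation

/// Hypothetical helper (added example, not from the book): store sensitive
/// application data under a Data Protection class and audit what is already
/// on disk. Only files marked Complete or CompleteUnlessOpen stay encrypted
/// once the device is booted; everything else is readable by any process.
enum ProtectedStorage {

    /// Write `data` so that its per-file key is wrapped with the Complete
    /// class key, which the OS discards shortly after the device locks.
    static func write(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.completeFileProtection, .atomic])
    }

    /// Read the protection class the filesystem actually recorded for `url`.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// Return every regular file under `directory` whose class does not keep it
    /// encrypted while the device is locked, i.e. the files that a live copy
    /// from a booted device would hand over in plaintext.
    static func auditWeaklyProtected(in directory: URL) throws -> [URL] {
        let fm = FileManager.default
        var weak: [URL] = []
        guard let walker = fm.enumerator(at: directory, includingPropertiesForKeys: nil) else {
            return weak
        }
        for case let file as URL in walker {
            var isDir: ObjCBool = false
            guard fm.fileExists(atPath: file.path, isDirectory: &isDir), !isDir.boolValue else {
                continue
            }
            let cls = try protectionClass(of: file)
            if cls != .complete && cls != .completeUnlessOpen {
                weak.append(file)
            }
        }
        return weak
    }
}

// Usage inside an app (sample file name is constructed for the example):
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let secret = docs.appendingPathComponent("session-token.bin")
try ProtectedStorage.write(Data("example-token".utf8), to: secret)
print("class of secret:", try ProtectedStorage.protectionClass(of: secret) ?? .none)
for weakFile in try ProtectedStorage.auditWeaklyProtected(in: docs) {
    print("not protected while locked:", weakFile.lastPathComponent)
}
```

The audit is the part worth running regularly: a file written with a plain `Data.write(to:)` call and no protection option gets whatever default class the OS applies, and only the attribute reported by `attributesOfItem(atPath:)` tells you whether that file would have shown up decrypted in the archive described above.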

Copying the live filesystem is by far the fastest way to acquire data from a device, as it transmits only the live portion of the filesystem. If you choose only specific files or directories, the transfer becomes even faster. In some cases, though, it makes more sense to take the extra time to transmit an entire raw disk image. This will send all allocated files, as well as unallocated space and the HFS journal. These can be used to restore files that have been recently deleted. You’ll learn how to do this in Chapter 6, and so you’ll need a payload capable of copying off the raw disk in order to perform this ...