Difference between pages "Apple iPhone" and "TestDisk"

From ForensicsWiki
(Difference between pages)
(External Links)
 
(Initial version)
 
Line 1: Line 1:
The '''iPhone''' is a smartphone made by [[Apple Inc.]] and sold with service through AT&T. It can be used to send/receive [[email]] (see [[IPhone Mail Header Format]]), keep schedules, surf the web, and view videos from YouTube. A large number of forensic products can process iPhones, see Tools section.
+
{{Infobox Software
 +
| logo = [[Image:TestDisk-logo.gif]]
 +
| name = TestDisk
 +
| developer = Christophe Grenier
 +
| maintainer = Christophe Grenier
 +
| latest_release_version = 6.8
 +
| latest_release_date = August 13, 2007
 +
| os = {{Linux}}, {{Windows}}, {{Mac OS X}}, Dos, BSD
 +
| interface = Command line interface
 +
| genre = Data recovery
 +
| license = GPLv2+
 +
| website = [http://www.cgsecurity.org/wiki/TestDisk TestDisk Wiki]
 +
}}
  
In December 2009, Nicolas Seriot presented a paper [http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf] in combination with a harvesting application named [http://github.com/nst/spyphone SpyPhone].  This application grabs data as sensitive as location data and a cache of keyboard words.  It neither requires jailbreaking nor makes Private API calls (which Apple's App Store does not allow in any application it distributes).
+
'''TestDisk''' is a free software data recovery utility licensed under the terms of the GNU General Public License (GPL). It was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).
  
== Tools ==
+
==Summary==
* Black Bag Technology Mobilyze
+
TestDisk queries the BIOS or the operating system in order to find the hard disks and their characteristics (LBA size and Cylinder-head-sector geometry). TestDisk does a quick check of your disk's structure and compares it with your Partition Table for entry errors. If the Partition Table has entry errors, TestDisk can repair them.
* [http://www.cellebrite.com/forensic-solutions/ios-forensics.html Cellebrite UFED]
+
* EnCase Neutrino
+
* [http://www.ixam-forensics.com/ FTS iXAM]
+
* iPhone Analyzer
+
* [http://code.google.com/p/iphone-dataprotection/ iphone-dataprotection]; a set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password.
+
* [http://www.iosresearch.org iOS Forensic Research]. [[Jonathan Zdziarski]] has released tools that will image iPhones, iPads and iPod Touch. (law enforcement only).
+
* [http://katanaforensics.com/products/ Katana Forensics Lantern]
+
* [http://www.libimobiledevice.org/ libimobiledevice] is a library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools.  They are available in the Debian-testing packages '''libimobiledevice''' and '''libimobiledevice-utils'''.
+
* Logicube CellDEK
+
* MacLock Pick
+
* [[.XRY|Micro Systemation .XRY]]
+
* Mobile Sync Browser
+
* [[Nuix Desktop]] and [[Proof Finder]] can detect and analyse many databases from iOS and iPhones and can directly ingest HFSX dd images.
+
* [[Oxygen Forensic Suite 2010]]
+
* Paraben Device Seizure
+
* [http://github.com/nst/spyphone SpyPhone]
+
  
== Publications ==
+
However, it's up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) which were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions,
* Gómez-Miralles, Arnedo-Moreno. [http://openaccess.uoc.edu/webapps/o2/bitstream/10609/11862/1/iPadForensics.pdf Versatile iPad forensic acquisition using the Apple Camera Connection Kit.] Computers And Mathematics With Applications, Volume 63, Issue 2, 2012, pp.544-553.
+
TestDisk may show partition data which is simply from the remnants of a partition that had been deleted and overwritten long ago.
  
== External Links ==
+
TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.
* [http://www.apple.com/iphone/ Official web site]
+
 
* [http://en.wikipedia.org/wiki/IPhone Wikipedia: iPhone]
+
==Supported operating systems==
* [http://en.wikipedia.org/wiki/IOS_jailbreaking Wikipedia: IOS jailbraking]
+
* DOS (either real or in a Windows 9x DOS box);
* [http://theiphonewiki.com/wiki/Main_Page The iPhone Wiki]
+
* Microsoft Windows (NT4, 2000, XP, 2003, Vista);
* [http://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29 Slashdot: Malware Could Grab Data From Stock iPhones]
+
* Linux;
* [http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf Apple iOS Privacy], [http://seriot.ch/resources/talks_papers/ios_privacy_hashdays.pdf slides hash days presentation], by [[Nicolas Seriot]], in November 2010.
+
* FreeBSD, NetBSD, OpenBSD;
* [https://viaforensics.com/resources/white-papers/iphone-forensics/ iPhone Forensics], by [[Andrew Hoog]] and [[Katie Strzempka]], in November 2010. Covers 13x iOS forensic tools and provides detailed information on the results for the iPhone 3G.
+
* SunOS and
* [http://media.blackhat.com/bh-ad-11/Belenko/bh-ad-11-Belenko-iOS_Data_Protection.pdf Evolution of iOS Data Protection and iPhone Forensics: from iPhone OS to iOS 5], by [[Andrey Belenko]] and [[Dmitry Sklyarov]], 2011
+
* Mac OS X
* [http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf Forensic analysis of iPhone backups], by Satish B, 2012
+
 
* [http://www.sans.org/reading_room/whitepapers/forensics/forensic-analysis-ios-devices_34092 Forensic Analysis on iOS Devices], by [[Tim Proffitt]], November 5, 2012
+
==File systems==
 +
TestDisk can find lost partitions of the following file systems:
 +
* Be File System (BeOS]])
 +
* BSD disklabel (FreeBSD/OpenBSD/NetBSD)
 +
* Cramfs]], Compressed File System
 +
* DOS/Windows FAT 12, 16, and 32
 +
* HFS, HFS+ and HFSX, Hierarchical File System
 +
* IBM Journaled File System 2 (JFS2), IBM's Journaled File System
 +
* Linux ext2 and ext3
 +
* Linux RAID
 +
** RAID 1: mirroring
 +
** RAID 4: striped array with parity device
 +
** RAID 5: striped array with distributed parity information
 +
** RAID 6: striped array with distributed dual redundancy information
 +
* Linux Swap (versions 1 and 2)
 +
* LVM and LVM2, Linux Logical Volume Manager
 +
* Mac partition map
 +
* Novell Storage Services (NSS)
 +
* NTFS (Windows NT/2000/XP/2003/Vista/2008)
 +
* ReiserFS 3.5, 3.6 and 4
 +
* Sun Solaris i386 disklabel
 +
* Unix File System: UFS and UFS2 (Sun/BSD/...)
 +
* XFS, SGI's Journaled File System
 +
 
 +
== See also ==
 +
* [[PhotoRec]]
 +
 
 +
==External links==
 +
* [http://www.cgsecurity.org/wiki/TestDisk TestDisk Wiki]
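Review bot: In the added File systems list, "Be File System (BeOS]])" and "Cramfs]], Compressed File System" carry closing link brackets with no matching opening "[[", so the "]]" will show up as literal text; either restore the opening brackets or drop the closing ones. In the infobox, the os field mixes templates ({{Linux}}, {{Windows}}, {{Mac OS X}}) with plain "Dos, BSD"; spell it "DOS" to match the Supported operating systems list further down.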

Revision as of 05:05, 13 January 2008

TestDisk
Maintainer: Christophe Grenier
OS: Linux, Windows, Mac OS X, DOS, BSD
Genre: Data recovery
License: GPLv2+
Website: TestDisk Wiki

TestDisk is a free software data recovery utility licensed under the terms of the GNU General Public License (GPL). It was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).

Summary

TestDisk queries the BIOS or the operating system in order to find the hard disks and their characteristics (LBA size and cylinder-head-sector geometry). TestDisk does a quick check of your disk's structure and compares it with your partition table for entry errors. If the partition table has entry errors, TestDisk can repair them.

However, it's up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) which were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show partition data which is simply from the remnants of a partition that had been deleted and overwritten long ago.

TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.
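
To make the partition table check described in the Summary concrete, here is an added example (not TestDisk's own code, and not from the original page) that parses a classic MBR sector and reports entry errors. The function names, the set of checks and the sample disk are assumptions made for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot: 462 + 16 * slot]
        flag, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0x00 marks an unused slot
            entries.append({"slot": slot, "flag": flag, "type": ptype,
                            "start": start, "count": count})
    return entries

def check_entries(entries, disk_sectors):
    """List inconsistencies between the table entries and the disk size."""
    errors = []
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            errors.append(f"slot {e['slot']}: invalid boot flag {e['flag']:#04x}")
        if e["start"] == 0 or e["count"] == 0:
            errors.append(f"slot {e['slot']}: empty or zero-based extent")
        if e["start"] + e["count"] > disk_sectors:
            errors.append(f"slot {e['slot']}: ends past last sector of disk")
    if sum(e["flag"] == 0x80 for e in entries) > 1:
        errors.append("more than one active partition")
    ordered = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["count"] > b["start"]:
            errors.append(f"slots {a['slot']} and {b['slot']} overlap")
    return errors

def build_mbr(parts):
    """Constructed sample: build sector 0 from (flag, type, start, count)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in parts)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed 1,000,000-sector disk: slot 1 overlaps slot 0 and runs past the end.
SAMPLE = build_mbr([(0x80, 0x07, 2048, 500000), (0x00, 0x83, 400000, 700000)])

if __name__ == "__main__":
    for problem in check_entries(parse_mbr(SAMPLE), disk_sectors=1_000_000):
        print(problem)
```

On a real case, run a check like this against a read-only image of sector 0 rather than the original device, so the evidence is not modified.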

Supported operating systems

  • DOS (either real or in a Windows 9x DOS box);
  • Microsoft Windows (NT4, 2000, XP, 2003, Vista);
  • Linux;
  • FreeBSD, NetBSD, OpenBSD;
  • SunOS and
  • Mac OS X

File systems

TestDisk can find lost partitions of the following file systems:

  • Be File System (BeOS)
  • BSD disklabel (FreeBSD/OpenBSD/NetBSD)
  • Cramfs, Compressed File System
  • DOS/Windows FAT 12, 16, and 32
  • HFS, HFS+ and HFSX, Hierarchical File System
  • IBM Journaled File System 2 (JFS2), IBM's Journaled File System
  • Linux ext2 and ext3
  • Linux RAID
    • RAID 1: mirroring
    • RAID 4: striped array with parity device
    • RAID 5: striped array with distributed parity information
    • RAID 6: striped array with distributed dual redundancy information
  • Linux Swap (versions 1 and 2)
  • LVM and LVM2, Linux Logical Volume Manager
  • Mac partition map
  • Novell Storage Services (NSS)
  • NTFS (Windows NT/2000/XP/2003/Vista/2008)
  • ReiserFS 3.5, 3.6 and 4
  • Sun Solaris i386 disklabel
  • Unix File System: UFS and UFS2 (Sun/BSD/...)
  • XFS, SGI's Journaled File System

See also

External links