iPhone Data Recovery – Obstacles

Hardware

iPhone Data Recovery
iPhone Data Recovery

When developing our iPhone data recovery process we had to make a few decisions about the devices we can support. The newer iPhones (4s +) are not accessible in the same way as older models.

With the iPhone 4 and below we can extract the data using a forensically clean process. What this means is that we can take the data off without writing anything to the NAND chips (storage) inside the iPhone. This fits in perfectly with our regular data recovery process as we never write data to a device we receive.

With the iPhone 4s, Apple changed the part of the system we use to access the iPhone’s memory. There is a chance that a new method of extraction for iPhone 4s will become available, but until it does we will not be recovering files from these devices.

Physical damage

iPhones store their data on NAND chips which are soldered to the main circuit board of the phone. The data can only be correctly decoded if we also have access to other parts of the circuit board, so it is crucial that the iPhone is electronically functional. If water damage has shorted the iPhone then we have no way to access the data externally. It’s not that it’s impossible, just that the work would be unreasonably expensive and time consuming.

Deleted Files

Another potential barrier for iPhone recovery is down to the way files are stored. Since iOS4 most files including iPhone camera photos and videos are encrypted before being written to storage, using unique encryption keys. This means every file ends up with a different header. When files are deleted there is nothing to distinguish a photograph from any other random collection of bytes.

Another problem with the file based encryption is that if you restore the iPhone using iTunes, those encryption keys get erased and new ones are generated. This prevents recovery of the old data, which is good for security but bad for data recovery.

 

Leave a Reply

Your email address will not be published. Required fields are marked *