Welcome to the source for law enforcement tools and documentation in iPhone forensic research. Home to the only complete suite of forensic tools for the iPhone, iPhone 3G, and iPhone 3G[s].
April 28, 2010: Zdziarski Method FAQ

Many have written in with questions about the latest version of the Zdziarski method, which is used in the automated tools available free to law enforcement agencies worldwide. This is a quick rundown of the most frequently asked questions.

Q. Does this method "jailbreak" the device?

No. In fact, the latest Zdziarski method has an extremely lightweight footprint, and the device boots back into its normal operating mode once the imaging process is complete. The latest methods do not rewrite the operating system partition, do not patch the NOR, do not patch the kernel, do not grant the examiner access to the device, and do not require a system restore. All of the automated forensic tools available on this site have been updated to use these new methods. The new technique does not use the 24K/Pwn exploit widely touted by the hacking community.

Q. How can you image the device without jailbreaking?

The system components needed to image a device are loaded into the iPhone's RAM rather than written to disk. This allows the kernel and other components to be booted from memory. The imaging software is contained on a RAM disk, which is also booted from memory. Think of it as booting from a Helix CD-ROM or a bootable USB key. A small recovery agent is placed in the protected operating system area of the device, away from the user data partition. Once the imaging process is complete, the phone reboots into the same kernel it had when you seized it.

Q. Do you have to bypass the passcode to image the device?

No. The passcode and any other front-door security are entirely user-interface based, and the imaging software runs at a much lower level, transparent to the user interface. You will be able to get a raw disk image from a device that is passcode protected, has backup encryption enabled, or has even been disabled by too many passcode attempts.

With that said, these tools do offer the option to bypass these functions in the event that your case requires access to the device's user interface. For example, an active kidnapping case might call for intercepting phone calls or downloading email from the suspect's active accounts, putting the saving of human life ahead of preserving the evidence. You may also want to defeat the passcode and backup encryption in order to make the device compatible with commercial triage tools such as Cellebrite.

Q. Does your tool write to any user data on the device?

No. The user data partition is treated as sacred, and no writes are made to user data whatsoever. All of the source code for these tools is also available for peer review by the law enforcement agencies using them, so you can verify this in the code itself.

Q. How long does it take to image a device?

About 15-30 minutes is all it takes, regardless of whether you're imaging a 4GB iPhone or a 32GB iPhone 3G[s]. The Zdziarski method makes use of high-speed USB protocols, allowing device imaging to be conducted in record time, as opposed to other commercial tools, which use the slower USB serial protocol and can take 4-6 hours or more. Some cases just can't wait that long, and most departments are now suffering through a backlog of iPhones. Ten iPhones would take a commercial tool 40-60 hours! The automated tools found on this site can do all ten in 2-5 hours, or concurrently in 15-30 minutes.

Q. What devices and firmware versions are supported?

As of 04-28-2010, all three devices (iPhone, iPhone 3G, and iPhone 3G[s]) running all firmware versions from 1.0 through 3.1.3 are supported. The iPad running the only firmware version available (3.1.2) is also supported.

Q. Is the hardware encryption on the 3G[s] a problem?

No. The Zdziarski method invokes the device's hardware encryption chip to automatically decrypt the disk image prior to transferring it to the desktop. While the data is stored encrypted on the iPhone, you get the decrypted image on your desktop machine.

Q. What format is the disk image in?

The disk image is a standard HFS volume. It can either be mounted directly in Mac OS X as a .dmg file, or loaded into EnCase, FTK, X-Ways, or any of a number of other tools capable of reading HFS images.

Q. Why is this stuff free? Shouldn't you be making millions off us?

I make a good living already. Someone needs to be supporting the good guys who are protecting our country, and since Apple won't do it, I'm doing what I can to make sure LE and the military have the tools they need to keep us safe. These tools have been used to prosecute criminals committing rape, murder, child exploitation, terrorism, and a host of other crimes where evidence has been stored on the device. If you really want to support my efforts, you're invited to host an Advanced iPhone Forensics workshop on your campus.

Q. Well, I read that this other dude says your methods are jailbreaking.

Not everyone who purports to be an expert in the world of digital forensics knows entirely what they're talking about, especially when it comes to the iPhone. Anyone who believes these methods constitute jailbreaking is quite frankly ignorant of the technical details. No jailbreaking is performed here, and anyone who does understand the technical details behind it can attest to that. This is another good example of why an open source solution is so important: you can see exactly what's happening and judge for yourself.
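The FAQ says the acquired image is a standard HFS volume that Mac OS X, EnCase or FTK can open. Before handing the image to those tools, an examiner would want to confirm that it actually carries an HFS+/HFSX volume header, that its length matches what the header claims, and to record a hash for the case file; the Python below is an added example of that check, not code from this site's tools. It assumes the image begins at the volume (a raw image that starts with a partition map is not handled) and runs against a constructed, zero-filled sample image with a minimal HFSX header laid out per Apple's TN1150.

```python
import hashlib
import struct

# An HFS+/HFSX volume header starts 1024 bytes into the volume (Apple TN1150).
HEADER_OFFSET = 1024
# Big-endian fields: signature, version, attributes, lastMountedVersion,
# journalInfoBlock, createDate, modifyDate, backupDate, checkedDate,
# fileCount, folderCount, blockSize, totalBlocks, freeBlocks.
HEADER_FMT = ">2sHIIIIIIIIIIII"
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX (case-sensitive)"}


def parse_volume_header(image: bytes) -> dict:
    """Pull the header fields an examiner needs to sanity-check an image."""
    need = HEADER_OFFSET + struct.calcsize(HEADER_FMT)
    if len(image) < need:
        raise ValueError("image too small to contain an HFS+ volume header")
    f = struct.unpack_from(HEADER_FMT, image, HEADER_OFFSET)
    if f[0] not in SIGNATURES:
        raise ValueError(f"no HFS+/HFSX signature at offset 1024: {f[0]!r}")
    return {
        "filesystem": SIGNATURES[f[0]],
        "version": f[1],
        "file_count": f[9],
        "folder_count": f[10],
        "block_size": f[11],
        "total_blocks": f[12],
        "free_blocks": f[13],
    }


def check_image(image: bytes) -> dict:
    """Compare the header's stated volume size with the bytes on disk and hash the image."""
    info = parse_volume_header(image)
    info["size_matches_header"] = info["block_size"] * info["total_blocks"] == len(image)
    info["sha256"] = hashlib.sha256(image).hexdigest()  # record in the case notes
    return info


def build_sample_image(total_blocks: int = 16, block_size: int = 4096) -> bytes:
    """Constructed stand-in for an acquired volume: zeros plus a minimal HFSX header."""
    img = bytearray(total_blocks * block_size)
    hdr = struct.pack(HEADER_FMT, b"HX", 5, 0, 0, 0, 0, 0, 0, 0,
                      12, 3, block_size, total_blocks, 4)
    img[HEADER_OFFSET:HEADER_OFFSET + len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    print(check_image(build_sample_image()))
```

A size mismatch usually means a truncated or padded acquisition and is worth resolving before the image goes into any analysis tool.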
July 24, 2009: Bypassing 3Gs Passcode and Encryption
[ Video ] Bypassing Passcode and Backup Encryption
[ Video ] Forensic Recovery of Raw Disk
[ Video ] What Kind of Data Can You Steal in 2 Minutes?

These YouTube videos, courtesy of security researcher Jonathan Zdziarski, demonstrate just how easy it is to bypass the passcode and backup encryption on an iPhone 3G[s] within only a couple of minutes. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]' vulnerabilities may make enterprises and government agencies think twice before allowing these devices to hold confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them. Jonathan adds: "The 3G[s] has penetrated the government/military markets as well as top Fortune 100s, possibly under the misleading marketing term "hardware encryption", which many have taken at face value. Serious vulnerabilities such as these threaten to put our country's national security at risk. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs."
July 14, 2009: Seven Deadly Sins: What Enterprises Should Know

With buzzwords like "hardware encryption" and "remote wipe", many enterprises have been misled into believing that the iPhone 3G[s] is secure enough to store confidential correspondence or other information. Apple is no doubt pushing the enterprise market, but is the iPhone truly secure enough? While this subject warrants a complete white paper, take the following points into consideration. They apply not only to the iPhone 3G[s], but also to earlier generation devices. Here are the top seven things every enterprise should know about the iPhone:
Consider the risk to your enterprise should the confidential information on corporate iPhones be stolen. The iPhone is about the size of a small laptop disk drive, and it is about as easy to copy information from should a thief steal or "borrow" it without your knowledge.
July 14, 2009: iPhone Forensics Whitepaper
Andrew Hoog, Chief Investigative Officer at Via Forensics, has put together an iPhone Forensics Whitepaper summarizing the available forensic techniques for recovering data from the iPhone. Depending on what kind of information you want to get, there are a number of different techniques you can use.
All website content Copyright ©, All Rights Reserved. Reproduction prohibited without permission. This website is in no way affiliated with or endorsed by Apple, Inc.