iPhone needs to be jailbroken to do this (tested on my iPhone 4, with iOS 4.0.1 using the www.jailbreakme.com jailbreaker). You don’t need OpenSSH installed, but I prefer it. If you install OpenSSH, connect using [email protected], password ‘alpine’ – I suggest changing this using the `passwd` command while you’re at it. MobileTerminal currently doesn’t work on iOS 4.0.1, atleast on the iPhone 4.
Pull image off iPhone using the following commands.
aknowles-mac:~ aknowles$ nc -l 30001 | dd of=iphone.img
iPhone:~ root# dd if=/dev/rdisk0s2s1 bs=1M | nc 192.168.1.1 30001
The first command uses `nc`, aka netcat, and opens a port up and listens using the -l switch. You run this on your destination computer, and pipe the output to the disk image file, i.e. iphone.img (filename unimportant).
On the iPhone itself, you point `nc` to the destination computer after it has been setup to listen. Pipe the output of `dd` reading the iPhone disk to the `nc` command and it will transfer. Note: I found the iPhone would not read the disk without the bs=1M switch.
The process can take a while. It’s taken about 20 minutes for 2.5gb to transfer over the wireless link I’ve setup between my laptop and my iPhone… For a 32gb iPhone, this will obviously take a while!!!
Once complete, analyse iphone.img with Scalpel or whichever forensics software you prefer.