Practical Mobile Forensics (Third Edition)

The recovery mode

During the boot-up process, if one step is unable to load or verify the next step, then the boot-up is stopped and the iPhone displays a screen as shown in the following screenshot:

iOS device recovery mode

This mode is known as the recovery mode. The recovery mode is required to perform upgrades or to restore the iPhone. To enter the recovery mode, perform the following steps:

  1. Turn off the device—press and hold down the Sleep/Power button located at the top of the iPhone until the red slider appears. Then, move the slider and wait for the device to turn off.
  2. Hold down the iPhone Home button and connect the device to a computer via a USB cable. The device should turn on.
  3. Continue holding the Home button until the Connect to iTunes screen appears. Then, you can release the Home button (on a jailbroken iOS device, this screen may appear with different icons). Most forensic tools and extraction methods will alert the examiner about the current state of the iOS device.
  4. To exit the recovery mode, reboot the iPhone. This can be completed by holding down the Home and Sleep/Power button until the Apple logo appears.

On older iOS devices, the iTunes icon is blue and the cable pictured is the original Apple cable.

You can read more about the iOS device recovery mode at https://support.apple.com/en-in/HT201263.

Normally, rebooting returns the iPhone from recovery mode to normal mode. The same methodology applies to the Apple Watch. The examiner may encounter a situation where the iPhone constantly reboots into recovery mode. This is known as a recovery loop. A recovery loop may occur when the user or examiner attempts to jailbreak the iOS device and an error occurs. To get the device out of a recovery loop, the device must be connected to iTunes and a backup must be restored to it.

Restoring a backup to exit a recovery loop makes changes to the evidence, so ensure that you have validated your acquisition methods on a test device prior to attempting them on real evidence.
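The following added example (not from the book) shows one passive way to spot a recovery loop from the examination workstation: it reads Linux kernel USB attach messages and flags a port where an Apple device enumerates in recovery mode several times in a row. The product IDs come from the open source libirecovery project, and the log lines and the threshold of three attaches are assumptions constructed for illustration.

```python
import re

APPLE_VID = 0x05AC
# Assumption: product IDs taken from the open source libirecovery project.
RECOVERY_PIDS = {0x1280, 0x1281, 0x1282, 0x1283}
DFU_PIDS = {0x1227}

# Linux kernel message logged each time a USB device enumerates.
ATTACH_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)

# Constructed sample log: an Apple device that keeps coming back in recovery mode.
SAMPLE_LOG = """\
[  100.100000] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 8.04
[  160.200000] usb 1-2: New USB device found, idVendor=05ac, idProduct=1281, bcdDevice= 0.00
[  220.300000] usb 1-2: New USB device found, idVendor=05ac, idProduct=1281, bcdDevice= 0.00
[  280.400000] usb 1-2: New USB device found, idVendor=05ac, idProduct=1281, bcdDevice= 0.00
[  300.000000] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
"""

def classify(vid, pid):
    """Map a USB vendor/product ID pair to a device state, or None if not Apple."""
    if vid != APPLE_VID:
        return None
    if pid in RECOVERY_PIDS:
        return "recovery"
    if pid in DFU_PIDS:
        return "dfu"
    return "other"  # Apple device outside recovery/DFU (e.g. normal mode)

def parse_attach_events(log_text):
    """Return (timestamp, port, state) for every Apple attach event in the log."""
    events = []
    for line in log_text.splitlines():
        m = ATTACH_RE.search(line)
        if m:
            state = classify(int(m["vid"], 16), int(m["pid"], 16))
            if state:
                events.append((float(m["ts"]), m["port"], state))
    return events

def recovery_loop_ports(events, threshold=3):
    """Ports with `threshold` consecutive recovery attaches (heuristic)."""
    streak, flagged = {}, set()
    for _ts, port, state in events:
        streak[port] = streak.get(port, 0) + 1 if state == "recovery" else 0
        if streak[port] >= threshold:
            flagged.add(port)
    return sorted(flagged)
```

Because it only reads the host's own log, the check sends nothing to the device; a flagged port still needs the examiner's confirmation, since reconnecting the cable while the device sits in recovery mode produces the same messages.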

For older devices, exiting a recovery loop was much easier on both Windows and Mac computers, and several open source methods exist to repair one. The following steps show how the redsn0w tool can be used on a Mac to exit a recovery loop:

  1. You can download the latest version of redsn0w at https://sites.google.com/a/iphone-dev.com/files/.
  2. Then, navigate to Extras | Recovery fix, as shown in the following screenshot:

The redsn0w recovery fix

An external method or tool may not be required. Sometimes, placing the device in DFU mode and connecting the device to iTunes will properly reboot the iPhone.