Acquisition via a custom ramdisk
Acquisition via a custom ramdisk is a novel method to acquire data from an iPhone. It gains access to the file system by loading a custom ramdisk into the memory and exploiting a weakness in the boot process while the device is in the DFU mode. A custom ramdisk contains the forensic tools necessary to dump the file system over USB via an SSH tunnel. Loading a custom ramdisk onto a device will not alter the user data, and thus the evidence will not be destroyed.
Imagine a computer that is protected with an OS-level password, we can still access the hard disk contents by booting with a live CD. Similarly, on the iPhone, we can load a custom ramdisk over USB and access the file system. However, the iPhone secure boot chain prevents us from loading the custom ramdisk. We can achieve this by exploiting a Boot ROM vulnerability and patching successive stages, as shown in the following figure:
An exploited boot chain of an iPhone in DFU mode
Hacker communities have...
