318 Chapter 9 · Forensic Analysis of Mobile Malware

The devices to be captured include the block devices:

/dev/disk0      The disk
/dev/disk0s1    The system partition
/dev/disk0s2    Media, the media partition

And the raw devices:

/dev/rdisk0     The raw disk
/dev/rdisk0s1   The system partition
/dev/rdisk0s2   The media partition

Always make a hash of the image that is transferred (using either MD5 or SHA256, or better, both). The command tool dd is available already compiled for the iPhone (for example, from www.iphone-hacks.com/downloads/file/10).

iLiberty+

The iLiberty+ program is a free tool by Youssef Francis and Pepijn Oomen to unlock an iPhone or iPod and to install various payloads onto an iPhone or iPod. This tool allows the analyst to install the dd and nc tools needed to create the image. The iPhone's built-in digital signing utility generally only allows signed software to run. iLiberty+ uses a firmware hole to instruct the iPhone kernel to boot an unsigned RAM disk. The RAM disk deployed through iLiberty+ makes use of a proprietary payload delivery system in order to safely install a forensic toolkit into the device's RAM when booted. This does not alter the device kernel system at all.

iPHUC

The passcode protection in use on the iPhone may be circumvented with the use of the open source tool iPhone Utility Client, or iPHUC. This tool is available online from:

http://code.google.com/p/iphuc (Mac OS X and Source Code)
http://code.google.com/p/iphucwin32 (Windows Binary)

Follow the instructions in the archive to prepare an environment using the correct readline and iTunes Mobile Device dynamic libraries, and then install the utility client.

Forensic Investigation of MM on a Mobile Device

When you are conducting a forensic analysis of malcode found on a mobile device, always work with a copy of the image. When analyzing the code that has been extracted from this image, forensic analysts will seek to answer a number of questions, including the following:
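For the imaging step described above (dd the device, then hash the transferred image with MD5 and SHA256), here is an added Python example that is not from the book: it copies an image block by block while computing both digests in transit, records them in a sidecar manifest beside the image, and re-verifies the stored copy, rejecting it if even one byte differs. The device paths are stood in for by a constructed temporary file, and the 4096-byte block size is an assumed value.

```python
import hashlib, os, tempfile

BLOCK_SIZE = 4096  # dd-style block size (assumed value, not from the book)


def image_with_hashes(src_path, dst_path, block_size=BLOCK_SIZE):
    """Copy src to dst block by block (as dd does), computing MD5 and SHA256 of
    the bytes in transit; record both in a sidecar manifest beside the image."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            total += len(block)
    name = os.path.basename(dst_path)
    with open(dst_path + ".hashes", "w") as manifest:
        manifest.write(f"{md5.hexdigest()}  {name}  md5\n")
        manifest.write(f"{sha256.hexdigest()}  {name}  sha256\n")
    return total, md5.hexdigest(), sha256.hexdigest()


def verify_image(dst_path):
    """Re-hash the stored image and compare every digest in the manifest.
    Returns True only if the manifest is present and all digests match."""
    expected = {}
    with open(dst_path + ".hashes") as manifest:
        for line in manifest:
            digest, _name, algo = line.split()
            expected[algo] = digest
    actual = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(dst_path, "rb") as img:
        for block in iter(lambda: img.read(BLOCK_SIZE), b""):
            for h in actual.values():
                h.update(block)
    return bool(expected) and all(
        actual[algo].hexdigest() == digest for algo, digest in expected.items())


def demo():
    """Constructed run: image a 10 KiB fake device file standing in for
    /dev/rdisk0s2, verify it, then flip one byte and confirm verification fails."""
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "fake_rdisk0s2"), os.path.join(workdir, "rdisk0s2.img")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 40)  # 10240 bytes of constructed data
    size, md5_hex, sha256_hex = image_with_hashes(src, dst)
    ok_before = verify_image(dst)
    with open(dst, "r+b") as f:
        f.seek(100); f.write(b"\xff")  # simulate a corrupted or tampered copy
    return size, md5_hex, sha256_hex, ok_before, verify_image(dst)
```

On a real acquisition the source path would be one of the raw devices listed above, and the manifest should be kept with the copy the analyst works from so the working copy can be checked against the original image at any time.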