iOS 5 iDevice Open Source Imaging using Lantern Lite v0.6
By: Sean Cavanaugh (@spcavanaugh)
scavanaugh@appleexaminer.com
January 2012
 
Disclaimer: I recommend testing and vetting this method/tool and practicing the process to avoid any inadvertent spoliation of evidentiary media.

 

Lantern Lite is an OS X-based open source application that was released to the forensics community by Katana Forensics. It is a cost-effective solution for creating forensic images of the following iOS 5 devices: iPod Touch 3G/4G, iPhone 3GS, GSM & CDMA iPhone 4, and iPad 1. Support for iOS 3 & 4 is currently in the works.

 

For this tutorial, a 16 GB CDMA iPhone 4 running iOS 5.0.1 (9A405) will be imaged utilizing Lantern Lite v0.6 and OS X Lion (version 10.7.2).

 

Lantern Lite requirements:
· Macintosh OS X 10.6.8+
· Intel-based Macintosh Computer
· 2 GB RAM

 
1. Download & Install Lantern Lite: https://github.com/KatanaForensics/LanternLite/downloads
   a. Make sure to download v0.6 (LanternLite.zip)
   b. Follow the directions on disabling Sleep Mode on your Macintosh computer.
   c. From personal experience, I recommend disabling any screensaver & display sleep as well to prevent any interruption to the imaging process.
   d. You will be required to log out and back in again upon completion of the installation of Lantern Lite.
 
2. Download and Install redsn0w v0.9.9b8:
   https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.9b8.zip
 
3. Download the appropriate iOS 5.0 IPSW for the device.
   a. Each is approximately 700-850 MB in size.
 
4. Place the appropriate IPSW file for the iDevice on your Desktop.
 
iDevice                    IPSW Download
iPod Touch 3G              http://appldnld.apple.com/iPhone4/061-8360.20111012.New3w/iPod3,1_5.0_9A334_Restore.ipsw
iPod Touch 4G              http://appldnld.apple.com/iPhone4/061-9622.20111012.Evry3/iPod4,1_5.0_9A334_Restore.ipsw
iPhone 3GS                 http://appldnld.apple.com/iPhone4/041-8356.20111012.SQRDT/iPhone2,1_5.0_9A334_Restore.ipsw
iPhone 4 (GSM - AT&T)      http://appldnld.apple.com/iPhone4/041-8358.20111012.FFc34/iPhone3,1_5.0_9A334_Restore.ipsw
iPhone 4 (CDMA - Verizon)  http://appldnld.apple.com/iPhone4/041-9743.20111012.vjhfp/iPhone3,3_5.0_9A334_Restore.ipsw
iPad 1                     http://appldnld.apple.com/iPhone4/041-8357.20111012.DTOrM/iPad1,1_5.0_9A334_Restore.ipsw
 
5. Place the redsn0w application bundle (redsn0w.app) on your Desktop.
   a. The redsn0w application bundle can be copied & pasted from the Applications directory in the root of the OS X install.
   b. An application bundle is a specialized directory that utilizes the .app extension and contains resources required for a particular application.
      i. Examples: iPhoto.app, Safari.app, iTunes.app, etc.
 
6. Launch the Lantern Lite v0.6 application from your Applications directory.
 
7. When prompted, attach a compatible, powered-off iOS 5 device and put the device into Device Firmware Update (DFU) Mode, as seen in Figure 1.
   a. To put an iDevice into DFU Mode:
      i. Make sure the device is fully powered off and connected to the computer. Also, make sure iTunes is not currently running, and quit iTunes if it launches at any point.
      ii. Hold down the Power button for 3 seconds.
      iii. Without releasing the Power button, hold down the Home button for 10 seconds.
      iv. Without releasing the Home button, release the Power button but keep holding the Home button for 15 seconds.
 
   b. The screen on the iDevice will be black while in DFU Mode. If the Apple logo is displayed, the process was done incorrectly.
 
   c. If DFU Mode has been successfully entered, the Lantern Lite window seen in Figure 2 will be automatically displayed.
 
   d. Entering DFU Mode is the most common point of failure during the process. If the device does not enter DFU Mode on the first attempt, it is recommended to restart the process.
      i. It is a common mistake to enter Recovery Mode by accident when first attempting to enter DFU Mode.
         1. Making sure the first three steps of the process are followed correctly when attempting to enter DFU Mode can prevent this (in addition to practice!).
 
Figure 1 – DFU Mode instructions
 
Figure 2 – DFU Mode successfully entered

 

8. Once “Next” has been selected from the previous interface, the Lantern Lite options menu will appear, as seen in Figure 3.
   a. By default, the “Save To” location is the Desktop of the logged-in user and the “Save As” name will be “Acquisition” followed by the current date/time.
 
   b. The Lantern Lite options include: Retrieve Keys (brute-forces simple passcodes), Image Data Partition, and Decrypt Data Partition Image (with recovered keys).
      i. Data Protection (encryption) will be enabled if a passcode is set.
      ii. A simple passcode can be brute-forced in a reasonable amount of time using Lantern Lite.
         1. Simple passcode = 4-character numeric passcode
         2. Utilizes a number pad to enter the passcode
         3. More common on personal devices
      iii. If a complex passcode is present, a brute-force attack may take an extremely long time.
         1. Complex passcode = longer and more complicated than a simple passcode.
            a. Upper- and lowercase letters, numbers, and special characters
            b. Up to 37 characters long with 77 alphanumeric/special characters to choose from.
         2. Utilizes the full keyboard to enter the passcode
         3. Common on “work” devices with company e-mail, contacts, etc.
Figure 3 – Lantern Lite Options

 

9. If Retrieve Keys is selected, Lantern Lite will attempt to recover the passcode via a brute-force attack.
   a. The device will not be imaged until after the passcode has been retrieved if Retrieve Keys is selected.
   b. Retrieve Keys & Decrypt Data Partition can be deselected if time is an issue.
      i. As of this writing, Lantern Lite is unable to decrypt an encrypted data partition with a known passcode unless it has been recovered via Retrieve Keys.
 
10. If everything has been prepared properly, Lantern Lite will now modify the IPSW file (Figure 4) to create a custom RAM disk.
   a. Common issues at this point in the acquisition are:
      i. The Lantern Lite application bundle is not placed on the Desktop.
      ii. The appropriate IPSW file is not located on the Desktop.
 
   b. Make note of the warning message: “Once redsn0w reports ‘Done!’, quit redsn0w to continue”
      i. This can be accomplished by clicking the “Cancel” button in redsn0w (Figure 5).
      ii. Failure to follow the instructions may result in the altering of evidentiary media!
 
   c. Lantern Lite will now announce that redsn0w is launching. The process will now move to the redsn0w application.
      i. Redsn0w is used to load the custom RAM disk into the device’s memory. This is analogous to booting a computer from a live CD/DVD.
 
Figure 4 – Lantern Lite modifying the IPSW file
 
Figure 5 – Click “Cancel” in redsn0w when “Done!” is displayed

 

 
11. A screen similar to the one seen in Figure 6 may appear for a time without any apparent change to the application text or progress bar.
   a. To confirm the imaging process is running:
      i. Locate the directory for the current acquisition.
      ii. Within the current acquisition directory, open the folder named “Raw”.
      iii. There should be a DMG (Apple Disk Image) file named data_partition.dmg.
      iv. Periodically refresh the window to confirm the data_partition.dmg file is growing in size, as seen in Figure 7.
         1. Collapsing and expanding the “Raw” directory can accomplish this.
 
Figure 6 – The Lantern Lite interface while imaging
 
Figure 7 – The current acquisition directory

 

12. Upon completion of the imaging, the 16 GB iPhone 4 running iOS 5 yielded a 14.75 GB DMG file (Figure 7).
   a. If Decrypt Data Partition was selected and the encryption keys were successfully recovered, the decrypted version of data_partition.dmg will be located in the “Decrypted” folder.
 
13. Lantern Lite will now calculate a SHA1 hash value for the data_partition.dmg file, as seen in Figure 8.
 
Figure 8 – Lantern Lite calculating a SHA1 hash value for the data partition

 

14. Once the hashing is complete, the “Cancel” button and the progress bar will be grayed out. At this point, look in the root of the current acquisition directory on your Desktop for a log file named AcquisitionLog.txt.
   a. The content of AcquisitionLog.txt can be seen below in Figure 9.
   b. The log file will contain the imaging process start/finish time and the calculated SHA1 hash value for data_partition.dmg.
   c. The acquisition of the 16 GB iPhone 4 took approximately 50 minutes.
 
Figure 9 – The content of the AcquisitionLog.txt file
 
15. The SHA1 hash value calculated by Lantern Lite can be verified via OS X’s Terminal by using the following commands:
   a. Type /usr/bin/openssl sha1 [do not hit Enter yet]
   b. Locate the icon for data_partition.dmg and drag and drop it into the Terminal window, or manually type the path to the file.
   c. Hit “Enter” and wait for the hashing to complete.
   d. Once complete, “SHA1” followed by the path to the file in parentheses will be displayed in addition to the calculated SHA1 hash value (Figure 10).
   e. The Grab utility (located at /Applications/Utilities/Grab) can be used to document the verified SHA1 hash value by performing a screen or window capture.
 
Figure 10 – Verification of SHA1 hash in Terminal
 
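The manual verification in step 15 can be scripted so that the recomputed hash is compared against the value Lantern Lite wrote to the log rather than read by eye. The script below is an added example, not part of the original article or of Lantern Lite; it assumes the acquisition layout described in steps 11 and 14 (Raw/data_partition.dmg and AcquisitionLog.txt under the acquisition directory) and assumes the log records the hash as a 40-character hex string, and it falls back to sha1sum/shasum on systems without openssl.

```shell
#!/bin/sh
# Added example (not from the article or Lantern Lite). Assumed layout:
#   <acquisition dir>/Raw/data_partition.dmg
#   <acquisition dir>/AcquisitionLog.txt
# Assumption: the log contains the SHA1 as a 40-character hex string.

# Hash a file with the same openssl invocation used in step 15; fall back
# to sha1sum or shasum where openssl is not available.
sha1_of_file() {
  if command -v openssl >/dev/null 2>&1; then
    openssl sha1 "$1" | awk '{print $NF}'       # "SHA1(path)= <hash>"
  elif command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'             # "<hash>  path"
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# Extract the first 40-hex-digit token from AcquisitionLog.txt, lowercased.
logged_sha1() {
  grep -oiE '[0-9a-fA-F]{40}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 when the image on disk matches the hash Lantern Lite logged,
# 1 otherwise. Both values are printed so the comparison can be recorded
# in the case notes alongside the Grab screenshot from step 15e.
verify_image() {
  acq_dir="$1"
  image="$acq_dir/Raw/data_partition.dmg"
  log="$acq_dir/AcquisitionLog.txt"
  [ -f "$image" ] || { echo "missing image: $image" >&2; return 1; }
  [ -f "$log" ]   || { echo "missing log: $log" >&2; return 1; }
  logged=$(logged_sha1 "$log")
  computed=$(sha1_of_file "$image" | tr 'A-F' 'a-f')
  echo "logged:   ${logged:-<none>}"
  echo "computed: $computed"
  if [ -n "$logged" ] && [ "$computed" = "$logged" ]; then
    echo "MATCH"
    return 0
  fi
  echo "MISMATCH" >&2
  return 1
}

# Usage: verify_image "$HOME/Desktop/Acquisition_<date>"
```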
16. Reboot and power off the iDevice and remove it from the computer.
   a. Holding down the Power and Home buttons simultaneously for ten seconds will reboot the device into its normal operating mode.
 
17. Congratulations, you have just successfully created an image of an iDevice!
 