It's time to perform filesystem acquisition. All we'll need is iproxy from libimobiledevice:
- Open a Command Prompt window and run iproxy with the following parameters:
- Open another Command Prompt window, change the directory to the one you want your image to be stored in, and run the following command:
ssh [email protected] -p 4444 "tar -cf - /private/var/" > userdata.tar
To connect via SSH, you will be prompted for the necessary password. The default password for SSH is alpine.
Once the process has finished, you'll find the created filesystem image in the directory you changed to before running the preceding command. It's a TAR archive and can be opened with many archivers, such as 7-Zip:
Filesystem image contents
Next, let's look at the Elcomsoft iOS Forensic Toolkit.