Research scientist and security expert Jonathan Zdziarski, recently discovered that the iPhone's restore mode still leaves personal data intact after preforming a restoration. Zdziarski writes, "While the restore process takes long enough to make most people assume the "disk" stored in NAND memory is formatted, it actually isn't.
As part of my work on a forensics toolkit for the iPhone, I decided to test whether user data could survive a full restore in iTunes. There have been rumors floating around that the entire NAND is flashed to 0xFF when the device is restored, but this is untrue - this only occurs in a different part of the iPhone (the NOR), but not the NAND. To confirm this theory, I first deleted any backups of my device and then forced the iPhone into recovery mode. From there, I performed a full firmware restore of my iPhone, ensuring that no backups or syncing were performed. I then performed a basic recovery of the raw disk using the forensic toolkit I put together, and analyzed it. What I discovered was that deleted mail, contacts, and pretty much all of my other personal information was still residing in unallocated space on the device. My personal information was safe and sound, and available to anyone with the right skills to recover it.
What does this mean? This means that when you do a restore through iTunes, it is only the equivalent of performing a "Quick Format" on your iPhone. And for those of you who use "Erase all Content and Settings," this has even less of an effect, as it doesn't even destroy the file system. In both cases, all of the personal information that was sitting on the device prior to the erase or restore is still left sitting in the unallocated blocks of the iPhone's NAND memory. To make matters worse, the restore process is likely to restore the original operating system files over the same location as the old ones, meaning very little data is likely to be corrupted at all."
Zdziarski goes on to report, "A verified detective from the Oregon State Police notified me that an out-of-the-box refurbished iPhone he purchased direct from Apple contained recoverable personal data including email, personal photos, and even financial information which he was able to recover using my forensic toolkit. The photos he sent me (see below) included the individual's name, which I've blurred out myself, but if you've ever had to return a defective iPhone, you might recognize this inbox. The more sensitive information hasn't been posted here for obvious reasons.
What you're looking at here is a partial list of the previous customer's files which were recovered from the iPhone's free space, and a screenshot that the iPhone took itself of the user's inbox, browser window, etc. when its user pressed the 'Home' button. Application snapshots are taken every time a program goes into the background to generate the zoom effects built into the device. And yes, the actual email and other personal data was also available."
So what can you do to make sure all your information is erased? Here are a few things to try:
1. Change passwords for all mail accounts that are synced to the iPhone or touch.
2. Make sure the device can no longer open the mail accounts.
3. Do an erase/restore of the iPhone or iPod touch, preferably using another computer or at least another account than the one the device was synced with.
4. Sync as many songs/videos of a non-compromising nature and nothing else to the newly restored device as will fit.
5. A good tool I recommend using to fill the drive up with data (songs/videos), is PhoneView. You can directly access the disk on your iPhone to totally fill it up.
6. After you have filled the drive up, do another erase/restore.
7. Repeat steps 4/5 with different content and erase/restore again. The more times you do this, the more times the data will be overwritten, thus having a less chance of recovery.
Final note: If you're having a problem with your iPhone/iPod touch and you are going to have Apple check it out, more than likely they will keep it and replace it with a refurbished unit, so make sure your iPhone/iPod touch is totally erased before you take it in. Oh, and one more thing. If the photos above look like they may be from your previous iPhone, please email us.
Mac Owners Support Group -- aka MacOSG -- was conceived by Dave Merten, the former 'Focus on Mac Support' guide at About.com. Since it's humble beginning as 'G5 Owners Support Group' back in February 2004, MacOSG has become one of the world's fastest-growing online Apple User Groups, dedicated to helping Mac users from all over the globe.
[url=http://www.macosg.com]MacOSG Home[/url] | [url=http://www.macosg.com/group/index.php]Support Forums[/url] | [url=http://macosg.com/group/viewtopic.php?t=78]Become a Member[/url]
[url=http://macosgpodcast.com]MacOSG Podcast[/url] | [url=http://mac611.com/]Mac611 Mobile Mac Support[/url]
Email us: admin AT macosg.com
"Macsimum News" is a proud supporter of [url=http://planetgumbo.org/]Planet Gumbo[/url], which feeds the hungry. We urge you to help them in their efforts.