Forensics: When should an iPhone be jailbroken?
For forensic purposes, an iPhone should only be jailbroken if the following conditions are met: a member of the hacking community has found a way to exploit the phone to gain full root privileges, and a forensic tool that requires jailbreaking to obtain a physical acquisition has been tested and approved by the courts. Fortunately, a GUI tool such as MPE+ by AccessData does not require a jailbroken phone in order to get a physical acquisition of the device (see the MPE+ features here: http://www.accessdata.com/products/digital-forensics/mobile-phone-examiner). Otherwise, you have to settle for a logical acquisition.

The problem with an investigator trying to jailbreak a phone is that he runs the risk of corrupting the data on the iPhone. In other words, once you are able to locate a kernel exploit and gain root access, you have achieved a tethered jailbreak. If one is able to spot a vulnerability in the device’s hardware-level security, then the compromised device can be loaded into the boot ROM and executed every time the device is powered on, which is known as an untethered jailbreak.

However, again, unless you have a forensic tool that has been tested and validated by the courts, an investigator is better off just taking a logical acquisition of the device. Fortunately, MPE+ does not require jailbreaking to take a physical acquisition.