Personal information is readily available even after a restore....

Discussion in 'iPhone' started by Vegeta-san, May 20, 2008.

  1. Vegeta-san macrumors 6502

    Joined:
    Aug 4, 2006
    #1
    Makes me paranoid about selling my iPhone on eBay before the 3G iPhone is released now....

    Someone named Jonathan Zdziarski has discovered, using a forensics toolkit for iPhone, that even after an iTunes restore, much of your personal information is still stored on the phone, readily available to anyone with the requisite knowledge....Paranoid now?

    http://www.zdziarski.com/
     
  2. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake with snow softly falling
    #2
    A few people have even reported getting a refurb with the data clearly in view. No erasing even tried at all. So much for quality control.

    Although leaving info on refurbs is pretty amateurish, the same is often true of other phones:

    Phone forensics

    The bigger question to me is, will the remote wipe coming in v2.0 actually do what it's supposed to do?
     
  3. PowerFullMac macrumors 601

    PowerFullMac

    Joined:
    Oct 16, 2006
    #3
    Restoring iPhone does NOT properly erase it!

    From TUAW:

    :eek:

    I sorta noticed that on my iPod touch, when I restored it it still showed a playlist I had on there before the restore, and it WASENT on iTunes so it wasent syncing from there... Just a warning to anyone who wants to sell their iPhone, try and do a NAND reformat.
     
  4. brn2ski00 macrumors 68020

    brn2ski00

    Joined:
    Aug 16, 2007
    #4
    Sold my first iPhone (4GB) 4 months back.... Didn't have any idea that a System Restore wouldn't completely erase the contents. Figures!
     
  5. onlycopunk macrumors 6502

    Joined:
    May 10, 2008
    Location:
    Newtown
    #5
    Sure the hard drives work the same way as a computer. Formatting doesn't really "erase" anything, it just turns all the 1's to 0's and until the 0's get written over again the old information is still recoverable.
     
  6. Vegeta-san thread starter macrumors 6502

    Joined:
    Aug 4, 2006
    #6
    Let's hope it doesn't take Apple that long (until June 9) to correct this problem. They can update iTunes and quickly get it out there to fix this issue.
     
  7. macidiot macrumors 6502a

    Joined:
    Aug 13, 2002
    #7
    Refurbished iPhones are an excellent source of previous users' data

    http://www.engadget.com/2008/05/20/refurbished-iphones-are-an-excellent-source-of-previous-users-d/

    Quote: "It looks like you might have to think twice before flipping that old iPhone on eBay when the 3G version finally hits -- it appears that restoring the phone doesn't actually erase the contents of the flash, meaning that your data is available to anyone with the proper tools until it's overwritten."

    I posted this here mostly because I am tired of uncredited submissions on MacBytes. :cool:
     
  8. onlycopunk macrumors 6502

    Joined:
    May 10, 2008
    Location:
    Newtown
    #8
    Duh, it works just like a computer. Data on a harddrive is still retrievable after a format until the data has been rewritten.
     
  9. Xjett macrumors member

    Joined:
    May 4, 2008
    Location:
    Miami, FL
    #9
    Ahh I just swapped my iPhone out due to the warranty, that really stinks.
     
  10. macidiot macrumors 6502a

    Joined:
    Aug 13, 2002
    #10
    The point is, a restore is not a reformat. And that Apple does not even reformat refurbs.
     
  11. wildcardd macrumors 6502a

    Joined:
    Mar 26, 2007
    Location:
    Denver, CO
    #11
    It takes certain tools to be able to read the data. It is not like I can get a refurb and read the other user's data by turning it on.

    Not sure if this requires only software, or software and hardware, but it does need CSI like stuff.
     
  12. JBaker122586 macrumors 65816

    Joined:
    Jun 21, 2007
    #12
    What sort of data would be on there?
    If it's just my name and phone number I wouldn't really care.
     
  13. PowerFullMac macrumors 601

    PowerFullMac

    Joined:
    Oct 16, 2006
    #13
    Whatever you put on your iPhone... From the link in the first post:
    If I were to reformat my HD, would I still be able to get data off it? Do I need to zero-out the data to stop it being read? Or does reformatting do that, anyway?
     
  14. wildcardd macrumors 6502a

    Joined:
    Mar 26, 2007
    Location:
    Denver, CO
    #14
    That hasn't been overwritten by new data that you have added.
     
  15. PowerFullMac macrumors 601

    PowerFullMac

    Joined:
    Oct 16, 2006
    #15
    So, basically, whatever is on there at the time of the restore, plus maybe a few things you deleted if you never replaced that stuff with new stuff.
     
  16. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #16
    I don't know if this really feels like news perse. Like others have said, it does a quick-format which is kind of what I expect it to do. However, it does seem as though Apple should offer a way for users to "securely" erase their iPhone by doing a low-level format. Also, this kind of format should DEFINITELY be done during a certification process for refurbished goods.
     
  17. wildcardd macrumors 6502a

    Joined:
    Mar 26, 2007
    Location:
    Denver, CO
    #17
    Kind of.

    When you delete something, it really isn't deleted. The sectors are "marked" meaning that when more data is added to the drive, it can be overwritten.

    Hard drives behave in a similar fashion. When I delete a file, it is still there, but that sector the file was in is available to be overwritten.

    So if you use a utility to recover deleted items, you might be able to get that data back IF the OS hasn't overwritten the data already.

    It takes specific software to do this on a particular OS. I am assuming that nobody has that software for the iPhone (yet?). So it may also require some hardware to take that data and reconstruct the info.

    I suppose it COULD be an issue in the future, but I wouldn't worry too much about it yet.
     
  18. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake with snow softly falling
    #18
    The iPhone doesn't use a hard drive, so this is immaterial.

    On a flash chip, which it does use, erasing turns all the data to 1's. The flash is organized in blocks of 256K bytes, all of which must be erased before you can write over a previously written location.

    Actually, it's retrievable even after being overwritten several times, with the right equipment. That's why there are special "NSA quality" erase programs available. But again, the iPhone doesn't use a hard drive.

    Probably the Restore function only touches the flash blocks that it needs to, and the other many gigabytes are left alone.
     
  19. wildcardd macrumors 6502a

    Joined:
    Mar 26, 2007
    Location:
    Denver, CO
    #19
    Kdarling, how is that possible if it has been rewritten? The 0 is now a 1. How does it know it was once a 0?

    Perhaps there are programs that take the fragments that haven't been written over and splices the data together...but remember what happened in Jurassic Park when they did that with DNA... bad juju. ;)
     
  20. PowerFullMac macrumors 601

    PowerFullMac

    Joined:
    Oct 16, 2006
    #20
    I found a guide on how to get rid of all the data! Clicky!
     
  21. WankerWeasel macrumors newbie

    Joined:
    Dec 10, 2004
    #21
    First thing to note is that it's 512 byte blocks, not 256 byte blocks (or 256KB as you wrote). 512 bytes is the ATA standard, the "bulk storage device" most modern devices follow is the ATA standard.

    Erasing data on the iPhone (and other flash devices) does not cause the OS to turn the data bits to 1s. That's why data recovery applications like FileSalvage and Data Rescue II can recover deleted files from these devices. The iPhone OS make an effort to write to the storage media as little as possible. This may be because flash media can only be written to a certain number of times.

    In theory the high points around the valley where data is written on a standard hard drive could retain some of the magnetic properties of the previous data even after the valley has been re-written with new data but it's pretty unlikely. Equipment like an electron microscope could possibly recover some of the data but there'd be no way to tell if it was the original or overwritten data and if it's fragmented then you're pretty much out of luck. To say that the data is recoverable after being overwritten several times is incorrect. For all practical purposes, when the data is overwritten once it's gone for good.

    The iPhone's memory is basically broken into 2 separate partitions. One for the system data and one for the user's data. The Restore function only restores the information on the system partition.

    That article clearly states that they admit that they haven't tested it.
     
  22. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake with snow softly falling
    #22
    You're confusing smart external flash drives and dumb internal flash memory.

    External flash drives have hardware to make them look like regular hard drives, and to do all the grunt work of handling bad sectors, wear leveling, etc.

    The flash used by the iPhone requires a totally different kind of file manager than the simple disk drive one you're talking about. It has to do the wear leveling, erase/write/ recopy to new blocks, etc on its own. It is nothing repeat nothing like using an external flash drive.

    The flash used by the iPhone is organized in 256K blocks. These blocks "only" have a 5,000 erase/write cycle lifetime. Again, nothing even close to a flash drive, which is 100,000 cycles or more.

    The flash used by the iPhone can come from the factory with up to 100MB missing per 4GB rating. In other words, a 32GB device can have 800MB of bad blocks and still be considered "good" from the factory. (I suspect "Other" will contain these bad blocks.)
     
  23. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #23
    Apple really needs to make sure there's a wiping function, even aside from the remote wipe, that actually scrubs the disk in 2.0...

    In the meantime, though, just to throw this out there... It would not be *that* hard to use Audacity or the like to create some white noise music files, clone them till you have ~7.3GB worth, import them into iTunes, and copy them to the iPhone. The net result would be overwriting the drive on the iPhone with random data. If one made several different white noise files, and cloned multiple sets of iPhone-sized data, one could even essentially do multipass overwrites...

    Obviously, this only covers areas of the phone where music can be loaded -- would that cover the same area where e-mails go (and contacts, I guess, although for me e-mails are a concern more than contacts)?

    I'm not sure if that's the same thing as the Securosis method? That link isn't loading for me....
     
  24. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake with snow softly falling
    #25
    It's because a magnetic hard drive doesn't write exactly 1's and 0's, or put the data at the exact same location each time. Each time you rewrite, the new data is affected by the previous state, and it also leaves side tracks.

    NSA has been at this kind of thing for decades. I haven't been with them for a long time, but over ten years ago it was publicly known how to recover at least two back layers of data, using various forms of scanning force microscopes. These days, it's commonly not considered erased unless you do at least ten rewrites.
     

Share This Page