Chris on March 30th, 2013

So I come home yesterday to a very, very dejected child. Apparently she somehow deleted all the slides for a school project due when she gets back from vacation. First off – iOS doesn’t have .Trash. Second, she hadn’t synced to iTunes in several months. Third, iCloud backup wasn’t turned on.

Not expecting too much, I took her iPad and scoured the Internet to see what I could find that would act as an undelete tool for iOS.

I tried a few things I found on the internet, but they either didn’t work, or didn’t work right in a Fusion VM. I hate downloading things from questionable sources, and may very well have some trojan running on one or more of my systems right now. Ugh.

What these failed tools did tell me is that when you’re in DFU mode of an iOS device, you can apparently do things. I’ve used DFU before when restoring a jailbroken iPhone to normal, so I had an idea what was going on here. Given that I’d last used DFU in the jailbreak world, I turned my google queries on that topic to see if any of the jailbreakers had found a way to mount or access an iPad filesystem via DFU mode.

What I found was a very slick tool: Automatic SSH Ramdisk. This little Java app will detect a USB-connected device in DFU mode, and cause it to boot a rescue image with SSH enabled. You then ssh to localhost:2022 and you’re talking to the iPad via the USB connection.

With this, I was able to scp -r the entire contents of her iPad back to my Mac. I was also able to make a copy of the iPad’s “harddrive” for even more analysis.

Looking through the contents of her iPad’s filesystem it became clear where I was going to find the files if they were still there. Each application lives in /var/media/Applications/SOME-LONG-STRING-OF-HEX. Inside that directory is the Something.app directory with the app contents, a plist with the apple-id used to buy the app along with versioning info, the icon, and whatever private local data the app creates. In this case, I was able to find copies of her deleted files in the SOME-LONG-STRING-OF-HEX/Cache directory and extract those out.

My kid however gave me the impression there were still other files that were lost (not true – I had recovered everything she’d done up to that point), so I decided that it would be worth doing some image forensics. I figured that finding deleted JPGs on an iOS HFS image was probably similar to what the FBI does on a regular basis to bust child pornographers. There should be some good Linux tools to scan a disk image for the markers of graphics files.

I found two that looked promising: Foremost and Scalpel. I had a bit of a challenge getting the disk image off the iPad. “dd” wasn’t available on the rescue image, but I was able to ssh into my iPhone and copy it off of there onto the rescue image. Amazingly that worked (given the different iOS versions and chipsets). I also had a hell of a time actually opening any of the /dev/disk files. Eventually I hit upon using “ssh -p 2022 root@localhost "cat /dev/rdisk0" | dd of=ipad.img” as the workable method. An hour or so later, I had a 16G image file on my Mac.

Next step was to get that over to an Ubuntu box, and apt-get install foremost. man foremost for instructions, but I found that dd if=rdisk0.img | foremost -Tvd -o recovered_stuff worked best for me. That recovered about 2800 or so files. Most of them were png files consisting of icons for applications. Foremost never found any of the images in her Photos, or any deleted Photos. Scalpel was based on foremost, so I tried it next. That required a compile and editing the config file to enable looking for png & jpg headers. The command here was scalpel -i file_with_name_of_image -o recover-target -c ./scalpel.conf, but I suggest reading the man page too. Scalpel didn’t find any more files to recover than foremost did.
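What header/footer carving of the kind Foremost and Scalpel do looks like in miniature, as an added example (not code from either tool or from the original post). The signature table, the 20 MiB cap, the function names and the constructed 8 KiB test image are assumptions of this sketch.

```python
import mmap
import os

# Header/footer byte markers for the two formats searched for above.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 20 * 1024 * 1024  # stop looking for a footer after 20 MiB

def carve(data, max_size=MAX_SIZE):
    """Return sorted (kind, offset, content) per header..footer run in bytes or an mmap.
    A header with no footer within max_size is skipped (e.g. zeroed blocks)."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphan header, keep scanning
                continue
            end += len(footer)
            hits.append((kind, start, bytes(data[start:end])))
            pos = end
    return sorted(hits, key=lambda h: h[1])

def carve_image(image_path, out_dir):
    """Carve a raw image file without loading it all into memory."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for kind, offset, content in carve(mm):
            path = os.path.join(out_dir, f"{offset:012d}.{kind}")
            with open(path, "wb") as out:
                out.write(content)
            written.append(path)
    return written

def demo_image():
    """Constructed 8 KiB 'disk': one JPEG, one PNG, one orphaned header."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
    img = bytearray(8192)
    img[512:512 + len(jpg)] = jpg
    img[4096:4096 + len(png)] = png
    img[6144:6148] = b"\xff\xd8\xff\xe1"   # header only, data zeroed
    return bytes(img)
```

Because this sketch stops at the first FF D9 it sees, a photo with an embedded EXIF thumbnail would be cut at the thumbnail's end marker. The orphaned header in the constructed image is never written out, which is the result to expect once the blocks behind a deleted file have been zeroed.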

I wasn’t expecting much from the image level scanning. I’m not 100% sure of the nature of the iDevice storage, but given it is flash memory, it probably has the same wear-leveling/trimming that occurs with PC SSDs, and the flash will begin to zero out the blocks as soon as the files are deleted so they’ll be ready to accept new data. (Updated to add this link I had lying around: SSD firmware destroys digital evidence, researchers find | Flash Memory | Macworld.)

The moral of the story here is (as always) MAKE BACKUPS! However, if you didn’t take sysadmin 101, there is still a chance your files (or older versions) are lurking around inside your iOS device and could be recovered.

What I determined is that I need to build a throw-away Windows VM that I can snapshot and revert as I try these random things I download off the internet, and that I also need a Linux forensic VM lying around with enough memory and storage to analyze these things.

I did find one useful tool for getting easy access to the iPad’s filesystem: iExplorer is a Windows or OSX tool for browsing files on the device. You can get direct access to the media files, and you can browse the contents of all your Apps. You can even FUSE mount the filesystem and browse it via a shell.

The Federal Reserve Bank of Atlanta did an analysis of how much annual benefit the average American gets from their PC. $1700.

$1,700: The annual benefit the average American derives from personal computers

Despite all the wrenching change the computer age has brought, humanity is probably better off than it would have been if the PC had never been invented. Now, economists at the Federal Reserve Bank of Atlanta have taken a stab at figuring out exactly how much better off we are.

The economists — Karen Kopecky and Jeremy Greenwood – traced the history of the computer market back to the introduction of the Apple II in 1977 to calculate how much value, or “utility”, American consumers derive from a given amount of computing power. They then looked at how much we actually paid for that computing power, in the form of desktop PCs, laptops, notebooks, software and so on. The difference, known as the “welfare gain”, is the benefit we get from personal computers above and beyond what we pay for them.

Back in the days of magnetic-tape memory, the annual benefit was pretty small — somewhere between zero and about $6 for the average American, adjusted for inflation, depending on the method of calculation. But by 2009, the price of computing power had fallen more than 99.8% and personal computers had become a lot better and more widely used. As a result, the welfare gain rose to somewhere between $1,300 and $2,100 per person, the economists’ estimates suggest. Ballpark average: $1,700.

That’s a massive benefit, adding up to about $500 billion, or 5% of total consumer spending in 2009.

To be sure, the economists’ estimates are based on some assumptions that, while common in the world of economics, are open to debate. For one, they assume that people are extremely rational, and always buy exactly the number of personal computers that maximizes their utility. To the extent that irrational impulses drive people to buy computers, or to the extent that the use of computers entails costs people don’t recognize (say, attention-span deficits or Internet addiction), then the actual benefit could be significantly smaller.

That said, those who want to test the estimates can pose themselves a question: How much money would somebody have to give you to take away all your personal-computing gadgets permanently? If it’s a lot more than you paid, Ms. Kopecky and Mr. Greenwood are probably not too far from right.

Chris on February 2nd, 2013

Kid’s Mac’s TimeMachine backups were broken.
“Time Machine completed a verification of your backups. To improve reliability, Time Machine must create a new backup for you.”
Rather than starting from scratch, I found this:

http://www.garth.org/archives/2011,08,27,169,fix-time-machine-sparsebundle-nas-based-backup-errors.html

Chris on December 7th, 2012

If you’re reading this, you know I rarely visit my blogs. That presents a problem, as I never get the nag from WordPress that my version is so out of date, my site has been taken over by Russian Yakuza using it to spy against the Chinese on behalf of Syria or something. Below is a simple little script that can be thrown in cron and will bug you when WordPress releases a new version and you’ve not updated.

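#!/bin/sh
# Nag when an installed WordPress is behind the current release (run from cron).
DIRS="Insert list of directories with wordpress here"

for dir in $DIRS ; do
    current_file="$dir/wordpress/wp-includes/version.php"
    if [ -f "$current_file" ] ; then
        # Pull the version string out of the line: $wp_version = 'x.y.z';
        current=$(grep '^\$wp_version' "$current_file" | awk '{print $NF}' | sed "s/[;']//g")
        # The API answers "latest" when $current is the newest release
        survey_says=$(wget -O - -o /dev/null "http://api.wordpress.org/core/version-check/1.0/?version=$current")
        # Quoted so an empty or multi-word reply does not break the test
        if [ "$survey_says" != "latest" ] ; then
            echo "$dir Needs an upgrade!!!!"
            echo "Currently $current"
        fi
    else
        echo "$current_file does not exist!"
    fi
done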

The key here is the URL “http://api.wordpress.org/core/version-check/1.0/?version=”. Append a version number to the end of that, and it will tell you if you’re at the latest or need to upgrade.

Seems Pretty Straight Forward:
sudo apt-get update
sudo apt-get install netatalk
sudo apt-get install avahi-daemon

Add this line to /etc/netatalk/AppleVolumes.default:
/huge/TimeMachine "TimeMachine" options:tm

Create /etc/avahi/services/afpd.service with contents:
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
</service-group>

Restart everything:
sudo service netatalk restart && sudo service avahi-daemon restart

Chris on February 17th, 2012

Get rid of the annoying network stores:
defaults write com.apple.desktopservices DSDontWriteNetworkStores true
Stop telling me shit I already know:
defaults write com.apple.LaunchServices LSQuarantine -bool NO

Chris on May 12th, 2011

viking_kittens

Chris on March 7th, 2011

Encrypt files for safety | Utilities | Macworld.

Useful for your macbook pro.

Chris on February 5th, 2011

So Read-it-later is a web service that allows you to bookmark articles to read later. They did an interesting analysis of what people read when and on what devices. Their results compare pretty much to my usage profile for the iPhone and iPad.

The iPad is a couch consumption device. I use it for reading email, quick email replies, reading facebook, surfing the web, and as an e-reader. I don’t find it good for creating content outside of the most basic snark-attacks on someone’s wall.

The iPhone for me, before it started sucking wind, was what the Read it Later people say it was – a downtime device. Something to do while waiting in line, stuck in traffic, or during a boring meeting.

When I want to do real content creation, I do it on my Mac. Nothing beats a full-sized keyboard, a 27″ monitor, multiple windows open, etc.

That is why I don’t expect Apple to do away with their MacOSX product line. iOS is great for consumption. OSX is great for creation. Sure some guy claims he edited a movie on his iPad. That means it can be done, not that that is the way it should be done.

Chris on January 28th, 2011

“Ask ten different scientists about the environment, population control, genetics, and you’ll get ten different answers, but there’s one thing every scientist on the planet agrees on. Whether it happens in a hundred years or a thousand years or a million years, eventually our Sun will grow cold and go out. When that happens, it won’t just take us. It’ll take Marilyn Monroe, and Lao-Tzu, and Einstein, and Buddy Holly, and Aristophanes…[and] all of this…all of this…was for nothing. Unless we go to the stars”. – Commander Jeffrey Sinclair, Babylon 5