Elcomsoft iOS Forensic Toolkit

06.07.2012

User (rdisk0s2s1)

The System disk contains the iOS installation itself, and is unencrypted. The User disk is the part that contains all the iOS device owner's information (emails, messages, and so forth) and is -- understandably -- encrypted.

Copying the System disk takes about 10 minutes, but copying the User disk can take anywhere from half an hour to several hours depending on the size of the disk. Our test unit took just under an hour to copy a 32GB iPhone disk. By default it copies the disks to your Home directory as .DMG files, although you can specify another location.

You can also download the user's files as a TAR archive (the TAR file format combines multiple files into a single file). This is faster than copying the disk image, as it copies only the files and not the unused space. As with copying the User disk as an image, this takes considerable time, but it is faster than copying the entire image. We imagine detailed forensics will require the more thorough approach.

Once you've got the files you still can't access them. Instead you have to go through the process of getting the keys (the internal codes used to access the User data) and the passcode (the PIN you use to unlock the device). Getting the keys is a matter of seconds, but requires you to either have the passcode or the Escrow file (which is stored on a Mac that is synced with the device). Escrow only works with iOS 4 or earlier and is located in /var/db/lockdown (the file is named after the device's UDID followed by .plist).
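The escrow file described above is what lets a forensic tool skip the passcode, so a device owner or administrator will want to know which synced Macs hold one. The following Python audit is an added example, not code from the article or from Elcomsoft's toolkit: it inventories the records in /var/db/lockdown and reports which device UDIDs have an escrow keybag. It assumes records are named <UDID>.plist and that the escrow data sits under a key called EscrowBag; the sample directory it builds is constructed so the script runs offline.

```python
import os
import re
import plistlib
import tempfile

# Location the article gives for escrow/pairing records on a synced Mac.
LOCKDOWN_DIR = "/var/db/lockdown"
# Assumption: records are named <UDID>.plist; 40-hex UDIDs were current in 2012,
# the hyphenated 8-16 form is accepted too. Other plists in the directory are skipped.
UDID_RE = re.compile(r"^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{8}-[0-9a-fA-F]{16})$")

def list_escrow_records(lockdown_dir=LOCKDOWN_DIR):
    """Map each device UDID found in lockdown_dir to True if its pairing record
    carries an escrow keybag (assumed key name: 'EscrowBag'), False if the record
    exists without one, and None if the file could not be parsed as a plist."""
    records = {}
    if not os.path.isdir(lockdown_dir):
        return records
    for name in sorted(os.listdir(lockdown_dir)):
        stem, ext = os.path.splitext(name)
        if ext != ".plist" or not UDID_RE.match(stem):
            continue
        try:
            with open(os.path.join(lockdown_dir, name), "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            records[stem] = None          # corrupt or non-plist record
            continue
        records[stem] = isinstance(data, dict) and "EscrowBag" in data
    return records

def build_sample_lockdown_dir():
    """Constructed sample directory with fake records, so the audit runs offline."""
    d = tempfile.mkdtemp(prefix="lockdown-sample-")
    with open(os.path.join(d, "a" * 40 + ".plist"), "wb") as fh:   # fake UDID, has escrow
        plistlib.dump({"HostID": "host-1", "EscrowBag": b"\x00" * 16}, fh)
    with open(os.path.join(d, "b" * 40 + ".plist"), "wb") as fh:   # fake UDID, no escrow
        plistlib.dump({"HostID": "host-2"}, fh)
    with open(os.path.join(d, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"note": "not a device record"}, fh)          # must be ignored
    with open(os.path.join(d, "c" * 40 + ".plist"), "wb") as fh:
        fh.write(b"not a plist")                                    # corrupt record
    return d

if __name__ == "__main__":
    target = LOCKDOWN_DIR if os.path.isdir(LOCKDOWN_DIR) else build_sample_lockdown_dir()
    for udid, has_escrow in list_escrow_records(target).items():
        state = {True: "escrow keybag present", False: "no escrow keybag", None: "unreadable"}[has_escrow]
        print(f"{udid}: {state}")
```

Run as root on the Mac that syncs the device to see the real directory; anywhere else it falls back to the constructed sample.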