iOS Forensics for Investigators - Gianluca Tiepolo - E-Book

Description

Professionals working in the mobile forensics industry will be able to put their knowledge to work with this practical guide to learning how to extract and analyze all available data from an iOS device.
This book is a comprehensive, how-to guide that leads investigators through the process of collecting mobile devices and preserving, extracting, and analyzing data, as well as building a report. Complete with step-by-step explanations of essential concepts, practical examples, and self-assessment questions, this book starts by covering the fundamentals of mobile forensics and how to overcome challenges in extracting data from iOS devices. Once you've walked through the basics of iOS, you’ll learn how to use commercial tools to extract and process data and manually search for artifacts stored in database files. Next, you'll find out the correct workflows for handling iOS devices and understand how to extract valuable information to track device usage. You’ll also get to grips with analyzing key artifacts, such as browser history, the pattern of life data, location data, and social network forensics.
By the end of this book, you'll be able to establish a proper workflow for handling iOS devices, extracting all available data, and analyzing it to gather precious insights that can be reported as prosecutable evidence.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 300

Year of publication: 2022




iOS Forensics for Investigators

Take mobile forensics to the next level by analyzing, extracting, and reporting sensitive evidence

Gianluca Tiepolo

BIRMINGHAM—MUMBAI

iOS Forensics for Investigators

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Vijin Boricha

Senior Editor: Athikho Sapuni Rishana

Content Development Editor: Sayali Pingale

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Associate Project Manager: Neil Dmello

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Roshan Kawale

Marketing Coordinator: Sanjana Gupta

First published: April 2022

Production reference: 1110422

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-80323-408-3

www.packt.com

Dedicated to those who try, whether they fail or succeed.

Contributors

About the author

Gianluca Tiepolo is a cybersecurity researcher who specializes in mobile forensics and incident response. He holds a BSc degree in computer science and an MSc in information security, as well as several security-related certifications.

Over the past 12 years, he has performed security monitoring, threat hunting, incident response, and intelligence analysis as a consultant for dozens of organizations, including several Fortune 100 companies. Gianluca is also the co-founder of the start-up Sixth Sense Solutions, which developed AI-based anti-fraud solutions. Today, Gianluca works as a Security Delivery Team Lead for consulting firm Accenture Security.

In 2016, he authored the book Getting Started with RethinkDB, published by Packt Publishing.

Mobile forensics is a field that is exploding with potential and opportunities. I am fortunate to work with some of the most talented analysts, examiners, and investigators who have supported me throughout the writing of this book and contributed much to the book's contents.

Writing a book is no easy task, and no work is truly the result of one mind.

I want to thank Vijin Boricha, who was the first person to believe in this project and set the conditions that led to the publishing of this book. I want to particularly thank Neil Dmello — my project coordinator — who supported me through the many iterations and rewrites, yet always remained encouraging. Thank you to my editors — Sayali Pingale and Athikho Sapuni Rishana — for their feedback and guidance. Thanks also to my technical reviewer, Domenica Lee Crognale. This book is so much better thanks to her tremendously insightful suggestions.

To the entire Packt Publishing team who pulled this all together, my sincere thanks to you all.

This book has been an amazing journey into the world of iOS forensics, the outcome of which would never have been possible without the contributions of the entire community. I would like to thank all the people who work in the DFIR industry who are driven by their passion and dedication.

About the reviewer

Domenica Lee Crognale has worked in digital forensics for more than 16 years, with 13 years specifically dedicated to mobile devices. She has performed mobile forensic investigations for both law enforcement and the intelligence community in support of the US federal government. She received a BSc in business administration from Old Dominion University, and her master's in cybersecurity management from Purdue Global University. She is currently employed by the SANS Institute full time, where she co-authors and instructs a six-day course, FOR585, focusing on smartphone forensic analysis. She also serves as a faculty advisor for candidates enrolled in the SANS Technology Institute's masters in cybersecurity degree program.

I'd like to thank my family and friends who understand the time and commitment it takes to research and test data that is constantly changing. Working in this field would not be possible without the supportive mobile forensics community that has developed over the last several years. Thank you to all of the trailblazers who make this field an exciting place to work each and every day. We are grateful for everything you do!

Table of Contents

iOS Forensics for Investigators

Contributors

About the author

About the reviewer

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Disclaimer

Get in touch

Share Your Thoughts

Section 1 – Data Acquisition from iOS Devices

Chapter 1: Introducing iOS Forensics

Understanding mobile forensics

The new golden age for iOS forensics

Challenges in iOS forensics

Dissecting the iOS operating system

Understanding the iOS filesystem

Understanding iOS security

User authentication

Encryption and Data Protection

Establishing a workflow

Seizure and identification

Preservation

Acquisition

Analysis

Validation

Reporting

Summary

Chapter 2: Data Acquisition from iOS Devices

Understanding acquisition methods

Logical acquisitions

Physical acquisitions

Filesystem acquisitions

Jailbreaking the device

Jailbreaking with checkra1n

Triaging the device

Deciding the best acquisition method

Performing a logical acquisition

Logical acquisition with Cellebrite UFED

Logical acquisition with Elcomsoft iOS Forensic Toolkit

Performing a filesystem acquisition

Checkm8 full filesystem acquisition using Cellebrite UFED

Agent-based full filesystem acquisition

Summary

Section 2 – iOS Data Analysis

Chapter 3: Using Forensic Tools

Understanding forensic tools

Tool validation

Working with Cellebrite Physical Analyzer

Loading evidence and selective decoding

Viewing decoded data

Using the AppGenie

Working with Magnet AXIOM

Loading evidence and on-the-fly processing

Analyzing evidence with AXIOM Examine

Using open source tools

Apollo

iLEAPP

iOS Triage

Sysdiagnose

Analyzing data with iLEAPP

Summary

Chapter 4: Working with Common iOS Artifacts

Understanding the importance of validation

Working with iOS artifacts

Introducing SQLite

Tables, columns, and rows

Running SQL queries

Pages, vacuuming, and write-ahead logs

Recovering deleted data

Working with property lists

Working with protocol buffers

Locating common artifacts

Summary

Chapter 5: Pattern-of-Life Forensics

Introducing pattern-of-life forensics

Meaningful SQLite databases

Working with timestamps

Unix timestamps

Mac timestamps

Logs, events, and user interaction

The KnowledgeC database

Analyzing application usage

Analyzing user interaction

Introducing Apollo

Summary

Chapter 6: Dissecting Location Data

Introducing location data

GPS fixes, cell towers, and Wi-Fi networks

Satellite GPS

Cell towers

Wi-Fi and Bluetooth

Locating location artifacts

Analyzing location data

Understanding Significant Locations

Analyzing Wi-Fi locations

Understanding Harvested Locations

Analyzing harvested cell tower data

Analyzing harvested Wi-Fi data

Advanced iOS location artifacts

Analyzing location data using forensic tools

Viewing location data with Physical Analyzer

Analyzing location data with Apollo

Summary

Chapter 7: Analyzing Connectivity Data

Introducing cellular forensics

Analyzing the PowerLog

Analyzing the address book

Analyzing the call log

Analyzing networking data

Analyzing network usage

Introducing Bluetooth forensics

Understanding Safari forensics

Analyzing Safari history

Introducing private browsing

Summary

Chapter 8: Email and Messaging Forensics

Introducing email forensics

Extracting email metadata

Analyzing email content

Understanding messaging forensics

Analyzing SMS and iMessage artifacts

Introducing third-party messaging apps

Recovering deleted messages

Detecting deleted messages using Mirf

Summary

Chapter 9: Photo, Video, and Audio Forensics

Introducing media forensics

Analyzing photos and videos

Understanding Photos.sqlite

Introducing EXIF metadata

Viewing EXIF metadata

Analyzing user viewing activity

Summary

Chapter 10: Analyzing Third-Party Apps

Introducing iOS applications

Identifying installed applications

Tracking application GUIDs

Dynamic application analysis

Connecting to the test device

Using cda to locate an application's containers

Using fsmon to monitor filesystem events

Using mitmproxy to monitor network activity

Advanced application analysis

Practical third-party applications forensics

Social networking applications

Messaging applications

Productivity applications

Multimedia applications

Summary

Chapter 11: Locked Devices, iTunes Backups, and iCloud Forensics

Acquiring locked devices

Using lockdown pairing records to access the device

Passcode cracking

BFU acquisition of locked devices

Performing a BFU acquisition using the Elcomsoft iOS Forensic Toolkit

Performing a BFU acquisition using the Cellebrite UFED

Introducing iTunes backups

Locating backup files

Analyzing iTunes backups

Cracking iTunes backup passwords

Introducing iCloud forensics

iCloud backups

iCloud synced data

Accessing iCloud data

Introducing iCloud Keychain

Extracting iCloud Keychain and synced data

Extracting iCloud backups

Summary

Section 3 – Reporting

Chapter 12: Writing a Forensic Report and Building a Timeline

Mobile forensics reporting

Writing a forensic report

Creating reports using Cellebrite Physical Analyzer

Generating a preliminary device report

Generating a complete report

Introducing timelines

Building a timeline with Magnet AXIOM

Summary

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Preface

Over the past few years, digital forensic examiners have seen a remarkable increase in requests to extract and analyze data from iOS and Android mobile devices. Smartphones and the rich data associated with them have become the single most important source of evidence in virtually every type of investigation. The examination and extraction of data from these devices present numerous unique challenges: modern devices contain so much data that it takes someone with training and experience to add context to the data and understand where that data comes from, how it was generated, and what it means for the investigation.

Finding artifacts on a mobile device is the easy part but recognizing whether those artifacts are evidence can be much harder. Too often, mobile examiners rely on automated tools to extract and process the data, simply allowing the software to identify it without completely comprehending how the actual file that contains this data was created, what it means, and what is going on behind the scenes. Forensic tools and commercial software definitely have their place, but they're not enough. The modern investigator needs to take an in-depth look at the artifacts and learn how to recognize which artifacts are potentially evidence and which are just noise.

Most technical books tend to be tool-focused and often take on a cookbook approach to mobile forensics. This book takes a completely different approach, by guiding you through logical steps that explain what's going on behind the scenes and how to interpret the data. By the end of this book, the examiner will be able to collect the data from an iOS device using multiple techniques and demonstrate unequivocally where the data came from and what it entails for the investigation.

Who this book is for

This book is intended specifically for forensic analysts or digital investigators who need to acquire and analyze information from mobile devices running iOS. This book may also be useful for cybersecurity experts and researchers, as it provides an in-depth look at how iOS devices work behind the scenes.

What this book covers

This book starts with an overview of mobile forensics and what you should know about it. The first section goes over the forensic process and discusses the different options for acquiring data from iOS devices. The second section describes approaches and best practices for analyzing the data, such as manually parsing the artifacts, and also covers the most popular forensic tools used in an examination. The final section discusses how to build a timeline and best practices for writing a forensic report.

Chapter 1, Introducing iOS Forensics, introduces the topic of mobile forensics by describing the forensic process and the iOS operating system.

Chapter 2, Data Acquisition from iOS Devices, describes all available options to successfully acquire the data from an iOS device. We'll discuss logical, physical, and filesystem acquisitions, and much more, such as agent-based extractions.

Chapter 3, Using Forensic Tools, describes why forensic tools are important and how an investigator can benefit by using them. The chapter takes an in-depth look at some of the most popular tools, such as Cellebrite Physical Analyzer and Magnet AXIOM.

Chapter 4, Working with Common iOS Artifacts, introduces common artifacts that can be found on iOS devices, such as SQLite databases and Property lists. We'll learn how to identify these artifacts, where to find them, and how to analyze them.

Chapter 5, Pattern-of-Life Forensics, focuses on artifacts that can help an investigator understand a user's day-to-day activities, such as what apps were used and for how long.

Chapter 6, Dissecting Location Data, is all about extracting, analyzing, and understanding location-related artifacts.

Chapter 7, Analyzing Connectivity Data, discusses cellular forensics, networking data, Bluetooth and Wi-Fi artifacts, and browsing history.

Chapter 8, Email and Messaging Forensics, describes different email clients and messaging applications and how to analyze their data.

Chapter 9, Photo, Video, and Audio Forensics, dives deep into multimedia forensics.

Chapter 10, Analyzing Third-Party Apps, introduces third-party applications. You will learn how to analyze any kind of application and how to quickly locate artifacts from the most popular iOS apps.

Chapter 11, Locked Devices, iTunes Backups, and Cloud Forensics, discusses more advanced topics, such as working with locked devices and extracting forensic data from iCloud.

Chapter 12, Writing a Forensic Report and Building a Timeline, puts together all the knowledge acquired in the previous chapters by teaching you how to produce a comprehensive timeline report.

To get the most out of this book

This book is designed to allow you to use any kind of operating system, so most of the examples can be replicated by using Windows, macOS, or Linux; however, it should be noted that some commercial forensic tools are only available on Windows.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803234083_ColorImages.pdf

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "We're providing a ZIP archive as the input file and we're exporting the report to the output folder."

A block of code is set as follows:

SELECT ROWID, text FROM message

ORDER BY ROWID DESC

LIMIT 5;

Any command-line input or output is written as follows:

python3 ileapp.py -t zip -i ../iphone_dump.zip -o output

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Once you've added all evidence sources to the case, click on GO TO PROCESSING DETAILS to continue."

Tips or Important Notes

Appear like this.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Neither Packt Publishing nor the author of this book takes any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read iOS Forensics for Investigators, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1 – Data Acquisition from iOS Devices

You will learn the correct iOS device workflow and understand the basics of how the iOS operating system works. At the end of part one, you will be able to successfully extract a full filesystem image from an iOS device.

This part of the book comprises the following chapters:

Chapter 1, Introducing iOS Forensics
Chapter 2, Data Acquisition from iOS Devices

Chapter 1: Introducing iOS Forensics

Over the past decade, smartphones have undergone a profound revolution, impacting our lives in all possible ways: our devices are no longer just smart phones – they have become data hubs that store all kinds of information from our digital (and not so digital) life.

Today, from the palm of our hand, we can surf the web, buy theater tickets, get food delivered to our door, or call an Uber. We're using our devices to read eBooks, take notes, engage in creative tasks, and share our lives with our followers through social media. We have progressively replaced our digital cameras with our iPhone camera roll. Smartphones can keep track of physical activity, interact with external devices, give us directions, and remind us of that important meeting that we might forget. We use productivity apps to get stuff done and we make payments using Apple Pay. And – of course – we use our iPhones to get in touch with people on the other side of the world. With the massive spread of iPads and tablets in general, our devices are no longer just communication devices. They have become an almost unlimited content platform where we can enjoy movies, TV series, or simply listen to our favorite music.

To be able to provide these amazing features, mobile devices collect huge amounts of data that is processed by iOS and sometimes synced to iCloud. This information documents and reveals the thoughts and activity of a user substantially more than any data stored in any desktop computer.

Mobile forensics is all about collecting this data, preserving it, assessing it, validating it, and extracting meaningful insights that can be presented as evidence.

In this chapter, we will cover the following topics:

Understanding mobile forensics
Dissecting the iOS operating system
Understanding iOS security
Establishing a workflow

Understanding mobile forensics

Apple devices are popular all over the world due to the user experience they provide, their magnificent design, and their revolutionary features, so it shouldn't come as a surprise that in 2016, Apple announced that over one billion iPhones had been sold. Over the past 5 years, mobile device usage has grown particularly fast, with data from 2021 indicating that there were one billion active iOS devices.

The information that's stored on a smartphone can help address crucial questions in an investigation, revealing whom an individual has been in contact with, where they have been, and what they've been doing with the device. As new features are added to the device and more apps are made available through the App Store, the amount of information that's stored on iOS devices is continuously growing.

Mobile forensics can be defined as the process of recovering digital evidence from a mobile device under forensically sound conditions using validated means.

The kind of evidence we can recover from a device depends on the device itself and what techniques are used for data extraction, but generally, smartphones contain personal information such as call history, messages, emails, photos, videos, memos, passwords, location data, and sensor data. No other computing device is as personal as a mobile phone.

Typically, the examination process should reveal all digital evidence, including artifacts that may have been hidden, obscured, or deleted. Evidence is gained by applying established scientifically based methods and should describe the content and state of the data fully, including where it is located, the potential significance, and how different data sources relate to each other. The forensic process begins by extracting a copy of the evidence from the mobile device. Once a copy is available, the next step involves analyzing the data, identifying evidence, and developing the contents of a final report.

The new golden age for iOS forensics

Over the past 3 years, the digital forensics industry has undergone a major revolution.

In 2019, the discovery of the checkm8 exploit for iOS devices was a complete game-changer as it opened new doors for digital forensics investigators, allowing full filesystem extractions of hundreds of millions of Apple devices. If you've never seen a full filesystem extraction before, you'll probably be surprised by the extent and variety of data that the device stores!

Checkm8 is based on an un-patchable hardware flaw that lives directly on the chips of iOS devices, ranging from devices running Apple's A11 chip down to the A5 generation. This includes devices from the iPhone 4S to iPhone X and several iPads.

This vulnerability is specifically a BootROM exploit, which means it takes advantage of a security flaw in the initial code that iOS devices load during the boot process, and it can't be overwritten or patched by Apple through a software update.

At the end of 2019, checkra1n was released: the first public jailbreak based on the checkm8 exploit (closed source, and semi-tethered, so it must be re-applied after every reboot). Digital investigators and forensic analysts quickly adopted checkra1n to get access to the device's filesystem and keychain. However, as with all jailbreaks, this solution has drawbacks: applying a jailbreak inevitably modifies data on the device's filesystem, so it is not considered forensically sound.

For these reasons, vendors such as Cellebrite, Elcomsoft, and Oxygen Forensics have developed proprietary solutions based on the original checkm8 exploit that run entirely in the device's RAM. These tools allow investigators to perform full filesystem extractions without writing to the system or user partitions, so the device's persistent storage is left unchanged.

In other words, on selected devices, the checkm8 vulnerability can be exploited to extract the full filesystem without actually jailbreaking the device. The following table shows the list of devices that are vulnerable to the checkm8 exploit:

Table 1.1 – Devices that are vulnerable to the checkm8 exploit

To exploit checkm8 for a filesystem extraction, your device must be compatible, and it must be running a supported iOS version. This is a major drawback as newer devices, such as the latest iPhone 13, are not supported. There are, however, other options.

In 2020, vendors such as Elcomsoft and Belkasoft introduced agent-based extraction, an acquisition method that allows full filesystem extractions without jailbreaking the device. The agent is sideloaded onto the device as a regular app; once launched, it escapes the sandbox through software exploits, gains unrestricted access to the filesystem, and streams the data to the examiner's computer. Agent-based extraction is considered forensically sound because the exploit runs in memory and makes no persistent changes beyond the agent's own installation, which the examiner should document and remove once the extraction is complete; it is also usually much faster than a jailbreak. At the time of writing, supported devices include all iPhones from the 5s up to the iPhone 12, running iOS versions 9.0 to 14.3.

In May 2020, a major update for the unc0ver jailbreak was released, adding support for devices based on A12-A13 chips. At the time of writing, unc0ver supports jailbreaking all devices from the iPhone 5s up to the iPhone 12. Supported iOS versions range from iOS 11 to iOS 14.3.

Although jailbreaking a device allows full filesystem extraction, it's not considered a forensically sound process. An investigator should consider safer options such as checkm8 or agent-based extractions first if they're supported.

Tip

It's important to note the difference between checkm8-based extractions and jailbreaking the device through checkra1n or unc0ver. Tools such as Cellebrite UFED and Elcomsoft iOS Forensic Toolkit leverage the checkm8 exploit to temporarily gain access to the entire filesystem by running the exploit in the device's RAM. When the extraction is complete, the device reboots normally and no permanent changes have been made to it.

On the other hand, jailbreaking the device will leave permanent traces and will also require installing third-party packages such as Cydia or AFC2, making additional changes to the device.

Challenges in iOS forensics

Smartphones are considered live, dynamic systems, and for this reason, they pose several challenges from a forensic perspective because data and files are constantly changing.

One of the main complications that a digital investigator may face is dealing with a locked device: recent iOS updates make passcode cracking almost impossible and other options will have to be considered to extract as much data as possible.

The growing number of devices and the variety of software they run make it extremely difficult to build a single tool and a consistent workflow that address every eventuality. Forensic extraction tools usually rely on security vulnerabilities to gain access to the device's filesystem, to extract far more data than an iTunes backup contains, or even to unlock a device whose passcode is unknown. A method that works on one device today may therefore stop working as soon as a new version of iOS patches the vulnerability it depends on, rendering the tool useless until a new one is found.

The modern investigator will have to take these issues into account when approaching an Apple device and decide, on a case-by-case basis, what the best technique will be to obtain the broadest amount of valuable evidence.

Dissecting the iOS operating system

Performing a forensic examination of digital evidence from a mobile device requires not only a full understanding of the data but also basic knowledge of how the device itself works and how that data was generated. This is particularly challenging on iOS devices due to the closed source nature of the platform, which makes it difficult to understand how exactly iOS interfaces with all this data and what's going on behind the scenes on the device.

Apple invests heavily in restricting the operating system and application software that can run on its hardware through several security features: applications running on Apple devices don't interact directly with the underlying hardware but go through system interfaces. iOS can therefore be seen as an intermediary between the device's hardware components and the applications running on it.

Tip

Many publications provide information regarding iOS hardware. For a full list of iPhone components and devices, you can refer to the Apple Support page: https://support.apple.com/specs/iphone.

Understanding the iOS filesystem

Since iOS 10.3, Apple File System (APFS) has replaced HFS+ as the default filesystem. APFS is a proprietary filesystem that was designed with mobile devices in mind: it's optimized for SSD storage and supports strong encryption natively. On iOS devices, the storage is split into two logical partitions, the system partition and the user partition:

The system partition contains the iOS operating system and all the preloaded applications that come with the device, but holds little evidentiary information. It is only updated when a firmware upgrade is performed on the device.
The user partition, which is mounted at /private/var, contains all user-created data and provides most of the evidentiary information that's pertinent to investigators.

Where is data stored on the iOS filesystem?

One example of how iOS mediates communication between applications and hardware is sandboxing: users interact with an application without accessing the filesystem directly, and each app is confined to one or more containers that are created automatically when the app is installed on the device. This organization makes things a lot easier for investigators, as all the files related to a specific app are grouped in known locations.

Each container has a specific role:

The bundle container contains the application itself, including all the assets that come with the application when it is downloaded from the App Store.

The data container holds data for both the application and the user and is further divided into several directories that the application can use to organize its data.

The group container is where applications can store data that can be shared with other apps of the same group.

The following diagram shows the containers for each application:

Figure 1.1 – A representation of application containers

The data container contains several different folders:

Documents/: This folder contains user-created files and is automatically included in iTunes backups and iCloud backups.

Library/: This folder is used by the application to store app-related data and is not created by the user. This folder is included in iTunes and iCloud backups.

Temp/: Contains application-related temporary files and is not included in backups.

As you can see, all application files are neatly organized into their respective data containers. You may be wondering, however, where exactly these containers are stored on the device's filesystem. Each application on a device is identified through a globally unique identifier (GUID), also known as a BundleID identifier. This identifier is generated when an application is first installed and can change if the app is updated or reinstalled.

Application bundle containers are stored at the following path on the iOS filesystem:

/private/var/containers/Bundle/Application/<app-GUID>/

Application data containers are stored at the following path:

/private/var/mobile/Containers/Data/Application/<app-GUID>/

Group containers are stored at the following path:

/private/var/mobile/Containers/Shared/AppGroup/<app-GUID>/

Tip

In this section, we've seen where applications store data on the iOS filesystem. But what about system artifacts? System-related data is stored all over the filesystem, so we won't find everything all in one place! We'll dive deep into system artifacts and where to find them in Chapter 4, Working with Common iOS Artifacts.

How is data stored on the iOS filesystem?

So far, we've learned how iOS organizes application data into containers and where these containers are stored on the filesystem. Now, let's discuss the types of files that commonly contain useful evidence within the iOS filesystem.

Other than user-generated content (such as documents, photos, videos, or text files), data stored on an iOS device usually consists of the following items:

SQLite databases: SQLite is a standalone, self-contained database that can store just about any kind of data, including binary BLOBs, all in one file. SQLite databases are the primary source of storage for applications and system data, so parsing these databases will be one of the focus points of most digital investigations. Databases can also be extremely useful if you wish to attempt to recover deleted data, as deleted records usually leave a digital trace in the database itself or its temporary files. Essential artifacts such as SMS messages, WhatsApp conversations, contacts, call logs, notes, and browser history are all stored in SQLite databases.

Property List Files (Plists): Plists are structured files that are used by iOS and applications to store, organize, and access data on the device. These can be stored in XML format or binary format. Typically, plists are used to store application settings or user preferences.

Other file types: This includes log files, XML files, Protocol Buffers, and Realm databases. These file types will be covered in depth later in this book.

This is what a property list looks like in XML format:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>UUID</key>
        <string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
        <key>ClientID</key>
        <string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
        <key>ClientEnabled</key>
        <false/>
    </dict>
</plist>
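The following is an added example, not code from the book, that ties the two preceding sections together: it parses the XML plist shown above with Python's plistlib (which reads XML and binary plists alike), then builds a constructed filesystem extraction containing one data container at the path given earlier and resolves the container GUID to a bundle identifier. The container-manager metadata file name and its MCMMetadataIdentifier key are assumed from the standard iOS layout and are not taken from the page; the GUID and bundle identifier are constructed sample values.

```python
from pathlib import Path
import plistlib
import tempfile

# The XML plist from the page's example, embedded here as sample input.
PAGE_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UUID</key><string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
    <key>ClientID</key><string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
    <key>ClientEnabled</key><false/>
</dict>
</plist>
"""

# Data-container path from the page; the per-container metadata plist name
# and its MCMMetadataIdentifier key are assumed from the standard iOS layout.
DATA_CONTAINERS = "private/var/mobile/Containers/Data/Application"
METADATA_PLIST = ".com.apple.mobile_container_manager.metadata.plist"

def plist_format(data: bytes) -> str:
    """Binary plists start with the 'bplist00' magic; XML ones start with '<'."""
    return "binary" if data.startswith(b"bplist") else "xml"

def build_sample_extraction(root: str, guid: str, bundle_id: str) -> None:
    """Constructed data container: the folders the page lists plus a binary metadata plist."""
    container = Path(root, DATA_CONTAINERS, guid)
    for sub in ("Documents", "Library", "tmp"):
        (container / sub).mkdir(parents=True)
    meta = {"MCMMetadataIdentifier": bundle_id, "MCMMetadataUUID": guid}
    (container / METADATA_PLIST).write_bytes(plistlib.dumps(meta, fmt=plistlib.FMT_BINARY))

def map_containers(root: str) -> dict:
    """Resolve each GUID folder under Data/Application to (plist format, bundle ID)."""
    found = {}
    for container in sorted(Path(root, DATA_CONTAINERS).iterdir()):
        meta_file = container / METADATA_PLIST
        if not meta_file.is_file():
            continue  # container without metadata: record nothing rather than guess
        raw = meta_file.read_bytes()
        found[container.name] = (plist_format(raw), plistlib.loads(raw).get("MCMMetadataIdentifier"))
    return found

def demo() -> dict:
    """Parse the page's XML plist, then build and walk a constructed extraction."""
    settings = plistlib.loads(PAGE_PLIST_XML)  # same call handles XML and binary
    root = tempfile.mkdtemp()
    build_sample_extraction(root, "0F2B6C1E-1D4A-4B3C-9E7F-ABCDEF012345", "com.example.notes")
    return {"settings": settings, "containers": map_containers(root)}
```

Run against a real full-filesystem extraction, map_containers() gives the GUID-to-app table an examiner needs before looking inside any app's Documents/ or Library/ folder.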

In the following chapters, we will do a deep dive into the details to understand what the best practices are for parsing plists and querying SQLite databases, how to handle SQLite temporary files in a forensically sound way, and where to locate core iOS artifacts.

Understanding iOS security

Apple devices are widely known for their ability to secure user data. With every release of a new iOS device or update to the iOS operating system, Apple works hard to improve security by introducing new features and by patching known vulnerabilities. In the following sections, we'll go over the key elements of Apple's security model.

User authentication

To secure physical access to the device, some form of user authentication is required. iOS devices implement authentication through two mechanisms:

Passcode authentication

Biometric authentication

By default, Apple devices suggest a six-digit numeric passcode, although the user can also choose a four-digit passcode or a custom alphanumeric code. Once a passcode has been set, the user will have to enter it every time the device is turned on and when it wakes up.

To improve the user experience while maintaining high security standards, Apple introduced biometric authentication with the iPhone 5s through Touch ID, which uses a fingerprint in place of the passcode. With the release of the iPhone X, Apple introduced Face ID, which employs face recognition to unlock the device.

Unlocking passcode-protected iOS devices is one of the main challenges in mobile forensics.

Because there are a relatively small number of numeric passcodes, brute-force guessing attacks could theoretically be used to exploit authentication. However, this is extremely risky as iOS is designed to rate-limit passcode entry attempts, and data can be permanently deleted from the device if too many failed attempts occur.

This passcode is not just used to unlock the device itself; it's one of the key features of the iOS data protection model: the passcode, combined with the hardware encryption key, is used to derive a unique and extremely strong encryption key, which in turn protects the user's data.

Encryption and Data Protection

While user authentication provides a degree of security in preventing unauthorized access to the physical device, these mechanisms could still be bypassed by exploiting vulnerabilities in software or hardware. A compromised device could potentially allow unauthorized access to the device's filesystem. For this reason, starting with the iPhone 4, the entire filesystem is encrypted using strong cryptographic algorithms. With the release of the iPhone 5s, Apple set a new precedent in mobile security by introducing a technology called Data Protection, which relies on multiple dedicated components to support encryption and biometrics.

Secure Enclave

At the heart of iOS's security is Secure Enclave, a dedicated system on a chip (SoC) isolated from the main processor and operating system that provides cryptographic operations for data protection and key management.

Secure Enclave's main components are as follows:

Secure Enclave Processor (SEP), which runs an Apple-modified version of the L4 microkernel and provides computing power exclusively to Secure Enclave.

A memory protection engine.

A True Random Number Generator (TRNG), which is used to generate random cryptographic keys.

Dedicated Advanced Encryption Standard (AES) hardware engines, which communicate directly with the SEP through a secure channel and perform in-line encryption and decryption as files are written or read.

A unique ID (UID), a cryptographic key that uniquely identifies the device. The UID is randomly generated and fused directly into Secure Enclave's hardware during device manufacturing, so it isn't visible outside the device.

A dedicated, secure, nonvolatile storage system that can only be accessed by Secure Enclave. This is where data encryption keys are stored, ensuring that these are never exposed to iOS systems or applications.

The following diagram shows the different components of Secure Enclave:

Figure 1.2 – Secure Enclave components

Secure Enclave is responsible for several different security-related operations, including generating and storing keys necessary for encrypting data on the device and evaluating biometric data from Touch ID and Face ID.

The SEP uses the UID to generate cryptographic keys that are tied to the specific device. This adds another layer of security: if the device's SSD storage is physically moved to a different device, files can't be decrypted and thus will be inaccessible, since every device has a unique UID and the original UID is required to decrypt the files.

iOS Data Protection keys

Data protection on iOS is implemented by generating and managing a hierarchy of cryptographic keys.