O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Learning iOS Forensics

Book Description

A practical hands-on guide to acquire and analyze iOS devices with the latest forensic techniques and tools

In Detail

Mobile device forensics relates to the recovery of data from a mobile device. It has an impact on many different situations including criminal investigations and intelligence gathering. iOS devices, with their wide range of functionality and usability, have become one of the mobile market leaders. Millions of people often depend on iOS devices for storing sensitive information, leading to a rise in cybercrime. This has increased the need to successfully retrieve this information from these devices if stolen or lost.

Learning iOS Forensics will give you an insight into the forensics activities you can perform on iOS devices. You will begin with simple concepts such as identifying the specific iOS device and the operating system version and then move on to complex topics such as analyzing the different recognized techniques to acquire the content of the device. Throughout the journey, you will gain knowledge of the best way to extract most of the information by eventually bypassing the protection passcode. After that, you, the examiner, will be taken through steps to analyze the data. The book will give you an overview of how to analyze malicious applications created to steal user credentials and data.

What You Will Learn

  • Identify an iOS device among various models (iPhone, iPad, and iPod Touch) and verify the iOS version installed
  • Crack or bypass the passcode protection chosen by the user
  • Acquire detailed physical or logical info of an iOS device
  • Retrieve extra information from side channel data leaks
  • Recover information from a local backup and eventually crack the backup password
  • Download backup information stored on iCloud
  • Analyze the system, user, and third-party information from a device, backup, or iCloud
  • Examine malicious apps to identify the stolen data and credentials

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Learning iOS Forensics
    1. Table of Contents
    2. Learning iOS Forensics
    3. Credits
    4. About the Author
    5. Acknowledgments
    6. About the Author
    7. Acknowledgments
    8. About the Reviewers
    9. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    10. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the color images of this book
        2. Errata
        3. Piracy
        4. Questions
    11. 1. Digital and Mobile Forensics
      1. Digital forensics
      2. Mobile forensics
      3. Digital evidence
      4. Identification, collection, and preservation of evidence
        1. Chain of custody
      5. Going operational – from acquisition to reporting
        1. Evidence integrity
      6. SIM cards
        1. SIM security
      7. Summary
      8. Self-test questions
    12. 2. Introduction to iOS Devices
      1. iOS devices
        1. iPhone
          1. iPhone (first model)
          2. iPhone 3G
          3. iPhone 3GS
          4. iPhone 4
          5. iPhone 4s
          6. iPhone 5
          7. iPhone 5c
          8. iPhone 5s
          9. iPhone 6
          10. iPhone 6 Plus
        2. iPad
          1. iPad (first model)
          2. iPad 2
          3. iPad 3 (the new iPad)
          4. iPad 4 (with Retina display)
          5. iPad Air
          6. iPad mini
          7. iPad mini second generation
          8. iPad mini third generation
        3. iPod touch
          1. iPod touch (first model)
          2. iPod touch (second generation)
          3. iPod touch (third generation)
          4. iPod touch (fourth generation)
          5. iPod touch (fifth generation)
      2. iOS devices matrix
      3. iOS operating system
      4. iDevice identification
      5. iOS file system
        1. The HFS+ file system
        2. Device partitions
        3. System partition
        4. Data partition
        5. The property list file
        6. SQLite database
      6. Summary
      7. Self-test questions
    13. 3. Evidence Acquisition from iDevices
      1. iOS boot process and operating modes
      2. iOS data security
        1. Hardware security features
        2. File data protection
      3. Unique device identifier
        1. Case study – UDID calculation on iPhone 4s
      4. Lockdown certificate
      5. Search and seizure
      6. iOS device acquisition
        1. Direct acquisition
        2. Backup or logical acquisition
          1. Acquisition with iTunes backup
          2. Logical acquisition with forensic tools
          3. Case study – logical acquisition with Oxygen Forensic® Suite
        3. Advanced logical acquisition
          1. Case study – advanced logical acquisition with UFED Physical Analyzer
        4. Physical acquisition with forensic tools
          1. Case study – physical acquisition with UFED Physical Analyzer
      7. The iOS device jailbreaking
        1. Case study – jailbreaking and physical acquisition with Elcomsoft iOS Forensic Toolkit
      8. Apple support for law enforcement
      9. Search and seizure flowchart
      10. Extraction flowchart
      11. Summary
      12. Self-test questions
    14. 4. Analyzing iOS Devices
      1. How data are stored
        1. Timestamps
        2. Databases
        3. The property list files
      2. The iOS configuration files
      3. Native iOS apps
        1. Address book
        2. Audio recordings
        3. Calendar
        4. Call history
        5. E-mail
        6. Images
        7. Maps
        8. Notes
        9. Safari
        10. SMS/iMessage
          1. Voicemail
      4. Other iOS forensics traces
        1. Clipboard
        2. Keyboard
        3. Location
        4. Snapshots
        5. Spotlight
        6. Wallpaper
      5. Third-party application analysis
        1. Skype
        2. WhatsApp
        3. Facebook
        4. Cloud storage applications
          1. Dropbox
          2. Google Drive
      6. Deleted data recovery
        1. File carving – is it feasible?
        2. Carving SQLite deleted records
      7. Case study – iOS analysis with Oxygen Forensics Suite 2014
      8. Summary
      9. Self-test questions
    15. 5. Evidence Acquisition and Analysis from iTunes Backup
      1. iTunes backup
        1. iTunes backup folders
        2. iTunes backup content
      2. iTunes backup structure
        1. Standard backup files
      3. iTunes backup data extraction
        1. Case study – iTunes backup analysis with iPBA
      4. Encrypted iTunes backup cracking
        1. Case study – iTunes encrypted backup cracking with EPPB
      5. Summary
      6. Self-test questions
    16. 6. Evidence Acquisition and Analysis from iCloud
      1. iCloud
      2. iDevice backup on iCloud
      3. iDevice backup acquisition
        1. Case study – iDevice backup acquisition and EPPB with usernames and passwords
        2. Case study – iDevice backup acquisition and EPPB with authentication token
        3. Case study – iDevice backup acquisition with iLoot
      4. iCloud Control Panel artifacts on the computer
      5. Summary
      6. Self-test questions
    17. 7. Applications and Malware Analysis
      1. Setting up the environment
        1. The class-dump-z tool
        2. Keychain Dumper
        3. dumpDecrypted
      2. Application analysis
        1. Data at rest
        2. Data in use
        3. Data in transit
      3. Automating the analysis
        1. The iOS Reverse Engineering Toolkit
        2. idb
      4. Summary
      5. Self-test questions
    18. A. References
      1. Publications freely available
      2. Tools, manuals, and reports
      3. Apple's official documentation
      4. Device security and data protection
      5. Device hardening
      6. iTunes backup
      7. iCloud Backup
      8. Application data analysis
      9. Related books
    19. B. Tools for iOS Forensics
      1. Acquisition tools
      2. iDevice browsing tools and other nonforensic tools
      3. iDevice backup analyzer
      4. iDevice encrypted backup
      5. iCloud Backup
      6. Jailbreaking tools
        1. iOS 8
        2. iOS 7
        3. iOS 6
      7. Data analysis
        1. Forensic toolkit
        2. SQLite viewer
        3. SQLite record carver
        4. Plist viewer
        5. iOS analysis suite
        6. App analysis tools
        7. Consolidated.db
        8. App reverse engineering tools
    20. C. Self-test Answers
      1. Chapter 1: Digital and Mobile Forensics
      2. Chapter 2: Introduction to iOS Devices
      3. Chapter 3: Evidence Acquisition from iDevices
      4. Chapter 4: Analyzing iOS Devices
      5. Chapter 5: Evidence Acquisition and Analysis from iTunes Backup
      6. Chapter 6: Evidence Acquisition and Analysis from iCloud
      7. Chapter 7: Applications and Malware Analysis
    21. Index