
Learning iOS Forensics - Second Edition

Book Description

A practical guide to analyzing iOS devices with the latest forensics tools and techniques

About This Book

  • This book is a comprehensive update to Learning iOS Forensics
  • This practical book covers not only the critical aspects of digital forensics but also those of mobile forensics
  • Whether you're a forensic analyst or an iOS developer, there's something in this book for you
  • The authors, Mattia Epifani and Pasquale Stirparo, are respected members of the community, and they go into extensive detail to cover critical topics

Who This Book Is For

The book is for digital forensics analysts, incident response analysts, IT security experts, and malware analysts. It would be beneficial if you have basic knowledge of forensics.

What You Will Learn

  • Identify which iOS device model you are dealing with (iPhone, iPad, iPod Touch) and verify the iOS version installed
  • Crack or bypass the protection passcode chosen by the user
  • Acquire, at the most detailed level, the content of an iOS device (physical, advanced logical, or logical)
  • Recover information from a local backup and, if necessary, crack the backup password
  • Download backup information stored on iCloud
  • Analyze system, user, and third-party information from a device, a backup, or iCloud
  • Examine malicious apps to identify data and credential theft

In Detail

Mobile forensics is used within many different domains, but is chiefly employed in the field of information security. By understanding common attack vectors and vulnerability points, security professionals can develop measures and examine system architectures to harden security on iOS devices. This book is a complete manual on the identification, acquisition, and analysis of iOS devices, updated to iOS 8 and 9.

You will learn by doing, with various case studies. The book covers different devices, operating systems, and apps. There is a completely renewed section on third-party apps with a detailed analysis of the most interesting artifacts. By investigating compromised devices, you can work out the identity of the attacker, as well as what was taken, when, why, where, and how the attack was conducted. You will also learn in detail about data security and application security, which can assist forensic investigators and application developers alike. It takes a hands-on approach to solving complex problems in digital forensics as well as mobile forensics.

Style and approach

This book provides a step-by-step approach that will guide you through one topic at a time.

This intuitive guide focuses on one key topic at a time. Building upon the knowledge acquired in each chapter, we connect the fundamental theory and practical tips through illustrative visualizations and hands-on code examples.

Table of Contents

  1. Learning iOS Forensics Second Edition
    1. Learning iOS Forensics Second Edition
    2. Credits
    3. About the Authors
    4. About the Reviewer
    5. www.packtpub.com
      1. Why subscribe?
    6. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
      7. Downloading the color images of this book
      8. Errata
      9. Piracy
      10. Questions
    7. 1. Digital and Mobile Forensics
      1. Mobile forensics
      2. Digital evidence
        1. Handling of mobile evidence
          1. Preservation of evidence
          2. Acquisition of evidence
          3. Evidence integrity
        2. SIM cards
          1. SIM security
      3. Summary
      4. Self-test questions
    8. 2. Introduction to iOS Devices
      1. Types of iOS device
        1. iPhone versions
          1. iPhone (first model)
          2. iPhone 3G
          3. iPhone 3GS
          4. iPhone 4
          5. iPhone 4s
          6. iPhone 5
          7. iPhone 5c
          8. iPhone 5s
          9. iPhone 6
          10. iPhone 6 Plus
          11. iPhone 6s
          12. iPhone 6s Plus
          13. iPhone SE
          14. iPad
          15. iPad (first model)
          16. iPad 2
          17. iPad 3 (the new iPad)
          18. iPad 4 (with Retina display)
          19. iPad Air
          20. iPad Air 2
          21. iPad Pro (12.9 inch)
          22. iPad Pro (9.7 inch)
          23. iPad mini
          24. iPad mini second generation
          25. iPad mini third generation
          26. iPad mini fourth generation
        2. iPod touch
          1. iPod touch (first generation)
          2. iPod touch (second generation)
          3. iPod touch (third generation)
          4. iPod touch (fourth generation)
          5. iPod touch (fifth generation)
          6. iPod touch (sixth generation)
        3. Apple TV
          1. Apple TV (first generation)
          2. Apple TV (second generation)
          3. Apple TV (third generation)
          4. Apple TV (third generation Rev. A)
          5. Apple TV (fourth generation)
        4. Apple Watch
      2. iOS devices connectors
      3. iOS devices matrix
      4. iOS operating system
      5. iDevice identification
      6. iOS filesystem
        1. The HFS+ filesystem
        2. Device partitions
        3. System partition
        4. Data partition
        5. The property list file
        6. SQLite databases
      7. Summary
      8. Self-test questions
    9. 3. Evidence Acquisition from iDevices
      1. iOS boot process and operating modes
      2. iOS data security
        1. Hardware security features
        2. File data protection
      3. Unique device identifier
        1. Case study - UDID calculation on iPhone 6s
      4. Lockdown certificate
      5. Search and seizure
      6. iOS device acquisition
        1. Apple File Conduit acquisition
          1. Case study - AFC acquisition with iBackupBot
        2. iTunes backup
          1. Acquisition with iTunes
          2. Acquisition with forensic tools
          3. Case study - iTunes backup acquisition with Oxygen Forensic Analyst
        3. Advanced logical acquisition
          1. Case study - advanced logical acquisition with UFED Physical Analyzer
        4. Physical acquisition with forensic tools
          1. Case study - physical acquisition with UFED Physical Analyzer
      7. Dealing with a locked iDevice
      8. iOS device jailbreaking
        1. Case study - physical acquisition with Elcomsoft iOS Forensic Toolkit
      9. Apple support for law enforcement
        1. Apple versus FBI - The San Bernardino shooting case
      10. iOS Acquisition - choose the best method
        1. iPhone 3G/3GS/4, iPad 1
        2. iPhone 4s, 5, 5c, iPad 2/3/4, iPad Mini 1
        3. iPhone 5s, 6, 6Plus, 6s, 6s Plus, iPad Air 1/2, iPad Mini 2/3/4, iPad Pro
        4. Apple TV
        5. Apple Watch
      11. Summary
      12. Self-test questions
    10. 4. Evidence Acquisition and Analysis from iTunes Backup
      1. iTunes backup
        1. iTunes backup folders
        2. iTunes backup content
      2. iTunes backup structure
        1. Standard backup files
        2. Case study - parsing Manifest.mbdb with Mbdbls Python script
      3. iTunes backup relevant files
      4. iTunes backup data extraction
        1. Case study - iTunes backup parsing with iBackupBot
        2. Case study - iTunes backup analysis with iPBA
        3. Case study - iTunes backup analysis with Oxygen Forensic Analyst
      5. Encrypted iTunes backup cracking
        1. Case study - iTunes encrypted backup cracking with EPB
      6. Summary
      7. Self-test questions
    11. 5. Evidence Acquisition and Analysis from iCloud
      1. The iCloud service
      2. iDevice backup on iCloud
      3. iDevice backup acquisition
        1. Case study - iDevice backup acquisition and EPPB with username and password
        2. Case study - iDevice backup acquisition and EPPB with authentication token
        3. Case study - iDevice backup acquisition with iLoot
        4. Case study - iDevice backup acquisition with InflatableDonkey
        5. Case study - WhatsApp backup acquisition with Elcomsoft Explorer for WhatsApp
      4. iCloud Control Panel artifacts on the computer
      5. Acquiring data from Cloud with stored tokens
        1. Case study - Cloud data acquisition with UFED Cloud Analyzer
        2. Case study - cloud data acquisition with Oxygen Forensic Detective
      6. Summary
      7. Self-test questions
    12. 6. Analyzing iOS Devices
      1. How data is stored
        1. Timestamps
        2. Databases
        3. The property list files
      2. The iOS configuration files
      3. Native iOS apps
        1. Address book
        2. Audio recordings
        3. Calendar
        4. Call history
        5. E-mail
        6. Images and photos
        7. Maps
        8. Notes
        9. Safari
        10. SMS/iMessage
          1. Voicemail
      4. Other iOS forensic traces
        1. Clipboard
        2. Keyboard
        3. Location
        4. Snapshots
        5. Wallpaper
        6. iOS crash reports
        7. Tracking device usage
      5. Third-party application analysis
        1. Social Network and Instant Messaging applications
          1. Skype
          2. WhatsApp
          3. Facebook and Messenger
          4. Telegram
          5. Signal
        2. Cloud storage applications
          1. Dropbox
          2. Google Drive
      6. Deleted data recovery
        1. File carving - is it feasible?
        2. Carving SQLite deleted records
      7. Case study - iOS analysis with Oxygen Forensics
      8. Summary
      9. Self-test questions
    13. 7. Applications and Malware Analysis
      1. Setting up the environment
        1. class-dump
        2. Keychain Dumper
        3. dumpDecrypted
      2. Application analysis
        1. Data at rest
        2. Data in use
        3. Data in transit
      3. Automating the analysis
        1. idb
      4. Summary
      5. Self-test questions
    14. A. References
      1. Publications freely available
      2. Tools, manuals, and reports
      3. Apple's official documentation
      4. Device security and data protection
      5. Device hardening
      6. iTunes backup
      7. iCloud
      8. Application data analysis
      9. Related books
    15. B. Tools for iOS Forensics
      1. Acquisition tools
      2. iDevice browsing tools and other non-forensic tools
      3. iDevice backup analyzer
      4. iDevice encrypted backup
      5. iCloud Backup
      6. Jailbreaking tools
        1. iOS 9
        2. iOS 8
        3. iOS 7
        4. iOS 6
      7. Data analysis
        1. Forensic toolkit
        2. SQLite viewer
        3. SQLite record carver
        4. Plist viewer
        5. iOS analysis suite
        6. App analysis tools
        7. Consolidated.db
        8. App reverse engineering tools
    16. C. Self-test Answers
      1. Chapter 1: Digital and Mobile Forensics
      2. Chapter 2: Introduction to iOS Devices
      3. Chapter 3: Evidence Acquisition from iDevices
      4. Chapter 4: Evidence Acquisition and Analysis from iTunes Backup
      5. Chapter 5: Evidence Acquisition and Analysis from iCloud
      6. Chapter 6: Analyzing iOS Devices
      7. Chapter 7: Applications and Malware Analysis