One of the widely used techniques to acquire data from iPhone is via custom ramdisk. We have already studied the concept of iOS secure bootchain in the Chapter 1, Introducing iOS Application Security. The iOS secure bootchain provides a security mechanism right from the booting process. Therefore, in order to perform live forensics using a custom ramdisk, there should be bootrom exploit available to break the chain of trust. Interestingly, as these exploits work at hardware level, manufacturer won't be able to fix it without a hardware revision.

Let's study bit details about iOS devices different operating modes as normal mode, Device Firmware Upgrade (DFU) mode and recovery mode: