O'Reilly logo

Practical Mobile Forensics - Second Edition by Satish Bommisetty, Rohit Tamma, Heather Mahalik

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Physical acquisition

iOS devices have two types of memory: volatile (RAM) and non-volatile (NAND Flash). RAM is used to load and execute the key parts of the operating system or the application. The data stored on the RAM is lost after a device reboots. RAM usually contains very important application information, such as active applications, usernames, passwords, and encryption keys. Though the information stored in the RAM can be crucial in an investigation, currently there is no easy method or tool available to acquire the RAM memory from a live iPhone.

Unlike RAM, NAND is non-volatile memory and retains the data stored in it even after a device reboots. NAND flash is the main storage area and contains the system files and user data (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required