killchain-compendium/Forensics/iOS.md

# iOS Devices

If a device has been accessed, disable the auto lock setting so it gets not
locked while you are working on it.

## Trust Certificates

Exchanged between 'Trusted' devices and the charging iOS device.
These certificates can be found under `C:\ProgramData\Apple\Lockdown`.

These certificates have an expiration date of 30 days.

* iTunes access to the iOS device has elevated permissions using the cert.
* Keychain may be extracted through iTunes.

## Backups

Create a backup through iTunes for investigation purposes.
Encrypted and unencrypted backups can be chosen in the iTunes menu.
An encrypted backup contains sensitive data like passwords, unencrypted do not
contain this level of sensitive data.

Using libimobiledevice creating a backup can be done in the following way.

```sh
idevicebackup2 -i encryption on
idevicebackup2 backup --full ./backup
```

### Interesting Files

Here is a list of interesting files a backup may contain.

* `ResetCounter.plist`, hard Reset diagnostic counter
* `com.apple.preferences.datetime.plist`
* DB tables at `/var/db`
    * Atendee
    * Task
    * Event
* Mail
* Cookies
* Pictures at `/CameraRollDomain/media/DCIM`
* Addressbook at `HomeDomain/Library/Addressbook`
* Calendar at `HomeDomain/Library/Calendar`
* SMS
* Voicemail
* WiFi Keys
* WiFi history at `/SystemPreferencesDomain`
* (Safari) Web browser history and bookmarks at `HomeDomain/Library/Safari`
* GPS history
* Call history
* User data at `/var/mobile`
* Keychains at `/var/keychains`
* Log files at `/var/log`

## Preference Lists (Plists)

Contain settings as metadata, either structured as XML or in binary format.

## Filesystem

### HFS+

Deprecated. Does indexing of data. Does not encrypt the partition by default.
No integrity checksums.

### APFS

Full disk encryption. GPT partition. Metadata protection. Integrity checksums.
A per app sandbox containing a virtual filesystem inside for each app environment.

APFS is seperated into the following domains

* **System**, OS related data which is read only
* **Shared**, data share betweent virtual filesystems of apps by the same developer
* **Cache**, cached data
* **Data**, conventional filesystem data of a user

## Tools

* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
* libimobiledevice
* 3uTools
further restructuring 2022-11-12 23:18:06 +01:00			`# iOS Devices`

added details about iOS 2024-06-25 23:39:32 +02:00			`If a device has been accessed, disable the auto lock setting so it gets not`
			`locked while you are working on it.`

further restructuring 2022-11-12 23:18:06 +01:00			`## Trust Certificates`
added details about iOS 2024-06-25 23:39:32 +02:00
			`Exchanged between 'Trusted' devices and the charging iOS device.`
			These certificates can be found under `C:\ProgramData\Apple\Lockdown`.

			`These certificates have an expiration date of 30 days.`

further restructuring 2022-11-12 23:18:06 +01:00			`* iTunes access to the iOS device has elevated permissions using the cert.`
			`* Keychain may be extracted through iTunes.`

added details about iOS 2024-06-25 23:39:32 +02:00			`## Backups`

			`Create a backup through iTunes for investigation purposes.`
			`Encrypted and unencrypted backups can be chosen in the iTunes menu.`
			`An encrypted backup contains sensitive data like passwords, unencrypted do not`
			`contain this level of sensitive data.`

			`Using libimobiledevice creating a backup can be done in the following way.`

			```sh
			`idevicebackup2 -i encryption on`
			`idevicebackup2 backup --full ./backup`
			```

			`### Interesting Files`

			`Here is a list of interesting files a backup may contain.`

further restructuring 2022-11-12 23:18:06 +01:00			* `ResetCounter.plist`, hard Reset diagnostic counter
			* `com.apple.preferences.datetime.plist`
added details about iOS 2024-06-25 23:39:32 +02:00			* DB tables at `/var/db`
further restructuring 2022-11-12 23:18:06 +01:00			`* Atendee`
			`* Task`
			`* Event`
			`* Mail`
			`* Cookies`
added details about iOS 2024-06-25 23:39:32 +02:00			* Pictures at `/CameraRollDomain/media/DCIM`
			* Addressbook at `HomeDomain/Library/Addressbook`
			* Calendar at `HomeDomain/Library/Calendar`
further restructuring 2022-11-12 23:18:06 +01:00			`* SMS`
			`* Voicemail`
			`* WiFi Keys`
added details about iOS 2024-06-25 23:39:32 +02:00			* WiFi history at `/SystemPreferencesDomain`
			* (Safari) Web browser history and bookmarks at `HomeDomain/Library/Safari`
			`* GPS history`
			`* Call history`
			* User data at `/var/mobile`
			* Keychains at `/var/keychains`
			* Log files at `/var/log`
further restructuring 2022-11-12 23:18:06 +01:00
added details about iOS 2024-06-25 23:39:32 +02:00			`## Preference Lists (Plists)`

			`Contain settings as metadata, either structured as XML or in binary format.`

			`## Filesystem`

			`### HFS+`

			`Deprecated. Does indexing of data. Does not encrypt the partition by default.`
			`No integrity checksums.`
further restructuring 2022-11-12 23:18:06 +01:00
added details about iOS 2024-06-25 23:39:32 +02:00			`### APFS`

			`Full disk encryption. GPT partition. Metadata protection. Integrity checksums.`
			`A per app sandbox containing a virtual filesystem inside for each app environment.`

			`APFS is seperated into the following domains`

			`* System, OS related data which is read only`
			`* Shared, data share betweent virtual filesystems of apps by the same developer`
			`* Cache, cached data`
			`* Data, conventional filesystem data of a user`
further restructuring 2022-11-12 23:18:06 +01:00
			`## Tools`
added details about iOS 2024-06-25 23:39:32 +02:00
further restructuring 2022-11-12 23:18:06 +01:00			`* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)`
			`* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)`
added details about iOS 2024-06-25 23:39:32 +02:00			`* libimobiledevice`
			`* 3uTools`