diff --git a/Forensics/iOS.md b/Forensics/iOS.md index 642ba92..e78c1b7 100644 --- a/Forensics/iOS.md +++ b/Forensics/iOS.md 
@@ -1,32 +1,84 @@ # iOS Devices +If a device has been accessed, disable the auto lock setting so it gets not +locked while you are working on it. + ## Trust Certificates -* Exchanged between 'Trusted' devices and the charging iOS device. + +Exchanged between 'Trusted' devices and the charging iOS device. +These certificates can be found under `C:\ProgramData\Apple\Lockdown`. + +These certificates have an expiration date of 30 days. + * iTunes access to the iOS device has elevated permissions using the cert. * Keychain may be extracted through iTunes. -## Interesting Files +## Backups + +Create a backup through iTunes for investigation purposes. +Encrypted and unencrypted backups can be chosen in the iTunes menu. +An encrypted backup contains sensitive data like passwords, unencrypted do not +contain this level of sensitive data. + +Using libimobiledevice creating a backup can be done in the following way. + +```sh +idevicebackup2 -i encryption on +idevicebackup2 backup --full ./backup +``` + +### Interesting Files + +Here is a list of interesting files a backup may contain. + * `ResetCounter.plist`, hard Reset diagnostic counter * `com.apple.preferences.datetime.plist` -* DB tables +* DB tables at `/var/db` * Atendee * Task * Event * Mail -* Safari * Cookies -* Pictures -* Addressbook +* Pictures at `/CameraRollDomain/media/DCIM` +* Addressbook at `HomeDomain/Library/Addressbook` +* Calendar at `HomeDomain/Library/Calendar` * SMS * Voicemail * WiFi Keys +* WiFi history at `/SystemPreferencesDomain` +* (Safari) Web browser history and bookmarks at `HomeDomain/Library/Safari` +* GPS history +* Call history +* User data at `/var/mobile` +* Keychains at `/var/keychains` +* Log files at `/var/log` -## Backups -Encrypted and unencrypted backups can be chosen in the iTunes menu. +## Preference Lists (Plists) +Contain settings as metadata, either structured as XML or in binary format. + +## Filesystem + +### HFS+ + +Deprecated. Does indexing of data. 
Does not encrypt the partition by default. +No integrity checksums. + +### APFS + +Full disk encryption. GPT partition. Metadata protection. Integrity checksums. +A per app sandbox containing a virtual filesystem inside for each app environment. + +APFS is seperated into the following domains + +* **System**, OS related data which is read only +* **Shared**, data share betweent virtual filesystems of apps by the same developer +* **Cache**, cached data +* **Data**, conventional filesystem data of a user ## Tools + * [iFunbox](https://www.i-funbox.com/en/page-about-us.html) * [O.MG cable](https://shop.hak5.org/products/o-mg-cable) - - +* libimobiledevice +* 3uTools
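Review bot: The "Interesting Files" list under the new "### Backups" section mixes two different path namespaces without saying so: `HomeDomain/Library/Addressbook`, `HomeDomain/Library/Calendar` and `HomeDomain/Library/Safari` are backup domain paths as they appear in an iTunes/idevicebackup2 backup, while `/var/db`, `/var/mobile`, `/var/keychains` and `/var/log` are absolute paths on the device filesystem that a backup does not reproduce under those names. Since the section is introduced with "Here is a list of interesting files a backup may contain", please either mark the `/var/...` entries as on-device locations (full filesystem access) or move them to a separate list, and make the remaining backup paths consistent (`/CameraRollDomain/media/DCIM` has a leading slash, the `HomeDomain/...` entries do not). In the same list, "Atendee", "Task", "Event" and "Mail" read as sub-items of "DB tables at `/var/db`" but are at the same bullet level, so they need an extra indent. A few wording fixes: "so it gets not locked while you are working on it" should read "so it does not lock while you are working on it", "APFS is seperated" should be "separated", "data share betweent virtual filesystems" should be "data shared between virtual filesystems", and "Atendee" should be "Attendee". The backup instructions would also benefit from one sentence noting that `idevicebackup2 -i encryption on` prompts interactively for the backup password and that this password is needed later to read the encrypted backup, so it should be recorded with the case notes. Finally, the "## Preference Lists (Plists)" heading lacks the blank line after it that every other heading in the file has.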