whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added details about iOS

This commit is contained in:
Stefan Friese 2024-06-25 23:39:32 +02:00
parent 54ecb707e6
commit f58719ad6a
1 changed files with 62 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
Forensics/iOS.md
View File

@ -1,32 +1,84 @@
# iOS Devices # iOS Devices
If a device has been accessed, disable the auto lock setting so it gets not
locked while you are working on it.
## Trust Certificates ## Trust Certificates
* Exchanged between 'Trusted' devices and the charging iOS device.
Exchanged between 'Trusted' devices and the charging iOS device.
These certificates can be found under `C:\ProgramData\Apple\Lockdown`.
These certificates have an expiration date of 30 days.
* iTunes access to the iOS device has elevated permissions using the cert. * iTunes access to the iOS device has elevated permissions using the cert.
* Keychain may be extracted through iTunes. * Keychain may be extracted through iTunes.
## Interesting Files ## Backups
Create a backup through iTunes for investigation purposes.
Encrypted and unencrypted backups can be chosen in the iTunes menu.
An encrypted backup contains sensitive data like passwords, unencrypted do not
contain this level of sensitive data.
Using libimobiledevice creating a backup can be done in the following way.
```sh
idevicebackup2 -i encryption on
idevicebackup2 backup --full ./backup
```
### Interesting Files
Here is a list of interesting files a backup may contain.
* `ResetCounter.plist`, hard Reset diagnostic counter * `ResetCounter.plist`, hard Reset diagnostic counter
* `com.apple.preferences.datetime.plist` * `com.apple.preferences.datetime.plist`
* DB tables * DB tables at `/var/db`
* Atendee * Atendee
* Task * Task
* Event * Event
* Mail * Mail
* Safari
* Cookies * Cookies
* Pictures * Pictures at `/CameraRollDomain/media/DCIM`
* Addressbook * Addressbook at `HomeDomain/Library/Addressbook`
* Calendar at `HomeDomain/Library/Calendar`
* SMS * SMS
* Voicemail * Voicemail
* WiFi Keys * WiFi Keys
* WiFi history at `/SystemPreferencesDomain`
* (Safari) Web browser history and bookmarks at `HomeDomain/Library/Safari`
* GPS history
* Call history
* User data at `/var/mobile`
* Keychains at `/var/keychains`
* Log files at `/var/log`
## Backups ## Preference Lists (Plists)
Encrypted and unencrypted backups can be chosen in the iTunes menu.
Contain settings as metadata, either structured as XML or in binary format.
## Filesystem
### HFS+
Deprecated. Does indexing of data. Does not encrypt the partition by default.
No integrity checksums.
### APFS
Full disk encryption. GPT partition. Metadata protection. Integrity checksums.
A per app sandbox containing a virtual filesystem inside for each app environment.
APFS is seperated into the following domains
* **System**, OS related data which is read only
* **Shared**, data share betweent virtual filesystems of apps by the same developer
* **Cache**, cached data
* **Data**, conventional filesystem data of a user
## Tools ## Tools
* [iFunbox](https://www.i-funbox.com/en/page-about-us.html) * [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable) * [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
* libimobiledevice
* 3uTools