# iOS Devices

If a device has been accessed, disable the auto-lock setting so it does not lock while you are working on it.

## Trust Certificates

Trust certificates are exchanged between 'Trusted' devices and the charging iOS device. They can be found under `C:\ProgramData\Apple\Lockdown` and have an expiration date of 30 days.

* iTunes access to the iOS device has elevated permissions when using the certificate.
* The keychain may be extracted through iTunes.

## Backups

Create a backup through iTunes for investigation purposes. Encrypted and unencrypted backups can be chosen in the iTunes menu. An encrypted backup contains sensitive data such as passwords; an unencrypted backup does not contain this level of sensitive data.

With libimobiledevice, a backup can be created in the following way.

```sh
idevicebackup2 -i encryption on
idevicebackup2 backup --full ./backup
```

### Interesting Files

Here is a list of interesting files a backup may contain.

* `ResetCounter.plist`, hard reset diagnostic counter
* `com.apple.preferences.datetime.plist`
* DB tables at `/var/db`
* Attendee
* Task
* Event
* Mail
* Cookies
* Pictures at `/CameraRollDomain/media/DCIM`
* Addressbook at `HomeDomain/Library/Addressbook`
* Calendar at `HomeDomain/Library/Calendar`
* SMS
* Voicemail
* WiFi keys
* WiFi history at `/SystemPreferencesDomain`
* (Safari) web browser history and bookmarks at `HomeDomain/Library/Safari`
* GPS history
* Call history
* User data at `/var/mobile`
* Keychains at `/var/keychains`
* Log files at `/var/log`

## Preference Lists (Plists)

Plists contain settings as metadata, structured either as XML or in binary format.

## Filesystem

### HFS+

Deprecated. Indexes data. Does not encrypt the partition by default. No integrity checksums.

### APFS

Full disk encryption. GPT partition. Metadata protection. Integrity checksums. A per-app sandbox contains a virtual filesystem for each app environment.

APFS is separated into the following domains:

* **System**, OS-related data which is read-only
* **Shared**, data shared between the virtual filesystems of apps by the same developer
* **Cache**, cached data
* **Data**, conventional filesystem data of a user

## Tools

* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
* libimobiledevice
* 3uTools
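
Added example (not part of the original notes): locating entries from the Interesting Files list inside a backup directory such as the one created in the Backups section. It assumes an unencrypted or already decrypted backup in the iOS 10+ layout, where `Manifest.db` has a `Files` table and each stored blob is named with the SHA-1 of `<domain>-<relativePath>`; the relative paths, function names and the sample backup are constructed for illustration.

```python
import hashlib, sqlite3, tempfile
from contextlib import closing
from pathlib import Path

# Constructed sample rows: domains follow the page, relative paths are assumptions.
SAMPLE = [("HomeDomain", "Library/SMS/sms.db", True),
          ("HomeDomain", "Library/Safari/History.db", False),  # blob missing on disk
          ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", True)]
PATTERNS = [("HomeDomain", "Library/SMS/%"), ("HomeDomain", "Library/Safari/%"),
            ("CameraRollDomain", "Media/DCIM/%")]

def backup_file_id(domain, relative_path):
    """Blob name in the backup: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def stored_path(backup_dir, file_id):
    """Blobs are stored as <backup>/<first two hex chars of fileID>/<fileID>."""
    return Path(backup_dir) / file_id[:2] / file_id

def find_artifacts(backup_dir, patterns):
    """List (domain, relativePath, fileID, blob_present) for regular files (flags = 1)."""
    db = (Path(backup_dir).resolve() / "Manifest.db").as_uri() + "?mode=ro"
    hits = []
    with closing(sqlite3.connect(db, uri=True)) as con:  # read-only: do not alter evidence
        for domain, like in patterns:
            rows = con.execute(
                "SELECT fileID, relativePath FROM Files WHERE domain = ? "
                "AND relativePath LIKE ? AND flags = 1", (domain, like)).fetchall()
            hits += [(domain, rel, fid, stored_path(backup_dir, fid).is_file())
                     for fid, rel in rows]
    return hits

def build_demo_backup(root):
    """Create a tiny constructed backup directory so the example runs offline."""
    with closing(sqlite3.connect(str(Path(root) / "Manifest.db"))) as con:
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        for domain, rel, present in SAMPLE:
            fid = backup_file_id(domain, rel)
            con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
            if present:
                blob = stored_path(root, fid)
                blob.parent.mkdir(exist_ok=True)
                blob.write_bytes(b"constructed sample data")
        con.commit()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*find_artifacts(build_demo_backup(tmp), PATTERNS), sep="\n")
```

A `False` in the last column marks a manifest entry whose blob is absent from the backup directory, which is worth recording during an investigation.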