iOS Devices

If a device has been accessed, disable the auto-lock setting so it does not lock while you are working on it.

Trust Certificates

Exchanged between a 'trusted' computer and the connected (charging) iOS device. On Windows these certificates can be found under C:\ProgramData\Apple\Lockdown.

These certificates have an expiration date of 30 days.

  • Using the certificate, iTunes gets elevated access to the iOS device.
  • The keychain may be extracted through iTunes.

Backups

Create a backup through iTunes for investigation purposes. Encrypted and unencrypted backups can be chosen in the iTunes menu. An encrypted backup contains sensitive data like passwords; unencrypted backups do not contain this level of sensitive data.

With libimobiledevice a backup can be created as follows.

# enable backup encryption; -i asks for the backup password interactively
idevicebackup2 -i encryption on
# force a full backup of the device into ./backup
idevicebackup2 backup --full ./backup

Interesting Files

Here is a list of interesting files a backup may contain.

  • ResetCounter.plist, hard reset diagnostic counter
  • com.apple.preferences.datetime.plist
  • DB tables at /var/db
    • Attendee
    • Task
    • Event
  • Mail
  • Cookies
  • Pictures at /CameraRollDomain/media/DCIM
  • Addressbook at HomeDomain/Library/Addressbook
  • Calendar at HomeDomain/Library/Calendar
  • SMS
  • Voicemail
  • WiFi Keys
  • WiFi history at /SystemPreferencesDomain
  • (Safari) Web browser history and bookmarks at HomeDomain/Library/Safari
  • GPS history
  • Call history
  • User data at /var/mobile
  • Keychains at /var/keychains
  • Log files at /var/log

Preference Lists (Plists)

Contain settings and metadata, structured either as XML or in a binary format.
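As an added example (not code from the compendium), a small Python triage helper that walks a backup directory, tells binary from XML plists by their leading bytes, parses both with the standard-library plistlib, and flattens nested keys into dotted paths so settings can be grepped. The sample tree, the two plists and their key names are constructed for illustration only.

```python
import os
import plistlib
import tempfile

def plist_format(path):
    """Report whether a plist on disk is binary or XML by its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == b"bplist00":  # magic header of every binary plist
        return "binary"
    if head.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"

def flatten(value, prefix=""):
    """Yield (dotted.key.path, leaf) pairs so nested settings can be grepped."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from flatten(sub, f"{prefix}{key}.")
    elif isinstance(value, list):
        for idx, sub in enumerate(value):
            yield from flatten(sub, f"{prefix}[{idx}].")
    else:
        yield prefix.rstrip("."), value

def triage_plists(root):
    """Walk a backup directory, parse every .plist (either format) and flatten it."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".plist"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = plistlib.load(fh)  # plistlib detects binary vs XML itself
            entry = {"_format": plist_format(path)}
            entry.update(dict(flatten(data)))
            found[os.path.relpath(path, root).replace(os.sep, "/")] = entry
    return found

def build_sample_backup():
    """Constructed sample tree: a binary datetime plist and an XML ResetCounter.plist."""
    root = tempfile.mkdtemp(prefix="ios_backup_")
    prefs = os.path.join(root, "HomeDomain", "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.apple.preferences.datetime.plist"), "wb") as fh:
        plistlib.dump({"timezone": "Europe/Berlin", "autoTimeZone": False}, fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(prefs, "ResetCounter.plist"), "wb") as fh:
        plistlib.dump({"counters": {"hardReset": 3}}, fh, fmt=plistlib.FMT_XML)
    return root
```

Point triage_plists at an unencrypted backup directory to get one flattened dictionary per plist, tagged with its on-disk format.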

Filesystem

HFS+

Deprecated. Indexes data. Does not encrypt the partition by default. No integrity checksums.

APFS

Full disk encryption. GPT partition. Metadata protection. Integrity checksums. A per-app sandbox containing a virtual filesystem for each app environment.

APFS is separated into the following domains:

  • System, OS related data which is read only
  • Shared, data shared between the virtual filesystems of apps by the same developer
  • Cache, cached data
  • Data, conventional filesystem data of a user

Tools