# iOS Devices

If a device has been accessed, disable the auto-lock setting so that it does not
lock while you are working on it.

## Trust Certificates

Exchanged between 'Trusted' devices and the charging iOS device.
These certificates can be found under `C:\ProgramData\Apple\Lockdown`.

These certificates have an expiration date of 30 days.

* iTunes access to the iOS device has elevated permissions using the cert.
* Keychain may be extracted through iTunes.

## Backups

Create a backup through iTunes for investigation purposes.
Encrypted and unencrypted backups can be chosen in the iTunes menu.
An encrypted backup contains sensitive data like passwords; unencrypted backups do not
contain this level of sensitive data.

With libimobiledevice, a backup can be created in the following way.

```sh
# -i prompts for the backup password interactively
idevicebackup2 -i encryption on
mkdir -p ./backup  # the target directory must exist
idevicebackup2 backup --full ./backup
```

### Interesting Files

Here is a list of interesting files a backup may contain.

* `ResetCounter.plist`, hard reset diagnostic counter
* `com.apple.preferences.datetime.plist`
* DB tables at `/var/db`
* Attendee
* Task
* Event
* Mail
* Cookies
* Pictures at `/CameraRollDomain/media/DCIM`
* Addressbook at `HomeDomain/Library/Addressbook`
* Calendar at `HomeDomain/Library/Calendar`
* SMS
* Voicemail
* WiFi Keys
* WiFi history at `/SystemPreferencesDomain`
* (Safari) Web browser history and bookmarks at `HomeDomain/Library/Safari`
* GPS history
* Call history
* User data at `/var/mobile`
* Keychains at `/var/keychains`
* Log files at `/var/log`

## Preference Lists (Plists)
Contain settings as metadata, either structured as XML or in binary format.
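
One way to handle both plist encodings when triaging files taken from a backup, as an added Python example that is not part of the original notes: it classifies files by their header rather than by name and tolerates truncated files. The sample keys are constructed, and `plist_format`, `load_plist` and `scan_tree` are hypothetical helper names.

```python
import plistlib
import xml.parsers.expat
from pathlib import Path

BINARY_MAGIC = b"bplist00"  # header of a binary plist


def plist_format(data: bytes) -> str:
    """Classify raw bytes as 'binary', 'xml' or 'unknown' from their header."""
    if data.startswith(BINARY_MAGIC):
        return "binary"
    head = data[:256].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and whitespace
    if head.startswith((b"<?xml", b"<plist")):
        return "xml"
    return "unknown"


def load_plist(data: bytes):
    """Return (format, parsed object); the object is None if parsing fails."""
    fmt = plist_format(data)
    if fmt == "unknown":
        return fmt, None
    try:
        return fmt, plistlib.loads(data)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError,
            ValueError, OverflowError):
        return fmt, None  # truncated or corrupted file


def scan_tree(root):
    """Map each plist under root (found by content, not by name) to its keys."""
    root = Path(root)
    found = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        fmt, obj = load_plist(path.read_bytes())
        if fmt != "unknown":
            keys = sorted(obj) if isinstance(obj, dict) else []
            found[path.relative_to(root).as_posix()] = (fmt, keys)
    return found


if __name__ == "__main__":
    # Constructed sample, not keys from a real device.
    sample = {"ExampleCount": 3, "ExampleFlag": True}
    for fmt in (plistlib.FMT_XML, plistlib.FMT_BINARY):
        print(load_plist(plistlib.dumps(sample, fmt=fmt)))
```

Run `scan_tree` on a working copy of the backup directory, not on the original evidence.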
## Filesystem

### HFS+

Deprecated. Does indexing of data. Does not encrypt the partition by default.
No integrity checksums.

### APFS

Full disk encryption. GPT partition. Metadata protection. Integrity checksums.
A per-app sandbox containing a virtual filesystem inside for each app environment.

APFS is separated into the following domains:

* **System**, OS-related data which is read-only
* **Shared**, data shared between virtual filesystems of apps by the same developer
* **Cache**, cached data
* **Data**, conventional filesystem data of a user

## Tools

* [iFunbox](https://www.i-funbox.com/en/page-about-us.html)
* [O.MG cable](https://shop.hak5.org/products/o-mg-cable)
* libimobiledevice
* 3uTools