iOS Forensics for Investigators
eBook - ePub

iOS Forensics for Investigators

Take mobile forensics to the next level by analyzing, extracting, and reporting sensitive evidence

  1. 316 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

iOS Forensics for Investigators

Take mobile forensics to the next level by analyzing, extracting, and reporting sensitive evidence

About this book

Extract crucial data and lead successful criminal investigations by infiltrating every level of iOS devicesKey Featuresโ€ข Explore free and commercial tools for carrying out data extractions and analysis for digital forensicsโ€ข Learn to look for key artifacts, recover deleted mobile data, and investigate processed dataโ€ข Get up and running with extracting full filesystem images and jailbreak devices to gather the most data possibleBook DescriptionProfessionals working in the mobile forensics industry will be able to put their knowledge to work with this practical guide to learning how to extract and analyze all available data from an iOS device. This book is a comprehensive, how-to guide that leads investigators through the process of collecting mobile devices and preserving, extracting, and analyzing data, as well as building a report. Complete with step-by-step explanations of essential concepts, practical examples, and self-assessment questions, this book starts by covering the fundamentals of mobile forensics and how to overcome challenges in extracting data from iOS devices. Once you've walked through the basics of iOS, you'll learn how to use commercial tools to extract and process data and manually search for artifacts stored in database files. Next, you'll find out the correct workflows for handling iOS devices and understand how to extract valuable information to track device usage. You'll also get to grips with analyzing key artifacts, such as browser history, the pattern of life data, location data, and social network forensics. By the end of this book, you'll be able to establish a proper workflow for handling iOS devices, extracting all available data, and analyzing it to gather precious insights that can be reported as prosecutable evidence.What you will learnโ€ข Become familiar with the mobile forensics workflowโ€ข Understand how to legally seize iOS devices and preserve their dataโ€ข Extract evidence through logical and filesystem acquisitionsโ€ข Perform a deep-dive analysis of user data and system dataโ€ข Gain insights by analyzing third-party applicationsโ€ข Get to grips with gathering evidence stored on iCloudWho this book is forForensic analysts and investigators interested in extending their skills to extract data from iOS devices, including system logs, device usage, and third-party application data, will find this book useful. Anyone familiar with the principles of digital forensics and looking to expand their knowledge base in deep iOS examinations will also benefit from this book.Knowledge of mobile forensic principles, data extraction, Unix/Linux terminal, and some hands-on understanding of databases and SQL query language is assumed.

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weโ€™ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere โ€” even offline. Perfect for commutes or when youโ€™re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access iOS Forensics for Investigators by Gianluca Tiepolo in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Packt Publishing
Year
2022
eBook ISBN
9781803242514
Edition
1
Topic
Computer Science
Subtopic
Computer Networking
Index
Computer Science

Section 1 โ€“ Data Acquisition from iOS Devices

You will learn the correct iOS device workflow and understand the basics of how the iOS operating system works. At the end of part one, you will be able to successfully extract a full filesystem image from an iOS device.
This part of the book comprises the following chapters:
  • Chapter 1, Introducing iOS Forensics
  • Chapter 2, Data Acquisition from iOS Devices

Chapter 1: Introducing iOS Forensics

Over the past decade, smartphones have undergone a profound revolution, impacting our lives in all possible ways: our devices are no longer just smart phones โ€“ they have become data hubs that store all kinds of information from our digital (and not so digital) life.
Today, from the palm of our hand, we can surf the web, buy theater tickets, get food delivered to our door, or call an Uber. We're using our devices to read eBooks, take notes, engage in creative tasks, and share our lives with our followers through social media. We have progressively replaced our digital cameras with our iPhone camera roll. Smartphones can keep track of physical activity, interact with external devices, give us directions, and remind us of that important meeting that we might forget. We use productivity apps to get stuff done and we make payments using Apple Pay. And โ€“ of course โ€“ we use our iPhones to get in touch with people on the other side of the world. With the massive spread of iPads and tablets in general, our devices are no longer just communication devices. They have become an almost unlimited content platform where we can enjoy movies, TV series, or simply listen to our favorite music.
To be able to provide these amazing features, mobile devices collect huge amounts of data that is processed by iOS and sometimes synced to iCloud. This information documents and reveals the thoughts and activity of a user substantially more than any data stored in any desktop computer.
Mobile forensics is all about collecting this data, preserving it, assessing it, validating it, and extracting meaningful insights that can be presented as evidence.
In this chapter, we will cover the following topics:
  • Understanding mobile forensics
  • Dissecting the iOS operating system
  • Understanding iOS security
  • Establishing a workflow

Understanding mobile forensics

Apple devices are popular all over the world due to the user experience they provide, their magnificent design, and their revolutionary features, so it shouldn't come as a surprise that in 2016, Apple announced that over one billion iPhones had been sold. Over the past 5 years, mobile device usage has grown particularly fast, with data from 2021 indicating that there were one billion active iOS devices.
The information that's stored on a smartphone can help address crucial questions in an investigation, revealing whom an individual has been in contact with, where they have been, and what they've been doing with the device. As new features are added to the device and more apps are made available through the App Store, the amount of information that's stored on iOS devices is continuously growing.
Mobile forensics can be defined as the process of recovering digital evidence from a mobile device under forensically sound conditions using validated means.
The kind of evidence we can recover from a device depends on the device itself and what techniques are used for data extraction, but generally, smartphones contain personal information such as call history, messages, emails, photos, videos, memos, passwords, location data, and sensor data. No other computing device is as personal as a mobile phone.
Typically, the examination process should reveal all digital evidence, including artifacts that may have been hidden, obscured, or deleted. Evidence is gained by applying established scientifically based methods and should describe the content and state of the data fully, including where it is located, the potential significance, and how different data sources relate to each other. The forensic process begins by extracting a copy of the evidence from the mobile device. Once a copy is available, the next step involves analyzing the data, identifying evidence, and developing the contents of a final report.

The new golden age for iOS forensics

Over the past 3 years, the digital forensics industry has undergone a major revolution.
In 2019, the discovery of the checkm8 exploit for iOS devices was a complete game-changer as it opened new doors for digital forensics investigators, allowing full filesystem extractions of hundreds of millions of Apple devices. If you've never seen a full filesystem extraction before, you'll probably be surprised by the extent and variety of data that the device stores!
Checkm8 is based on an un-patchable hardware flaw that lives directly on the chips of iOS devices, ranging from devices running Apple's A11 chip down to the A5 generation. This includes devices from the iPhone 4S to iPhone X and several iPads.
This vulnerability is specifically a BootROM exploit, which means it takes advantage of a security flaw in the initial code that iOS devices load during the boot process, and it can't be overwritten or patched by Apple through a software update.
At the end of 2019, checkra1n was released, the first public, closed source jailbreak based on the checkm8 exploit. Digital investigators and forensics analysts have quickly adopted checkra1n to get access to the device's filesystem and keychain; however, as with all jailbreaks, this solution has several drawbacks as using a jailbreak inevitably modifies some data on the device's filesystem and is not considered forensically sound.
For these reasons, vendors such as Cellebrite, Elcomsoft, and Oxygen Forensic have developed proprietary solutions based on the original checkm8 exploit that work by patching the device's RAM. These tools allow investigators to perform full filesystem extractions without touching system and user partitions and without making any changes to the device as the exploit runs in memory.
In other words, on selected devices, the checkm8 vulnerability can be exploited to extract the full filesystem without actually jailbreaking the device. The following table shows the list of devices that are vulnerable to the checkm8 exploit:
Table 1.1 โ€“ Devices that are vulnerable to the checkm8 exploit
To exploit checkm8 for a filesystem extraction, your device must be compatible, and it must be running a supported iOS version. This is a major drawback as newer devices, such as the latest iPhone 13, are not supported. There are, however, other options.
In 2020, vendors such as Elcomsoft and Belkasoft introduced agent-based extraction, a new acquisition method that allows full filesystem extractions without jailbreaking the device. Once installed on the device, the agent escapes the sandbox through software exploits, gaining unrestricted access to the device and establishing a connection between the device and the computer. Agent-based extraction is forensically safe, and it is usually a lot faster and safer than most jailbreaks. At the time of writing, supported devices include all iPhones from the 5s up to the iPhone 12, running iOS versions 9.0 to 14.3.
In May 2020, a major update for the unc0ver jailbreak was released, adding support for devices based on A12-A13 chips. At the time of writing, unc0ver supports jailbreaking all devices from the iPhone 5s up to the iPhone 12. Supported iOS versions range from iOS 11 to iOS 14.3.
Although jailbreaking a device allows full filesystem extraction, it's not considered a forensically sound process. An investigator should consider safer options such as checkm8 or agent-based extractions first if they're supported.
Tip
It's important to note the difference between checkm8-based extractions and jailbreaking the device through checkra1n or unc0ver. Tools such as Cellebrite UFED and Elcomsoft iOS Forensics Toolkit leverage the checkm8 exploit to temporarily provide access to the entire filesystem by running the exploit in the device's RAM. When the extraction is complete, the device will reboot as normal. No permanent changes will be made to the device.
On the other hand, jailbreaking the device will l...

Table of contents

  1. iOS Forensics for Investigators
  2. Contributors
  3. Preface
  4. Section 1 โ€“ Data Acquisition from iOS Devices
  5. Chapter 1: Introducing iOS Forensics
  6. Chapter 2: Data Acquisition from iOS Devices
  7. Section 2 โ€“ iOS Data Analysis
  8. Chapter 3: Using Forensic Tools
  9. Chapter 4: Working with Common iOS Artifacts
  10. Chapter 5: Pattern-of-Life Forensics
  11. Chapter 6: Dissecting Location Data
  12. Chapter 7: Analyzing Connectivity Data
  13. Chapter 8: Email and Messaging Forensics
  14. Chapter 9: Photo, Video, and Audio Forensics
  15. Chapter 10: Analyzing Third-Party Apps
  16. Chapter 11: Locked Devices, iTunes Backups, and iCloud Forensics
  17. Section 3 โ€“ Reporting
  18. Chapter 12: Writing a Forensic Report and Building a Timeline
  19. Other Books You May Enjoy