Logo
RSS Feed

๐ŸŽ iOS Evidence Collection


Created: 12.10.2020

General Considerations

First of all, all the Apple devices support remote wiping which has evolved significantly over the year and now support Bluetooth. When I say wiping over Bluetooth, it doesn’t mean that the person wiping and the device need to be in the Bluetooth range (which is quite short). It could be an examiner with a Bluetooth enabled standing near the iPhone with Bluetooth on and the person of interest somewher within the range of the first responder. I didn’t try this myself, but I should. This is based on the interview given on the Surviving Digital Forensics podcast on T1 and T2 Apple devices and the challenges the forensic examiners now face.

File System

Older iOS systems had HFS and HFS+; now, it’s APFS (the same as for the macOS). While some challenges are associated with imaging disks formatted as APFS, it’s not the main issue with mobile devices.

Logical

Logical acquisition is the same when you copy files from the phone, like with AirDrop or over the wire. That means that you miss the slack and are unallocated. There are file managers for iOS out there, but they won’t be able to provide a bit-by-bit copy of the contents unless the device is jailbroken.

๐Ÿ—’ I have read the article Deleted Chat Case Study, Nikhil Mahadeshwar (eForensics magazine, Linux Forensics), which mentions recovering deleted data from iOS. Not sure if they jailbroke it or not.

Imaging

As mentioned above, without a jailbreak it’s impossible to image iOS device. But that doesn’t mean you need to jailbreak it FULLY. If you read this article, https://www.cyberdefensemagazine.com/iphone-extraction/, you will notice that these guys have come up with some chain of exploits on iOS to jailbreak the sandbox while affecting the RAM only.

A little recap on the jailbreak types:

  • Tethered jailbreaks don’t persist through reboots, so re-applying jailbreaks requires the device to be connected (tethered) to a computer during every reboot. The device may not reboot at all if the computer is not connected.
  • Semi-tethered jailbreaks can’t be re-applied unless the device is connected to a computer during reboot. The device can also boot into non-jailbroken mode on its own.
  • Semi-untethered jailbreaks allow the device to boot on its own, but the kernel patches (or user-land modifications) for disabling code signing aren’t applied automatically. The user must re-jailbreak the device by starting an app or visiting a website (not requiring a connection to a computer, hence the term untethered).
  • Untethered jailbreaks are the most popular choice for end users because they need to be applied only once, after which the device will be permanently jailbroken.

The method mentioned in the article sounds a lot like a tethered jailbreak, meaning they still require some faults in the OS system (which means, they won’t probably work in future) as well as writing exploits and running them on the device. That means quite a lot of change on the device to call this method fully forensically sound. Nevertheless, since it’s impossible to collect RAM without a jailbreak and even the best methods and exploits require reboot or respring, which effectively erases all the RAM contents, we really only care about the data on disk. In this case, some slack and unallocated space might get overwritten (since the agent needs to be installed), but the author insists that nothing else get written on the disk. So, sounds like the best option so far.

๐Ÿงช I was really curious if it’s at all possible to make a bit-by-bit copy of SOME data on the iDevice without a jailbreak. I have collected some informaiton on the matter, but I have not got any good practicle results yet. iFun and other similar tools won’t give the ability to mount the device and that’s exactly what is required in order to do the proper imaging. https://reincubate.com/support/how-to/mount-iphone-files/#fuse https://stackoverflow.com/questions/67155330/installing-ifuse-with-homebrew-results-in-error-message https://github.com/telepresenceio/telepresence/issues/1654 https://sudonull.com/post/25455-Mount-iOS-under-OSX-using-ifuse I would like to try those options and make the really work (which at the moment of this wrtiting they seem not) and get the maximum value out of the non-jailbroken option.