(book) Practical Mobile Forensics - Fourth Edition

1. 소스

reference : https://learning.oreilly.com/library/view/practical-mobile-forensics/9781838647520/

Practical Mobile Forensics - Fourth Edition

2. 정리

* Below is an excerpt sourced from the data acquisition chapter in iOS forensics section.

* This summary is for my own study. For more detailed explanation, you should buy a book.

 

[Data Acquisition from iOS Devices]
 : The fundamental principle of any acquisition method is to obtain as much data as possible.

 

[iOS device operating mode]

 i) normal mode

  : Most regular activities(calling, texting, and so on) are performed.

  : When an iPhone is turned on, it goes through a secure boot chain.

  : (secure boot chain) Boot ROM -> LLB -> iBOOT -> iOS kernel

   : Boot ROM is the first significant piece of code that runs on an iPhone.

   : The boot ROM code contains the Apple root certificate authority (CA) public key.

   : AP executes the code from the boot ROM.

   : The boot ROM verifies LLB and loads it. (only with A9 or earlier A-series processor)

   : When the LLB finishes its tasks, it verifies and loads the second-stage boot loader (iBoot)

   : iBoot verifies and loads the iOS kernel.

   : The iOS kernel verifies and runs user applications.

 

 ii) recovery mode

  : During the boot-up process, if one step is unable to load or verify the next step, the mode is on.

  : This mode is known as recovery mode and is required to perform upgrades or restore the iPhone.

  : (revocvery loop) A recovery loop may occur when the user or examiner attempts to jailbreak the iOS device and an error occurs. To get the device out of a recovery loop, the device must be connected to iTunes so that a backup can be restored to the device.

 

 iii) DFU mode

 : During the boot-up process, if the Boot ROM is unable to load or verify the LLB or iBOOT (on newer devices), the iPhone enters DFU mode. 

 : DFU mode is a low-level diagnostic mode and is designed to perform firmware upgrades for iPhones.

 

[Password protection and potential bypasses]

 : using lockdown file on trusted PC

 : fingerprint molds to trick Toudh ID

 : a mask to trick Face ID

 : NAND mirroring

 

[Logical acquisition]

 : A logical acquisition captures a part of what is accessible to the user. 

 : it is an iTunes backup.
 : (tools) libimobiledevice, belkasoft acquisition tool, magnet acquire

 

[Filesystem acquisition]

 : Secure enclave has made it impossible to extract the encryption keys that are required to decrypt the device image, so performing physical acquisition is useless.

 : In most cases it requires the iOS device to be jailbroken.

 : (tools) libimobiledevice, elcomsoft iOS Forensic Toolkit