Learning iOS Forensics - Second Edition

Book Description

A practical guide to analyzing iOS devices with the latest forensics tools and techniques

About This Book

  • This book is a comprehensive update to Learning iOS Forensics

  • This practical book will not only cover the critical aspects of digital forensics, but also mobile forensics

  • Whether you’re a forensic analyst or an iOS developer, there’s something in this book for you

  • The authors, Mattia Epifani and Pasquale Stirparo, are respected members of the community, and they go into extensive detail to cover critical topics

Who This Book Is For

The book is for digital forensics analysts, incident response analysts, IT security experts, and malware analysts. It would be beneficial if you have basic knowledge of forensics.

What You Will Learn

  • Identify an iOS device between various models (iPhone, iPad, iPod Touch) and verify the iOS version installed

  • Crack or bypass the protection passcode chosen by the user

  • Acquire, at the most detailed level, the content of an iOS Device (physical, advanced logical, or logical)

  • Recover information from a local backup and eventually crack the backup password

  • Download back-up information stored on iCloud

  • Analyze system, user, and third-party information from a device, a backup, or iCloud

  • Examine malicious apps to identify data and credential thefts

In Detail

Mobile forensics is used within many different domains, but is chiefly employed in the field of information security. By understanding common attack vectors and vulnerability points, security professionals can develop measures and examine system architectures to harden security on iOS devices. This book is a complete manual on the identification, acquisition, and analysis of iOS devices, updated to iOS 8 and 9.

You will learn by doing, with various case studies. The book covers different devices, operating systems, and apps. There is a completely renewed section on third-party apps with a detailed analysis of the most interesting artifacts. By investigating compromised devices, you can work out the identity of the attacker, as well as what was taken, when, why, where, and how the attack was conducted. You will also learn in detail about data security and application security, which can assist forensic investigators and application developers. The book takes a hands-on approach to solving complex problems of digital forensics as well as mobile forensics.

Style and approach

This book provides a step-by-step approach that will guide you through one topic at a time.

This intuitive guide focuses on one key topic at a time. Building upon the acquired knowledge in each chapter, we will connect the fundamental theory and practical tips by illustrative visualizations and hands-on code examples.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

Table of Contents

    1. Learning iOS Forensics Second Edition
      1. Learning iOS Forensics Second Edition
      2. Credits
      3. About the Authors
      4. About the Reviewer
      5. www.packtpub.com
        1. Why subscribe?
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
        7. Downloading the color images of this book
        8. Errata
        9. Piracy
        10. Questions
      7. 1. Digital and Mobile Forensics
        1. Mobile forensics
        2. Digital evidence
          1. Handling of mobile evidence
            1. Preservation of evidence
            2. Acquisition of evidence
            3. Evidence integrity
          2. SIM cards
            1. SIM security
        3. Summary
        4. Self-test questions
      8. 2. Introduction to iOS Devices
        1. Types of iOS device
          1. iPhone versions
            1. iPhone (first model)
            2. iPhone 3G
            3. iPhone 3GS
            4. iPhone 4
            5. iPhone 4s
            6. iPhone 5
            7. iPhone 5c
            8. iPhone 5s
            9. iPhone 6
            10. iPhone 6 Plus
            11. iPhone 6s
            12. iPhone 6s Plus
            13. iPhone SE
            14. iPad
            15. iPad (first model)
            16. iPad 2
            17. iPad 3 (the new iPad)
            18. iPad 4 (with Retina display)
            19. iPad Air
            20. iPad Air 2
            21. iPad Pro (12.9 inch)
            22. iPad Pro (9.7 inch)
            23. iPad mini
            24. iPad mini second generation
            25. iPad mini third generation
            26. iPad mini fourth generation
          2. iPod touch
            1. iPod touch (first generation)
            2. iPod touch (second generation)
            3. iPod touch (third generation)
            4. iPod touch (fourth generation)
            5. iPod touch (fifth generation)
            6. iPod touch (sixth generation)
          3. Apple TV
            1. Apple TV (first generation)
            2. Apple TV (second generation)
            3. Apple TV (third generation)
            4. Apple TV (third generation Rev. A)
            5. Apple TV (fourth generation)
          4. Apple Watch
        2. iOS devices connectors
        3. iOS devices matrix
        4. iOS operating system
        5. iDevice identification
        6. iOS filesystem
          1. The HFS+ filesystem
          2. Device partitions
          3. System partition
          4. Data partition
          5. The property list file
          6. SQLite databases
        7. Summary
        8. Self-test questions
      9. 3. Evidence Acquisition from iDevices
        1. iOS boot process and operating modes
        2. iOS data security
          1. Hardware security features
          2. File data protection
        3. Unique device identifier
          1. Case study - UDID calculation on iPhone 6s
        4. Lockdown certificate
        5. Search and seizure
        6. iOS device acquisition
          1. Apple File Conduit acquisition
            1. Case study - AFC acquisition with iBackupBot
          2. iTunes backup
            1. Acquisition with iTunes
            2. Acquisition with forensic tools
            3. Case study - iTunes backup acquisition with Oxygen Forensic Analyst
          3. Advanced logical acquisition
            1. Case study - advanced logical acquisition with UFED Physical Analyzer
          4. Physical acquisition with forensic tools
            1. Case study - physical acquisition with UFED Physical Analyzer
        7. Dealing with a locked iDevice
        8. iOS device jailbreaking
          1. Case study - physical acquisition with Elcomsoft iOS Forensic Toolkit
        9. Apple support for law enforcement
          1. Apple versus FBI - The San Bernardino shooting case
        10. iOS Acquisition - choose the best method
          1. iPhone 3G/3GS/4, iPad 1
          2. iPhone 4s, 5, 5c, iPad 2/3/4, iPad Mini 1
          3. iPhone 5s, 6, 6Plus, 6s, 6s Plus, iPad Air 1/2, iPad Mini 2/3/4, iPad Pro
          4. Apple TV
          5. Apple Watch
        11. Summary
        12. Self-test questions
      10. 4. Evidence Acquisition and Analysis from iTunes Backup
        1. iTunes backup
          1. iTunes backup folders
          2. iTunes backup content
        2. iTunes backup structure
          1. Standard backup files
          2. Case study - parsing Manifest.mbdb with Mbdbls Python script
        3. iTunes backup relevant files
        4. iTunes backup data extraction
          1. Case study - iTunes backup parsing with iBackupBot
          2. Case study - iTunes backup analysis with iPBA
          3. Case study - iTunes backup analysis with Oxygen Forensic Analyst
        5. Encrypted iTunes backup cracking
          1. Case study - iTunes encrypted backup cracking with EPB
        6. Summary
        7. Self-test questions
      11. 5. Evidence Acquisition and Analysis from iCloud
        1. The iCloud service
        2. iDevice backup on iCloud
        3. iDevice backup acquisition
          1. Case study - iDevice backup acquisition and EPPB with username and password
          2. Case study - iDevice backup acquisition and EPPB with authentication token
          3. Case study - iDevice backup acquisition with iLoot
          4. Case study - iDevice backup acquisition with InflatableDonkey
          5. Case study - WhatsApp backup acquisition with Elcomsoft Explorer for WhatsApp
        4. iCloud Control Panel artifacts on the computer
        5. Acquiring data from Cloud with stored tokens
          1. Case study - Cloud data acquisition with UFED Cloud Analyzer
          2. Case study - cloud data acquisition with Oxygen Forensic Detective
        6. Summary
        7. Self-test questions
      12. 6. Analyzing iOS Devices
        1. How data is stored
          1. Timestamps
          2. Databases
          3. The property list files
        2. The iOS configuration files
        3. Native iOS apps
          1. Address book
          2. Audio recordings
          3. Calendar
          4. Call history
          5. E-mail
          6. Images and photos
          7. Maps
          8. Notes
          9. Safari
          10. SMS/iMessage
            1. Voicemail
        4. Other iOS forensic traces
          1. Clipboard
          2. Keyboard
          3. Location
          4. Snapshots
          5. Wallpaper
          6. iOS crash reports
          7. Tracking device usage
        5. Third-party application analysis
          1. Social Network and Instant Messaging applications
            1. Skype
            2. WhatsApp
            3. Facebook and Messenger
            4. Telegram
            5. Signal
          2. Cloud storage applications
            1. Dropbox
            2. Google Drive
        6. Deleted data recovery
          1. File carving - is it feasible?
          2. Carving SQLite deleted records
        7. Case study - iOS analysis with Oxygen Forensics
        8. Summary
        9. Self-test questions
      13. 7. Applications and Malware Analysis
        1. Setting up the environment
          1. class-dump
          2. Keychain Dumper
          3. dumpDecrypted
        2. Application analysis
          1. Data at rest
          2. Data in use
          3. Data in transit
        3. Automating the analysis
          1. idb
        4. Summary
        5. Self-test questions
      14. A. References
        1. Publications freely available
        2. Tools, manuals, and reports
        3. Apple's official documentation
        4. Device security and data protection
        5. Device hardening
        6. iTunes backup
        7. iCloud
        8. Application data analysis
        9. Related books
      15. B. Tools for iOS Forensics
        1. Acquisition tools
        2. iDevice browsing tools and other non-forensic tools
        3. iDevice backup analyzer
        4. iDevice encrypted backup
        5. iCloud Backup
        6. Jailbreaking tools
          1. iOS 9
          2. iOS 8
          3. iOS 7
          4. iOS 6
        7. Data analysis
          1. Forensic toolkit
          2. SQLite viewer
          3. SQLite record carver
          4. Plist viewer
          5. iOS analysis suite
          6. App analysis tools
          7. Consolidated.db
          8. App reverse engineering tools
      16. C. Self-test Answers
        1. Chapter 1: Digital and Mobile Forensics
        2. Chapter 2: Introduction to iOS Devices
        3. Chapter 3: Evidence Acquisition from iDevices
        4. Chapter 4: Evidence Acquisition and Analysis from iTunes Backup
        5. Chapter 5: Evidence Acquisition and Analysis from iCloud
        6. Chapter 6: Analyzing iOS Devices
        7. Chapter 7: Applications and Malware Analysis