iOS forensic acquisition methods
Vladimir Katalov published, on ElcomSoft‘s blog, a good post about forensic acquisition techniques for iOS devices.
It’s a really interesting paper, from which I’d like to share some highlights:
Logical acquisition is the fastest, simplest, and most compatible acquisition method that works for all iOS devices running all iOS versions. All you need is the iOS (iPadOS, WatchOS, tvOS) device itself, plus the Lightning cable (for Apple Watch, also the iBUS adapter).
With logical acquisition, you can obtain:
- Extended device information
- Device backup (iTunes style); may be password-protected
- Media files (plus some system databases that may contain info on deleted files)
- Crash and diagnostic logs
- Shared application data
Full file system acquisition
Even a password-protected backup contains significantly less information than actually exists on the device. The device stores enormous amounts of data: system databases (with detailed location data), third-party application data even from secure messengers, SQLite write-ahead logs (WAL) that may contain deleted data, temporary files, WebKit data, AplePay transactions, notifications from all applications, and a lot of other critical evidence.
That’s actually the hidden gem. Initially, iCloud acquisition was all about the backups. Today, the role of iCloud backups had diminished significantly; the iCloud backups are even more limited than local iTunes backups with no password set. Most iPhones and iPads also sync a lot of data with the cloud. Just about everything can be sunced from contacts to photos and messages, as well as the keychain. Also, the iCloud keychain, contrary to Apple’s doc, may contain not just passwords but also authentication tokens. There is also iCloud Drive with many files and documents, usually including Documents and Desktop folders from Mac computers. And all that is collected not just from a single iPhone but from all devices connected to the account.
For technical details, please refers to ElcomSoft‘s post