🍎 Part 4 of 6

iOS Forensics

🕑 120-150 minutes 📖 Intermediate Level 📱 Module 2

Introduction

Apple's iOS powers iPhones, which represent approximately 25-30% of the Indian smartphone market but often contain high-value evidence due to their user demographics. iOS forensics presents unique challenges due to Apple's strong encryption and security measures, but also benefits from standardized architecture across all devices.

📚 Learning Objectives

By the end of this part, you will understand iOS security architecture, perform iTunes/Finder backup extraction and analysis, acquire data from iCloud where legally permissible, and analyze the iOS keychain for stored credentials.

iOS Security Architecture

iOS implements a multi-layered security model that presents significant challenges for forensic examiners. Understanding these layers is essential for determining what data can be accessed.

iOS Security Layers (from the hardware up)

  • Hardware Security: Secure Enclave Processor (SEP), Hardware UID, Device Key
  • System Security: Secure Boot Chain, Code Signing, Sandboxing, ASLR
  • Data Protection: File-level encryption, Protection Classes, Keychain
  • User Data: Messages, Photos, App Data, Health Data

Secure Enclave Processor (SEP)

The Secure Enclave is a coprocessor that handles all cryptographic operations and stores sensitive data like fingerprint templates and Face ID data. Key forensic implications:

  • Passcode attempts are rate-limited by hardware (escalating delays after failed attempts)
  • Encryption keys are derived from both user passcode and hardware UID
  • Keys cannot be extracted even with physical access to the chip
  • After 10 failed attempts, device can auto-wipe (if enabled)

Data Protection Classes

iOS uses four protection classes that determine when data is accessible:

Complete Protection (Class A)
Most secure. Data only accessible when device is unlocked. Keys are discarded when device locks.
Example: Mail database, Health data
Protected Unless Open (Class B)
Files remain accessible while open, even after device locks. Key available until file is closed.
Example: Mail attachments being downloaded
Protected Until First User Authentication (Class C)
Data accessible after first unlock until device restarts. Most common class.
Example: Photos, Messages, most app data
No Protection (Class D)
Always accessible. Only encrypted with device key, not passcode-derived key.
Example: System files needed at boot

🍎 AFU (After First Unlock) State

The "After First Unlock" state is forensically significant because Class C files (majority of user data) remain accessible. If a device has been unlocked at least once since boot, tools like GrayKey can potentially access this data even without the passcode.

iOS File System

iOS uses the Apple File System (APFS), which provides strong encryption, space efficiency, and crash protection.

/ (root)
  /private/var/mobile/ -- User data root
    /Library/ -- System databases and preferences
      /SMS/sms.db -- SMS/iMessage database
      /AddressBook/AddressBook.sqlitedb -- Contacts
      /CallHistoryDB/CallHistory.storedata -- Call logs
      /Notes/notes.sqlite -- Notes app data
      /Safari/ -- Safari bookmarks, history
    /Containers/Data/Application/ -- App sandboxes
      /[UUID]/Documents/ -- App documents
      /[UUID]/Library/ -- App preferences, caches
    /Media/ -- Photos, videos, voice memos
      /DCIM/ -- Camera photos
      /PhotoData/ -- Photos.sqlite database
  /private/var/wireless/ -- Cellular and location data
    /Library/CallHistory/ -- Call history
  /private/var/root/ -- Root user data

Key iOS Databases

Data Type | Database Location | Notes
SMS/iMessage | /private/var/mobile/Library/SMS/sms.db | Messages and attachment metadata
Contacts | /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb | All contact information
Call History | /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata | Phone and FaceTime calls
Safari | /private/var/mobile/Library/Safari/History.db | Browsing history, bookmarks
Photos | /private/var/mobile/Media/PhotoData/Photos.sqlite | Photo metadata, albums, locations
Calendar | /private/var/mobile/Library/Calendar/Calendar.sqlitedb | Events, reminders
Notes | /private/var/mobile/Library/Notes/notes.sqlite | Notes content and metadata
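The databases above are ordinary SQLite files, but their timestamps are not Unix time: sms.db stores message.date as seconds since 2001-01-01 00:00:00 UTC (the Cocoa epoch) on older iOS versions and as nanoseconds since that epoch from iOS 11 onward, so a reader that treats the column as Unix seconds dates every message wrong. The following is an added example, not code from this course or from any forensic tool. It constructs a minimal sms.db in memory (only the message and handle columns the query needs; the real schema has many more) and converts both date formats correctly.

```python
"""Reading sms.db: handle join and conversion of Apple's 2001-epoch dates.

Added example (not part of the course). The sms.db built here is constructed
with a subset of the real columns; the query and date handling apply unchanged
to a copy of the real file taken from a backup or file-system extraction.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds-based values stay far below 1e11 for the foreseeable future, while
# nanosecond values are 1e9 times larger, so this threshold separates the units.
NANOSECOND_THRESHOLD = 10**11


def cocoa_to_utc(value: int) -> datetime:
    """Convert an sms.db date (seconds or nanoseconds since 2001-01-01 UTC) to a UTC datetime."""
    seconds = value / 1_000_000_000 if value >= NANOSECOND_THRESHOLD else value
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_constructed_sms_db() -> sqlite3.Connection:
    """Constructed stand-in for sms.db; handles and texts are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER, service TEXT);
        INSERT INTO handle VALUES (1, '+910000000001', 'SMS');
        INSERT INTO handle VALUES (2, 'example@icloud.com', 'iMessage');
        -- one seconds-era value (pre-iOS 11 style) and two nanosecond-era values
        INSERT INTO message VALUES (1, 1, 'Meeting at 5', 500000000, 0, 'SMS');
        INSERT INTO message VALUES (2, 2, 'On my way', 700000000000000000, 1, 'iMessage');
        INSERT INTO message VALUES (3, 2, NULL, 700000000000000001, 0, 'iMessage');
    """)
    return conn


def extract_messages(conn: sqlite3.Connection) -> list[dict]:
    """Join each message to its handle and normalise the date to an ISO-8601 UTC string."""
    rows = conn.execute("""
        SELECT m.ROWID, m.date, m.is_from_me, h.id, m.service, m.text
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.ROWID
    """).fetchall()
    out = []
    for rowid, date, is_from_me, handle, service, text in rows:
        out.append({
            "rowid": rowid,
            "timestamp_utc": cocoa_to_utc(date).isoformat(),
            "direction": "sent" if is_from_me else "received",
            "handle": handle,          # None when the handle row is missing
            "service": service,
            # NULL text is normal: attachments and system messages carry no body
            "text": text if text is not None else "<no text: attachment or system message>",
        })
    return out


if __name__ == "__main__":
    for msg in extract_messages(build_constructed_sms_db()):
        print(msg["timestamp_utc"], msg["direction"], msg["handle"], msg["service"], msg["text"])
```

Convert to local time only at reporting stage and record the offset used; keeping the normalised value in UTC makes the timeline comparable with call logs, photo metadata and carrier records that use different epochs.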

iTunes/Finder Backup Extraction

iTunes (Windows/older macOS) or Finder (macOS Catalina+) backups are the primary method for logical iOS acquisition. These backups contain substantial user data.

Backup Types

  • Unencrypted Backup: Contains most user data but excludes sensitive items (passwords, Health data, HomeKit). Easier to analyze but less complete.
  • Encrypted Backup: Contains ALL data including Keychain, Health, Wi-Fi passwords. Requires backup password but provides most comprehensive logical acquisition.

Backup Locations

iTunes Backup Locations by OS
# Windows
%APPDATA%\Apple Computer\MobileSync\Backup\
C:\Users\[username]\Apple\MobileSync\Backup\ (Microsoft Store version)
# macOS
~/Library/Application Support/MobileSync/Backup/
# Backup folder naming
[UDID]/ or [UDID]-[timestamp]/

Key Backup Files

File | Purpose
Info.plist | Device info: name, UDID, iOS version, phone number, IMEI
Manifest.plist | Backup metadata, encryption status, date created
Manifest.db | SQLite database mapping backup files to original paths
Status.plist | Backup status and version information
[hash] files | Actual backup data (each file renamed to the SHA-1 of "domain-path")

Encrypted Backup Consideration

If a backup password is unknown, tools like Elcomsoft Phone Breaker or Passware can attempt to recover it through brute-force or dictionary attacks. For forensic purposes, if possible, create a new encrypted backup with a known password (requires unlocked device and trust establishment).
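The mapping between the hashed file names and the original device paths is what makes a backup usable without a commercial tool: each backup file is named SHA-1("domain-relativePath"), Manifest.db records that mapping in its Files table (fileID, domain, relativePath, flags, file), and Manifest.plist and Info.plist carry the encryption flag and device identifiers. The following is an added example, not code from this course or from any forensic product. It constructs a small Manifest.db, Manifest.plist and Info.plist in memory so it runs offline; the backup folder path, the Info.plist values and the CameraRollDomain file name are constructed placeholders.

```python
"""Navigating an iTunes/Finder backup: file-ID hashing, Manifest.db and the plists.

Added example (not part of the course). The Manifest.db built here uses the same
Files table layout as a real backup, so the lookup functions can be pointed at a
real Manifest.db and backup folder unchanged.
"""
import hashlib
import plistlib
import sqlite3
from pathlib import Path


def backup_file_id(domain: str, relative_path: str) -> str:
    """A backup file is stored under SHA-1("<domain>-<relativePath>") in lowercase hex."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_path(backup_dir: str, file_id: str) -> Path:
    """iOS 10 and later shard backup files into subfolders named by the first two hex digits."""
    return Path(backup_dir) / file_id[:2] / file_id


def build_constructed_manifest_db() -> sqlite3.Connection:
    """Constructed stand-in for Manifest.db with three entries (unencrypted backup, file BLOB omitted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    entries = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),  # constructed file name
    ]
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
        [(backup_file_id(d, p), d, p) for d, p in entries],
    )
    conn.commit()
    return conn


def find_in_manifest(conn: sqlite3.Connection, relative_path: str) -> list[tuple[str, str]]:
    """Return (fileID, domain) pairs for an on-device relative path such as Library/SMS/sms.db."""
    cur = conn.execute(
        "SELECT fileID, domain FROM Files WHERE relativePath = ? ORDER BY domain",
        (relative_path,),
    )
    return cur.fetchall()


def manifest_is_encrypted(manifest_plist: bytes) -> bool:
    """Manifest.plist carries the IsEncrypted flag; plistlib reads XML and binary plists alike."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))


def device_summary(info_plist: bytes) -> dict[str, str]:
    """Pull the identification keys an examiner records first from Info.plist."""
    info = plistlib.loads(info_plist)
    wanted = ("Device Name", "Unique Identifier", "Product Version", "Phone Number", "IMEI")
    return {key: str(info[key]) for key in wanted if key in info}


# Constructed plists standing in for the real files; every value is made up.
CONSTRUCTED_MANIFEST_PLIST = plistlib.dumps({"IsEncrypted": True, "Version": "10.0"})
CONSTRUCTED_INFO_PLIST = plistlib.dumps({
    "Device Name": "Example iPhone",
    "Unique Identifier": "00000000-000000000000000E",
    "Product Version": "16.5",
    "Phone Number": "+91 00000 00000",
    "IMEI": "000000000000000",
})


if __name__ == "__main__":
    conn = build_constructed_manifest_db()
    for file_id, domain in find_in_manifest(conn, "Library/SMS/sms.db"):
        print(domain, file_id, backup_file_path("./backup_folder", file_id))  # placeholder folder
    print("encrypted:", manifest_is_encrypted(CONSTRUCTED_MANIFEST_PLIST))
    print(device_summary(CONSTRUCTED_INFO_PLIST))
```

In an encrypted backup the Manifest.db itself and every data file are encrypted with per-file keys wrapped by the backup-password-derived key bag, so the lookup above only works after a tool that knows the password has decrypted the manifest; on an unencrypted backup it works directly and lets you confirm that a file on disk really is the database Manifest.db says it is by recomputing its SHA-1 name.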

Creating Forensic Backup

libimobiledevice Commands for Backup

# Install libimobiledevice
brew install libimobiledevice        # macOS (Homebrew)
apt install libimobiledevice-utils   # Debian/Ubuntu
# List connected, paired devices (prints one UDID per line)
idevice_id -l
# Get device information (model, iOS version, serial number, etc.)
ideviceinfo
# Create unencrypted backup
idevicebackup2 backup --full ./backup_folder/
# Create encrypted backup: idevicebackup2 has no -e flag. Backup encryption is a
# device setting, so turn it on first (-i asks for the password interactively,
# keeping it out of shell history), then run the backup; record the password used.
idevicebackup2 -i encryption on ./backup_folder/
idevicebackup2 backup --full ./backup_folder/

iCloud Data Acquisition

iCloud stores substantial data that may not be present on the physical device. Legal acquisition requires proper authorization.

iCloud Data Types

  • iCloud Backup: Full device backup (similar to iTunes backup)
  • iCloud Drive: Documents and app data
  • iCloud Photos: Photo library (may be only copy if "Optimize Storage" enabled)
  • Messages in iCloud: Synced iMessage/SMS history
  • Health Data: If iCloud sync enabled
  • Keychain: Synced passwords (end-to-end encrypted)
  • Find My: Location history

Acquisition Methods

Credential-Based (with consent)
Using Apple ID and password with proper legal authority. Requires bypassing 2FA if enabled.
Tools: Elcomsoft Phone Breaker, Cellebrite Cloud
Token-Based
Extract authentication tokens from unlocked device or trusted computer to access iCloud without credentials.
Tools: Elcomsoft, Oxygen Forensic Cloud
Legal Request to Apple
Formal legal process (MLAT for India) requesting that Apple provide available data.
Apple provides account data and, if available, backups

🍎 Advanced Data Protection

Apple's Advanced Data Protection (ADP) feature provides end-to-end encryption for almost all iCloud data. If enabled, even Apple cannot access the data, and law enforcement requests may yield encrypted data only. Check device settings for ADP status.

Keychain Analysis

The iOS Keychain stores sensitive credentials including passwords, certificates, and encryption keys. It's encrypted and protected by the Secure Enclave.

Keychain Contents

  • Safari saved passwords and usernames
  • Wi-Fi network passwords
  • App-stored credentials (if using Keychain API)
  • Email account passwords
  • VPN credentials
  • Digital certificates
  • Credit card information (Apple Pay cards)

Accessing Keychain Data

Keychain data requires specific conditions for access:

  • Encrypted iTunes Backup: Includes Keychain - requires backup password
  • Jailbroken Device: Direct access to keychain-2.db possible
  • Physical Extraction: Advanced tools can extract Keychain with exploit
  • iCloud Keychain: End-to-end encrypted, extremely difficult to access

Keychain Database Location
# Keychain database (on jailbroken device)
/private/var/Keychains/keychain-2.db
# In encrypted backup
Keychain data embedded in backup, extracted by forensic tools

Legal Consideration

Accessing Keychain data reveals highly sensitive personal information. Ensure your legal authority specifically covers credential extraction. Document justification for Keychain analysis in forensic reports.

iOS Forensic Tools

Several commercial and open-source tools support iOS forensics:

Tool | Capabilities | Cost
Cellebrite UFED | Full physical extraction (with exploits), logical, cloud | Commercial (high)
GrayKey | Passcode bypass, full file system extraction | Commercial (very high)
Elcomsoft iOS Forensic Toolkit | Physical extraction (checkm8 exploit), backup analysis | Commercial (moderate)
Oxygen Forensic Detective | Logical extraction, backup analysis, cloud | Commercial (moderate)
libimobiledevice | Backup creation, basic file access | Free/Open Source
iBackupBot | Backup browsing and extraction | Free/Shareware

📚 Key Takeaways

  • iOS security relies on hardware (Secure Enclave), software, and encryption layers working together
  • Data Protection Classes determine when data is accessible - Class C (AFU) is forensically significant
  • iTunes/Finder encrypted backups provide most comprehensive logical acquisition including Keychain
  • iCloud contains substantial data but may be end-to-end encrypted with Advanced Data Protection
  • Keychain stores passwords and credentials - accessible only from encrypted backup or with advanced tools
  • Key databases: sms.db (messages), AddressBook.sqlitedb (contacts), Photos.sqlite (photos)
  • Commercial tools like GrayKey and Cellebrite offer advanced extraction capabilities
  • Always verify legal authority before accessing sensitive iOS data