iOS Forensics is the process of gathering and analyzing digital evidence from iOS devices, such as iPhones, MacBooks, and iPads. With the increasing use of mobile devices in our daily lives, digital forensics has become an essential area of investigation in many criminal cases.
For example, an Olympic runner named Oscar Pistorius was convicted of killing his girlfriend. Forensic experts used his iPad, including browser history and deleted data, as evidence in court.
This shows that iPhones and iPads can provide important information in such scenarios. It’s important to understand the device’s features, such as security, file structure, and internal workings, before conducting a forensic examination.
iOS has advanced security features that make it difficult for digital forensic investigators to extract evidence. But with the right tools and techniques, they can still gather and analyze important information from these devices.
iOS Security Model
- iOS Secure Boot Chain
- iOS Application Signing
- iOS Application Sandbox
The iOS secure boot chain system uses a secure boot chain mechanism to provide security in the booting process. Additionally, signing your app allows iOS to identify who signed your app and verify that your app hasn’t been modified since you signed it.
Application sandboxing features have been built by iOS that prevent the applications from accessing the data or files of other applications.
Also see: What is Cloud Security?
iOS Secure Boot Chain
The iOS Secure Boot Chain is a series of processes that ensure only trusted code is loaded during the boot-up process of an iOS device. This security feature helps prevent unauthorized access to the device’s operating system and data.
To provide security during the booting process, it employs a secure boot chain mechanism. There is a lot of rootkits and malware that infect at the boot level. The iOS secure boot chain ensures that no low-level software is compromised and that iOS is running on a valid iDevice.
The block diagram for an iOS secure boot chain is shown below:
Let’s now go over the iOS secure boot chain step by step:
Boot ROM
- This is implicitly accepted.
- It is referred to as a hardware root of trust.
- This code is embedded in the processor and cannot be changed or updated.
- This also includes the Apple root certificate with an authentic public key, which is used to ensure that the low-level boot loader is properly signed.
Low-level Bootloader(LLB)
- This is the lowest level of code that can be updated.
- It also validates the iBoot firmware signatures before loading it.
iBoot
- It verifies the signature of the iOS kernel before starting the kernel.
- This secure boot chain also prevents any malware that can affect the boot level.
iOS Application Signing
Signing your app allows iOS to identify who signed it and confirm that it hasn’t been modified since you signed it.
If we look at the signing process:
- The developer signs the apps and applies them to Apple.
- Apple verifies it (performs some rudimentary checks, not vulnerability assessment of the app).
- If the app meets Apple’s requirements, Apple signs the application.
- Finally, the app is made available for download on the Apple App Store.
Apple’s process of checking iOS apps before signing the application is not transparent. According to case studies, Apple does not perform a thorough vulnerability assessment of any app. This leaves the door open for several dangerous security threats.
iOS Application Sandbox
The iOS Application Sandbox is a security feature that isolates applications from the rest of the system, limiting their access to sensitive data and resources. Each application runs in its own sandbox, ensuring that it can only access its own resources and data. This helps to prevent applications from interfering with each other or with the system as a whole.
Sandboxing improves the security and integrity of the operating system by restricting what an application can do. On iOS, for example, an application cannot access another application’s sandbox.
Why is that important?
Even though Apple reviews every application before allowing it into the App Store, the review process is far from perfect. Malicious applications could easily make their way into the App Store with no one noticing.
If every third-party application could access the file system and the sandboxes of other applications, the platform would quickly fall apart.
However, an application does not have to be malicious to cause havoc. A harmless bug could also cause havoc. This is far less likely if the applications are sandboxed.
The iOS Filesystem
The iOS file system is designed for standalone apps. Users of iOS devices do not have direct access to the file system to keep the system simple, and apps are expected to follow this convention.
For security reasons, an iOS app’s file system interactions are limited to the directories contained within the app’s sandbox directory. The installer creates several container directories for the app inside the sandbox directory while installing a new app. Each container directory serves its own distinct purpose.
- The Bundle Container hosts the application bundle.
- The Data Container directory holds both application and user data.
- The application can request access to additional container directories during runtime. “iCloud Container”.
Let’s examine the file structure in these containers:
MyApp.app contains the application and all resource files.
- The package directory is signed during installation to prevent tampering.
- Writing to this directory changes the signature and prevents your application from starting.
- However, there is read-only access to all resources stored in the application package.
If your application uses an SQLite database to store the user’s data, database files can be stored in the Documents directory.
Library subdirectories can be used for files that are not intended to be shown to the user.
iOS apps typically use the Application support and cache directories however they can also be built-in custom subdirectories. User data is not found within this directory.
The Temp directory is where temporary files are stored during application startup. Your application automatically removes files from this directory when no longer needed. However, the system can also clean this directory while it is not running.
What is an IPA File?
A .ipa (iOS App Store Package) file is an iOS application archive file that stores an iOS application. Each .ipa file contains a binary and can only be installed on an iOS or ARM-based macOS device.
Files with the .ipa extension can be opened by changing the extension to .zip. It can only be installed on macOS with an iOS or ARM architecture. Most .ipa files cannot be uploaded to the iPhone Simulator as they don’t contain a binary for the x86 architecture, instead, they only contain a file for the ARM architecture of mobile phones.
Additionally, to run applications in the simulator, original project files are required, which can be opened using the Xcode SDK.
Let’s examine what files are in an IPA file:
Payload: contains all application data.
iTunes Artwork file: A 512×512 pixel PNG image containing the app’s icon for display in the iTunes & App Store app.
iTunesMetadata.plist: developer name and ID, bundle identifier, copyright information, genre, app name, release date, purchase date, etc. It contains various pieces of information such as:
/WatchKitSupport/WK: Contains controllers that handle interface management in the Apple watch.
/META-INF: Contains information relating to which program the IPA was created.
What is Jailbreak?
On Apple devices running iOS and iOS-based operating systems, jailbreaking is a privilege escalation exploit used to remove manufacturer-imposed software restrictions. Typically, this is accomplished through a series of kernel patches.
A jailbroken device grants root access to the operating system and the ability to install software that is not available through the App Store. A variety of tools are used to exploit various devices and versions.
Apple views jailbreaking as a violation of the end-user license agreement, and strongly caution device owners not to try to achieve root access through the exploitation of vulnerabilities.
Jailbreaking an iOS device is similar to rooting an Android device. However, it involves:
- Modifying the operating system (enforced by a “locked bootloader”),
- Installing non-officially approved (not available on the App Store) applications via sideloading,
- And granting the user elevated administration-level privileges (rooting).
Thus, iOS jailbreaking differs from Android device rooting.
Also, jailbreaking has its disadvantages.
- No more automatic updates.
- Shorter battery life.
- Restricted access to some services; message, iCloud, facetime…
- Malfunctions such as freezing may occur in the device.
- Security Risk (KeyRaider): Jailbreak enables software piracy so apps and games can be distributed for free. This means that you trust the developers of all the apps you install, rather than Apple.
Data from banking apps, stored passwords, and social media accounts could be at risk if this information becomes accessible on a jailbroken iPhone.
This is when an iOS jailbreak malware called KeyRaider steals 225,000 Apple IDs and thousands of certificates, private keys, and purchase receipts.
As a result, victims reported that their stolen accounts showed abnormal app purchase history, and in other cases, phones were locked and held for ransom. In addition, the ssh port of the device you have jailbroken opens to the outside and the device can be accessed remotely with default credentials.
Types of Jailbreak
There are several popular tools developed by third parties used for jailbreaking. Although the method may vary depending on the tool, most Jailbreak tools require the support of a computer. Unc0ver, and checkra1n, the most well-known jailbreak tool today, can be given as an example.
- Tethered
- Semi-Tethered
- Fully Untethered
- Semi-Untethered
Tethered
Dependent Jailbreak method and tools remove device restrictions with just one launch. In case the device is turned off, crashed, or out of charge, the method must be reapplied to be able to start the device and remove the restrictions.
The fact that the device requires a computer to even turn on makes this method difficult and inconvenient for some.
Semi-tethered
The semi-dependent Jailbreak method and its tools can also remove device restrictions with just one launch, similar to the dependent Jailbreak method. The difference from the dependent jailbreak method is that only the device is restricted in the case of a restart.
The device can be unlocked without the need for a computer, but a re-Jailbreak with the computer is required for the restrictions to be lifted again. The Checkra1n tool is an example of this method.
Untethered
Although a computer is required for the first application of the method, it does not need to be applied again every time the device restarts. Some methods can handle the entire process on the device, without the need for a computer.
Semi-untethered
Removes one-initiation restrictions only. The device can be unlocked without the need for a computer and the re-removal of restrictions can be done through the device. The Unc0ver tool is an example of this method.
Overview of Mobile Forensics Processes
Mobile forensics is a branch of digital forensics that focuses on mobile devices, which are rapidly becoming more popular. The importance of mobile forensics has grown in tandem with this exponential growth of the mobile market. Because a mobile phone usually belongs to a single person, its analysis could reveal a wealth of personal information and secrets.
This rapid growth created new challenges. The high ratio of new models designed and launched makes it difficult to follow similar procedures. Each case or investigation of the new model must be approached differently, with steps that may be different and unique to the specific case.
With these challenges in mobile forensics, software-based syncing of mobile phones to computers becomes much simpler. Data such as SMS, contacts, installed applications, GPS data, emails, and deleted data can be easily extracted. Let’s examine the process of mobile forensics:
Step #1: Collection
The below steps are recommended during the collection of mobile devices:
- The location history of the mobile device has been collected. It is good practice to take a picture using the camera of the location and mobile phone before starting any progress.
- Noting the status of the device: Whether it’s powered on or off. If it is powered on, what the battery status or network status is, as well as whether the screen is locked.
- Searching for the SIM package and if any cables are located around.
Step #2: Preservation
It is very important to protect the evidence of an investigation. Potential attackers have data and can invalidate any newly available data. The following methods are recommended for protecting evidence from an attack:
- Isolating the mobile device from the network.
- Establishing a Chain of Custody which includes details such as serial no, case no, cabinet no, investigator’s name, time and date of each step, and details of evidence transfer.
Step #3: Acquisition
There are three methods used for data extraction from iOS devices. Below an overview has been given of each.
- Physical: A bit-to-bit copy of the device allows for the recovery of deleted data.
- File System: Extracts files visible at the file system level.
- Logical: This allows the extraction of certain files from the file system, such as a backup created using iTunes.
General iOS Forensic Artifacts
Clipboard
/private/var/mobile/Library/caches/com.apple.UIKit.pboard
Data such as text and passwords copied, cut, or pasted on the device are stored within this file.
Keyboard
/private/var/mobile/Library/Keyboard
A file for each language and keyboard files configured on the device are kept.
Location
/private/var/root/Library/Caches/locations/consolidated.db
In Newer device:
/private/var/root/Library/Caches/locations/cache_encryptedA.db
Contains location information about the wifi point and base station. On new devices, encrypted.db only stays on the device for 8 days before the data is automatically deleted. Other apps that track geolocations may also store GPS and time information.
Snapshots
/private/var/mobile/Library/Caches/Snapshots/
/private/var/mobile/Applications/<app_UUID>/Library/Caches/Snapshots
Saves snapshots taken by iOS. Snapshots of pre-installed applications are retained. With this feature, important forensic information can be easily obtained.
Spotlight
/private/var/mobile/Library/Spotlight
This feature assists the user in searching such as apps, SMS, contacts, and more. It stores the focus of attention indexes and searches.
Wallpaper
/private/var/mobile/Library/Springboard/
The file where the wallpapers on the device are stored.
iOS Forensics Tools
- Elcomsoft
- OXYGEN Forensics
- iExplorer
- Db Browser for SQLite
- See more here
Elcomsoft
- Bit-precise device images are obtained.
- Decrypt device keys Fast file system acquisition; Zero footprint operation; It does not leave any traces or changes within the contents of the devices.
- Every step of the investigation is logged and recorded Supports iOS up to version 9.0.2
- Mac and Windows versions are available.
Oxygen Forensics
- Unlock the device.
- Imaging of IoT devices and smartwatches.
- Getting flight history from drones and extracting saved pictures.
iExplorer
We can connect with the device and download the application files. We can do this with the demo version.
DB Browser for SQLite
It is the tool that allows us to examine the database files in the application.
Conclusion
IOS devices are very popular these days, so examiners are likely to encounter more iOS devices during forensic investigations. IOS devices get upgraded with new features all the time, and vulnerable/weak features are being removed in favor of these new advanced features.
As we discover new features with each upgraded IOS, we need to stay up to date on technology and versions.
This blog post provides insights into the complex world of iOS forensics. By learning the essential knowledge and techniques needed for conducting digital forensic investigations on iOS devices, you gain a unique perspective on the topic.
Stay safe & make the internet safer. Check out our Penetration Testing services to get started!