iOS Forensics101: The Essential Guide

July 06, 2022



Introduction 

iOS is now widely used in several different technologies. We see a few different types of iOS devices around us, including the apple watch, apple tv,  iPhone, AirPods, and MacBook.

iOS Device Using Rate

So why is iOS not the preferred operating system?

Amazon and Android devices can typically be found starting at $40, however iOS devices start from at least $150, which is a very natural situation if we consider that in some countries people have a monthly income. The population of the Asian continent is very large and the underdeveloped countries are scattered on this side. This is part of what allows for this interesting ratio.

Things are much different in the United States, as the ratio of Android usage is 40% compared to 59% of iOS usage. This is likely due to, the difference in the level of welfare, advertising, and popular culture.. Additionally,  costs are often paid by dividing them over the long term, which is another contributing factor.

iOS Forensics

Let's briefly discuss a famous case where an Olympic runner named Oscar Pistorius was convicted of killing his girlfriend. Mobile forensics experts reviewed his iPad, including browser history records, and deleted data on the device. At the same time, the data here was presented as evidence in court. As we can see in this example, iPhones or iPads can provide important information in such scenarios, as they are devices that can both store data and connect to the Internet.

Before making a forensic, it’s necessary to understand the features of the device, such as the security model, file structure, and internal working structure.

iOS Security Model

Apple Icon

  • iOS Secure Boot Chain
  • iOS Application Signing
  • iOS Application Sandbox

The iOS secure boot chain system uses a secure boot chain mechanism to provide security in the booting process. Additionally, signing your app allows iOS to identify who signed your app and to verify that your app hasn’t been modified since you signed it. Application sandboxing features have been built by iOS that prevent the applications from accessing the data or files of other applications.

iOS Secure Boot Chain

To provide security during the booting process, the iOS secure boot chain system employs the secure boot chain mechanism. We've seen a lot of rootkits and malware that infect at the boot level. The iOS secure boot chain ensures that no low-level software is compromised and that iOS is running on a valid iDevice.

The block diagram for an iOS secure boot chain is shown below:

iOS Secure Boot Chain

Let's now go over the iOS secure boot chain step by step:

Boot ROM

  • This is implicitly accepted.
  • It is referred to as a hardware root of trust.
  • This code is embedded in the processor and cannot be changed or updated.
  • This also includes the Apple root certificate with an authentic public key, which is used to ensure that the low-level boot loader is properly signed.

Low-level Bootloader(LLB)

  • This is the lowest level of code that can be updated.
  • It also validates the iBoot firmware signatures before loading it.

iBoot

  • It verifies the signature of the iOS kernel before starting the kernel.
  • This secure boot chain also prevents any malware that can affect the boot level.

iOS Application Signing

Signing your app allows iOS to identify who signed it and confirm that it hasn't been modified since you signed it.

If we look at the signing process:

  • The developer signs the apps and applies to Apple.
  • Apple verifies it (performs some rudimentary checks, not vulnerability assessment of app).
  • If the app meets Apple requirements, Apple signs the application.
  • Finally, the app is made available for download on the Apple App Store.

iOS Application Signing

Apple's process of checking iOS apps before signing the application is not transparent. According to case studies, Apple does not perform a thorough vulnerability assessment of any app. This leaves the door open for several dangerous security threats.

iOS Application Sandbox

iOS Application Sandbox

Sandboxing improves the security and integrity of the operating system by restricting what an application can do. On iOS, for example, an application cannot access another application's sandbox. Why is that important? Even though Apple reviews every application before allowing it into the App Store, the review process is far from perfect. Malicious applications could easily make their way into the App Store with no one noticing. If every third-party application could access the file system and the sandboxes of other applications, the platform would quickly fall apart.

However, an application does not have to be malicious to cause havoc. A harmless bug could also cause havoc. This is far less likely if the applications are sandboxed.

The iOS Filesystem

The iOS file system is designed for standalone apps. Users of iOS devices do not have direct access to the file system to keep the system simple, and apps are expected to follow this convention. For security reasons, an iOS app's file system interactions are limited to the directories contained within the app's sandbox directory. The installer creates several container directories for the app inside the sandbox directory during the installation of a new app. Each container directory serves its own distinct purpose.

The iOS File System

  • The Bundle Container hosts the application bundle.
  • The Data Container directory holds both application and user data.
  • The application can request access to additional container directories during runtime. “iCloud Container”.

Let’s examine file structure in these containers:

MyApp.app contains the application and all resource files.

  • The package directory is signed during installation to prevent tampering.
  • Writing to this directory changes the signature and prevents your application from starting.
  • However, there is read-only access to all resources stored in the application package.

If your application uses an SQLite database to store the user's data, database files can be stored in the Documents directory.

Library subdirectories can be used for files that are not intended to be shown to the user.

iOS apps typically use the Application support and cache directories however they can also be built-in custom subdirectories. User data is not found within this directory.

The Temp directory is where temporary files are stored during application startup. Your application automatically removes files from this directory when they are no longer needed; however, the system can also clean this directory while the application is not running.

What is an IPA File?

A .ipa (iOS App Store Package) file is an iOS application archive file that stores an iOS application. Each .ipa file contains a binary and can only be installed on an iOS or ARM-based macOS device. Files with the .ipa extension can be opened by changing the extension to .zip. It can only be installed on macOS with an iOS or ARM architecture. Most .ipa files cannot be uploaded to the iPhone Simulator as they do not contain a binary for the x86 architecture, instead, they only contain a file for the ARM architecture of mobile phones. Additionally, to run applications in the simulator, original project files are required, which can be opened using the Xcode SDK.

Let's examine what files are in an IPA file:

IPA File

Payload: contains all application data.

iTunes Artwork file: A 512×512 pixel PNG image containing the app's icon for display in the iTunes & App Store app.

iTunesMetadata.plist: developer name and ID, bundle identifier, copyright information, genre, app name, release date, purchase date, etc. It contains various pieces of information such as:

/WatchKitSupport/WK: Contains controllers that handle interface management in the Apple watch.

/META-INF: Contains information relating to which program the IPA was created.

What is Jailbreak?

On Apple devices running iOS and iOS-based operating systems, jailbreaking is a privilege escalation exploit used to remove manufacturer-imposed software restrictions. Typically, this is accomplished through a series of kernel patches. A jailbroken device grants root access to the operating system and the ability to install software that is not available through the App Store. A variety of tools are used to exploit various devices and versions.

Apple views jailbreaking as a violation of the end-user license agreement, and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities. While it is sometimes compared to rooting an Android device, jailbreaking is the end-ability user's to circumvent various types of Apple restrictions. Because it entails modifying the operating system (enforced by a "locked bootloader"), installing non-officially approved (not available on the App Store) applications via sideloading, and granting the user elevated administration-level privileges (rooting), iOS jailbreaking differs from Android device rooting.

Also, jailbreaking has its disadvantages.

  • No more automatic updates.
  • Shorter battery life.
  • Restricted access to some services; message, iCloud, facetime…
  • Malfunctions such as freezing may occur in the device.
  • Security Risk (KeyRaider); Jailbreak enables software piracy so apps and games can be distributed for free. This means that you trust the developers of all the apps you install, rather than Apple. Data from banking apps, stored passwords, and social media accounts could be at risk if this information becomes accessible on a jailbroken iPhone. This is when an iOS jailbreak malware called KeyRaider steals 225,000 Apple IDs and thousands of certificates, private keys, and purchase receipts. risk has arisen. As a result, victims reported that their stolen accounts showed abnormal app purchase history, and in other cases, phones were locked and held for ransom. In addition, the ssh port of the device you have jailbroken opens to the outside and the device can be accessed remotely with default credentials.

Types of Jailbreak

There are several popular tools developed by third parties used for jailbreaking. Although the method may vary depending on the tool, most Jailbreak tools require the support of a computer. Unc0ver, and checkra1n, the most well-known jailbreak tool today, can be given as an example.

  • Tethered
  • Semi-Tethered
  • Fully Untethered
  • Semi-Untethered

Unc0ver Jailbreak

Tethered

Dependent Jailbreak method and tools remove device restrictions with just one launch. In case the device is turned off, crashed, or out of charge, the method must be reapplied to be able to start the device and remove the restrictions. The fact that the device requires a computer to even turn on makes this method difficult and inconvenient for some.

Semi-tethered

The semi-dependent Jailbreak method and its tools can also remove device restrictions with just one launch, similar to the dependent Jailbreak method. The difference from the dependent jailbreak method is that only the device is restricted in the case of a restart. The device can be unlocked without the need for a computer, but a re-Jailbreak with the computer is required for the restrictions to be lifted again. Checkra1n tool is an example of this method.

Untethered 

Although a computer is required for the first application of the method, it does not need to be applied again every time the device restarts. Some methods can handle the entire process on the device, without the need for a computer.

Semi-untethered

Removes one-initiation restrictions only. The device can be unlocked without the need for a computer and the re-removal of restrictions can be done through the device. Unc0ver tool is an example of this method.

Overview of Mobile Forensics Processes

Mobile forensics is a branch of digital forensics that focuses on mobile devices, which are rapidly becoming more popular. The importance of mobile forensics has grown in tandem with this exponential growth of the mobile market. Because a mobile phone usually belongs to a single person, its analysis could reveal a wealth of personal information and secrets.

This rapid growth created new challenges. The high ratio of new models designed and launched makes it difficult to follow similar procedures. Each case or investigation of the new model must be approached differently, with steps that may be different and unique to the specific case.

With these challenges in mobile forensics, software-based syncing of mobile phones to computers becomes much simpler. Data such as SMS, contacts, installed applications, GPS data, emails, and deleted data can be easily extracted. Let’s examine the process of mobile forensics:

Collection

The below steps are recommended during the collection of mobile devices:

  • The location history of the mobile device has been collected. It is good practice to take a picture using the camera of the location and mobile phone before starting any progress.
  • Noting the status of the device. Whether it’s powered on or off. If it is powered on, what the battery status or network status is, as well as whether the screen is locked.
  • Searching for the SIM package and if any cables are located around.

Preservation

It is very important to protect the evidence of an investigation. Potential attackers have data and can invalidate any newly available data. The following methods are recommended for protecting evidence from an attack:":

  • Isolating the mobile device from the network.
  • Establishing a Chain of Custody which includes details such as serial no, case no, cabinet no, investigator's name, time and date of each step, and details of evidence transfer.

Acquisition

There are three methods used for data extraction from iOS devices. Below an overview has been given about each.

  • Physical: A bit-to-bit copy of the device and allows for the recovery of deleted data.
  • File System: Extracts files visible at the file system level.
  • Logical: This allows the extraction of certain files from the file system, such as a backup created using iTunes.

General iOS Forensic Artifacts

General iOS Forensic Artifacts

Clipboard

/private/var/mobile/Library/caches/com.apple.UIKit.pboard

Data such as text and passwords copied, cut, or pasted on the device are stored within this file.

Keyboard

/private/var/mobile/Library/Keyboard

A file for each language and keyboard files configured on the device are kept.

Location

/private/var/root/Library/Caches/locations/consolidated.db

In Newer device:

/private/var/root/Library/Caches/locations/cache_encryptedA.db

Contains location information about the wifi point and base station. On new devices, encrypted.db only stays on the device for 8 days before the data is automatically deleted. Other apps that track geolocations may also store GPS and time information.

Snapshots

/private/var/mobile/Library/Caches/Snapshots/

/private/var/mobile/Applications/<app_UUID>/Library/Caches/Snapshots

Saves snapshots taken by iOS. Snapshots of pre-installed applications are retained. With this feature, important forensics information can be easily obtained.

Spotlight

/private/var/mobile/Library/Spotlight

This feature assists the user in searching such as apps, SMS, contacts, and more. It stores the focus of attention indexes and searches.

Wallpaper

/private/var/mobile/Library/Springboard/

The file where the wallpapers on the device are stored.

iOS Forensics Tools 

  • Elcomsoft
  • OXYGEN Forensics
  • iExplorer
  • Db Browser for SQLite

Elcomsoft

  • Bit-precise device images are obtained.
  • Decrypt device keys Fast file system acquisition; Zero footprint operation; It does not leave any traces or changes within the contents of the devices.
  • Every step of the investigation is logged and recorded Supports iOS up to version 9.0.2
  • Mac and Windows versions are available.

Oxygen Forensics

  • Unlock device.
  • Imaging of IoT devices and smartwatches.
  • Getting flight history from drones and extracting saved pictures.

iExplorer

We can connect with the device and download the application files. We can do this with the demo version.

DB Browser for SQLite

It is the tool that allows us to examine the database files in the application.

Conclusion 

IOS devices are very popular these days, so examiners are likely to encounter more iOS devices during forensic investigations. IOS devices get upgraded with new features all the time, and the vulnerable/weak features are being removed in favor of these new advanced features. As we discover new features with each upgraded IOS, we need to stay up to date on technology and versions.

In this blog post, we discussed topics such as iOS file structure and the security model that should be known when using iOS forensics. We also covered iOS physical and logical inference methods. In the last part, we talked about the tools used in iOS mobile forensic processes.

Stay Safe & Make the Internet Safer. Check out our Penetration Testing services to get started!