Introduction
Apple's iOS is known for its robust security architecture, making forensic extraction more challenging than Android. However, with proper techniques and tools, investigators can still extract valuable evidence from iOS devices. This part covers iOS structure, iTunes/Finder backups, iCloud data extraction, jailbroken device analysis, and keychain forensics.
By the end of this part, you will be able to describe the iOS file system structure, analyze iTunes/Finder backups, extract iCloud data, examine jailbroken devices, and perform keychain analysis.
iOS File System Structure
iOS runs a Unix-like (Darwin/XNU) kernel on the APFS file system, with strict permissions, per-app sandboxing, and hardware-backed encryption. Understanding the layout helps locate evidence even when you only have a backup rather than the device itself.
iOS Partitions
- System Partition: Contains the iOS operating system (read-only; cryptographically sealed on recent releases)
- Data Partition: Contains user data, apps, and settings (mounted at /private/var)
- Preboot Volume: Boot files and recovery information
- xART/Hardware: Secure Enclave persistent storage (not directly accessible to the application processor)
Key Directory Structure (Data Partition)
| Path | Description | Forensic Value |
|---|---|---|
| /private/var/mobile/ | User data root | Primary evidence location |
| /private/var/mobile/Containers/ | App containers | App data, documents, caches |
| /private/var/mobile/Library/ | Library directory of the mobile user (built-in app and system data) | SMS, call history, Safari data |
| /private/var/mobile/Media/ | Media files | Photos, videos, voice memos |
| /private/var/wireless/Library/ | Network data | WiFi, Bluetooth, cellular info |
| /private/var/root/Library/ | Root user data | System-level preferences |
iOS Security Features
Secure Enclave
Dedicated security coprocessor that holds encryption keys and Touch ID/Face ID templates. Keys and biometric templates never leave the Secure Enclave; the application processor only receives the result of an operation (for example, a pass/fail match).
Data Protection
Each file is encrypted with its own per-file key, which is wrapped with one of four class keys. The protection class of a file determines when its class key is available (for example, Complete Protection is only available while unlocked, while Protected Until First User Authentication stays available after the first unlock until reboot).
Hardware Encryption
AES-256 encryption rooted in a device-specific UID key that is fused into the silicon or generated by the Secure Enclave during manufacturing and is never readable by software. Keys derived from the passcode are tangled with the UID, so they can only be computed on the original device.
Code Signing
Only code signed with an Apple-issued certificate (App Store, developer, or enterprise) can run on the device. This blocks installation of unauthorized software, including forensic agents, on a non-jailbroken device.
iOS devices use hardware-based encryption tied to the device UID. Without the passcode, a raw physical extraction yields only encrypted data. Each passcode guess requires a key derivation tangled with the UID that is calibrated to take roughly 80 ms, and the Secure Enclave enforces escalating delays between failed attempts, making brute force impractical on newer devices.
iTunes/Finder Backup Analysis
iTunes (Windows/older macOS) and Finder (macOS 10.15+) backups provide a forensically valuable data source when direct device access is limited.
Backup Types
- Unencrypted Backup: Basic data; excludes the keychain (except a few items), Health, HomeKit, call history, Safari history, and saved WiFi settings
- Encrypted Backup: More complete backup including saved passwords (keychain), Health data, WiFi settings, call history, and website history
Backup Locations
# Windows (iTunes from apple.com)
%APPDATA%\Apple Computer\MobileSync\Backup\
C:\Users\[username]\AppData\Roaming\Apple Computer\MobileSync\Backup\
# Windows (iTunes from the Microsoft Store)
%USERPROFILE%\Apple\MobileSync\Backup\
# macOS
~/Library/Application Support/MobileSync/Backup/
# Backup folder named with device UDID
# Example: 00008030-001234567890801E
Key Backup Files
| File | Description | Content |
|---|---|---|
| Manifest.plist | Backup metadata | Device info, backup date, iOS version, IsEncrypted flag, BackupKeyBag (for encrypted backups) |
| Manifest.db | File database (SQLite, iOS 10+; Manifest.mbdb in older backups) | Files table mapping every file to its domain, relative path, and on-disk fileID |
| Info.plist | Device information | Device name, IMEI, phone number, serial |
| Status.plist | Backup status | Backup completion status, version |
Important Databases in Backup
# Paths are written as <domain>-<relativePath>. On disk each file is stored under
# SHA-1("<domain>-<relativePath>"), e.g. sms.db becomes 3d0d7e5fb2ce288813306e4d4636395e047a3d28
# SMS/iMessage
HomeDomain-Library/SMS/sms.db
# Call History
HomeDomain-Library/CallHistoryDB/CallHistory.storedata
# Contacts
HomeDomain-Library/AddressBook/AddressBook.sqlitedb
HomeDomain-Library/AddressBook/AddressBook.sqlitedb
HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb
# Safari History & Bookmarks
HomeDomain-Library/Safari/History.db
HomeDomain-Library/Safari/Bookmarks.db
# Notes (legacy database and the modern app-group store)
HomeDomain-Library/Notes/notes.sqlite
AppDomainGroup-group.com.apple.notes-NoteStore.sqlite
# Calendar
HomeDomain-Library/Calendar/Calendar.sqlitedb
# Photos Database
CameraRollDomain-Media/PhotoData/Photos.sqlite
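The following is an added example (not code from the original page or from any vendor tool) showing how the backup naming scheme above is resolved in practice: it computes the SHA-1 fileID for a domain/relativePath pair, derives the on-disk location under the backup's UDID folder, and queries a Manifest.db Files table for regular files in a domain. The Manifest.db it builds is constructed sample data using the real Files schema; the UDID folder name is the example value from the section above, not a real device.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# (domain, relativePath) pairs for the databases listed above.
KEY_FILES = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "calls": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "safari_history": ("HomeDomain", "Library/Safari/History.db"),
    "photos": ("CameraRollDomain", "Media/PhotoData/Photos.sqlite"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """On-disk name of a backed-up file: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_path(backup_dir: Path, domain: str, relative_path: str) -> Path:
    """iOS 10+ backups keep each file in a subdirectory named by the first two hex digits of its fileID."""
    file_id = backup_file_id(domain, relative_path)
    return Path(backup_dir) / file_id[:2] / file_id


def list_files(manifest_db: Path, domain: str, pattern: str = "%") -> list[tuple[str, str]]:
    """Regular files (flags = 1) in one domain from Manifest.db; directories carry flags = 2."""
    conn = sqlite3.connect(manifest_db)
    try:
        return conn.execute(
            "SELECT relativePath, fileID FROM Files "
            "WHERE domain = ? AND relativePath LIKE ? AND flags = 1 ORDER BY relativePath",
            (domain, pattern),
        ).fetchall()
    finally:
        conn.close()


def build_sample_manifest(manifest_db: Path) -> None:
    """Constructed Manifest.db (real Files schema, sample rows only) so the example runs offline."""
    conn = sqlite3.connect(manifest_db)
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [(backup_file_id(d, p), d, p, 1, None) for d, p in KEY_FILES.values()]
    # A directory entry, to show that flags distinguishes it from files.
    rows.append((backup_file_id("HomeDomain", "Library/SMS"), "HomeDomain", "Library/SMS", 2, None))
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def demo() -> dict:
    """Build the sample manifest in a temp dir and resolve the SMS database from it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "00008030-001234567890801E"  # example UDID folder
        backup_dir.mkdir()
        manifest = backup_dir / "Manifest.db"
        build_sample_manifest(manifest)
        sms_domain, sms_rel = KEY_FILES["sms"]
        sms_path = backup_file_path(backup_dir, sms_domain, sms_rel)
        home_files = list_files(manifest, "HomeDomain", "Library/%")
        return {
            "sms_file_id": backup_file_id(sms_domain, sms_rel),
            "sms_subdir": sms_path.parent.name,
            "home_domain_files": [p for p, _ in home_files],
            # The fileID recorded in Manifest.db must equal the hash we computed.
            "manifest_matches_hash": dict(home_files)[sms_rel] == sms_path.name,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real backup, point `list_files` at the backup's own Manifest.db and `backup_file_path` at the UDID folder; if the backup is encrypted, the files you locate this way are still ciphertext until unwrapped with keys from the BackupKeyBag, so the locator helps you find what to decrypt, not read it.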
Backup Analysis Tools
- iBackup Viewer: Free tool for viewing iTunes backup contents
- iPhone Backup Extractor: Commercial tool with advanced features
- iLEAPP: iOS Logs Events And Plists Parser (open source)
- Autopsy: iOS backup parser module
- Oxygen/Cellebrite: Commercial forensic suites
If the backup is encrypted, you need the backup password (not the device passcode). The password is set by the user in iTunes/Finder, not by Apple, and it protects the BackupKeyBag stored in Manifest.plist. If it is unknown, tools like Elcomsoft Phone Breaker or Hashcat (mode 14800 for iOS 10+ backups) can attempt recovery, but since iOS 10.2 the key derivation uses 10,000,000 PBKDF2-SHA256 iterations plus 10,000 PBKDF2-SHA1 iterations, so only short or dictionary passwords are realistically recoverable.
iCloud Data Extraction
iCloud stores a wealth of data that may not be present on the device. With proper legal authorization and credentials, investigators can access significant evidence.
iCloud Data Types
iCloud Backup
Device backup similar to iTunes, includes app data, settings, messages (if enabled).
iCloud Photos
Photos and videos synced across devices. May include deleted items in "Recently Deleted".
iCloud Drive
Documents and files stored in cloud. App-specific document storage.
Messages in iCloud
End-to-end encrypted messages (if enabled). Note that when iCloud Backup is on and Advanced Data Protection is off, the backup includes a copy of the key protecting Messages in iCloud, so the messages are reachable through the backup; only with ADP enabled is the key unavailable to Apple.
Legal Process for iCloud Data
- User Credentials: With Apple ID and password (+ 2FA), use tools like Elcomsoft Phone Breaker
- Legal Request to Apple: Law enforcement can submit requests through Apple's Legal Process Guidelines
- Data Available from Apple: Account info, email logs, iCloud backups (if not using Advanced Data Protection)
- End-to-End Encrypted: Some data (with ADP enabled) not available even to Apple
iCloud Extraction Methods
| Method | Requirements | Data Access |
|---|---|---|
| Credential-based | Apple ID + Password + 2FA | Full iCloud access |
| Token-based | Authentication token taken from a trusted device (e.g. a logged-in Mac) | Access limited by the token's scope and lifetime, but without a 2FA prompt |
| Apple Legal Request | Court order / warrant | Non-E2E encrypted data |
| Synced Device | Access to synced Mac/iPad | Locally synced data only |
Apple's Advanced Data Protection (ADP), introduced in December 2022 and rolled out worldwide in 2023, is an opt-in setting that enables end-to-end encryption for most iCloud data categories including iCloud Backup, Photos, Notes, and iCloud Drive. With ADP enabled, Apple cannot decrypt this data even in response to a legal request. iCloud Mail, Contacts, and Calendar remain outside ADP. Determine whether ADP is enabled on the account early in an investigation, because it decides which of the methods above can yield content.
Jailbroken Device Examination
Jailbreaking removes Apple's security restrictions, allowing root access. While rare, jailbroken devices offer significantly better forensic access.
What is Jailbreaking?
- Definition: Exploiting iOS vulnerabilities to gain root access and bypass code signing
- Purpose: Install unofficial apps, customize iOS, remove restrictions
- Tools: checkra1n, palera1n, unc0ver, Taurine (availability depends on iOS version and chip)
- Types: Tethered (needs a computer on every reboot), Semi-tethered (boots unjailbroken without a computer), Semi-untethered (re-jailbreaks from an on-device app after reboot), Untethered (persists across reboots)
Detecting Jailbreak
# Common jailbreak indicators (in a full file system extraction or on the device)
# Check for package-manager apps (Cydia, Sileo)
/Applications/Cydia.app
/Applications/Sileo.app
# SSH daemon
/usr/sbin/sshd
/usr/bin/sshd
# Jailbreak files
/private/var/lib/cydia
/private/var/stash
/Library/MobileSubstrate
# Rootless jailbreak bootstrap (iOS 15+)
/private/var/jb
# APT (package manager)
/usr/bin/apt
/etc/apt
# Checkra1n specific
/private/var/checkra1n.dmg
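As an added example (not code from the original page or from any jailbreak or forensic tool), the scanner below runs the indicator list above against an extracted iOS file system root, such as the tar taken over SSH later in this part. Beyond the path list it also checks two things a practitioner looks for: whether /Applications has been turned into a symlink (the classic stash technique) and whether any launch daemon plist starts an SSH server or a tweak injector. The sample root it builds is constructed in a temp directory with planted indicators; the file names are placeholders, not real device data.

```python
import os
import tempfile
from pathlib import Path

# Indicator paths from the list above, relative to the extracted root.
INDICATOR_PATHS = [
    "Applications/Cydia.app",
    "Applications/Sileo.app",
    "usr/sbin/sshd",
    "usr/bin/sshd",
    "private/var/lib/cydia",
    "private/var/stash",
    "Library/MobileSubstrate",
    "private/var/jb",
    "usr/bin/apt",
    "etc/apt",
    "private/var/checkra1n.dmg",
]
# Strings that should not appear in launch daemons on a stock device.
DAEMON_KEYWORDS = ("sshd", "dropbear", "cydia", "substrate", "substitute")


def scan_root(root) -> list[str]:
    """Return human-readable jailbreak findings for an extracted iOS file system at `root`."""
    root = Path(root)
    findings: list[str] = []
    for rel in INDICATOR_PATHS:
        p = root / rel
        # is_symlink() catches dangling links that exists() would report as absent.
        if p.exists() or p.is_symlink():
            findings.append(f"indicator present: /{rel}")
    # Stash trick: /Applications replaced by a symlink into /var/stash.
    apps = root / "Applications"
    if apps.is_symlink():
        findings.append(f"/Applications is a symlink -> {os.readlink(apps)}")
    # Third-party launch daemons (rootful and rootless locations).
    for daemons_dir in ("Library/LaunchDaemons", "private/var/jb/Library/LaunchDaemons"):
        d = root / daemons_dir
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            text = plist.read_text(errors="ignore").lower()
            hits = [k for k in DAEMON_KEYWORDS if k in text]
            if hits:
                findings.append(
                    f"launch daemon {plist.relative_to(root)} references {', '.join(hits)}"
                )
    return findings


def demo() -> list[str]:
    """Constructed sample root: a clean tree plus planted indicators (no real device data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "private/var/mobile/Library").mkdir(parents=True)
        (root / "private/var/stash/Applications.xyz").mkdir(parents=True)
        (root / "Applications").symlink_to(root / "private/var/stash/Applications.xyz")
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/sbin/sshd").write_bytes(b"")
        (root / "Library/LaunchDaemons").mkdir(parents=True)
        (root / "Library/LaunchDaemons/com.openssh.sshd.plist").write_text(
            "<plist><dict><key>Program</key><string>/usr/sbin/sshd</string></dict></plist>"
        )
        return scan_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the directory you untarred the SSH extraction into; an empty result on a full file system dump is a reasonable (not conclusive) sign the device is stock, while a symlinked /Applications or a non-Apple launch daemon is worth documenting even if the package manager itself was removed.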
Forensic Advantages of Jailbroken Devices
Full File System Access
Access all directories including protected system files and app containers.
Keychain Extraction
Extract keychain database with stored passwords and credentials.
SSH Access
Remote access via SSH for file transfer and command execution.
Physical Imaging
Create bit-for-bit images of the data partition. Note that such an image is still encrypted per file at rest; the decrypted content comes from copying files (for example with tar) while the device is running with its class keys available, which is why a full file system tar, not a raw image, is the usual deliverable.
Extraction via SSH (Jailbroken Device)
# Default SSH credentials on jailbroken iOS (change them: anyone on the same network can otherwise log in)
# Username: root, Password: alpine
# Over USB with libimobiledevice: forward a local port to the device's SSH port
# (checkra1n's built-in dropbear listens on port 44; an installed OpenSSH on 22)
iproxy 2222 44
ssh -p 2222 root@localhost
# Stream a tar of user data straight to the workstation instead of writing an archive on the device
ssh -p 2222 root@localhost 'tar -cf - /private/var/mobile' > ./evidence/userdata.tar
sha256sum ./evidence/userdata.tar > ./evidence/userdata.tar.sha256
# Same over WiFi
ssh root@[device-ip] 'tar -cf - /private/var/mobile' > ./evidence/userdata.tar
# Or use rsync for selective transfer (rsync must be installed on the device)
rsync -avz root@[device-ip]:/private/var/mobile/Library/ ./evidence/Library/
Checkra1n exploits a BootROM vulnerability (checkm8) in A5 to A11 chips (iPhone 4S through iPhone X) that Apple cannot patch with a software update. Forensic tools use the same exploit to boot a forensic ramdisk rather than installing the jailbreak, so the data partition is not modified. Data Protection still applies: without the passcode only files in the weakest protection classes are decryptable, a device that has been unlocked since boot (AFU) yields more, and the passcode is needed for everything else.
Keychain Analysis
The iOS Keychain stores sensitive data including passwords, certificates, tokens, and encryption keys. It's a critical artifact for forensic investigation.
Keychain Contents
- WiFi Passwords: Saved network credentials
- Website Passwords: Safari saved passwords
- App Passwords: Credentials stored by third-party apps
- Certificates: Email certificates, VPN certificates
- Tokens: Authentication tokens, OAuth tokens
- Credit Cards: Safari AutoFill payment cards
Keychain Protection Classes
| Class | Accessibility | Use Case |
|---|---|---|
| kSecAttrAccessibleWhenUnlocked | Only when device unlocked | Most app passwords |
| kSecAttrAccessibleAfterFirstUnlock | After first unlock until reboot | Background app access |
| kSecAttrAccessibleAlways | Always (deprecated) | Legacy apps |
| kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly | Only with passcode, non-migratable | High-security items |
Keychain Extraction
- Encrypted iTunes Backup: Keychain is included in encrypted backups. Items in a ThisDeviceOnly class are wrapped with the device UID, so they can only be decrypted on the originating device, not from the backup on an analyst workstation
- Jailbroken Device: Direct access to keychain database
- Forensic Tools: Cellebrite, Oxygen can extract and decrypt keychain
# Keychain location (jailbroken device)
/private/var/Keychains/keychain-2.db
# Keychain analysis tools
# - Keychain Dumper (jailbroken)
# - Elcomsoft Phone Breaker (backup)
# - Commercial forensic suites
In a fraud investigation, the keychain may reveal: banking app credentials, email passwords (for additional evidence sources), VPN configurations (indicating anonymization attempts), and saved social media tokens that provide access to accounts without passwords.
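The triage below is an added example, not code from the original page or from Keychain Dumper or any forensic suite. It reads the `pdmn` column that keychain-2.db uses to record the protection classes from the table above (the short codes `ak`, `ck`, `dk`, and their `u` suffixed ThisDeviceOnly variants, plus `akpu`) and answers the two questions that matter before decryption is attempted: which items are recoverable given how the device was acquired (BFU, AFU, or unlocked), and which are bound to the device and therefore not decryptable from a backup. The `genp` table it builds is constructed sample data with the columns used here; the accounts and services are placeholders.

```python
import sqlite3

# pdmn code -> (protection class, minimum device state with the class key available, migratable?)
PDMN_CLASSES = {
    "ak":   ("kSecAttrAccessibleWhenUnlocked", "unlocked", True),
    "ck":   ("kSecAttrAccessibleAfterFirstUnlock", "afu", True),
    "dk":   ("kSecAttrAccessibleAlways", "bfu", True),
    "aku":  ("kSecAttrAccessibleWhenUnlockedThisDeviceOnly", "unlocked", False),
    "cku":  ("kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly", "afu", False),
    "dku":  ("kSecAttrAccessibleAlwaysThisDeviceOnly", "bfu", False),
    "akpu": ("kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly", "unlocked", False),
}
# Device states in increasing order of available class keys: BFU < AFU < unlocked.
STATE_RANK = {"bfu": 0, "afu": 1, "unlocked": 2}


def decryptable(pdmn: str, device_state: str) -> bool:
    """True if the class key for `pdmn` is available while the device is in `device_state`."""
    _, needs, _ = PDMN_CLASSES[pdmn]
    return STATE_RANK[device_state] >= STATE_RANK[needs]


def migratable(pdmn: str) -> bool:
    """ThisDeviceOnly classes are wrapped with the UID and cannot be decrypted off-device from a backup."""
    return PDMN_CLASSES[pdmn][2]


def triage(conn: sqlite3.Connection, device_state: str) -> dict[str, list[str]]:
    """Group generic-password (genp) items by recoverability in `device_state` and by device binding."""
    out: dict[str, list[str]] = {"recoverable": [], "locked": [], "device_bound": []}
    for acct, svce, agrp, pdmn in conn.execute(
        "SELECT acct, svce, agrp, pdmn FROM genp ORDER BY rowid"
    ):
        label = f"{svce or agrp}:{acct} [{PDMN_CLASSES[pdmn][0]}]"
        bucket = "recoverable" if decryptable(pdmn, device_state) else "locked"
        out[bucket].append(label)
        if not migratable(pdmn):
            out["device_bound"].append(label)
    return out


def build_sample_keychain() -> sqlite3.Connection:
    """Constructed genp table with the columns used here (sample rows, not a real keychain)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE genp (acct TEXT, svce TEXT, agrp TEXT, pdmn TEXT, data BLOB)")
    conn.executemany(
        "INSERT INTO genp (acct, svce, agrp, pdmn, data) VALUES (?, ?, ?, ?, ?)",
        [
            ("HomeWiFi", "AirPort", "apple", "ck", b"\x00"),                   # saved WiFi network
            ("alice@example.com", "imap.example.com", "apple", "ak", b"\x00"),  # mail password
            ("bank-session", None, "com.example.bank", "cku", b"\x00"),        # app token
            ("vpn-shared-secret", "VPN", "apple", "akpu", b"\x00"),            # VPN secret
            ("push-token", None, "com.example.social", "dk", b"\x00"),         # legacy Always item
        ],
    )
    return conn


def demo(device_state: str = "afu") -> dict[str, list[str]]:
    """Triage the sample keychain for the given acquisition state."""
    return triage(build_sample_keychain(), device_state)


if __name__ == "__main__":
    for state in ("bfu", "afu", "unlocked"):
        result = demo(state)
        print(f"{state}: {len(result['recoverable'])} recoverable, "
              f"{len(result['locked'])} locked, {len(result['device_bound'])} device-bound")
```

On a real keychain-2.db, open the copied database read-only and run `triage` against it with the state the device was in at acquisition; the `inet`, `cert`, and `keys` tables carry the same `pdmn` column and can be handled the same way. The `data` blob remains encrypted until the matching class key is unwrapped, so this step tells you what to expect from decryption rather than performing it.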
iOS Forensic Tools
Various tools are available for iOS forensic examination, each with different capabilities and requirements.
Open Source Tools
| Tool | Purpose | Features |
|---|---|---|
| iLEAPP | Artifact Parser | iOS Logs Events And Plists Parser - comprehensive artifact extraction |
| libimobiledevice | Device Communication | Cross-platform library for iOS device interaction |
| ideviceinstaller | App Management | Install, list, and manage iOS apps |
| Autopsy | Analysis Platform | iOS backup analyzer module |
Commercial Tools
| Tool | Key Features |
|---|---|
| Cellebrite UFED/PA | Advanced extraction methods, checkm8 support, full file system |
| GrayKey | Passcode bypass for locked devices (law enforcement only) |
| Elcomsoft iOS Forensic Toolkit | File system extraction, checkm8 support, keychain |
| Oxygen Forensic Detective | iCloud extraction, backup analysis, comprehensive reporting |
| Magnet AXIOM | iOS + cloud forensics, AI analysis, timeline |
Summary
- iOS uses hardware-backed encryption with the Secure Enclave, making passcode brute force impractical
- iTunes/Finder backups are valuable - encrypted backups contain keychain and more data
- Key backup locations: Manifest.db, sms.db, CallHistory.storedata, AddressBook.sqlitedb
- iCloud data requires credentials, tokens, or legal process to Apple
- Advanced Data Protection (ADP) enables end-to-end encryption for most iCloud data
- Jailbroken devices provide full file system and keychain access via SSH
- Keychain contains passwords, tokens, certificates - extracted from encrypted backups or jailbroken devices
- Checkm8/checkra1n exploits (A5-A11 chips) enable forensic extraction without user data modification