iOS Forensics: Overcoming iPhone Data Protection presented at 44Con 2011

by Andrey Belenko,

Summary: Data protection is a feature available for iOS 4 devices with hardware encryption: iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. The introduction of this feature complicated forensic analysis of iOS devices because all user files were now encrypted.
The internal workings of iOS 4 Data Protection were recently studied and published by several independent groups. However, the impact of these findings on iPhone forensics was not thoroughly examined. Therefore we would like to fill this gap.
The talk will start by providing in-depth information about iOS 4 Data Protection internals and will then continue by exploring new techniques in iPhone forensics. More specifically, it will cover the following:
Hierarchy of device and content protection keys
Filesystem and keychain encryption
Passcode and its recovery
Escrow keys