Overcoming iOS Data Protection to Re-enable iPhone Forensic presented at BlackhatUSA 2011

by Andrey Belenko,

URL : https://media.blackhat.com/bh-us-11/Belenko/BH_US_11_Belenko_iOS_Forensics_Slides.pdf

Summary : Data protection is a feature available for iOS 4 devices with hardware encryption: iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.
This talk will provide in-depth information about iOS 4 Data protection. More specifically, it will cover the following:
System keys and their hierarchy
Device passcode and its recovery
Escrow keys
Filesystem encryption
Keychain encryption