Digital Forensics & Apple iOS devices - Acquisition of data stored on a closed system, presented at SSTIC 2014

by Mathieu Renard

Summary: An adaptation of the English term "computer forensics", the term "digital investigation" refers to the use of specialized techniques for the collection, analysis, interpretation and explanation of digital information. These techniques are applied when a case involves issues relating to the use of a computer, and any other supporting information.
Nowadays, digital forensic analysis extends to any computer equipment, including smartphones of all brands. In contrast to open systems like Android, there is currently no public tool for acquiring the filesystem contents of a recent Apple device. However, this step is essential when searching for digital evidence to confirm or rule out a compromise. To address this problem, this paper briefly describes the architecture and security mechanisms of the Apple iOS system before reviewing the existing data acquisition methods and their limitations. Finally, it presents two logical acquisition techniques: non-intrusive logical acquisition and intrusive logical acquisition. The latter results from the analysis and implementation of methods originally used by unlocking software, better known as "jailbreaks".