BF 304: Data Acquisitions from iOS Backups
iOS Internals
● iOS devices are limited to Apple hardware and most run the newest iOS version due to
high upgrade adoption rates by users. Security is at the core of the design and encryption is
on by default.
● To perform a forensics exam on an iOS device, you must understand the internal
components and inner workings of the device.
● Knowledge surrounding the internals of the device will provide you with a way to
determine
○ What data can be acquired
○ Where the data is stored
○ What methods can be used to access the data
● Different models and iOS versions require different methods for extraction and analysis
iPhone Models and Hardware
● In order to proceed with an examination, the first step is to identify the type of phone.
This can be done by examining the back of the device for the model number, which is
preceded by the letter “A”.
○ Model “A1687” = Model 1687
● In the newer models the “A” is no longer printed on the back of the device but can be
found inside of the SIM card slot. This is often very difficult to see.
● If you have a device that is unlocked, the model of the device can be found under:
○ Settings
○ General
○ About
○ Model Number
○ Note: The device firmware can also be located in the settings.
● The IMEI can also be used to identify a device model. Inputting the IMEI into imei.info
will provide you with the model and other specs about a device. IMEI is often on the SIM
card tray.
● The chipset of an iOS device can be determined based on the device release date.
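Added example (not part of the original notes): an IMEI read off a SIM tray is easy to mistranscribe, so it is worth checking before a lookup. The sketch below validates the Luhn check digit and splits the IMEI into its Type Allocation Code (the first eight digits, the part that identifies the model) and serial number; the function names are illustrative and the sample IMEIs are constructed test values, not case data.

```python
import re

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for the 14-digit IMEI body (TAC + serial number)."""
    total = 0
    # Right to left: the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def parse_imei(raw: str) -> dict:
    """Split an IMEI (15 digits) or IMEISV (16 digits) into its fields."""
    digits = re.sub(r"[\s\-/.]", "", raw)  # tolerate printed separators
    if not re.fullmatch(r"[0-9]{15,16}", digits):
        raise ValueError(f"expected 15 or 16 digits, got {raw!r}")
    result = {"tac": digits[:8], "serial": digits[8:14]}
    if len(digits) == 15:
        expected = luhn_check_digit(digits[:14])
        result.update(check_digit=int(digits[14]),
                      expected_check_digit=expected,
                      valid=int(digits[14]) == expected)
    else:
        # IMEISV carries a 2-digit software version instead of a check digit.
        result.update(software_version=digits[14:], valid=None)
    return result

if __name__ == "__main__":
    # Constructed samples: valid IMEI, one-digit transcription error, IMEISV.
    for s in ["49-015420-323751-8", "490154203237519", "4901542032375101"]:
        print(s, "->", parse_imei(s))
```

A result with `valid` set to False means the number was misread and should be re-examined on the device before it goes into the case notes.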
Apple File System Structures
● Originally, the file system used in iOS devices was HFSX, which is a variation of HFS
Plus.
● APFS was introduced in June 2016 and replaced HFS to become the default filesystem
for iOS.
○ Began with the release of iOS 10.3
Disk Layout
● System Partition: contains the operating system and the preloaded applications.
○ This partition is read only with the exception of jailbroken devices and during an
OS upgrade.
○ When the partition is updated it does not affect the userdata partition.
○ Requires a small amount of space. The mount point for this partition is / (root).