iOS Forensics: from logical acquisition to cloud extraction

05 Mar 2019
In this talk, we present an overview of the entire iOS forensic workflow. We'll give recommendations for properly seizing, transporting and storing iOS devices, and discuss approaches, methods and tools to access information and extract evidence. We'll talk about iOS 12 and how USB Restricted Mode affects the ability to extract data. We'll talk about using existing pairing records to extract evidence from locked devices, and discuss physical acquisition via jailbreaking. We'll look at the types of data Apple devices store and sync via iCloud, and learn how to extract that data. Finally, we will talk about extracting stored passwords from the local and iCloud keychains. Logical, physical and cloud acquisition methods will be covered.
Oleg Afonin, IT Security Researcher - ELCOMSOFT