Tryhackme: iOS Analysis Writeup

Discover the forensic artefacts present within iOS.


Task 2: iOS Pairing

2.1. What is the name of a type of certificate that is used when an iPhone and a device pair together?

Trust Certificate

2.2. What is the expiry timer on these certificates?

30 Days

Task 3: Preserving Evidence

3.1. What is the name of the Apple feature that allows a device to be remotely wiped?

Find My

3.2. What “type” of backup would we perform if we wanted to back up the entire device?

Encrypted

3.3. What is the name of an important piece of equipment that can block all signals, preventing the device from being remotely wiped?

Faraday Bag

Task 4: The iOS Filesystem

4.1. After March 2017, what filesystem do all iPhones use?

APFS

4.2. What is the name of the “domain” that stores all files relating to the operating system?

System

Task 5: Artefacts

5.1. In what directory of a backup is the Address Book (contacts) stored?

HomeDomain/Library/AddressBook

5.2. In what directory of the iPhone are passwords and certificates stored? This is known as the Keychain.

/var/keychains

Task 6: Analysis

6.1. What is the name of the cross-platform toolkit that can interact with iOS devices? This is a CLI tool.

libimobiledevice

6.2. If we wanted to do a full iPhone backup using the aforementioned tool, with the directory being “backup”, what would our command look like?

  • backup: instructs the tool to take a backup.
  • --full: create a full backup rather than an incremental one.

idevicebackup2 backup --full ./backup

The flag is two ASCII hyphens; a Unicode dash is not parsed as an option. Encrypted backups (Task 3.2) carry more data than unencrypted ones, notably Keychain entries that are otherwise left device-bound, so run idevicebackup2 encryption on <password> before the backup when that is wanted.

Task 7: Practical: Operation Timely Manner

7.2. What is the name (SSID) of the Wi-Fi network the iPhone connected to?

OneMinuteStaff

7.3. What are the saved contact details for the competitor?

Answer format: Firstname,Lastname

Open AddressBook.sqlitedb from C:\Users\Administrator\Desktop\iPhoneExtracted in a SQLite browser and look at the ABPerson table, which holds the first and last name of each contact.

Wayne,Garcey
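To show where the backup path from 5.1 actually lands on disk and how the contact lookup in 7.3 works, here is an added Python example (not from the room or this writeup). It computes the backup file ID for HomeDomain/Library/AddressBook/AddressBook.sqlitedb, builds a constructed miniature backup with a cut-down ABPerson/ABMultiValue schema and made-up contacts, and queries it the way you would in a SQLite browser. The SHA-1 naming, the two-hex-digit subdirectory layout of iOS 10+ backups and the property codes (3 = phone, 4 = email) are from the real backup format; the contact rows and the "Rival Corp" organisation are invented sample data.

```python
import hashlib
import os
import sqlite3
import tempfile

# Well-known artefact location inside an iTunes/idevicebackup2 backup.
AB_DOMAIN = "HomeDomain"
AB_PATH = "Library/AddressBook/AddressBook.sqlitedb"


def backup_file_id(domain: str, relative_path: str) -> str:
    """Backups name each file by the SHA-1 of '<domain>-<relative path>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def backup_file_path(backup_dir: str, domain: str, relative_path: str) -> str:
    """Locate a file inside a backup. iOS 10+ backups bucket files into
    subdirectories named by the first two hex digits of the file ID; older
    backups store every file flat in the backup root."""
    file_id = backup_file_id(domain, relative_path)
    nested = os.path.join(backup_dir, file_id[:2], file_id)
    flat = os.path.join(backup_dir, file_id)
    return nested if os.path.exists(nested) else flat


def build_sample_backup(backup_dir: str) -> str:
    """Construct a minimal fake backup holding only AddressBook.sqlitedb.
    The schema is a cut-down ABPerson/ABMultiValue (the real tables have many
    more columns); the contacts are constructed sample data, not room data."""
    file_id = backup_file_id(AB_DOMAIN, AB_PATH)
    db_path = os.path.join(backup_dir, file_id[:2], file_id)
    os.makedirs(os.path.dirname(db_path), exist_ok=True)
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
                               Organization TEXT);
        CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER,
                                   property INTEGER, label INTEGER, value TEXT);
        INSERT INTO ABPerson VALUES (1, 'Wayne', 'Garcey', 'Rival Corp');
        INSERT INTO ABPerson VALUES (2, 'Dana', 'Smith', NULL);
        -- property 3 = phone number, 4 = email address in the AddressBook schema
        INSERT INTO ABMultiValue VALUES (1, 1, 3, 1, '+44 7700 900123');
        INSERT INTO ABMultiValue VALUES (2, 1, 4, 1, 'wayne@example.com');
        INSERT INTO ABMultiValue VALUES (3, 2, 3, 1, '+44 7700 900456');
    """)
    con.commit()
    con.close()
    return db_path


def list_contacts(db_path: str) -> list:
    """Join ABPerson to its phone/email rows, as an analyst would in a SQLite browser."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("""
            SELECT p.First, p.Last, p.Organization,
                   GROUP_CONCAT(CASE WHEN m.property = 3 THEN m.value END) AS phones,
                   GROUP_CONCAT(CASE WHEN m.property = 4 THEN m.value END) AS emails
            FROM ABPerson p
            LEFT JOIN ABMultiValue m ON m.record_id = p.ROWID
            GROUP BY p.ROWID
            ORDER BY p.Last, p.First
        """).fetchall()
    finally:
        con.close()
    return [{"first": f, "last": l, "org": o, "phones": ph, "emails": em}
            for f, l, o, ph, em in rows]


def demo() -> dict:
    """Build the constructed backup, resolve the artefact path and pull contacts."""
    with tempfile.TemporaryDirectory() as backup_dir:
        build_sample_backup(backup_dir)
        db = backup_file_path(backup_dir, AB_DOMAIN, AB_PATH)
        contacts = list_contacts(db)
        return {
            "file_id": backup_file_id(AB_DOMAIN, AB_PATH),
            "contacts": contacts,
            # Room answer format is Firstname,Lastname
            "competitor": [f"{c['first']},{c['last']}"
                           for c in contacts if c["org"] == "Rival Corp"],
        }


if __name__ == "__main__":
    print(demo())
```

On a real backup, point backup_file_path at the directory idevicebackup2 wrote (the UDID-named folder) and skip build_sample_backup; the file ID for the Address Book is stable across devices because it depends only on the domain and path.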

7.4. On what day was the exchange of information to take place?

Answer format: DD/MM/YYYY

30/03/2024
