Discover the forensic artefacts present within iOS.
Task 2: iOS Pairing
2.1. What is the name of a type of certificate that is used when an iPhone and a device pair together?
Trust Certificate
2.2. What is the expiry timer on these certificates?
30 Days
Task 3: Preserving Evidence
3.1. What is the name of the Apple feature that allows a device to be remotely wiped?
Find My
3.2. What “type” of backup would we perform if we wanted to back up the entire device?
Encrypted
3.3. What is the name of an important piece of equipment that can block all signals, preventing the device from being remotely wiped?
Faraday Bag
Task 4: The iOS Filesystem
4.1. After March 2017, what filesystem do all iPhones use?
APFS
4.2. What is the name of the “domain” that stores all files relating to the operating system?
System
Task 5: Artefacts
5.1. In what directory of a backup is the Address Book (contacts) stored?
HomeDomain/Library/AddressBook
5.2. In what directory of the iPhone are passwords and certificates stored? This is known as the Keychain.
/var/keychains
Task 6: Analysis
6.1. What is the name of the cross-platform toolkit that can interact with iOS devices? This is a CLI tool.
libimobiledevice
6.2. If we wanted to do a full iPhone backup using the aforementioned tool, with the directory being “backup”, what would our command look like?
backup: instructs the module to backup.
--full: create a full backup.
idevicebackup2 backup --full ./backup
Task 7: Practical: Operation Timely Manner
7.2. What is the name (SSID) of the Wi-Fi network the iPhone connected to?
OneMinuteStaff
7.3. What are the saved contact details for the competitor?
Answer format: Firstname,Lastname
In SQLite, open the AddressBook.sqlitedb file located in the directory C:\Users\Administrator\Desktop\iPhoneExtracted.
Wayne,Garcey
7.4. On what day was the exchange of information to take place?
Answer format: DD/MM/YYYY
30/03/2024
Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. In my blog, we write blog posts that my friends and I want to share. Have a good read.