What You Will Learn
SMARTPHONES HAVE MINDS OF THEIR OWN. DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY. IT'S TIME TO GET SMARTER!
FOR585A: iOS Forensic Analysis teaches the proper handling and parsing skills needed to bypass locked iOS devices and correctly interpret the data. The course delves into the iOS file system and discusses common areas containing files of evidentiary value. It will prepare you to deal with the iOS device that will likely be a major component in a forensic investigation.
In this course you'll learn:
- Where key evidence is located on iOS devices
- How to recover deleted mobile device data that forensic tools miss
- How to manually decode evidence stored in third-party applications
- Advanced acquisition terminology and free techniques to gain access to data on iOS devices
- How to properly examine databases containing application and iOS artifacts
- How to handle locked devices, and the differences between BFU and AFU
- How to create SQL queries to handle unparsed artifacts and application data
Syllabus (12 CPEs)
Apple iOS devices contain substantial amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed to bypass locked iOS devices and correctly interpret the data. This course section will cover extraction techniques using jailbreaks and exploits. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.
- SIFT Workstation: Laboratory Setup
- Familiarization with Physical Analyzer with a Physical iOS Extraction
- Familiarization with AXIOM with a Physical iOS Extraction
- Introduction to SQLite Database Forensics and Drafting of Simple SQL Queries
- Manually Decoding and Extracting Information from iOS File System Acquisition
The SIFT Workstation
iOS Forensic Overview and Acquisition
- iOS Architecture and Components
- NAND Flash Memory in iOS Devices
- iOS File Systems
- iOS Versions
- iOS Encryption
- iOS Exploits and Jailbreaks
Smartphone Forensic Tool Overview - Physical Analyzer
- Physical and Logical Keyword Searching
- Key Features
- Tips and Tricks
Smartphone Forensic Tool Overview - AXIOM
- Physical and Logical Keyword Searching
- Key Features
- Tips and Tricks
Introduction to SQLite
- How SQLite Databases Function
- How Data is Stored in These Files
- How to Examine SQLite Databases
- How to Create Simple Queries to Parse Information of Interest
iOS File System Structures
- Defining Data Structure Layout
- Full File System
- File System
- Data Storage Formats
- Parsing and Carving Data
iOS Evidentiary Locations
- Primary Evidentiary Locations
- Unique File Recovery
- Parsing SQLite Database Files
- Manual Decoding of iOS Data
This section dives right into iOS analysis. Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. We'll cover key artifacts to examine the who, what, where, when, and how behind an iOS device.
- Extracting Information from a Full File System checkm8 Extraction
- Advanced Backup File Forensic Exercise Involving an iOS 13 Backup File that Requires Manual Decoding and Carving to Recover Data Missed by Smartphone Forensic Tools
- Manually Decoding iOS 14 Databases Pulled from Backup File Extractions
- Manually Parsing Third-party Applications and Conducting Deep-dive Decoding and Recovery of User Activities on iOS Devices
- Advanced Third-party Application Exercise Requiring Students to Use Skills Learned during the Course to Manually Decode Communications Stored in Third-party Application Files across Multiple Smartphones
- Browser Analysis Exercise Requiring Students to Manually Examine Third-party Browser Activity that the Commercial Tools May Not Parse
Traces of User Activity on iOS Devices
- How iOS Applications Store Data
- Apple Watch Forensics
- Deep Dive into Data Structures on iOS Devices
- Calls, Contacts, and Calendar
- E-mail and Web Browsing
- Location Information
- Third-Party Applications
- Application Usage Logs
- System Files of Interest
- Salvaging Deleted SQLite Records
- Salvaging Deleted Data from Raw Images
iOS Backup File Forensics
- Creating and Parsing Backup Files
- iCloud vs iTunes Data
- Verifying Backup File Data
Locked iOS Backup Files
- Decrypting Locked iOS Backup Files
- How to Successfully Parse
Third-Party Application Overview
- Common Applications Across Smartphones
- Third-Party Browser Overview
- How to Locate
- Data Format
- Manual Recovery
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway: Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.
MANDATORY FOR585 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation or newer), 2.0+ GHz. A 64-bit (x64) processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory).
- It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
- Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 16 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 16 gigabytes of RAM is the mandatory minimum).
- USB 3.0 Type-A port: at least one open and working USB 3.0 Type-A port is required (a Type-C to Type-A adapter may be necessary for newer laptops). Note: some endpoint protection software prevents the use of USB devices; test your system with a USB drive before class to ensure you can load the course data.
- 200 gigabytes of free space on your system hard drive is required. This space is critical to host the VMs we distribute.
- Local administrator access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 capability
MANDATORY FOR585 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
- Download and install 7Zip (for Windows Hosts) or Keka (macOS).
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.