Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

iOS Forensics

No description
by

Souhaiel Ben Tekaya

on 4 June 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of iOS Forensics

Introduction
Méthodologie générale
Résultats et discussion
Conclusion
Perspectives

Effets
Introduction
EFFET DE LA MUSIQUE ET DU CYCLE MENSTRUEL SUR LES PERFORMANCES LORS DES EXERCICES INTENSES DE COURTES DUREES
Nourhene GHAZEL
Cost


Response Time


Data Sensitivity
What Factors to consider?
Softwarre, hardware, physical security measures (anti-tamper)

Staff training, labor cost

Frequent action--> internally

Rare actions--> external party

Secure Boot chain:
signedBoot-up process(bootloader, kernel extensions)
Apple Root CA
If any fails the boot-up is aborted
Code Signing:
Developers are identifiable with Apple Root CA
Chain of trust from iOS kernel to application
Runtime process Security:
Sandboxing
HFS components are shielded
Non degratation of performance guaranteed through API that are thirf party between iOS kernel and applications
Activity validation
Personel involved
Sensitive data
Independent Third party is preferable
Data Sensitivity
On-site personel
off-site outsourcers (international corporates)
Response Time
Forensic tools: Commercial tools
Examine iOS Architecture and
evaluate tools to analyze Data in investigation process.

Objective
identify source of data
acquire data
process data
preserve integrity
legal methods
derive useful data
present evidence
Summary
iOS Architecture
Hierarchical File System Plus(HFS+)
Formatted with 512 byte block

Logical block:
static and numbered from the 1st to the last block available
Allocation block:
can be grouped together for efficiency matter

File System Structure
Extents overflow file:
holds additional extents for large file (file size, start block , block count)

Startup file:
facilitate booting of non-Mac OS from HFS+

Attributes file:
metadata of files with extended attributes

Allocation file:
specifies allocation block free or used

Catalog file:

B-tree, describe folder and file hierarchy on volume (ID, permission, creation date..)
Encryption and Data Protection
Hardware security

Dedicated AES 256-bit cryptographic engine between flash storage and main system memory

Accelerate encryption/decryption

Protection of user data that remains always encrypted in flash memory

UID as a key(fused in processor) to derive encryption keys (class D key) that are stored in PLOG block or Keybag in memory(critical area).
File data Protection

Encrypted HFS volume,
every file is assigned to a class depending on its security level(A,B,C,D).

Class D: Lowest level
Not derived from passcode but wrapped with value(Key0x835).
All application created associated with it except e-mail msgs and attachements.

New file -> Per-file-key generation -> file encrypted using AES CBC mode.

iPhone Trends
Forensic Methods and technique
Logical:
This approach acquires data directly from the iPhone and is preferred over recovering files from the computer the iPhone was synced with
However, the forensic analyst must understand how the acquisition occurs, if the iPhone is modified in any way and what the procedure is unable to acquire

Backup analysis:

Analyze a backup or logical copy of the iPhone file system using Apple’s protocol.
This procedure will read files from the iPhone using Apple’s synchronization protocol but is only able to acquire files explicitly synchronized by the protocol.

Physical bit-by-bit copy:

This process creates a physical bit-by-bit copy of the file system, similar to the approach taken in most computer forensic investigations.

While this approach has the potential for the greatest amount of data recovered (including deleted files), the process is more complicated and requires sophisticated analysis tools and techniques.

Technical processes for iPhone analysis

1-
Physical handling

2-Establishing communication

3-Forensic recovery

4-Electronic discovery

Oxygen Forensic Suite 2014


developed by Oxygen Software, is a mobile forensic software for logical analysis of cell phones, smartphones and PDAs.

Open source tools
IPhone analyzer:

IPhone analyzer is an open source software that explores the internal file structure of your iPhone using either the IPhone’s own backup files or ssh (for jail broken IPhones).

Recommendations

Establishment of a professional well trained team

Investment in training the team and getting the necessary tools and equipment.

Choose Either commercial : we recommend to buy Oxygen Forensic Suite
Or Open source: Invest in training a team on iOS programming and security in order to develop our own tools.

Santoku linux:

Linux distribution dedicated to mobile forensics, analysis, and security.
A commercial version “viaLab” is also available for sale from the ViaForensics (a lab specialized in mobile security, threat analysis and mobile forensics).

"The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable"
McKemmish(1999)
"Minimal handling of the original, account for any change, comply with the rules of evidence, and do not exceed your knowledge."
Performance
La Litterature
De Bourdeaudhuij et al. 2002 ;
Simpson & Karageorphis, 2006 ; Dalton & Behm, 2007 ; Eliott et al. 2004,2005 ; Crust, 2004 ; Birnbaum et al. 2009

Les effets bénéfiques
Impossible lors des compétitions:



Eliakim et al. 2007, 2012
Full transcript