Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Do you really want to delete this prezi?
Neither you, nor the coeditors you shared it with will be able to recover it again.
Make your likes visible on Facebook?
You can change this under Settings & Account at any time.
Transcript of iOS Forensics
Résultats et discussion
EFFET DE LA MUSIQUE ET DU CYCLE MENSTRUEL SUR LES PERFORMANCES LORS DES EXERCICES INTENSES DE COURTES DUREES
What Factors to consider?
Softwarre, hardware, physical security measures (anti-tamper)
Staff training, labor cost
Frequent action--> internally
Rare actions--> external party
Secure Boot chain:
signedBoot-up process(bootloader, kernel extensions)
Apple Root CA
If any fails the boot-up is aborted
Developers are identifiable with Apple Root CA
Chain of trust from iOS kernel to application
Runtime process Security:
HFS components are shielded
Non degratation of performance guaranteed through API that are thirf party between iOS kernel and applications
Independent Third party is preferable
off-site outsourcers (international corporates)
Forensic tools: Commercial tools
Examine iOS Architecture and
evaluate tools to analyze Data in investigation process.
identify source of data
derive useful data
Hierarchical File System Plus(HFS+)
Formatted with 512 byte block
static and numbered from the 1st to the last block available
can be grouped together for efficiency matter
File System Structure
Extents overflow file:
holds additional extents for large file (file size, start block , block count)
facilitate booting of non-Mac OS from HFS+
metadata of files with extended attributes
specifies allocation block free or used
B-tree, describe folder and file hierarchy on volume (ID, permission, creation date..)
Encryption and Data Protection
Dedicated AES 256-bit cryptographic engine between flash storage and main system memory
Protection of user data that remains always encrypted in flash memory
UID as a key(fused in processor) to derive encryption keys (class D key) that are stored in PLOG block or Keybag in memory(critical area).
File data Protection
Encrypted HFS volume,
every file is assigned to a class depending on its security level(A,B,C,D).
Class D: Lowest level
Not derived from passcode but wrapped with value(Key0x835).
All application created associated with it except e-mail msgs and attachements.
New file -> Per-file-key generation -> file encrypted using AES CBC mode.
Forensic Methods and technique
This approach acquires data directly from the iPhone and is preferred over recovering files from the computer the iPhone was synced with
However, the forensic analyst must understand how the acquisition occurs, if the iPhone is modified in any way and what the procedure is unable to acquire
Analyze a backup or logical copy of the iPhone file system using Apple’s protocol.
This procedure will read files from the iPhone using Apple’s synchronization protocol but is only able to acquire files explicitly synchronized by the protocol.
Physical bit-by-bit copy:
This process creates a physical bit-by-bit copy of the file system, similar to the approach taken in most computer forensic investigations.
While this approach has the potential for the greatest amount of data recovered (including deleted files), the process is more complicated and requires sophisticated analysis tools and techniques.
Technical processes for iPhone analysis
Oxygen Forensic Suite 2014
developed by Oxygen Software, is a mobile forensic software for logical analysis of cell phones, smartphones and PDAs.
Open source tools
IPhone analyzer is an open source software that explores the internal file structure of your iPhone using either the IPhone’s own backup files or ssh (for jail broken IPhones).
Establishment of a professional well trained team
Investment in training the team and getting the necessary tools and equipment.
Choose Either commercial : we recommend to buy Oxygen Forensic Suite
Or Open source: Invest in training a team on iOS programming and security in order to develop our own tools.
Linux distribution dedicated to mobile forensics, analysis, and security.
A commercial version “viaLab” is also available for sale from the ViaForensics (a lab specialized in mobile security, threat analysis and mobile forensics).
"The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable"
"Minimal handling of the original, account for any change, comply with the rules of evidence, and do not exceed your knowledge."
De Bourdeaudhuij et al. 2002 ;
Simpson & Karageorphis, 2006 ; Dalton & Behm, 2007 ; Eliott et al. 2004,2005 ; Crust, 2004 ; Birnbaum et al. 2009
Les effets bénéfiques
Impossible lors des compétitions:
Eliakim et al. 2007, 2012