iPhone forensics involves bypassing an iPhone's passcode restrictions, reading its encrypted file system, and recovering deleted files. This is done by creating a forensic toolkit on the device without damaging evidence, establishing communication between the device and computer, and patching the iPhone's chain of trust from the BootRom to kernel. References provide more information on the iPhone's data protection and tools for forensic investigation.

1. iPhone Forensics
Satish B
Email: satishb3@securitylearn.net

2. Chain Of Trust – Normal Mode
BootRom
Low Level
Bootloader
iBoot
Kernel User Applications
2

3. Chain Of Trust – DFU Mode
BootRom
iBSS
iBEC
Kernel RAM DISK
3

4. Breaking the Chain Of Trust
limera1n BootRom
Patch iBSS
Patch iBEC
Patch Kernel
Custom RAM
DiSK
4

5. Forensics
 Creating & Loading forensic toolkit on to the device without damaging the
evidence
 Establishing a communication between the device and the computer
 Bypassing the iPhone passcode restrictions
 Reading the encrypted file system
 Recovering the deleted files
5

6. References
 iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald
http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-
iphonedataprotection.pdf
 iPhone data protection tools
 http://code.google.com/p/iphone-dataprotection/
 ‘Handling iOS encryption in forensic investigation’ by Jochem van Kerkwijk
 iPhone Forensics by Jonathan Zdziarski
 iPhone forensics white paper – viaforensics
 Keychain dumper
 25C3: Hacking the iPhone
 The iPhone wiki
6

7. Thank You
Satishb3@securitylearn.net
http://www.securitylearn.net
7