Part 1
Before You Touch the Device: First Response Procedures
The first few minutes matter because power state, network state, and unlock state can decide what data remains accessible.
Scene documentation
- Photograph the device in its found position before handling it.
- Note whether the screen is on or off, and record the visible battery level if available.
- Record physical condition, connected accessories, SIM presence, and whether it is charging.
- Document the environment, including Faraday bags, signal blockers, laptops, chargers, or nearby paired devices.
- Record the exact seizure time and date in UTC, plus local time zone context.
Network isolation is critical
A remote wipe through Find My iPhone or device management can destroy evidence quickly. Isolate the device as early as possible while preserving its current power and unlock state.
- If the screen is accessible, enable Airplane Mode, then manually disable Wi-Fi and Bluetooth because newer iOS versions may leave them active.
- If available, place the device in a tested Faraday bag that blocks cellular, Wi-Fi, Bluetooth, and GPS signals.
- Keep the device powered and charging when possible, especially if it may already be in After First Unlock state.
- Do not use signal jamming unless it is lawful in your jurisdiction and approved by your organisation.
BFU vs AFU
Before First Unlock and After First Unlock are central concepts in iOS forensics. If an iPhone has rebooted and the passcode has not been entered, many encryption keys are unavailable.
| State | Full name | Meaning | Data accessible |
|---|---|---|---|
| BFU | Before First Unlock | Device rebooted and passcode not entered since boot | Very limited data |
| AFU | After First Unlock | Passcode entered at least once since last boot | Much more data with suitable tools |
Power warning
Avoid powering off an iPhone with an unknown passcode unless absolutely necessary. After reboot, iOS requires the passcode before Face ID or Touch ID works, and the device returns to BFU state.
Part 2
iOS Security Architecture
iOS forensic decisions depend on hardware-backed encryption, the Secure Enclave, file protection classes, and the passcode state.
Secure Enclave Processor
The Secure Enclave is a dedicated coprocessor present in modern iPhones. It manages cryptographic operations, protects biometric matching, enforces passcode attempt controls, and keeps critical device keys isolated from normal software.
UID and GID keys
- The UID key is unique to each device and is burned into silicon. It never leaves the hardware and is part of the user data encryption chain.
- The GID key is shared by devices with the same chip family and is used for firmware-related operations, not ordinary user data access.
iOS data protection classes
| Class | Name | When accessible | Common use |
|---|---|---|---|
| A | Complete Protection | Only while unlocked; the class key is discarded shortly after the device locks | Most sensitive app data |
| B | Protected Unless Open | While unlocked, or a file already open at lock time can keep being written until it is closed | Mail attachments and other downloads that finish in the background |
| C | Protected Until First User Authentication | After the first unlock since boot, even while the device is later locked (the default class) | Most of the user data set |
| D | No Protection | Always; the class key is protected only by the UID | Files that must be readable before any unlock, including some system files |
Secure boot chain and passcode limits
- Every stage of the iOS boot process is cryptographically signed by Apple.
- Unsigned boot code and arbitrary downgrade workflows are blocked on modern devices.
- Without the passcode, Class A data becomes unavailable as soon as the device locks, and Class C data stays unavailable until the first unlock after boot (BFU); on modern devices both may therefore be out of reach.
- With the passcode and a trusted acquisition path, full file system extraction may be possible on supported devices.
Part 3
iOS Device and Chip Compatibility Matrix
The chip generation tells you whether Checkm8-style bootrom workflows are possible and how realistic full file system extraction may be. Treat the matrix as a snapshot: what a tool can actually extract also depends on the installed iOS version and the tool release, so confirm against the vendor's current support matrix before planning an acquisition.
Compatibility overview
| Device family | Chip | Checkm8 | Full FS with passcode | BFU extraction |
|---|---|---|---|---|
| iPhone 5s | A7 | Yes | Yes | Partial |
| iPhone 6 / 6 Plus | A8 | Yes | Yes | Partial |
| iPhone 6s / SE 1st gen | A9 | Yes | Yes | Partial |
| iPhone 7 / 7 Plus | A10 | Yes | Yes | Partial |
| iPhone 8 / X | A11 | Yes | Yes | Partial |
| iPhone XS / XR / 11 series | A12 / A13 | No | Yes, passcode needed | Very limited |
| iPhone 12 series | A14 | No | Yes, passcode needed | Very limited |
| iPhone 13 series | A15 | No | Yes, passcode needed | Very limited |
| iPhone 14 series | A15 / A16 | No | Limited | Almost none |
| iPhone 15 / 16 series | A16 / A17 Pro / A18 | No | Limited | Almost none |
Part 4
Acquisition Methods: Least to Most Invasive
Choose the least destructive method that satisfies the evidence need, legal authority, and device state.
Manual acquisition
Manual acquisition means photographing, recording, or screen-capturing visible content. It is useful when the device is unlocked and time is critical, but it is incomplete, slow, and weak for metadata preservation.
iCloud acquisition
If Apple ID credentials or lawful process are available, iCloud can provide messages, photos, contacts, calendars, notes, backups, Safari data, and app data depending on account settings.
- Useful tools include Cellebrite UFED Cloud Analyzer, Oxygen Forensic Detective, Magnet AXIOM Cloud, and iMazing for limited consumer review.
- Apple legal process may return iCloud backup contents, iCloud Drive, Photos, Mail, Contacts, Calendars, Bookmarks, and Maps history.
- Advanced Data Protection greatly reduces what Apple can decrypt because many iCloud categories become end-to-end encrypted.
iTunes and Finder local backups
A local backup can be easier to access than the device and is often the safest teaching workflow. Encrypted backups preserve more data classes than unencrypted backups, but require the backup password.
# Windows local backup location
C:\Users\[username]\AppData\Roaming\Apple Computer\MobileSync\Backup\
# macOS local backup location
~/Library/Application Support/MobileSync/Backup/
# libimobiledevice backup workflow (pairing needs a trusted, unlocked device)
ideviceinfo
idevice_id -l
idevicebackup2 backup --full /path/to/evidence/backup/
idevicebackup2 list
Backup file structure
iOS backups are stored as a directory of files named by hash: each fileID is the SHA-1 of the string domain-relativePath, and backups from iOS 10 onward shard the files into 256 subdirectories named by the first two hex characters of that ID. Manifest.db maps those IDs back to domains and original relative paths. In an encrypted backup Manifest.db is itself encrypted and can only be read after the backup password has been supplied.
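A worked example of the naming scheme, added here and not part of the original guide or any vendor tool: it rebuilds the fileID from domain and relativePath, locates the file on disk, and rechecks every manifest row against its own hash so an edited or mis-parsed manifest stands out. The Manifest.db is constructed in memory with the Files schema of an unencrypted backup; the flag values (1 file, 2 directory, 4 symlink) and the WhatsApp domain string are assumptions made for the example.

```python
import hashlib
import os
import sqlite3

# Flag values used in the Files table of Manifest.db (assumed for this example)
FLAG_FILE, FLAG_DIRECTORY, FLAG_SYMLINK = 1, 2, 4


def backup_file_id(domain, relative_path):
    """Return the fileID a backup uses for domain + relativePath: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def on_disk_path(backup_dir, file_id, sharded=True):
    """Locate the backed-up file. iOS 10 and later place it in a subdirectory named by the first
    two hex characters of the fileID; older backups keep every file flat in the backup directory."""
    if sharded:
        return os.path.join(backup_dir, file_id[:2], file_id)
    return os.path.join(backup_dir, file_id)


def find_files(manifest, pattern):
    """Rows of Files whose relativePath matches a SQL LIKE pattern, as (fileID, domain, relativePath, flags)."""
    return manifest.execute(
        "SELECT fileID, domain, relativePath, flags FROM Files "
        "WHERE relativePath LIKE ? ORDER BY domain, relativePath",
        (pattern,),
    ).fetchall()


def check_manifest_integrity(manifest):
    """Recompute every fileID from its domain and relativePath. A row whose stored fileID does not
    match was edited, mis-parsed, or belongs to a format this check does not understand."""
    bad = []
    for file_id, domain, rel in manifest.execute("SELECT fileID, domain, relativePath FROM Files"):
        if backup_file_id(domain, rel) != file_id:
            bad.append((file_id, domain, rel))
    return bad


def constructed_manifest():
    """Constructed stand-in for an unencrypted Manifest.db using the Files schema of a real backup."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT, flags INTEGER, file BLOB)"
    )
    entries = [
        ("HomeDomain", "Library/SMS", FLAG_DIRECTORY),
        ("HomeDomain", "Library/SMS/sms.db", FLAG_FILE),
        ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata", FLAG_FILE),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", FLAG_FILE),
        ("AppDomainGroup-group.net.whatsapp.WhatsApp.shared", "ChatStorage.sqlite", FLAG_FILE),
    ]
    for domain, rel, flags in entries:
        con.execute(
            "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
            (backup_file_id(domain, rel), domain, rel, flags),
        )
    # One deliberately inconsistent row, standing in for a manifest edited after acquisition
    con.execute(
        "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
        ("00" * 20, "HomeDomain", "Library/Notes/notes.sqlite", FLAG_FILE),
    )
    con.commit()
    return con


if __name__ == "__main__":
    manifest = constructed_manifest()
    for file_id, domain, rel, flags in find_files(manifest, "%sms%"):
        print(file_id, domain, rel, flags, on_disk_path("/evidence/backup/UDID", file_id))
    print("inconsistent rows:", check_manifest_integrity(manifest))
    print("sms.db fileID:", backup_file_id("HomeDomain", "Library/SMS/sms.db"))
```

Against a real unencrypted backup, replace `constructed_manifest()` with `sqlite3.connect("file:Manifest.db?mode=ro", uri=True)` on a working copy; the integrity check then doubles as a quick test that the backup directory and manifest belong together.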
sqlite3 Manifest.db "SELECT fileID, domain, relativePath FROM Files WHERE relativePath LIKE '%sms%';"
Logical acquisition through AFC
Apple File Conduit exposes media-oriented areas on a trusted paired connection. It is useful for photos and media, but not a full app sandbox or system extraction.
# Mount a trusted device with ifuse
ifuse /mnt/ios_device/
# Review and copy media
ls /mnt/ios_device/
cp -r /mnt/ios_device/DCIM/ /evidence/photos/
Full file system extraction
Full file system extraction is the most valuable acquisition class because it can include app sandboxes, system databases, keychain material, location artifacts, and SQLite databases.
- Checkm8 applies to A5 through A11 devices because the vulnerability is in bootrom hardware and cannot be patched by iOS updates.
- Forensic tools that use this class of workflow include Cellebrite UFED, Elcomsoft iOS Forensic Toolkit, Magnet AXIOM, and checkra1n-based approaches.
- Modern A12+ devices usually require the passcode and a supported agent-based extraction path.
- GrayKey is a restricted law-enforcement-only platform and should be discussed as context, not as a general student workflow.
Physical acquisition limitations
JTAG and chip-off approaches are rarely useful for iPhones. NAND contents have been encrypted with keys derived from the device-unique UID since the iPhone 3GS, and since the iPhone 5s those keys are managed by the Secure Enclave, so removing the storage chip yields ciphertext rather than readable user data.
Part 5
Software Tools
Students should understand both commercial forensic suites and free research tools, because each category teaches different parts of the workflow.
Commercial tools
| Tool | Strengths | Typical use |
|---|---|---|
| Cellebrite UFED | Large device support, logical, file system, physical, and cloud workflows | Law enforcement and enterprise mobile forensics |
| Magnet AXIOM | Timeline, cloud, app parsing, media categorisation, and broad artifact review | Investigations that need strong analysis and reporting |
| Oxygen Forensic Detective | Cloud extraction, social app parsing, SQLite and timeline tools | Cases involving app-heavy or international artifacts |
| Elcomsoft iOS Forensic Toolkit | Granular iOS extraction control, Checkm8 support, keychain-focused workflows | Technical iOS examinations |
| Elcomsoft Phone Breaker | iCloud access and encrypted backup decryption workflows | Backup and cloud-focused examinations |
Open source and free tools
| Tool | Purpose |
|---|---|
| libimobiledevice | Communicate with iOS devices, gather device info, create backups, capture screenshots, and stream syslog |
| checkra1n | Checkm8-based jailbreak workflow; the tool supports A7-A11 devices (iPhone 5s through iPhone X), although the underlying bootrom bug spans A5-A11 |
| iLEAPP | Parse iOS logs, events, plists, app usage, Wi-Fi, notifications, health data, and location artifacts |
| APOLLO | Analyse Apple pattern-of-life databases and build activity timelines |
| Autopsy | Free digital forensics platform with backup support and search/timeline features |
| DB Browser for SQLite | Manually inspect SQLite databases and export query results |
| Bulk Extractor | Carve emails, URLs, phone numbers, and other patterns from images or files |
Useful commands
# Install libimobiledevice on Ubuntu
sudo apt install libimobiledevice-utils
# Install on macOS
brew install libimobiledevice
# Common utilities
ideviceinfo
idevice_id -l
idevicebackup2 backup --full /path/to/backup/
idevicescreenshot screenshot.png   # needs the developer disk image mounted first (ideviceimagemounter)
idevicesyslog
# iLEAPP, run from a clone of the project with its requirements installed
git clone https://github.com/abrignoni/iLEAPP
cd iLEAPP && pip install -r requirements.txt
python ileapp.py -t fs -i /path/to/extracted_fs/ -o /path/to/output/
# APOLLO (confirm the option set with python apollo.py -h for the version you cloned)
git clone https://github.com/mac4n6/APOLLO
python apollo.py -o sql -p ios -v yolo modules/ /path/to/extracted_db_files/
Part 6
Key iOS Databases and Artifact Locations
Once you have a backup or file system extraction, these paths are common starting points for communication, location, activity, account, and app review.
Communications
# SMS and iMessage
/private/var/mobile/Library/SMS/sms.db
# Tables: message, chat, handle, attachment
# Call history
/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
# Table: ZCALLRECORD
# Voicemail
/private/var/mobile/Library/Voicemail/voicemail.db
SMS query example
-- message.date is nanoseconds since 2001-01-01 on iOS 11 and later (plain seconds on older versions);
-- this query assumes the nanosecond form, so drop the /1000000000 for an older database
SELECT
datetime(message.date/1000000000 + strftime('%s','2001-01-01'), 'unixepoch') AS date,
handle.id AS contact,
message.text,
message.is_from_me
FROM message
JOIN handle ON message.handle_id = handle.ROWID
ORDER BY message.date;
Location data
# Significant locations and routined data
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
/private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite
# Maps search history
/private/var/mobile/Library/Maps/GeoHistory.mapsdata
# Location services usage by app
/private/var/mobile/Library/LocationD/clients.plist
Device activity and media
# App usage and screen time
/private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite
# Spotlight searches
/private/var/mobile/Library/Spotlight/com.apple.Spotlight.index/
# Notifications
/private/var/mobile/Library/UserNotifications/[UUID]/store.sqlite3
# Photos metadata
/private/var/mobile/Media/PhotoData/Photos.sqlite
Accounts, credentials, and Wi-Fi
# Keychain, requires supported extraction and key access
/private/var/Keychains/keychain-2.db
# Apple ID accounts
/private/var/mobile/Library/Accounts/Accounts3.sqlite
# Known Wi-Fi networks
/private/var/preferences/com.apple.wifi.known-networks.plist
Third-party app examples
# WhatsApp
/private/var/mobile/Containers/Shared/AppGroup/[UUID]/ChatStorage.sqlite
# Telegram
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/
# Signal, SQLCipher encrypted and requires key extraction
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/database/signal.sqlite
# Snapchat
/private/var/mobile/Containers/Data/Application/[UUID]/Library/Caches/
# Chrome
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/ChromeProfile/History
Part 7
Recovering Deleted Data
Deleted data recovery depends on SQLite free pages, WAL files, APFS copy-on-write behaviour, snapshots, and whether data blocks have been overwritten.
How deletion often behaves on iOS
- SQLite rows may remain in free pages until overwritten.
- SQLite WAL files can preserve recent changes and deleted records.
- APFS copy-on-write behaviour may leave older data versions in unallocated areas or snapshots.
- Recovery depth depends heavily on acquisition type and encryption state.
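The example below is added here (it is not from the original guide) to make the first two bullets concrete: it creates a constructed WAL-mode database, inserts and then deletes a message, shows that the live table is empty, and then parses the -wal file frame by frame to find the deleted text. The WAL layout it parses (32-byte file header, 24-byte frame headers, one page per frame, salts that mark stale frames) is the documented SQLite format; the database, table and message text are constructed for the demonstration.

```python
import os
import sqlite3
import struct
import tempfile

WAL_MAGICS = (0x377F0682, 0x377F0683)  # the two checksum byte-order variants


def parse_wal_frames(wal_path):
    """Parse a SQLite write-ahead log: a 32-byte file header followed by frames, each a 24-byte
    frame header plus one full database page. Returns (page_size, frames)."""
    with open(wal_path, "rb") as fh:
        data = fh.read()
    if len(data) < 32:
        return 0, []
    magic, _version, page_size, _ckpt_seq, salt1, salt2, _ck1, _ck2 = struct.unpack(">8I", data[:32])
    if magic not in WAL_MAGICS:
        raise ValueError(f"{wal_path} is not a SQLite WAL file")
    frames, offset = [], 32
    while offset + 24 + page_size <= len(data):
        pgno, commit_size, fsalt1, fsalt2, _fck1, _fck2 = struct.unpack(">6I", data[offset:offset + 24])
        frames.append({
            "index": len(frames),
            "page": pgno,
            "commit": commit_size != 0,                    # last frame of a committed transaction
            "stale": (fsalt1, fsalt2) != (salt1, salt2),    # left over from an earlier WAL generation
            "data": data[offset + 24:offset + 24 + page_size],
        })
        offset += 24 + page_size
    return page_size, frames


def frames_containing(wal_path, needle):
    """Indices of WAL frames whose page image still contains needle, stale frames included."""
    _page_size, frames = parse_wal_frames(wal_path)
    return [fr["index"] for fr in frames if needle in fr["data"]]


def demo(needle=b"meet at the pier at nine"):
    """Constructed WAL-mode database: insert a message, delete it, then inspect the files before
    the connection closes (closing the last connection checkpoints and removes the -wal file,
    which is why -wal and -shm must be copied together with the database during acquisition)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "sms.db")
        con = sqlite3.connect(db_path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, text TEXT)")
        con.execute("INSERT INTO message (date, text) VALUES (?, ?)", (715000000 * 10**9, needle.decode()))
        con.commit()
        con.execute("DELETE FROM message WHERE text = ?", (needle.decode(),))
        con.commit()
        live_rows = con.execute("SELECT count(*) FROM message").fetchone()[0]
        wal_hits = frames_containing(db_path + "-wal", needle)
        _page_size, frames = parse_wal_frames(db_path + "-wal")
        with open(db_path, "rb") as fh:
            in_main = needle in fh.read()  # nothing reaches the main file until a checkpoint
        con.close()
        return {
            "live_rows": live_rows,
            "wal_frames": len(frames),
            "wal_frames_with_text": wal_hits,
            "in_main_db_before_checkpoint": in_main,
        }


if __name__ == "__main__":
    print(demo())
```

The page image written by the INSERT commit is never modified by the later DELETE commit, which writes a fresh copy of the page; that is why the deleted text survives in an earlier frame even on SQLite builds compiled with secure_delete. Run `frames_containing()` against a copied -wal file from an extraction to see which frames, including stale ones, still hold a string of interest.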
WAL and file carving commands
# Check for SQLite companion files
ls -la /path/to/sms.db*
# sms.db
# sms.db-wal
# sms.db-shm
# Carve common media from a decrypted image (carving an encrypted image yields nothing useful)
foremost -i ios_filesystem.dmg -o /output/ -t jpg,png,mov,pdf
# mp4 is not a built-in foremost type; add a custom signature to foremost.conf if you need it
# APFS local snapshots of a volume mounted on the macOS examination host
tmutil listlocalsnapshotdates
Part 8
Building a Timeline
Timeline work correlates file system times, SQLite timestamps, photos, notifications, location artifacts, app logs, and iCloud sync events.
Common iOS timestamp sources
- File system MAC times: modified, accessed, and changed timestamps.
- SQLite timestamps, often stored as Cocoa time: seconds since 2001-01-01.
- EXIF timestamps and GPS metadata from photos and videos.
- Plist timestamps, notification timestamps, and app-specific time formats.
- Cloud sync timestamps and location history records.
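The following Python is an added example, not the guide's own tooling, and serves both the SMS query in Part 6 and the list of timestamp sources above: it normalises Cocoa seconds, Cocoa nanoseconds and Unix epoch values to timezone-aware UTC datetimes and merges sms.db and CallHistory.storedata records with a file system mtime into one sorted timeline. The two databases are constructed in memory with only the columns the queries use; the phone number, message text and times are invented sample data.

```python
import datetime as dt
import sqlite3

COCOA_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def cocoa_to_utc(value):
    """Convert a Cocoa/Core Data timestamp to an aware UTC datetime.
    Seconds since 2001 (CallHistory ZDATE, pre-iOS 11 sms.db) stay below 1e10 for centuries,
    while iOS 11+ sms.db stores nanoseconds (around 1e17), so magnitude tells the two apart."""
    if value is None:
        return None
    seconds = float(value)
    if abs(seconds) > 1e11:
        seconds /= 1e9
    return COCOA_EPOCH + dt.timedelta(seconds=seconds)


def unix_to_utc(value):
    """Unix epoch seconds (file system MAC times, most tool exports) to an aware UTC datetime."""
    return UNIX_EPOCH + dt.timedelta(seconds=float(value))


def sms_events(con):
    """Events from sms.db: the same join as the SMS query in Part 6, normalised to UTC."""
    rows = con.execute(
        "SELECT message.date, handle.id, message.text, message.is_from_me "
        "FROM message LEFT JOIN handle ON message.handle_id = handle.ROWID"
    )
    return [
        (cocoa_to_utc(date), "sms.db", f"{'to' if from_me else 'from'} {contact}: {text}")
        for date, contact, text, from_me in rows
    ]


def call_events(con):
    """Events from CallHistory.storedata; ZDATE is Cocoa seconds stored as a REAL."""
    rows = con.execute("SELECT ZDATE, ZADDRESS, ZDURATION, ZORIGINATED FROM ZCALLRECORD")
    return [
        (cocoa_to_utc(zdate), "CallHistory.storedata",
         f"{'outgoing' if originated else 'incoming'} call {address}, {int(duration)} s")
        for zdate, address, duration, originated in rows
    ]


def build_timeline(*event_lists):
    """Merge any number of event lists into one chronological list of (utc, source, description)."""
    return sorted((ev for evs in event_lists for ev in evs), key=lambda ev: ev[0])


def constructed_evidence():
    """Constructed stand-ins for sms.db and CallHistory.storedata with the columns used above.
    Real files should be opened read-only on a copy that includes the -wal and -shm companions:
    sqlite3.connect('file:sms.db?mode=ro', uri=True)."""
    sms = sqlite3.connect(":memory:")
    sms.executescript(
        "CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);"
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, text TEXT,"
        "                      is_from_me INTEGER, handle_id INTEGER);"
        "INSERT INTO handle VALUES (1, '+15555550100');"
        "INSERT INTO message VALUES (1, 715000000000000000, 'meet at the pier at nine', 0, 1);"
        "INSERT INTO message VALUES (2, 715000400000000000, 'on my way', 1, 1);"
    )
    calls = sqlite3.connect(":memory:")
    calls.executescript(
        "CREATE TABLE ZCALLRECORD (Z_PK INTEGER PRIMARY KEY, ZDATE REAL, ZADDRESS TEXT,"
        "                          ZDURATION REAL, ZORIGINATED INTEGER);"
        "INSERT INTO ZCALLRECORD VALUES (1, 715000100.5, '+15555550100', 42.0, 1);"
    )
    return sms, calls


def demo_timeline():
    sms, calls = constructed_evidence()
    # A file system mtime (Unix epoch) for a photo, constructed to fall between the two messages
    fs_events = [(unix_to_utc(1693307300), "fs mtime", "IMG_0001.JPG modified")]
    return build_timeline(sms_events(sms), call_events(calls), fs_events)


if __name__ == "__main__":
    for when, source, what in demo_timeline():
        print(when.isoformat(), source, what)
```

Every event carries an aware UTC datetime, so artifacts recorded in different units sort correctly and can be rendered in the seizure time zone at report time rather than converted by hand for each source.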
Convert Cocoa timestamps
import datetime
def cocoa_to_datetime(cocoa_timestamp):
    # Cocoa/Core Data time is seconds since 2001-01-01 00:00:00 UTC; keep the result timezone-aware
    cocoa_epoch = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)
    return cocoa_epoch + datetime.timedelta(seconds=cocoa_timestamp)
print(cocoa_to_datetime(715000000))
Timeline tools
# Plaso / log2timeline: list the available parsers and presets with log2timeline.py --info,
# then restrict the run with --parsers to the ones relevant to the artifact set
log2timeline.py --storage-file ios_timeline.plaso /path/to/backup/
# Export to CSV
psort.py -o l2tcsv -w timeline.csv ios_timeline.plaso
Part 9
Reporting and Chain of Custody
A forensic report should be reproducible. Hash evidence, document tools and versions, and separate findings from speculation.
Hashing for integrity
# Hash the extracted image (rely on SHA-256; keep MD5 only for tools that still expect it)
md5sum ios_filesystem.dmg > ios_filesystem.md5
sha256sum ios_filesystem.dmg > ios_filesystem.sha256
# Verify later
sha256sum -c ios_filesystem.sha256
Chain of custody records
- Who seized the device, when, and where.
- Device state at seizure: powered on/off, locked/unlocked, battery percentage, and network state.
- Every tool used, including version number and validation notes.
- Every command run, with timestamp and operator.
- Who had custody at each point and how the device was stored.
- Hash values of acquired images, backups, exports, and key evidence files.
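An added example (not the guide's or any tool's code) covering the hashing commands above and the last bullet: it produces a sha256sum-compatible manifest for every file in an acquisition directory and re-verifies it later, reporting modified, missing and unexpected files, which is what a custody check on a file system extraction of many thousands of files needs. The directory tree, file contents and tampering are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so multi-gigabyte images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path -> sha256). Symlinks are never followed,
    so a link pointing outside the evidence tree cannot pull foreign data into the manifest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest, out_path):
    """Write 'hash  path' lines; the two-space separator keeps the file usable with sha256sum -c."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify_against(root, manifest):
    """Compare the tree under root with a recorded manifest; every non-empty list is a change."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed acquisition directory: record it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "acquisition")
        os.makedirs(os.path.join(root, "private/var/mobile/Library/SMS"))
        files = {
            "private/var/mobile/Library/SMS/sms.db": b"SQLite format 3\x00constructed",
            "private/var/mobile/Library/SMS/sms.db-wal": b"\x37\x7f\x06\x82constructed",
            "acquisition.log": b"extraction started 2024-01-01T00:00:00Z\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        manifest_path = os.path.join(tmp, "acquisition.sha256")  # beside, not inside, the tree
        write_manifest(build_manifest(root), manifest_path)
        clean = verify_against(root, read_manifest(manifest_path))
        # Tamper: append to one file, delete one, add one
        with open(os.path.join(root, "acquisition.log"), "ab") as fh:
            fh.write(b"edited after hashing\n")
        os.remove(os.path.join(root, "private/var/mobile/Library/SMS/sms.db-wal"))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"examiner notes do not belong in the evidence tree")
        tampered = verify_against(root, read_manifest(manifest_path))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh:", clean)
    print("after tampering:", tampered)
```

Store the manifest and its own SHA-256 in the custody record; because the file format matches `sha256sum -c`, a reviewer can re-verify the extraction with the standard tool rather than this script.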
Professional report structure
- Executive summary with a non-technical overview of findings.
- Examiner qualifications and role.
- Evidence received, including device description, serial, IMEI where lawful, and condition.
- Tools used, methodology, and limitations.
- Findings with screenshots, artifact paths, timestamps, and interpretation.
- Timeline reconstruction and factual conclusions.
- Appendices containing raw data, hashes, exported tables, and tool logs.
Part 10
Quick Reference Summary
Decision tree
Device found -> Is it on?
NO -> Do not power on if passcode is unknown
-> Use Checkm8 only if A11 or older and legally authorised
-> Chip-off will usually remain encrypted
YES -> Is it unlocked or in AFU state?
YES -> Preserve power and network isolation
-> Use trusted forensic acquisition workflow
NO -> Is it A11 or older?
YES -> Consider Checkm8-supported forensic extraction
NO -> Passcode, iCloud, existing backups, legal process, or restricted LE tools may be needed
Certification paths
| Certification | Body | Focus |
|---|---|---|
| CCME | Cellebrite | Cellebrite tool proficiency |
| CFCE | IACIS | General digital forensics |
| CCE | ISFCE | Certified Computer Examiner |
| GCFE | GIAC | Windows host forensics |
| EnCE | OpenText | EnCase platform |
| MCFE | MSAB | Mobile forensics |
Staying current
iOS forensics changes constantly as Apple ships new hardware, iOS versions, and security patches. Serious practitioners should keep tools updated, validate methods with test devices, follow forensic research communities, and study work from researchers such as Sarah Edwards, Alexis Brignoni, and Lesley Carhart.