Alexander Talipov is Project Manager at ElcomSoft Co. Ltd., a company that develops digital forensics tools. Alexander has given a number of talks and workshops on mobile and desktop forensics for Elcomsoft clients in Russia, Europe and Asia. He speaks regularly at forensic events and conferences all over the world.
Abstract
Accessing evidence stored in iOS devices (iPhones and iPads) is a challenge. Full-disk encryption stands in the way of low-level acquisition, while the many hardware- and system-level restrictions make physical extraction extremely difficult. At the same time, the iPhone must remain usable and accessible to the owner, which means a forensic specialist may still be able to get around iOS security measures.
iOS devices feature several layers of protection, which makes seizing, storing and transporting them a challenge requiring expertise. The latest versions of Apple’s mobile operating system actively resist forensic efforts by disabling the less secure biometric identification (Touch ID or Face ID) and blocking USB connectivity after a short period of time. Many of these restrictions can be effectively bypassed with proper timing and the right technique.
In this talk, we'll cover the entire iOS forensic workflow. We'll start from seizing, transporting and storing the device, and discuss approaches, methods and tools to access information and extract evidence. We’ll address USB restricted mode, talk about using existing pairing records to extract data from locked devices, and discuss physical acquisition via jailbreaking. We’ll look at the types of data Apple devices store and sync via iCloud, and learn how to extract that data. Finally, we will talk about extracting stored passwords from the local and iCloud keychains. Logical, physical and cloud acquisition methods will be covered.
Forensic Science: Latest Research, Technology and Innovation