Over its last few releases, Apple’s iOS—the operating system running on iPhones, iPads, and other mobile devices—has steadily enhanced its offerings designed for both security and user convenience. Each sub-version of both iOS 10 and 11 added or changed small features that have drastically changed the forensic workflow.
In this paper, we’ll describe how to:
- Access more evidentiary data with new acquisition methods and tools, including GrayKey, biometric authentication, and even encrypted backups that you can create yourself.
- Look for data stored in new or different .plist and SQLite database locations, as well as entirely new datasets including .plists associated with the Do Not Disturb While Driving feature.
- Understand artifact changes, such as the new nanosecond timestamp format, Safari browser history, and new high efficiency photo and video file formats, that might affect how your forensic tool parses data.