iPhone forensics with Linux command line and bplister

Science and technology

iPhone (iOS) forensics is complicated somewhat by the unfamiliar data structures on the device. It is still possible to do a quick investigation of an iPhone dump with basic Linux command-line tools. We show how to use a few of those commands to search for files and file contents in an iPhone image for a quick, first-pass investigation.
Thank you to all of our Patrons for sponsoring DFIR Science.
Especially The Ranting Geek. Thank you so much!
If you are doing a forensic investigation of any Apple device, you will almost certainly run into binary property lists (bplists). You will need a parser to make sense of them. Luckily, a command-line tool, 'bplister', exists that can parse bplists pulled from an iPhone. Combine it with standard Linux tools (find, grep, file) and you have what you need for a quick, basic investigation of an iPhone dump. No need to be intimidated by iPhone forensics: treat it like a standard device investigation.
00:00 Working with an iPhone dump
00:08 Target data and basic commands
00:14 find
00:22 grep
00:50 grep special search
01:13 file
01:47 grep file contents
02:55 the problem with find and grep
03:30 iPhone specific artifacts
04:00 bplist analysis
04:22 bplister tool
05:00 run plist_parse.rb
05:38 data structures
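The chapters above walk through find, grep, file and then bplist parsing, and the caveats that come with each. The script below is an added example, not code from the video or from the bplister project, and it uses Python's standard plistlib as a stand-in for bplister so it runs anywhere. It builds a small constructed directory that stands in for an iPhone dump (the file names, values and "marsha"/"José" strings are made up), then shows three things: selecting bplists by their `bplist00` magic header rather than by extension (a bplist behind a `.dat` name is missed by `find -name '*.plist'`), a byte-level search equivalent to `grep -rl`, and a search over the decoded plist values. The last one matters because plistlib, like iOS, stores non-ASCII strings in a bplist as UTF-16BE, so a grep for the UTF-8 bytes of "José" finds nothing while the parsed search does.

```python
"""Triage a directory tree that stands in for an iPhone file-system dump (constructed data)."""
import os
import plistlib
import tempfile

BPLIST_MAGIC = b"bplist00"  # first 8 bytes of every binary plist


def build_sample_dump(root):
    """Create a tiny fake dump. Everything here is constructed, not from a real device."""
    os.makedirs(os.path.join(root, "Library", "Preferences"), exist_ok=True)
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    # A bplist with a sensible name, nested dict/array, and one non-ASCII string.
    # plistlib writes ASCII strings as raw bytes and non-ASCII strings as UTF-16BE.
    prefs = {
        "LastSignedInUser": "marsha@example.com",
        "RecentContacts": [{"name": "Jos\u00e9 Ruiz", "number": "+1555010199"}],
        "Settings": {"AirplaneMode": False, "Version": 3},
    }
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as f:
        f.write(plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY))
    # A bplist hiding behind an unrelated extension: find -name '*.plist' would miss it.
    with open(os.path.join(root, "Documents", "cache.dat"), "wb") as f:
        f.write(plistlib.dumps({"note": "meet marsha at noon"}, fmt=plistlib.FMT_BINARY))
    # A plain text file that grep handles fine.
    with open(os.path.join(root, "Documents", "todo.txt"), "w") as f:
        f.write("call marsha\n")


def find_bplists(root):
    """Like `find`, but select files by the bplist00 magic instead of the file name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if f.read(8) == BPLIST_MAGIC:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def raw_grep(root, needle):
    """Byte-level search, equivalent to `grep -rl`: cannot see UTF-16 strings inside bplists."""
    pattern = needle.encode("utf-8")
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if pattern in f.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def walk_plist(obj, path="$"):
    """Flatten the nested dict/array structure of a plist into (path, value) pairs."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_plist(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_plist(value, f"{path}[{i}]")
    else:
        yield path, obj


def parsed_grep(root, needle):
    """Search decoded plist values; this is where a parser beats grep."""
    hits = []
    for rel in find_bplists(root):
        with open(os.path.join(root, rel), "rb") as f:
            data = plistlib.load(f)  # stand-in for bplister's plist_parse.rb
        for path, value in walk_plist(data):
            if isinstance(value, str) and needle in value:
                hits.append((rel, path, value))
    return hits


def demo():
    """Build the constructed dump in a temp dir and run the three searches over it."""
    root = tempfile.mkdtemp(prefix="iphone_dump_")
    build_sample_dump(root)
    return {
        "bplists": find_bplists(root),
        "grep_marsha": raw_grep(root, "marsha"),
        "grep_jose": raw_grep(root, "Jos\u00e9"),
        "parsed_jose": parsed_grep(root, "Jos\u00e9"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same magic-byte check is what `file` relies on to report "Apple binary property list", so on a real dump `find <dump> -type f -exec file {} + | grep 'binary property list'` is the shell equivalent of `find_bplists`; the point of `parsed_grep` is that once you have the list, you search the parsed values, not the raw bytes.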
bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos
❤️ Get early access and bonus content - / dfirscience
Links:
* bplister: github.com/threeplanetssoftwa...
Marsha's iPhone Image:
* d17k3c8pvtyk2s.cloudfront.net...
* d17k3c8pvtyk2s.cloudfront.net...
* d17k3c8pvtyk2s.cloudfront.net...
Password: 02DB2ECE91DB67E8FA939FC3DC15D16B
#DFIR #iPhone #Linux
Help make DFIR tutorials
👍 Subscribe → bit.ly/2Ij9Ojc
🛒 Shop → swag.dfir.science
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
Tools to help manage your YouTube channel: www.tubebuddy.com/DFIRScience
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing and will probably allow its use.

Comments: 4

  • @StringCentral (2 years ago)

    How do you get an iPhone file dump? Through a backup file?

  • @DFIRScience (2 years ago)

    You could analyze an iPhone backup. You could use a commercial tool to acquire the device, which will normally get you the most amount of data. For some devices, you can also use the checkra1n vulnerability with ios_triage (github.com/RealityNet/ios_triage). I'm planning a video on how to do an acquisition using that method.

  • @StringCentral (2 years ago)

    @DFIRScience That would be great. Looking forward to it!

  • @garrysingh4484 (2 years ago)

    Please make this video!!