In the chain of trust boot sequence, if we compromise one link, we can fully control all the links that follow. To load our custom Ramdisk, we have to bypass all these signature checks. Signature checks implemented at various stages in the boot sequence do not allow us to load our custom Ramdisk. Boot loader signature checks the kernel, and the kernel signature checks the Ramdisk. In DFU mode, iPhone follows the boot sequence with a series of signature checks as shown below. LLB signature checks and loads the stage 2 boot loader iBoot. BootRom contains all the root certificates to signature check the next stage. When an iPhone boots up, it walks through a chain of trust, which is a series of RSA signature checks among the software components in a specific order as shown below. In order to create and load the forensic toolkit, first we need to understand iPhone functions at the operating system level. The problem here is: the iPhone only loads firmware designed by Apple.
As the iPhone has only one serial port, we are going to load custom OS over the USB to access the hard disk of the device. To perform iPhone forensics, we use the Live CD approach.
So it is not easy to take out the chips hard disk and dump data into it. When we compare computers to the iPhone, it is an embedded device.
Imagine a computer which is protected with an OS level password - we can still access the hard disk data by booting a live CD, or by removing the hard disk and connecting it to another machine. The details shown below outline their research and give an overview on the usage of iPhone forensic tools. Researchers at Sogeti Labs have released open source forensic tools with the support of iOS 5 to recover low level data from the iPhone. This article explains the technical procedure and the challenges involved in extracting data from the live iPhone. Check out our 3 day iPhone and iOS forensics course now available.