This article is a comprehensive walkthrough of TryHackMe’s “iOS Forensics” room, designed to help learners practice digital forensic techniques on iPhone devices. The scenario involves analyzing a file system dump from a suspect’s iPhone to gather evidence relevant to criminal investigations.

Trust Certificates and Acquisition Methods
A significant portion of this article explains the importance of trust certificates in iOS device acquisition. Trust certificates are created when an iPhone is connected to a trusted computer, allowing authorized backups. Investigators can extract these certificates from a suspect’s computer to bypass iPhone trust prompts, facilitating logical file system acquisition using iTunes.
File System Navigation & Data Repositories
Key directories such as /var/mobile/Library/SMS are explored for SMS databases, while /Library/Safari houses browsing history and bookmarks. Knowing these locations is essential for efficient forensic analysis.
Detailed SMS & Contact Analysis

By accessing SQLite databases, the investigator retrieves SMS messages, pinpointing communications with a recipient named Lewis Randall. Similarly, contacts are examined to identify individuals stored in the address book, showcasing practical steps to extract personal data.
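As an added example (not part of the room or of the original walkthrough), the Python script below shows the kind of query an analyst runs against the Messages database to answer the "23rd of August 2020" question: it joins the message and handle tables, converts Apple's 2001-based timestamps (seconds on older iOS, nanoseconds from iOS 11 onwards) to UTC, and filters by calendar day. The table layout is reduced to the columns needed here and the rows are constructed sample data, not content from the room's image.

```python
import sqlite3
from datetime import date, datetime, timedelta, timezone

# Apple "Core Data" epoch used by sms.db: seconds since 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value):
    """Convert an sms.db 'date' value to an aware UTC datetime.

    Older iOS versions store seconds since the Apple epoch; iOS 11 and later
    store nanoseconds. A seconds value above 10**12 would be tens of
    thousands of years in the future, so anything that large is nanoseconds.
    """
    if value > 10**12:
        value = value / 1_000_000_000
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Constructed in-memory database modelled on the sms.db tables used here
    (handle, message). The phone numbers, texts and timestamps are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
            date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+441234567890');
        INSERT INTO handle VALUES (2, '+449876543210');
        -- nanosecond timestamp (iOS 11+): 2020-08-23 14:05:00 UTC
        INSERT INTO message VALUES (1, 'Did you get the goods?', 1, 619884300000000000, 1);
        -- second-resolution timestamp (older iOS): 2019-03-01 09:00:00 UTC
        INSERT INTO message VALUES (2, 'Running late', 2, 573123600, 0);
    """)
    return con


def messages_on(con, day):
    """Return (utc_datetime, direction, counterpart, text) for messages on `day`."""
    rows = con.execute("""
        SELECT m.date, m.is_from_me, h.id, m.text
        FROM message m JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.date""").fetchall()
    out = []
    for raw, is_from_me, counterpart, text in rows:
        when = apple_time_to_utc(raw)
        if when.date() == day:
            # is_from_me = 1 means the device owner sent it; the handle is then the recipient.
            out.append((when, "sent" if is_from_me else "received", counterpart, text))
    return out


if __name__ == "__main__":
    for row in messages_on(build_sample_db(), date(2020, 8, 23)):
        print(*row)
```

In a real examination the same query runs against the extracted sms.db, where the handle id is matched against the AddressBook database to put a name to the number.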
Bookmarks and Browsing History Examination
The forensic process extends to browser data. By navigating Safari’s directories, bookmarks and browsing history are reviewed. A noteworthy bookmark to “block.symantec.com.uk” is identified, illustrating how browser artifacts can reveal suspect interests and online behavior.
Email Artifacts and Remote ID Tracing

Email databases are scrutinized to extract remote IDs of senders, crucial for tracking communication sources. This segment highlights how forensic experts trace digital correspondence back to potential perpetrators.
Forensic Image Analysis
Investigating images stored in the iPhone’s DCIM folder, the instructor demonstrates how to extract metadata, including company names present in images. This process is vital for uncovering hidden links between suspects and organizations.
Analyzing Cookies and Application Data
Cookies, often stored in plist files, are explored to reveal persistent data left by web interactions. The video explains how property list files, formatted in XML, are parsed to extract cookie values, providing evidence of user activity on platforms like TryHackMe.
Extended Investigations – Voicemail, Usage Metrics & Wi-Fi Logs
The bonus section introduces further forensic tasks: analyzing application usage metrics (e.g., Skype activity), reviewing the Wi-Fi networks the device has connected to, and examining calendar entries. While much of this data is redacted, the methodologies remain instructive for real-world applications.
Tools of the Trade
Throughout the session, the importance of tools like SQLite viewers and text editors (e.g., Sublime Text) is highlighted. These tools are indispensable for navigating and interpreting structured data within iOS devices.
Forensic Process Reflection
This article concludes with a reflection on the forensic workflow, emphasizing the systematic approach: acquisition, directory navigation, database analysis, and evidence extraction. This methodical process is fundamental to successful mobile forensics investigations.
TryHackMe IOS Forensics Room Answers
What would look more suspicious, an empty hard drive or a full hard drive?
an empty hard drive
What is the definition for an abstract view of a hard drive?
Image
What is the name of a forensics tool that couldn’t be used in a court of law, because data could be written to the device being analysed?
iFunbox
You’ve found an iPhone with no passcode lock, what acquisition method would you use?
Direct Acquisition
What is the name of the certificate that gets stored on a computer when it becomes trusted?
Trust Certificate
Who was the recipient of the SMS message sent on 23rd of August 2020?
Lewis Randall
What did the SMS message say?
Did you get the goods?
Looking at the address book, what is the first name of the other person in the contacts?
Jenny
Following on from Question #3, what is their listed “Organization”?
Transportation
Investigate their browsing history, what is the address of the website that they have bookmarked?
https://blog.cmnatic.co.uk
The suspect received an email, what is the remote_id of the sender?
51.32.56.12
What is the name of the company on one of the images stored on the suspect’s phone?
TryHackMe
What is the value of the cookie that was left behind?
THM{COOKIES!!!}