Time
8 hours 33 minutes
Difficulty
Beginner
CEU/CPE
9

Video Transcription

00:05
IOS is the operating system using Apple's mobile devices before discussing what data can be extracted from an IOS device before you need to understand how Dad is written on its flash storage.
00:14
IOS devices used H F s X file system,
00:18
which is a very innovative EST plus file system developed by Apple.
00:21
It serves as the primary file system for Mac OS devices.
00:24
The main difference between H F S X and H F s Plus is that H F S X is case sensitive.
00:30
Where is H? F S Plus is not
00:32
h. F s plus is an improved version of a Professor Apples Legacy file system, also known as hierarchal file system.
00:39
The new version of H. F s has many improvements from the older version, especially in terms of space utilization.
00:46
H. F s farms are divided into logical blocks that are 512 bytes in size.
00:50
Logical blocks a group together its allocation blocks.
00:53
The allocation blocks contain one or more logical blocks, depending on the total size of the disc.
00:58
H F s used a 16 feet value for addressing allocation blocks, which became a limitation with the growing size of the disc
01:04
to overcome the addressing limitations of H. F S. Apple created H. F S plus
01:10
in this upgraded file system, Logical Blocks renamed two sectors but remained 500 bytes in size.
01:15
Allocation Block's still contained one of more sectors, depending upon the size of the disc.
01:21
However,
01:22
with H F s plus a 32 bit value is used for addressing allocation blocks. Therefore, H F s plus is capable of addressing significantly more blocks.
01:32
H F s plus supports longer found names up to 255 characters, compared to 31 character's name. Profess larger file sizes and unicode for found name and coding in place of the Mac Roman and coating used in the H of X file system,
01:45
H F s plus also implemented journaling, which is a way of keeping track of every transaction made to the disk.
01:51
Journaling helps makes recovery faster in the event of a system crash or power failure.
01:56
A typical H F s plus volumes shown here consists of nine important segments.
02:00
Let's have a look at the H f s plus volume structure.
02:05
The 1st 2 sectors of the volume Serum one reserved his boot books
02:08
Sector two volume matter contains information about the volume itself,
02:14
such as the size of allocation blocks and size and location of other special files.
02:17
Next is the allocation file.
02:20
This important, Paul keeps track of the usage of allocation blocks, noting which ones are free and which ones are e news.
02:25
It also maintains a bit map with each bit represents an allocation block.
02:30
The biggest set a zero. The block is free if it set the one it's in use.
02:36
Another special filing nature fest, plus volume is a catalog file.
02:39
This file defines a folder and follow hierarchy of the volume and can be used to easily identify the location of a specific foul or folder within the file system.
02:50
The extents overflow foul stores Information about additional extents assigned to a foul
02:54
an extent is a contiguous allocation block that belongs to a file
02:59
and extended, represented with a pair of numbers starting allocation block and the number of allocation blocks it in the extent
03:05
the first aid extensive of foul recorded in the catalog foul or the remaining extents are stored in the extents overflow foe.
03:12
The Attributes file contains attribute information about files and folders on the file system.
03:16
The start of foul contains information that helps booting computers lack building support for H F S plus file systems.
03:23
Ultimate volume header is stored in the second to last sector of the volume.
03:28
It stores a backup copy of the volume header.
03:30
Finally, the last sector of the vote is reserved for use by Apple and is used during the computer manufacturing process.
03:38
Apart from these nine structures, the remainder of the volume is either occupied with foul data or it's free space.
03:45
Apple is always evolving its equipment and supporting software. The Apple file system was designed to replace the H. F S plus file system in all apples devices, including iPhones, IPADS, Apple watches, Apple TVs and Mac Books.
03:57
It was first released with Mac OS Sierra and I OS 10.3.
04:00
According to Apple, some of the features of this new phone system includes stronger encryption, space sharing, fast directory sizing and improved file system fundamentals.
04:10
Now let's look at foul system partitions.
04:12
There are two main partitions in an IOS device system partition, which is also called the route or firm, or partition and the data partition.
04:19
The system partition contains IOS operating system and the applications that come packaged with it.
04:25
This partition can be found a slash dev slash disc zero s one or slash dev slash disc zeros one s one and is mounted at the root of the foul system. Slash
04:35
It is mounted as read only unless enough great is in progress. Where the device is Joe broken.
04:41
The size of the partition is 1 to 4 gigabytes, depending on the size of the total storage.
04:46
Because it's partitions read only and contains OS and pre installed applications only. Hardly any evidence can be found in this partition.
04:54
But if the device is joe broken, this partition may hold user data.
04:58
Remainder of the file system is occupied by the data partition it good things user and sold applications and dad associate ID with the applications, which can be extremely crucial for investigations.
05:09
This partition is the gold mine for forensic analyst and has found a slash dev slash disc zero s too
05:15
slash dev slash disc zero es tu es tu In his mount of that slash private slash v a r,
05:21
they're too foul for mass commonly found in IOS devices.
05:25
There are the property list files used for storing configurations and the sq a light databases used for storing data.
05:32
Property list files, also called the Peerless Files, are an easy way to store simple structure data.
05:38
They're commonly used for storing application settings and operating system configurations.
05:43
These Air XML for mental files that can be analyzed using a simple text editor.
05:46
A number of free, simple text editors are available is what was property list editor for the Mac Environment and P List editor for the winners Environment.
05:54
All of these application can be used for analyzing Felix files.
05:58
An example. Peerless follows. Shown here,
06:00
it's been open using P List editor.
06:02
The file shows that a couple of key value pairs of the fine
06:05
some key value pairs are also bundled up in dictionary type class.
06:10
This *** symbol for matter of pillows folk can also be viewed in the text editor, as shown in the bottom section of the P list editor.
06:16
Ask your light database. Another important structure used in IOS devices stores large amounts of data such as user data created within a nap,
06:25
de bras of rescue, a light rest your light database browser or free throw is available for both Windows and Mac environments. It can't be used for analyzing its cure like that. A basis
06:33
as shown here, The Net Usage Daughter s Q. A light foul is open from an IOS device using database browser for rescue A light.
06:42
This example shows all the S S I d s the IOS devices connected to

Up Next