Apple iOS devices are designed with security as a priority.
Security features built into the hardware, firmware and software layers of iOS devices protect them against unauthorized access and malicious attacks.
However, those same security features can hinder forensic acquisition and examination.
A basic understanding of the security architecture of Apple's iOS can help anyone trying to recover digital evidence from an iPhone or iPad.
Let's start with system security: the secure boot chain. The boot process of an iOS device includes a number of components.
Every component is cryptographically signed by Apple.
When an iOS device is turned on, the application processor executes the boot code from the Boot ROM, which is read-only memory.
This boot code is added to the chip during fabrication and is therefore trusted.
The Boot ROM also contains the Apple Root CA public key.
The Apple Root CA public key verifies that the Low-Level Bootloader (LLB) is signed by Apple, and then executes it.
The LLB verifies that the next-stage bootloader, iBoot, is signed by Apple, and then executes it.
Finally, iBoot verifies the iOS kernel and executes it.
If, during the boot process, one step is unable to verify or load the next step, the boot process stops
and the device displays the Connect to iTunes symbol on the screen.
This secure boot process ensures that even the lowest levels of software can't be tampered with, and that iOS runs on validated Apple devices only.
System Software Authorization.
System software authorization is the process used to distribute updates to authorized iOS devices and to prevent devices from being downgraded to older iOS versions that lack the latest security features.
Updates are released regularly to distribute new features and to address emerging security threats.
Apple makes use of the device's unique ID to sign the updates.
This ensures that an older version of iOS from one device can't be copied onto another.
Encryption and Data Protection: hardware security features.
Every iOS device comes with a crypto engine dedicated to encryption and decryption tasks.
These devices also come with a unique ID, called the UID, and a device group ID, called the GID.
Both of these IDs are AES 256-bit keys fused into the application processor during manufacturing.
Since these keys are built into the silicon, they can't be tampered with or read directly by any software or firmware.
The UID is unique to a device and is not recorded by the device manufacturer or any of its suppliers.
The GID is common to all processors in a particular class of devices.
All devices using an A8 processor, for example, have the same GID.
The device UID ensures that the data on the device is cryptographically tied to that particular device.
The file system key, computed using the UID and stored in the effaceable storage, is used to encrypt the file system on the device.
This means that files on a device are not accessible if the flash storage from that device is physically removed or moved to another device.
File Data Protection.
iOS devices use a technology called Data Protection to protect data that is stored in the device's flash storage.
This technology works by creating and managing a hierarchy of keys.
Some of the keys are computed using the keys fused into the hardware layer:
the file system key is computed using the hardware key, the device UID;
class keys are created using the hardware key and the device passcode.
Every file created in the data partition is assigned to a class.
There are predefined classes on iOS devices. Each class uses different policies to determine when the data in the file becomes accessible.
When a file is created in the data partition, Data Protection creates a per-file key to encrypt data in that file as it is written to the flash storage.
This per-file key is wrapped with one of the class keys,
the key of the class to which the file belongs.
The wrapped per-file key is stored with the file metadata.
When the file is opened, the file system key decrypts the file metadata, revealing the wrapped per-file key and information about the file's class.
The class key is then used to unwrap the per-file key.
This per-file key is then used to decrypt the file contents. Because the file system key is stored in the effaceable storage,
when a remote wipe or the Erase All Content and Settings command is issued, the effaceable storage is securely erased, the file system key is deleted, and all files are made cryptographically inaccessible.
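To make that hierarchy concrete, here is a toy model added to this transcript (not Apple's code): a UID fused into the device, a file system key held in effaceable storage, a class key derived from the passcode tangled with the UID, and a per-file key wrapped under the class key. It replaces AES and the hardware crypto engine with an HMAC-SHA256 stream cipher plus an HMAC tag, and uses PBKDF2 for the passcode tangling; those substitutions and the names Device, seal and unseal are my own assumptions, so only the key hierarchy itself is faithful to the description.

```python
import hashlib, hmac, secrets

def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter keystream; stands in for the AES hardware crypto engine
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, data):
    # encrypt-then-MAC, so using the wrong key is detected instead of yielding garbage
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)

class Device:
    def __init__(self):
        self.uid = secrets.token_bytes(32)  # fused into the AP; unique and never recorded
        self._uid_key = hmac.new(self.uid, b"filesystem", hashlib.sha256).digest()
        # the file system key, wrapped under a UID-derived key, lives in effaceable storage
        self.effaceable = seal(self._uid_key, secrets.token_bytes(32))
        self.files = {}
    def class_key(self, passcode):
        # passcode tangled with the UID, so the class key cannot be derived off-device
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.uid, 10_000)
    def write_file(self, name, content, passcode):
        per_file_key = secrets.token_bytes(32)
        wrapped = seal(self.class_key(passcode), per_file_key)  # wrap with the class key
        fs_key = unseal(self._uid_key, self.effaceable)
        # metadata (holding the wrapped key) is encrypted with the file system key
        self.files[name] = (seal(fs_key, wrapped), seal(per_file_key, content))
    def read_file(self, name, passcode):
        if self.effaceable is None:
            raise ValueError("file system key erased: file is cryptographically inaccessible")
        metadata, data = self.files[name]
        fs_key = unseal(self._uid_key, self.effaceable)
        wrapped = unseal(fs_key, metadata)  # metadata reveals the wrapped per-file key
        per_file_key = unseal(self.class_key(passcode), wrapped)  # class key unwraps it
        return unseal(per_file_key, data)
    def erase_all_content(self):
        self.effaceable = None  # remote wipe / Erase All Content and Settings
```

Reading with the wrong passcode fails at the class-key unwrap, and after erase_all_content the file system key is gone, so even the metadata can no longer be decrypted.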
Most users lock their iOS devices with a passcode.
The passcode prevents unauthorized access to the data on the device.
Today's devices support six-digit passcodes by default, as well as four-digit and arbitrary-length alphanumeric passcodes. Once a passcode is set on the device,
the Data Protection technology is enabled.
Passcodes are used in generating keys and encrypting data on the device. Therefore, the stronger the passcode, the stronger the encryption key.
Touch ID fingerprint recognition was introduced with the iPhone 5s.
Fingerprints offer easy and quick access to the device. Because Touch ID is backed by the passcode, users can keep complex passcodes to get stronger encryption keys while retaining quick access to the device with a Touch ID fingerprint.
To prevent brute-force attacks on passcodes, time delays are enforced between failed attempts.
This delay keeps increasing with every subsequent failed attempt. If the Erase Data option in the Touch ID & Passcode settings is turned on, the device will automatically wipe after 10 consecutive failed attempts.
App Code Signing. Another important iOS security element is app code signing.
Apple allows only Apple-signed code to be executed on iOS devices.
All third-party apps developed for iOS devices are first validated by Apple and then signed using an Apple-issued certificate before being made available through the App Store.
This prevents any malicious or unsigned code from being executed on iOS devices.
App Sandbox. To protect user data on an iOS device, sandboxing isolates an app, restricting its access to other apps' files and to the rest of the system.
Because each app is permitted to run only in its own restricted area, any security issues related to an app are confined to that app.
Users or administrators can remotely wipe an iOS device in the event the device is lost or stolen.
When a remote wipe is issued, the encryption keys in the effaceable storage are securely deleted,
making all the data on the device unrecoverable.
A user can also wipe a device in their possession by going to Settings > General >
Reset and selecting Erase All Content and Settings.
Lost Mode. Lost Mode is a security feature introduced in iOS 9.3.
When a device is lost or stolen, a mobile device management (MDM) administrator can enable Lost Mode on supervised iOS devices.
When Lost Mode is enabled, whoever is in possession of the device is logged out and the device cannot be unlocked.
The device may display an administrator-customized message on the home screen, such as a phone number to call for returning the device.
The administrator can also request the device to send its current location.
A mobile device management administrator is the only one who can disable Lost Mode.
Activation Lock. Activation Lock is a security feature introduced in iOS 7.
When a device is lost or stolen, Activation Lock prevents another user from using the device.
This feature is automatically turned on when Find My iPhone is enabled.
When Activation Lock is enabled, the user's Apple ID credentials are required to reactivate or erase the device.
A basic understanding of the security architecture of Apple's iOS is a must for forensic analysis and data recovery on an Apple device.
A great place to begin is with Apple's iOS Security White Paper,
which is available on www.apple.com and covers each feature in greater detail.