Location data is one of the most sensitive pieces of personal information. In today’s world, aggregated location data is as sensitive and as valuable as the user’s passwords. Once this data is transmitted to the OS manufacturer’s cloud service or any of the third-party vendors, the user has the right to know exactly what information is collected; who, when, and how has access to it. In today’s article, we will talk about one of the iOS lesser known features called “Significant locations”.

Is jailbreaking an Apple TV worth it? If you are working in the forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.

iPhone users have access to literally hundreds of instant messaging apps. These apps range all the way from the built-in iMessage app to the highly secure Signal messengers, with all stops in between. Many of the messaging apps are marketed as ‘secure’ or ‘protected’ messengers, touting end-to-end encryption and zero retention policies. We routinely verify such claims by analyzing the security of various instant messaging apps. It turned out that the degree of protection can vary greatly, having little to do with the developers’ claims. Today we’ll check out Confide, a tool advertising unprecedented level of security.

Extracting the fullest amount of information from the iPhone, which includes a file system image and decrypted keychain records, often requires installing a jailbreak. Even though forensically sound acquisition methods that work without jailbreaking do exist, they may not be available depending on the tools you use. A particular combination of iOS hardware and software may also render those tools ineffective, requiring a fallback to jailbreak. Today, the two most popular and most reliable jailbreaks are checkra1n and unc0ver. How do they fare against each other, and when would you want to use each?

The unc0ver v5 jailbreak has been available for a while now. It supports the newest versions of iOS up to and including iOS 13.5, and this is fantastic news for DFIR community, as it allows extracting the full file system and the keychain when acquiring the newest latest iPhone models such as the iPhone 11 and 11 Pro, and SE 2020. In this article, I’ll talk about the unc0ver jailbreak, the installation and usage for the purpose of file system extraction, and discuss the differences between jailbreak-based and jailbreak-free extraction.

Elcomsoft iOS Forensic Toolkit 6.0 is out, adding direct, forensically sound extraction for Apple devices running some of the latest versions of iOS including iOS 13.3.1, 13.4 and 13.4.1. Supported devices include the entire iPhone 6s, 7, 8, X, Xr/Xs, 11, and 11 Pro (including Plus and Max versions) range, the iPhone SE, and corresponding iPad models. Let’s review the changes and talk about the new acquisition method in general.

The USB restricted mode was introduced in iOS 11.4.1, improved in iOS 12 and further strengthened in iOS 13. The USB restrictions are a real headache for iPhone investigators. We’ve discovered a simple yet effective trick to fool it in some cases, but currently it securely protects the iPhones from passcode cracking and BFU (Before First Unlock) extractions. However, there is a trick allowing you to obtain some information from devices with disabled USB interface. Learn how to use this trick with the recently updated iOS Forensic Toolkit.

The new build of iOS Forensic Toolkit is out. This time around, most of the changes are “internal” and do not add much functionality, but there is a lot going on behind the scenes. In this article, we will describe in details what is new and important, and how it’s going to affect you. We’ll share some tips on how to use the software in the most effective way, making sure that you extract all the data from iOS devices in the most forensically sound possible.

With nearly half a billion users, Telegram is an incredibly popular cross-platform instant messaging app. While Telegram is not considered the most secure instant messaging app (this title belongs to Signal), its conversation histories do not appear in either iTunes or iCloud backups. Moreover, Telegram secure chats are not stored on Telegram servers. As a result, Telegram secret chats can be only extracted from the device of origin. Learn how to extract and analyse Telegram secret chats from the iPhone file system image.

Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.