
ABSTRACT
This course focuses on the challenge of examining Apple’s proprietary iOS ecosystem, a common target for sophisticated, high-stakes cyberattacks. You’ll learn foundational iOS security principles, the practical constraints forensic investigators face, and the step-by-step methods and tools for extracting data in fully authorized forensic engagements.
INTENDED AUDIENCE
Forensic investigators and incident response specialists who wish to upskill themselves for real-life iOS forensic investigations.
KEY LEARNING OBJECTIVES
- Understanding of iOS internals and security
- Practical data acquisition & analysis skills
- Capturing and exporting device backups
- Generating and interpreting sysdiagnose logs and reboot artifacts
- Retrieving App Privacy reports and crash logs
- Conducting live process inspections
- Capturing network packets
- Decrypting intercepted traffic
- Exploring iOS malware attack vectors
- Employing signature scanners and commercial forensic tools
- Awareness of malware threats & forensic limitations
- Familiarity with open-source and commercial tools
- References and further reading for independent study
COURSE DETAILS
Module 1: iOS Fundamentals
- Secure Boot Chain, Hardware Security (SEP, UID/GID keys), App Security & Privacy, Network Security
- Explain iOS secure boot chain and hardware security features
- Describe app containerization and iOS privacy controls
- Understand network security protections in iOS
Module 2: Data Acquisition
- Core tools: libimobiledevice, MVT, pymobiledevice3
- Exercises: Device info, sysdiagnose logs, backups (encrypted/unencrypted), Docker container setup, process & traffic capture (PKTAP), traffic decryption, filesystem collection, jailbreak artifact detection
- Use libimobiledevice, MVT, and pymobiledevice3 to collect data
- Generate and analyze sysdiagnose logs
- Create and decrypt iTunes backups
- Capture and parse network traffic
Module 3: Discovering a Compromise
- Methodology: Avoid rebooting, capture logs, run MVT, use YARA rules
- Tools: EC-DIGIT-CSIRC’s Sysdiagnose analysis framework
- Indicators: crash logs, panic logs, anomalies in shutdown.log, unusual processes, FS metadata artifacts
- Follow a sound methodology for forensic investigation
- Identify indicators of compromise in logs and backups
- Apply our private YARA rules to detect malware artifacts
Module 4: Jailbreaking
- Overview of checkm8 exploit & tools (checkra1n, palera1n)
- Risks of jailbreaking (irreversible, potential false positives)
- Describe jailbreak types and their forensic impact
- Perform a controlled jailbreak (if required) for data acquisition
Module 5: iOS Malware
- Key threats: Pegasus, LightSpy, Reign, Predator, FinSpy, RCS, XAgent
- Persistent vs non-persistent malware detection challenges
- Recognize major iOS malware families and their behavior
- Differentiate between persistent and non-persistent threats
Module 6: Commercial Tools
- Forensics: Elcomsoft, Cellebrite, Magnet AXIOM, Oxygen, XRY
- Security: iVerify, iMazing
- Compare commercial forensic suites and their capabilities
- Use security tools (iVerify, iMazing) to check for compromises
System Requirements
- Linux laptop (preferably Ubuntu), iPhone + cable, network connectivity
- Non-Linux users can use VirtualBox with the Ubuntu VM we provide
- Tools: libimobiledevice, pymobiledevice3, MVT, mitmproxy, rvi_capture, Palen1x ISO, iscout_tools, YARA, Wireshark, tcpdump, WireGuard, Docker
YOUR INSTRUCTOR: Costin Raiu
Costin Raiu is a cyber paleontologist and researcher specializing in analyzing advanced persistent threats and high-level malware attacks. He is a founder of "Art of Noh", a visionary think-tank dedicated to the advancement of cybersecurity, and founder of "TLPBLACK", a boutique cybersecurity consulting and intelligence company. Before this, he led GReAT, the team that researched the inner workings of Stuxnet, Flame, Duqu, Turla, Lazarus and Moonlight Maze.
Costin has over 30 years of experience in ITSec, having written his first antivirus when he was 16. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers' Organization (CARO) and a founding member of the MUTE Group.
Costin enjoys playing chess, taking photos and reading science fiction literature. He holds a black belt in Taekwondo.
https://www.linkedin.com/in/craiu/
https://x.com/craiu
COUNTERMEASURE25: 60+ days before the event, 75% of fees refunded; 45-60 days before the event, 50% refunded; less than 45 days before the event, 0% refunded. Course changes are allowed up to 14 days before the event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.