When the device is powered on in a typical fashion, this is known as normal mode. Most activities performed on an iPhone will be run in normal mode, unless otherwise specified.

For Recovery mode, the user or examiner will boot the device into iBoot, bypassing the loading of the operating system. iBoot is Apple's stage 2 bootloader, and is where Recovery mode resides. This operating mode is required to perform certain functions such as activating a device, upgrading or downgrading the iPhone, or sometimes to perform a forensic physical acquisition.

To enter Recovery mode, power off the device (by holding down the button on the top of the phone until you see “slide to power off” appear on the device). Next, hold down the “Home” button, and then connect the device to a computer via a USB connector while continuing to press the “Home” button. Continue to hold until “Connect to iTunes” appears (as shown in Figure 2.1), and then release.

By connecting the cable, you are giving power to the device. An alternative option would be to first connect the device to a computer, power off the device, and then hold the “Home” button down while at the same time pressing the power button.

DFU mode is also required to initiate various actions on the iPhone, most commonly to perform a physical acquisition. It is referred to by some as “Device Firmware Upgrade.”

To enter DFU mode, make sure the iPhone is connected to the computer. iTunes should not be running at this time. If iTunes starts when the device is connected, be sure to exit by selecting “iTunes > Quit iTunes” at the top left corner of the Mac (or on Windows, simply “X” out of the program). With the device either powered on or off, hold down the “Home” button and the “Power” button together for 10 seconds, then release the power button (while continuing to press “Home”) for 10 more seconds. It is important to hold for exactly 10 seconds. When successfully in DFU mode, the screen will be black. If you see the Apple logo or other signs that the device is booting, the process was done incorrectly.

To verify whether the device is in DFU mode on a Mac, System Profiler can be run. Once launched, select the “USB” option, and you should see a device similar to what is shown in Figure 2.2. A “USB DFU Device” will be displayed if done correctly, otherwise just an Apple iPhone device will appear.

System Profiler can also be searched using a Terminal window. First, enter the following command to launch System Profiler:

From there, enter the following command to search for a device in DFU mode (the results for this command are shown in Figure 2.3):

Some of the newer tools used to get a physical image on an iPhone require Linux. To verify the device is in DFU mode on a Linux workstation, a similar process can be used. Connect the device to the Linux box, and enter the “lsusb” command in a Terminal window to display information about all USB devices connected to that particular machine. When an iPhone running in normal mode is connected to a workstation and the “lsusb” command is run, the output will show an Apple device, including the model number, serial number, and other details about that particular device:

When an iPhone running in DFU mode is connected to a workstation and the “lsusb” command is run, the output will be similar, but will also show that the iPhone is a “DFU” device.

Notice that both the Product ID and the serial number are different depending on the operating mode. When a firmware upgrade is performed, it is necessary to modify the “idProduct” field to ensure that only the DFU driver is loaded (Microcontroller Division Applications, 2003). It can also help an examiner determine whether a device is in DFU mode (i.e., if the serial number is displayed, it is most likely in “Normal” mode).

Whether in Recovery or DFU mode, the same process can be used to return back to Normal mode. Press the power and home buttons at the same time until the Apple logo appears, and the device will reboot. More often than not, this key sequence will successfully load the phone back into normal operating mode.

There is the possibility of the device entering what is referred to as a “Recovery Mode Loop,” where the iPhone will constantly reboot into recovery mode. This can occur during the jailbreaking or unlocking process. If this occurs, there are several open source tools available to assist the user in exiting out of a Recovery Mode Loop, such as RecBoot or iRecovery. Both tools are free and available for download on Windows and Mac environments, with iRecovery also available on Linux. These tools communicate with the stage 2 bootloader (iBoot/iBSS) over a USB connection in order to exit Recovery Mode Loop.

Installing iRecovery on Linux and Mac involves one easy step of downloading the source files. Windows users must also install libusb to allow access to USB devices. To use iRecovery, the user runs the program by entering the following in a Terminal window:

Next, the following commands are executed:

Finally, the user can initiate a reboot, and the device should start up in normal mode. The process is a bit more complex using iRecovery since this tool offers other functions as well, such as uploading files (iRecovery, 2009). Jonathan Zdziarski's physical acquisition tool utilizes iRecovery to automatically reboot the iPhone when necessary. This tool will also be discussed later as it can play an important role in the acquisition process.

RecBoot is much more straightforward for the purposes of exiting a Recovery Mode Loop. It has two purposes: enter recovery mode or exit recovery mode (refer to Figure 2.4 for RecBoot user interface). For this reason, the interface is much more user friendly. The user simply clicks the button and the device is automatically rebooted into normal operating mode.

The various operating modes are most often used during the forensic imaging process and are discussed further in Chapter 5.

An iPhone user has the option to set a PIN on their device in order to prevent unauthorized access. By default, the PIN is a four-digit, numeric code, but by modifying the “Simple Passcode,” setting can be set to a variable length. Upon entering the passcode incorrectly 10 times, the user also has the option to set the device to automatically erase all content. Another unique option that is offered involves Apple's MobileMe membership. Among other elements, MobileMe allows the user to remotely set a passcode in the event that a device is stolen.

On certain devices running iOS version 4.0 or higher, hardware encryption is also possible through a feature referred to as “Data Protection.” When a passcode is set, the device settings will show “Data Protection is Enabled” (see Figure 2.5). Enabling this feature creates an encryption key, activating an added layer of security for e-mail messages and attachments. This encryption makes forensic recovery of these devices much more complex. The iOS devices that contain hardware encryption, and therefore offer Data Protection, include the iPhone 4, iPhone 3G(s), iPod Touch, and iPads (Apple Inc., December 2010).

Another optional configuration is to set the device to automatically lock after a set amount of time. A user might consider this option as an effort to increase battery life or prevent unauthorized access to the device if it is left unattended. Upon seizing an iOS device, if it is not already “locked,” a best practice might be to immediately go into the device settings and set the auto-lock to “Never.” This will prevent the device from locking out and require the examiner to enter a passcode to access the device. If the device model and operating system supports a physical acquisition, then the passcode will not be an issue; however, in the event that only a logical acquisition can be performed, this step of removing the auto-lock is crucial. Of course, this also drains the battery much more quickly, so be sure to get that device to a charger as soon as possible.

Finally, restrictions on various applications can be enabled, which allows the user to control access to particular apps. A passcode can be set to prevent unauthorized access to Safari, YouTube, iTunes, and other applications on the phone. This feature is ideal for parents who may want to restrict their child's access to certain functions on the iPhone.

There are several ways in which an iPhone can be wiped. Within the device itself is the option to either “Reset All Settings” or “Erase All Content and Settings.” The latter is a full secure erase and, depending on the amount of data on the phone, can take anywhere from a few minutes to over an hour to complete. Internal testing has proven that this method truly does wipe the device, leaving no valuable data to be recovered (refer to Chapter 4– “iPhone and iPad Data Security” for details on the methods used for testing).

Another option is to perform a remote wipe. This method can be completed through an e-mail account synced with the device, a MobileMe account, or through a downloaded application. A remote wipe would come in handy in the event that the device was lost or stolen and the owner wanted to prevent access to their data. Chapter 4 covers some of the research and testing performed on these devices to determine whether a remote wipe does a thorough job. In some cases, data can still be recovered through forensic techniques.

While both the previous methods have been forensically tested to ensure they are effective, the “erase data after ten failed passcode attempts” technique has not.

iPhone users have a high expectation that their personal information is secure. But mobile phones are drastically different from traditional computers and represent a new and unique threat to customer data. It is assumed that customized mobile applications are secure and avoid exposure of confidential user data and credentials, but that is not always the case.

Various internal testing procedures have been performed to evaluate the data exposure and security of multiple mobile applications by using forensic techniques. To test the app, it is installed and used the way a typical user would. The data is then examined to determine whether sensitive information is left on the device or transmitted over the network unencrypted. The findings resulted in many of these apps storing user names, passwords, or other related application data on the device or even confidential data in transit across a wireless network.

It is important for consumers to understand the risks involved in using these applications, especially when sensitive data is involved, such as with financial applications. The overview, methodology, and results of these findings can be found at http://viaforensics.com/appwatchdog/. Many of the forensic techniques used to perform app analysis on these devices are discussed in later chapters, and application security is specifically covered in Chapter 4.

Once an iPhone is connected to iTunes, the user can initiate synchronization between the software and the device. This process will load all the applications, music, videos, pictures, etc. that are stored in iTunes onto the device, based on user-defined settings. When a sync is performed, the data within iTunes takes precedence and any differences will be removed from the device. iTunes can be configured to perform an automatic sync each time the device is connected, or a manual sync which must be initiated by the user. Custom apps, such as those developed by corporations, can be installed onto the device using this synchronization method; however, they must first be approved by Apple. MobileMe can also be used in conjunction with iTunes to sync calendar, contacts, mail accounts, and more.

The user also has the option to create a backup of the iPhone once connected to the computer. An automated backup is initiated during the sync process or when an update or restore is performed. The backup files are stored in a certain location, depending on the type of operating system running on the user's machine.

Each backup folder contains several files. Status.plist provides the status of the last sync/backup. Info.plist contains information about the device in general, including device name, build version, IMEI (International Mobile Equipment Identity), phone number, etc. Manifest.plist includes a list of all the backed up files, their modification time, and hash value. The remainder of the files will include several *.mddata and *.mdinfo files (for iTunes versions prior to 8.x, these will appear as *.mdbackup files). For all of these backup files, the file name is SHA1 hash value of that particular file. These are the actual backup files of the iPhone's applications and settings. Opening these files as is will not be legible, as they are what Apple refers to as Binary plists. In order to view the content of the backups, these files need to be either viewed using specialized software or converted in another manner.

iTunes also allows the user to initiate an encrypted backup by entering in a password prior to syncing the backup files. Encrypted backups add a significant level of difficulty to the data recovery process – even to the point of impossibility with a complex enough password. However, it is important to note that this option is not required, prompted, or set as the default, and as a result it is reasonable to assume that few users would choose this option.

The analysis of both encrypted and unencrypted backups will be covered in later chapters.

With the release of iOS version 4, if a backup is not passcode protected, the keychain file (containing user name and password data) is encrypted using hardware keys stored on the iPhone. If the keychain database file is opened, certain information can be viewed, but passwords are encrypted.

If a backup is password-protected, the keychain file is now encrypted using software keys generated from the backup password. What this means is that, as long as the backup passcode is known, it is possible to get to the keychain file's encrypted data.

There are two different restore options: to restore the iPhone from a pre-existing backup file or to restore a device back to factory settings. Restoring from a backup will pull all settings and application data from that backup and sync that data to the device. Performing a full software restore removes the active file system from the device and restores it back to the default factory settings. Both restore methods can be performed in iTunes, and it is important to understand the difference between the two in order to prevent loss of data.

Once a factory restore is performed, the user will have to re-activate the device by connecting it to iTunes (as prompted on the display). Once the iPhone is activated, data can then be restored from a backup file or setup as a brand new device.

Apple will occasionally release iPhone iOS version updates which may introduce new features, fix bugs from previous versions, or increase security. The user has the option to remain on the current operating system or upgrade to the most recent. Upgrades are done through iTunes and are fairly simple to do.

Once the phone is connected to a computer running iTunes, the user simply clicks the “Update” button (see Figure 2.6) and the latest software is updated onto the device.

The iPhone contains two disk partitions, which will later be discussed in more detail. The partition containing the user data is separate from that containing the firmware. When a firmware upgrade is initiated, the latest operating system software is installed within that firmware partition. This process is forensically sound since the user data is in a separate container and, therefore, not modified by the update.

For one reason or another, a user may wish to go back to a previous iOS version. Perhaps after upgrading, it was determined that additional security holes were revealed. Also, some 3G users found that updating their device to iOS v4.x caused their devices to decrease in speed and efficiency. From a forensic examiner's standpoint, downgrading a device could be crucial in recovering data from a device. The available forensic tools will run only on certain supported versions. If the model and/or firmware version are not supported, the device may need to be downgraded in order to be acquired. Regardless of the reason, there is the option to downgrade to a previous iOS version. This process varies per device, and is also not supported for certain devices and operating systems.

To downgrade, a similar process is used. The first step, however, is to download a copy of the old .ipsw (iPhone software) file that the user wishes to downgrade. These .ipsw files can be found on various websites, such as www.iclarified.com. Apple does not provide these files, as their goal is to ensure all users are running the latest firmware updates. Once the iPhone software file is downloaded and saved onto the user's workstation, the phone should then be connected to the workstation running iTunes. To update to a firmware version other than the latest available, the user would right-click on update and navigate to that particular .ipsw file. This process is typically successful for the earlier models, prior to 3G(s). The downgrade only effects the firmware partition, so the user data slice should not be affected. This has been the case with the phones that have been internally tested by the authors; however, downgrading or modifying the phone in any way is still a risky process to perform on a piece of evidence.

For later models, this downgrade process is not possible without performing advanced technical steps. Some of these models, including iPhone 4 and certain 3GS models depending on when they were shipped, contain the new bootrom. Apple decided to start signing the firmware versions, requiring iTunes to “get permission” before upgrading/downgrading to a different firmware version. Presumably, the reason for this is that Apple wants to keep its customers running the latest software versions. In any case, if an attempt is made to downgrade on one of these devices, iTunes will display an error and prevent the update.

In order for Apple to sign-off on a restore file, it first checks the SHSH blobs against its servers. SHSH blobs, also known as ECID SHSHs, are unique signatures on a device. This signature is checked against Apple's servers, and if that particular signature does not correspond with the most recent iOS firmware, Apple will not verify that file, preventing iTunes from performing a restore (Asad, April 2010). The hacking community has come up with workarounds for each version to get past this obstacle, but it can be a complex process if you are not accustomed to it.

The basis behind this downgrade process is to trick iTunes into thinking that the SHSH signature has been verified. Depending on the iOS version and model, the exact steps may vary slightly; however, the overall process remains the same. The following steps provide a high-level overview of this process:

These steps will now be covered in greater detail; however, we will be using a specific model and version for this example. To view a complete step-by-step guide on this and other versions, refer to www.redmondpie.com (Asad, July 2010).

By default, the iPhone arrives with certain applications. These include the most common apps, such as Messages, Calendar, Photos, Weather, and more. A user can customize the applications on their phone by downloading new apps through the iTunes App Store (which arrives on the iPhone by default).

The App Store contains iPhone applications including categories such as Games, Music, Productivity, and Travel. In order to login to the App Store, the user has to first create a login or use their existing iTunes user ID and password. Apps are easily installed on the device, and notifications are even sent to the user when new versions of those apps are available.

MobileMe is a service provided by Apple which offers its members various functions. Mentioned above was the ability to sync e-mail, contacts, and calendar with Apple devices. MobileMe stores all of the user's data, and automatically pushes it out to sync with multiple devices. Users can also store photos, videos, and other files using both the “Gallery” and “iDisk” features. iDisk provides up to 20 GB of remote data storage, allowing access from any computer, iPhone, iPad, or iPod Touch.

Another tool available through MobileMe is the ability for a user to locate a lost or stolen iPhone. Using the “Find My iPhone” feature, a user can sign-in to their MobileMe account and display the approximate global positioning system (GPS) location of the missing device. This option works as long as “Find My iPhone” has been enabled in the device settings. In addition to GPS location, a message can also be sent to the device to let someone know how to get in contact with the owner. Additionally, a user can remotely set a passcode or initiate a remote wipe in the event the device has been stolen.

All of these features can be accessed in one location at me.com.