iOS Forensics: tool validation based on a known dataset - Preamble
Hello world, it’s been a while since my last series of blog posts! But now I am ready to share with you the results of my recent research. I face many different challenges in my daily work as a digital forensics analyst, who deals mainly with mobile devices.

All modern smartphones are encrypted (usually with file-based encryption (FBE)), so obtaining or cracking the passcode is required to gain access to all the data stored on the device. And even if we know the passcode (or the user has not set the passcode, which is increasingly rare these days), we still need an exploit to gain “root” access to the device to read and copy all the data and get our “best acquisition”, usually a full file system (FFS).

And then what? Then you have an enormous number of bytes stored in hundreds of thousands of files in which to search for relevant information for the case. In simple terms, you have a box and you need to find a small piece of information in that box. In the box there is some info