Secure Enclave has brought new challenges to iOS forensic examiners. Now, we can't extract encryption keys required to decrypt the device image, so physical acquisition is useless. But here comes the filesystem acquisition. Unfortunately, it requires the iOS device to be jailbroken. The next section will show you how to jailbreak our iPad running iOS 9.3.5 with Phoenix.
To perform filesystem and physical acquisitions, we need our iOS device to be jailbroken. Here are the steps to jailbreak a 32-bit iOS device running 9.3.5:
- Download
Phoenix4.ipa
using the following link—https://phoenixpwn.com/. - Download Cydia Impactor using the following link—http://www.cydiaimpactor.com/.
- Connect the iOS device, iPad in our case, to your forensic workstation.
- Start Cydia Impactor. Drag and drop the IPA file you downloaded.
- Enter the owner's Apple ID credentials. Make sure you are using a previously-created app-specific password. You can create one using the following...