Book Image

iOS Forensics Cookbook

By : Bhanu Birani, Mayank Birani
Book Image

iOS Forensics Cookbook

By: Bhanu Birani, Mayank Birani

Overview of this book

Mobile device forensics is a branch of digital forensics that involves the recovery of evidence or data in a digital format from a device without affecting its integrity. With the growing popularity of iOS-based Apple devices, iOS forensics has developed immense importance. To cater to the need, this book deals with tasks such as the encryption and decryption of files, various ways to integrate techniques withsocial media, and ways to grab the user events and actions on the iOS app. Using practical examples, we’ll start with the analysis keychain and raw disk decryption, social media integration, and getting accustomed to analytics tools. You’ll also learn how to distribute the iOS apps without releasing them to Apple’s App Store. Moving on, the book covers test flights and hockey app integration, the crash reporting system, recovery tools, and their features. By the end of the book, using the aforementioned techniques, you will be able to successfully analyze iOS-based devices forensically.
Table of Contents (13 chapters)


This book focuses on the various techniques for acquisition, identification, and forensic analysis of iOS devices. This is a step-by-step practical guide that will help you to follow the procedure and extract data from iOS devices. This book helps professionals to investigate and understand forensic scenarios easily. This is a practical guide written after the rising popularity of iOS devices and the growing investigation requirements. This book deals with the various ways to investigate devices with different iOS versions and the presence and absence of other security systems such as lock code, backup passwords, and so on.

Conceptually, this book can be divided into three sections. The first section deals with the understanding of how data is generated by applications and how and where it is stored on the device. The second section focuses mainly on various analytic techniques, which include the analytics of apps by reading their logs and reports provided by Apple and other third-party vendors. This also includes the analysis and other related data mining studies provided by Google and Crashlytics. The third section, that is, the last section of the book, deals with a study, in detail, of various core forensics, which include the data structure and organization of files. This also includes the study of various open source tools that allow the detail decrypting techniques performed on any iOS device.

What this book covers

Chapter 1, Saving and Extracting Data, focuses on the ways to save the data in the document directory of the device along with ways to fetch the data back. In this chapter, we will also discuss the encryption and decryption of the files that are saved in the document directories. We will also discuss keychain and raw disk decryption in the chapter.

Chapter 2, Social Media Integration, teaches you the various ways to integrate social media with your application. The primary focus will be on the various configurations that have to be taken care of while integrating social media with the application.

Chapter 3, Integrating Data Analytics, discusses the various application analytics tools. The primary focus will be on the various ways to grab the user events and actions on the app. Then, moving forward, we will learn the powerful ways to crunch the useful information from the data gathered on the cloud.

Chapter 4, App Distribution and Crash Reporting, teaches you about the power of distributing your apps without releasing them to Apple's App Store. In this chapter, you will learn about over the air application distribution. You will also learn the various ways to track errors in our app.

Chapter 5, Demystifying Crash Reports, demystifies the overall crash reporting system. This also includes ways to read the crash reports accumulated on iTunes Connect. You will learn to decode binary crash reports to generate and gather useful information.

Chapter 6, Forensics Recovery, holds all the recovery and backup related operations on the device. You will learn about recovery modes in detail along with data extraction from the device. This chapter will also allow the user to extract data from iTunes backup files by decrypting them. Then, finally, we will see some case studies to demonstrate how data was recovered from the device in very vital cases.

Chapter 7, Forensics Tools, explores all the aforementioned tools and their capacity to retrieve data. You will learn about the various features provided by each of them. We will also compare a few tools with each other, considering both open source and paid tools.

What you need for this book

This book is designed to allow you to use different operating platforms (Windows, Mac, and Linux) through freeware, open source software, and commercial software. For a few sections, you will need Xcode 6.0 or above with a Mac OS X. Many of the other examples shown can be replicated using either the software tested by the authors or equivalent solutions and tools for iOS Forensics. Some specific cases require the use of commercial platforms, and among those, we preferred the platforms that we use in our daily work as forensic analysts. In any case, we were inspired by the principles of ease of use, completeness of information extracted, and the correctness of the presentation of the results by the software. This book is not meant to be a form of advertising for the aforementioned software in any way, and we encourage you to repeat the tests carried out on one operating platform on other platforms and software applications as well.

Who this book is for

This book is intended mainly for a technical audience, and, more specifically, for forensic analysts (or digital investigators) who need to acquire and analyze information from mobile devices running iOS.

This book is also useful for computer security experts and penetration testers because it addresses some issues that definitely must be taken into consideration before the deployment of this type of mobile device in business environments or situations where data security is a necessary condition. Finally, this book could also be of interest to developers of mobile applications, and they can learn what data is stored on these devices, and where the application is used. Thus, they will be able to improve security.


In this book, you will find several headings that appear frequently (Getting ready, How to do it, How it works, There's more, and See also).

To give clear instructions on how to complete a recipe, we use these sections as follows:

Getting ready

This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.


In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "In the popup, provide the product name as DocumentDirectoriesSample."

A block of code is set as follows:

NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSLog(@"%@", documentsDirectory);

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSLog(@"%@", documentsDirectory);

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Open Xcode and go to File | New | File, then navigate to iOS | Application | Single View Application."


Warnings or important notes appear in a box like this.


Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail , and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files from your account at for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit and register to have the files e-mailed directly to you.


Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to and enter the name of the book in the search field. The required information will appear under the Errata section.


Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.


If you have a problem with any aspect of this book, you can contact us at , and we will do our best to address the problem.