  • The HFS+ file system in points

    • At the physical level, the disk is formatted into 512-byte blocks.
    • Two kinds of block exist inside the HFS+ file system format: logical blocks and allocation blocks.
    • Logical blocks are numbered from the first to the last within a volume, and they are also 512 bytes in size.
    • Allocation blocks are the unit used to track data.
    • Groups of allocation blocks are called clumps; clumps help to minimize fragmentation within a volume.
    • Local time (absolute time) and Unix time are used together in the HFS+ format, and this timing scheme can be used to identify the location of an HFS+ system.
    • Data is organized by means of a catalog file.
    • Catalog files use the B*-tree format, a balanced tree structure made up of many nodes.
    • Whenever data is added or deleted, the tree algorithm is run so that the tree stays balanced.
    • In detail, the structure of an HFS+ file system is as follows:


      • Reserved blocks: the first 1024 bytes are reserved.
      • Volume Header: this is where the structure of the HFS+ volume is described. It also carries the next Catalog ID, a counter that is incremented by one whenever a new file is added to the HFS+ file system. The signature “H+” is stored inside the HFS+ Volume Header.
      • Allocation File: this file keeps track of all the allocation blocks. It is a bitmap: when the file system uses an allocation block, the bit representing that block is set to 1; when the bit is 0, the block is free and not in use.
      • Extent Overflow File: this holds pointers to the extents of files. Any file that uses more than eight contiguous runs of allocation blocks stores its further extents here.
      • Catalog File: the purpose of this file is to organize the data, and a balanced tree is used for that. The catalog file is consulted whenever the location of a file or folder within the volume needs to be known. Data such as a file's creation date, its permissions, and its modification date are all kept in the catalog file; this is what we call metadata.
      • Attribute File: any customizable attributes of a file are stored in this file.
      • Startup File: this file supports booting on systems where built-in ROM support is not available.
      • Actual data: the data itself lives inside the file system, where all of it can be tracked through the structures above.
      • Alternate Volume Header: another 1024 bytes at the end of the volume, intended as a backup of the volume header, which is 512 bytes long.
      • The very last 512 bytes are reserved for the system.
    • The naming rules of a variant of HFS+ deserve a mention. HFSX is a case-sensitive file system: two files may share the same name as long as at least one letter differs in case, because the same name with different case is automatically treated as two different names.
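A small parser for the Volume Header fields and the Allocation File bitmap described above, written here as an added example (it is not code from the page or from Apple). The image it parses is a constructed sample, and the field offsets follow Apple's public HFS+ layout.

```python
import struct

# Added example: parse the HFS+ Volume Header and Allocation File bitmap.
# The header sits 1024 bytes into the volume and begins with the signature
# 'H+' (or 'HX' for the case-sensitive HFSX variant).
VOLUME_HEADER_OFFSET = 1024
HFS_TO_UNIX_EPOCH = 2082844800   # seconds from 1904-01-01 (HFS+ dates) to 1970-01-01
# Fields after the 2-byte signature, all big-endian:
# version(2) attributes(4) lastMountedVersion(4) journalInfoBlock(4)
# createDate(4) modifyDate(4) backupDate(4) checkedDate(4) fileCount(4)
# folderCount(4) blockSize(4) totalBlocks(4) freeBlocks(4) nextAllocation(4)
# rsrcClumpSize(4) dataClumpSize(4) nextCatalogID(4)
HEADER_FMT = ">HIIIIIIIIIIIIIIII"

def parse_volume_header(volume: bytes) -> dict:
    """Return the forensically interesting header fields, or raise on a bad image."""
    hdr = volume[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512]
    if len(hdr) < 512:
        raise ValueError("image too small to hold a volume header")
    sig = hdr[:2]
    if sig not in (b"H+", b"HX"):
        raise ValueError("bad signature %r: not an HFS+/HFSX volume" % sig)
    f = struct.unpack(HEADER_FMT, hdr[2:2 + struct.calcsize(HEADER_FMT)])
    return {
        "signature": sig.decode("ascii"),
        "case_sensitive": sig == b"HX",           # HFSX naming rule from the text
        "modify_unix": f[5] - HFS_TO_UNIX_EPOCH,  # modifyDate is GMT; createDate is local time
        "file_count": f[8], "folder_count": f[9],
        "block_size": f[10], "total_blocks": f[11], "free_blocks": f[12],
        "data_clump_size": f[15],
        "next_catalog_id": f[16],                 # bumped for every new file or folder
    }

def used_blocks(bitmap: bytes, total_blocks: int) -> list:
    """Allocation blocks whose bit is 1 (in use). Block 0 is the most
    significant bit of byte 0, as in the HFS+ Allocation File."""
    return [n for n in range(total_blocks) if bitmap[n // 8] & (0x80 >> (n % 8))]

def build_sample_volume() -> bytes:
    """Constructed 4 KiB image with sample header values (not from a real device)."""
    hdr = b"H+" + struct.pack(HEADER_FMT,
        4, 0, 0, 0,                        # version, attributes, lastMounted, journalInfo
        HFS_TO_UNIX_EPOCH + 1500000000, HFS_TO_UNIX_EPOCH + 1500000100, 0, 0,  # dates
        12, 3,                             # fileCount, folderCount
        4096, 1024, 1000, 24,              # blockSize, totalBlocks, freeBlocks, nextAllocation
        65536, 65536,                      # rsrcClumpSize, dataClumpSize
        31)                                # nextCatalogID
    return b"\x00" * VOLUME_HEADER_OFFSET + hdr.ljust(512, b"\x00") + b"\x00" * 2560
```

Running `parse_volume_header(build_sample_volume())` on a real image instead of the sample would show whether the volume is HFSX and how many catalog IDs have been handed out so far.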


  • How to change the operating modes of an iOS device?

  • What about the Normal Mode?

Three steps happen one after another when an iOS device boots in normal mode. First, it loads the Low-Level Bootloader. Then it loads iBoot. Last, the iOS kernel starts running and operates the device. Each of these boot steps is signed to preserve the integrity of the process, which is what gives iOS devices their strong security.

  • What about the Recovery Mode?

An iOS device enters recovery mode automatically if a failure occurs. This mode is intended for performing upgrades or restoring the iPhone. How, then, can an examiner switch an iOS device into this mode? The following steps achieve that:

  1. Turn the device off by holding the power button on the top of the device.
  2. Keep holding the home button of the iPhone and use a USB cable to connect the iPhone to a computer.
  3. Keep holding the home button until the screen showing “Connect to the iPhone” no longer appears. The home button can then be released.
  4. To exit recovery mode, reboot the device.
  • What about the DFU Mode?

Most acquisition techniques require the phone to be put into DFU mode. An examiner can switch the device into this mode with the following steps:

  1. Install the iTunes software on the forensic workstation, and use a USB cable to connect the phone to the workstation.
  2. Switch the phone off.
  3. Hold the power button for 3 seconds.
  4. Keep holding the power button and hold the home button together with it for 10 seconds.
  5. Release the power button and keep holding the home button until iTunes reports that it has detected an iPhone in recovery mode.
