Physical acquisition
iOS devices have two types of memory: volatile (RAM) and non-volatile (NAND flash). RAM is used to load and execute the key parts of the operating system or the application. The data stored in RAM is lost after a device reboots. RAM usually contains very important application information such as active applications, usernames, passwords, and encryption keys. Though the information stored in RAM can be crucial in an investigation, currently there is no method or tool available to acquire the RAM memory from a live iPhone.
Unlike RAM, NAND is non-volatile memory and retains the data stored in it even after a device reboots. NAND flash is the main storage area and contains the system files and user data (http://www.nist.gov/forensics/research/upload/draft-guidelines-on-mobile-device-forensics.pdf). The goal of physical acquisition is to perform a bit-by-bit copy of the NAND memory, similar to the way in which a computer hard drive would be forensically acquired. While data storage seems similar, NAND differs from the magnetic media found in modern hard drives. NAND memory is cheaper, faster, and holds a greater amount of data. Thus, NAND is the ideal storage for mobile devices, as noted in iPhone and iOS Forensics by Andrew Hoog and Katie Strzempka (Elsevier BV).
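An added example (not from the book) of the bit-by-bit copy described above, together with the integrity check a forensic imaging tool performs: a block-level imager that zero-fills unreadable blocks so offsets stay aligned, then hashes the acquired stream and the written image to confirm they match. The in-memory UnreadableBlocks chip and the image_device function are constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # imaging granularity; NAND page sizes are typically 2-16 KiB

class UnreadableBlocks(io.BytesIO):
    """Constructed stand-in for a NAND chip: some blocks fail to read."""

    def __init__(self, data, bad_blocks, block_size=BLOCK_SIZE):
        super().__init__(data)
        self.bad_blocks, self.block_size = set(bad_blocks), block_size

    def read(self, size=-1):
        if self.tell() // self.block_size in self.bad_blocks:
            raise OSError("uncorrectable read error (simulated)")
        return super().read(size)

def image_device(source, image, block_size=BLOCK_SIZE):
    """Bit-by-bit copy of `source` into `image`; unreadable blocks are
    zero-filled so image offsets match the medium (dd conv=noerror,sync).
    Returns (sha256 as acquired, sha256 of the image read back, bad blocks).
    """
    acquired, bad_blocks, index = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = source.read(block_size)
        except OSError:
            bad_blocks.append(index)
            chunk = b"\x00" * block_size
            source.seek((index + 1) * block_size)  # skip the bad block
        if not chunk:
            break
        image.write(chunk)
        acquired.update(chunk)
        index += 1
    image.seek(0)  # re-read the written image to verify it, as a tool would
    verified = hashlib.sha256()
    for chunk in iter(lambda: image.read(block_size), b""):
        verified.update(chunk)
    return acquired.hexdigest(), verified.hexdigest(), bad_blocks

def demo():
    """Image a constructed 8-block chip whose block 3 is unreadable."""
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(8)]
    chip = UnreadableBlocks(b"".join(blocks), bad_blocks={3})
    image = io.BytesIO()
    src, img, bad = image_device(chip, image)
    expected = b"".join(b"\x00" * BLOCK_SIZE if i == 3 else b for i, b in enumerate(blocks))
    return {"verified": src == img, "bad_blocks": bad,
            "faithful": image.getvalue() == expected, "size": len(image.getvalue())}
```

Matching digests show the image holds exactly what was read; the bad-block list is the record of which offsets were padded rather than acquired.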
Physical acquisition has the greatest potential for recovering data from iOS devices; however, evolving security features (secure boot chain, storage encryption, and passcode) on these devices may hinder access to the data during forensic acquisition. Researchers and commercial forensic tool vendors are continually attempting new techniques to bypass the security features and perform physical acquisition on iOS devices. Currently, there are two methods that can be used to gain access to the iOS device and grab a physical image of the NAND. The two methods are explained in detail in the following sections.