THM — iOS Forensics

My Notes on THM Room.

Data Acquisition & Trust Certificates

iPhones will only back up to trusted computers. When plugged into a new device, the iPhone asks the user whether or not they wish to trust the computer. “Trusting” a computer involves generating a pair certificate on both the iPhone and the computer. If the certificate matches up on both devices, the iPhone can be backed up. This process is a fantastic security measure by Apple, namely to prevent attacks such as “Juice Jacking”.

A lockdown certificate is stored within /private/var/db/lockdown on later iOS devices or /private/var/Lockdown on older iOS devices.

Analyzing iOS Files



Although the suspect’s phone is locked with a passcode, you have been able to use a recent “Lockdown Certificate” from the suspect’s computer, allowing you to create a logical file system dump from an iPhone backup he made recently.

Who was the recipient of the SMS message sent on the 23rd of August 2020?

What did the SMS message say?

Looking at the address book, what is the first name of the other person in the contacts?


Following on from Question #3, what is their listed “Organization”?

Investigate their browsing history, what is the address of the website that they have bookmarked?

The suspect received an email, what is the remote_id of the sender?

What is the name of the company on one of the images stored on the suspect's phone?

What is the value of the cookie that was left behind?
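For the date-based SMS questions, the sketch below filters sent messages by day. It is an added example, not code from the room or from these notes. It assumes the dump contains the iOS message store `sms.db` with `message` and `handle` tables, and that `message.date` holds seconds (or, on newer iOS, nanoseconds) since 2001-01-01 UTC; the database, numbers and texts are constructed sample data.

```python
import sqlite3
from datetime import date, datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time zero

def apple_to_utc(raw):
    """Convert a `message.date` value to UTC (assumed seconds or nanoseconds)."""
    seconds = raw / 1_000_000_000 if raw > 10**11 else raw
    return APPLE_EPOCH + timedelta(seconds=seconds)

def utc_to_apple(dt, nanoseconds=False):
    """Inverse conversion, used here only to build the constructed sample rows."""
    secs = int((dt - APPLE_EPOCH).total_seconds())
    return secs * 1_000_000_000 if nanoseconds else secs

def build_sample_db():
    """Constructed stand-in for sms.db holding only the columns used below."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              handle_id INTEGER, date INTEGER, is_from_me INTEGER);
    """)
    db.executemany("INSERT INTO handle VALUES (?, ?)",
                   [(1, "+15550100"), (2, "+15550199")])
    utc = timezone.utc
    db.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "constructed message A", 1, utc_to_apple(datetime(2021, 3, 4, 9, 30, tzinfo=utc)), 1),
        (2, "constructed message B", 2, utc_to_apple(datetime(2021, 3, 5, 18, 0, tzinfo=utc), True), 1),
        (3, "constructed message C", 2, utc_to_apple(datetime(2021, 3, 5, 23, 59, tzinfo=utc)), 0),
    ])
    return db

def sent_on(db, day):
    """Return (recipient, text, utc_time) for messages the device owner sent on `day`."""
    query = """SELECT h.id, m.text, m.date FROM message m
               JOIN handle h ON h.ROWID = m.handle_id
               WHERE m.is_from_me = 1"""
    hits = [(rcpt, text, apple_to_utc(raw)) for rcpt, text, raw in db.execute(query)]
    return sorted((h for h in hits if h[2].date() == day), key=lambda h: h[2])

if __name__ == "__main__":
    for hit in sent_on(build_sample_db(), date(2021, 3, 5)):
        print(hit)
```

The comparison is done in UTC; if a question refers to the suspect's local date, convert `utc_time` to that timezone before comparing.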


