Leveraging Memory Forensics To Decrypt iOS Backups
The number of iOS devices globally has been increasing. Mobile forensics is limited in the evidence it can obtain because of rapid changes in technology and the quick advancement of mobile software and operating systems. Memory analysis is a technique that digital forensics and incident response practitioners use to find critical data. This work focuses on analyzing the memory of a personal computer to discover digital evidence from an iOS device. The study aimed to locate information including Apple ID credentials, encrypted backup passwords, sensitive device information and more. For some iOS artifacts, it was possible to locate them in memory as well as create techniques to discover them without knowing their value beforehand. This is therefore a step towards using memory forensics to discover mobile evidence.