How to make a dump of my iPhone in order to do forensics

Solution 1:

You can read about how the encryption is performed and how the AES keys are built in Apple's iOS Security Guide:

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

In particular this describes that the key is not available to the application processor. It is only available within the Secure Enclave. This means that even though you know your password, you cannot rebuild the AES-key from it on a different computer.

This means that it is not possible to do what you want (i.e. dumping the raw disk contents and decrypting it on another computer using AES keys that you build from your own password on that computer).

With regard to dumping raw disk content, you can use the dd command if you want - but you cannot really use it for anything.
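
A simplified model of the argument in Solution 1, added here as an example; it is not code from the original answer and not Apple's actual construction. `EnclaveModel`, the HMAC-SHA256/PBKDF2 combination and the iteration count are assumptions standing in for the hardware-bound key derivation; the passcode and salt are constructed sample values.

```python
import hashlib
import hmac
import os


class EnclaveModel:
    """Toy stand-in for a hardware key store: the UID is created inside and
    no method returns it (models 'the key never reaches the application
    processor'; an assumption, not the real design)."""

    def __init__(self):
        self.__uid = os.urandom(32)  # device-unique secret, never exported

    def derive_key(self, passcode: str, salt: bytes) -> bytes:
        # Entangle the passcode with the device secret, then stretch it.
        tangled = hmac.new(self.__uid, passcode.encode(), hashlib.sha256).digest()
        return hashlib.pbkdf2_hmac("sha256", tangled, salt, 10_000)


def offline_derive(passcode: str, salt: bytes) -> bytes:
    # What can be computed on another computer: the passcode and the salt
    # (readable from a raw dump) are known, the UID is not.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000)


def key_tag(key: bytes) -> bytes:
    # Key-check value, standing in for "does this key decrypt the dump?"
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def demo():
    passcode, salt = "123456", os.urandom(16)  # constructed sample values
    phone = EnclaveModel()
    stored = key_tag(phone.derive_key(passcode, salt))  # as written to flash

    def matches(key: bytes) -> bool:
        return hmac.compare_digest(key_tag(key), stored)

    same_device = matches(phone.derive_key(passcode, salt))
    offline = matches(offline_derive(passcode, salt))
    other_phone = matches(EnclaveModel().derive_key(passcode, salt))
    return same_device, offline, other_phone


if __name__ == "__main__":
    print(demo())
```

Only the derivation performed on the original device reproduces the key; the correct passcode alone, or the correct passcode on a different device, does not.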

Solution 2:

You will need to get your hands dirty. Presuming it's an iPhone that you won't necessarily be using again...

You'll need to disassemble the phone, removing the flash parts (the disk as most people call it). You must do this carefully since you will need to replace the flash parts and Secure Enclave such that they do not become unpaired with each other.

Copying the raw contents of the flash parts will allow you to review whether anything is stored in plain text, but I can save you the trouble...everything on the business side of the Secure Enclave is encrypted.

If you've been very careful, you can boot the phone and try to access known data. You'll want to have a logic analyzer on both sides of the Secure Enclave so that you can see what it got from which part of the flash. Pinouts for the flash parts are well known, but the BGA layout for Apple's custom ASIC is somewhat nebulous.

With considerable effort, you can force different data patterns to be read, but if your fake responses are too wrong, a bus error is generated and the entire thing stops working until you remove power and have another go.

Honestly, it's just not worth it unless somebody will pay you millions for the data you retrieve. Playing around with a broken phone just to feed your curiosity is one thing, but you will need serious EE skills and equipment to do forensics on an iPhone.