Conducting forensics of mobile devices to find signs of a potential compromise
by 34679
iOS, https://docs.mvt.re/en/latest/ios/methodology/
> You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.
Since Apple won't allow iDevice owners to access an unredacted raw disk image for forensics, iOS malware detection tools are hamstrung. The inability to fully backup devices means that post-intrusion device restore is literally impossible. Only a new OS version can be installed, then a subset of the original data can be restored, then every app/service needs to re-establish trust with this newly "untrusted" (but more trustworthy than the previously trusted-but-compromised) device.
In theory, Apple could provide their own malware analysis toolset, or provide optional remote attestation to verify OS and baseband integrity.
In the absence of persistent disk artifacts, the next best option is behavioral analysis, e.g. usage anomalies ("dog that did not bark") in CPU, battery, storage or network. Outbound network traffic can be inspected by a router and compared against expected application and system traffic. This requires an outbound firewall where rules can specify traffic by wildcard domain names, which are widely used by CDNs. Apple helpfully provides a list of domains and port numbers for all Apple services.
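As an added example (not code from the original post or from MVT), here is a small Python allowlist check in the spirit of that comment: it matches destination hosts against wildcard domain rules on a DNS label boundary and flags outbound flows whose (domain, port) pair is not expected. The allowlist entries and the flow-log lines are constructed stand-ins, not Apple's actual published list.

```python
# Constructed allowlist of expected (wildcard domain, ports) pairs.
# Assumption: a real deployment loads the vendor's published service list.
ALLOWLIST = [
    ("apple.com", {443}),
    ("*.apple.com", {80, 443}),
    ("*.icloud.com", {443}),
    ("*.push.apple.com", {443, 5223}),
]


def domain_matches(pattern, host):
    """Wildcard match on whole DNS labels: '*.apple.com' matches 'gs.apple.com'
    and 'a.b.apple.com', but not 'apple.com' itself or 'apple.com.example'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".apple.com"; must sit on a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_expected(host, port, allowlist=ALLOWLIST):
    """True if some allowlist rule covers both the host and the port."""
    return any(domain_matches(p, host) and port in ports for p, ports in allowlist)


def find_anomalies(log_lines, allowlist=ALLOWLIST):
    """Parse constructed 'timestamp host port bytes' flow records and return
    (timestamp, host, port, bytes) for destinations outside the allowlist."""
    anomalies = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the export
        ts, host, port, nbytes = line.split()
        if not is_expected(host, int(port), allowlist):
            anomalies.append((ts, host, int(port), int(nbytes)))
    return anomalies


# Constructed sample export from a router: two flows should be flagged,
# the look-alike domain and the unexpected port on a legitimate domain.
SAMPLE_LOG = """# ts host port bytes
2024-05-01T10:00:01 gs.apple.com 443 1200
2024-05-01T10:00:02 p12-keyvalueservice.icloud.com 443 800
2024-05-01T10:00:03 1-courier.push.apple.com 5223 300
2024-05-01T10:00:04 apple.com.lookalike.example 443 5400
2024-05-01T10:00:05 gs.apple.com 8080 90
"""

if __name__ == "__main__":
    for ts, host, port, nbytes in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"unexpected: {ts} {host}:{port} ({nbytes} bytes)")
```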
Unless I remember incorrectly, doesn't iOS do an integrity verification at system boot?
Has anyone seen an iOS device fail to boot due to an integrity violation?
Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit, which itself can only identify a small subset of real-world attacks. For evidence, look no further than the endless stream of zero-day CVEs in Apple Security Updates for iOS. Recovery from iOS malware often requires DFU (Device Firmware Update) mode reinstallation from a separate device running macOS.
Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.
Persistent iOS malware is quite rare these days.
Integrity verification of what? The OS definitely has its signature/hash checked.
# if [ "beefcafebeef" != "$(dd if=/dev/mtdblock3 2>/dev/null | sha256sum | cut -d' ' -f1)" ]; then
Most modern malware is not disk resident, as it has a higher probability of persisting by re-infection with an undocumented zero-day.
For example, people that play games that bind the GPS location services will find interruptions magically stop for a while after a cold power-off and power-on restart. Or the battery performance suddenly stops quickly losing power in standby, as recording/image capture was burning power and data budgets.
Ultimately, a smartphone is impossible to fully secure, as the complexity has a million holes in it regardless of the brand. And Gemini is a whole can of worms I'd rather not discuss without my lawyer present. =3
> Since Apple won't allow iDevice owners to access an unredacted raw disk image for forensics, iOS malware detection tools are hamstrung.
And it's not just Apple.
Android is just as bad, and even worse for the user because while iOS backups are consistent in backing up everything sans stuff in the Secure Enclave (i.e. credit card and eSIM keys), on Android support for backup is optional for apps and there are many games that just outright don't do any kind of backup.
Does the iPhone / iOS track the profiles of the machines it is physically connected with and when “Allow Access” is selected? I ask because I did not have face authentication or a password on my phone and my ex-landlords illegally obtained my exempt property and I would like to know if they plugged it in to their computer and potentially obtained personal files from it. Yes I know the lack of security was an oversight and failure on my part. I accept that. However, they also tried to steal my car and sell it and refuse to return my property they are not legally entitled to possess (“tools of trade” under Texas law). The legal process takes time so I’m just curious if such a forensics investigation is possible.
I recently had the "pleasure" of reading over a criminal forensic investigation report. It was harrowing. The report was basically like "we ran virus check and it reported clean so nobody could have accessed the system remotely" and then it moved right along to the next thing. The logic felt more dubious than some of the court scenes from Idiocracy. And it had been produced for defense counsel and paid for by the defendant.
Did the defendant argue that the system was compromised and that they therefore did not commit the crime?
iVerify uses diagnostic logs for hunting. Give it a go.