iPhone (iOS) forensics is somewhat complicated by difficult data structures in the device. However, it is possible to do a quick iPhone investigation with basic Linux command-line tools. We show how to use some basic Linux commands to search for files and file contents in an iPhone for a quick investigation.
If you are doing a forensic investigation of any Apple device, you will probably find binary plists (bplists). In that case, you will need a parser to help make sense of the data. Luckily, a command-line tool ‘bplister’ exists that can parse out bplists from an iPhone. Combine that with standard Linux tools and you have all you need to do a quick basic investigation of an iPhone dump. No need to be intimidated by iPhone forensics. Just treat it like a standard device investigation.
Marsha’s iPhone Image: