It’s an exciting time to be doing iOS forensics! I was reading Mattia Epifani’s blog this morning and I’m looking forward to playing with his updated ios_bfu_triage script.
ios_bfu_triage, in summary, is a script that you can run on macOS to extract data from a “checkra1ned” iOS device. The possibilities include collecting device information, executing live commands, and acquiring a full image! Read more here:
Once the acquisition is complete, you can bring the acquired TAR to your mobile forensics tools for parsing, examination, and reporting!
If you are not familiar with Mattia’s work, I would recommend reading all of his posts on the topic, especially this one:
Mainstream tools are also adding support for the recent iOS exploits. If you have been acquiring “checkra1ned” iOS devices, I would be interested to hear your experiences (afu.1.dar anyone?)