
Understanding The iOS Internals

Here is what we are going to talk about:

1. HFS file system
2. APFS file system
3. iOS architecture
4. iOS security

To understand the forensic process on an iOS device, it helps to know which file system it uses. Apple's ecosystem is closed, so the choice is narrow: all Macs running macOS 10.14 and later use APFS by default, and APFS is also the file system of the rest of Apple's product line, the devices running iOS, iPadOS, tvOS and watchOS. HFS+, the previous de facto standard, is still supported to preserve compatibility with older volumes.

1. HFS file system

HFS (Hierarchical File System) was introduced by Apple in 1985. The storage medium is represented as volumes, and an HFS volume is divided into logical blocks of 512 bytes. These logical blocks are grouped together into allocation blocks, which the file system uses to track data more efficiently.

HFS uses a 16-bit value to address allocation blocks, which limits a volume to 65,535 allocation blocks. On a large disk this forces very large allocation blocks, so even a tiny file wastes a lot of space.

To overcome this wasted space and other limitations of HFS, Apple introduced HFS Plus (HFS+) in 1998. It addresses allocation blocks with 32-bit values, so a volume can have up to 4,294,967,296 allocation blocks. Journaling was added later (Mac OS X 10.2.2) and has been enabled by default since Mac OS X 10.3 to protect the file system structures from corruption, and a Startup File lets a system without HFS Plus support boot from the volume.

Journaling works by first writing the metadata of a file system operation, such as creating, deleting or modifying a file, to a special area on the disk called the journal, and only then applying it to the main structures. If the system crashes in between, the journal is replayed on the next mount, so the structures are brought back to a consistent state instead of being left half-updated. The journaled metadata describes the file name, size, location, permissions and so on, which also makes the journal a useful source of evidence about recently changed files.

a. HFS Plus volume

The HFS Plus volume contains a number of internal structures to manage the organization
of data.
[Figure: HFS Plus volume layout]

1. Reserved (1024 bytes):

This is reserved for bootloader information.

2. Volume Header:

This stores volume information, such as the size of allocation blocks, a timestamp of when the volume was created, and metadata about each of the five special files.

3. Allocation File:

This file is used to track which allocation blocks are in use by the system. The file format consists of 1 bit for every allocation block. If the bit is set, the block is in use. If it is not set, the block is free.

4. Extents Overflow File:

This file records extents (runs of contiguous allocation blocks) that do not fit in a file's catalog record. The catalog record holds only the first eight extents of each fork; once a fork is fragmented into more than eight extents, the remaining ones are stored here, so this file is needed to locate all of the file's data. Bad blocks are also recorded in this file.

5. Catalog File:

This file contains information about the hierarchy of files and folders, which is used to locate any file and folder within the volume.

6. Attributes File:

This file contains inline data attribute records, fork data attribute records, and extension attribute records.

7. Startup File:

This file contains the information needed to assist in booting a system that does not have HFS Plus support.

8. Alternate Volume Header:

This is a backup of the volume header, and it's mainly used for disk repairing.

9. Reserved (512 bytes):

This is reserved for use by Apple, and it is used during the manufacturing process.
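To make the layout above concrete, here is an added example (not code from the original page or from any Apple tool) that builds a small constructed HFS+ image, parses the 512-byte volume header that sits after the 1024 reserved bytes, reads the alternate header 1024 bytes before the end, decodes the journaled flag and the HFS dates, and walks the allocation file bitmap to count used blocks. The field layout follows Apple's Technical Note TN1150; the image contents (block counts, dates, which blocks are marked in use) are invented for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from Apple's Technical Note TN1150 (HFS Plus Volume Format).
HFSPLUS_SIGNATURE = 0x482B        # 'H+'
HFSX_SIGNATURE = 0x4858           # 'HX', the case-sensitive variant
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
ATTR_UNMOUNTED = 1 << 8           # kHFSVolumeUnmountedBit: volume was cleanly unmounted
ATTR_JOURNALED = 1 << 13          # kHFSVolumeJournaledBit

# Fixed part of the volume header (big-endian): signature, version, 17 x uint32,
# encodingsBitmap (uint64) and 8 x uint32 finderInfo = 112 bytes ...
HEADER_FMT = ">HH" + "I" * 17 + "Q" + "I" * 8
# ... followed by five HFSPlusForkData records (80 bytes each): logicalSize,
# clumpSize, totalBlocks and eight (startBlock, blockCount) extents.
FORK_FMT = ">QII" + "II" * 8
FORK_SIZE = struct.calcsize(FORK_FMT)          # 80
SPECIAL_FILES = ("allocation", "extents", "catalog", "attributes", "startup")


def hfs_date(seconds):
    """HFS+ dates are seconds since 1904-01-01 UTC; 0 means 'never'.
    Note that createDate alone is stored in local time (TN1150)."""
    return HFS_EPOCH + timedelta(seconds=seconds) if seconds else None


def parse_fork(buf, off):
    f = struct.unpack_from(FORK_FMT, buf, off)
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8)]
    return {"logical_size": f[0], "total_blocks": f[2],
            "extents": [e for e in extents if e[1]]}   # drop unused extent slots


def parse_volume_header(block):
    """Parse one 512-byte HFS+ volume header (primary or alternate)."""
    f = struct.unpack_from(HEADER_FMT, block, 0)
    if f[0] not in (HFSPLUS_SIGNATURE, HFSX_SIGNATURE):
        raise ValueError("not an HFS Plus volume header")
    hdr = {
        "signature": "H+" if f[0] == HFSPLUS_SIGNATURE else "HX",
        "version": f[1],
        "journaled": bool(f[2] & ATTR_JOURNALED),
        "clean_unmount": bool(f[2] & ATTR_UNMOUNTED),
        "journal_info_block": f[4],
        "create_date": hfs_date(f[5]),
        "modify_date": hfs_date(f[6]),
        "file_count": f[9], "folder_count": f[10],
        "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13],
    }
    off = struct.calcsize(HEADER_FMT)
    for name in SPECIAL_FILES:
        hdr[name + "_file"] = parse_fork(block, off)
        off += FORK_SIZE
    return hdr


def block_in_use(bitmap, block_no):
    """Allocation file: one bit per allocation block, block 0 is the MSB of byte 0."""
    return bool(bitmap[block_no >> 3] & (0x80 >> (block_no & 7)))


def read_volume(image):
    """Read both volume headers, locate the allocation file and count used blocks."""
    hdr = parse_volume_header(image[1024:1536])                            # after the 1024 reserved bytes
    alt = parse_volume_header(image[len(image) - 1024:len(image) - 512])   # 1024 bytes before the end
    bs = hdr["block_size"]
    start, count = hdr["allocation_file"]["extents"][0]   # first extent of the allocation file
    bitmap = image[start * bs:(start + count) * bs]
    used = sum(block_in_use(bitmap, b) for b in range(hdr["total_blocks"]))
    return hdr, alt, bitmap, used


def build_sample_image():
    """Constructed 256 KiB HFS+ image: 64 blocks of 4 KiB, bitmap in block 1,
    blocks 0-3 and the last block marked in use, journaled flag set."""
    bs, total = 4096, 64
    image = bytearray(bs * total)
    bitmap = bytearray(bs)
    for b in (0, 1, 2, 3, total - 1):
        bitmap[b >> 3] |= 0x80 >> (b & 7)
    image[bs:2 * bs] = bitmap
    created = int((datetime(2024, 5, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    header = struct.pack(HEADER_FMT, HFSPLUS_SIGNATURE, 4, ATTR_JOURNALED | ATTR_UNMOUNTED,
                         0x4846534A,                    # lastMountedVersion 'HFSJ' (journaled HFS+)
                         2,                             # journalInfoBlock
                         created, created, 0, created,  # create/modify/backup/checked dates
                         0, 0,                          # file and folder counts
                         bs, total, total - 5, 4,       # blockSize, totalBlocks, freeBlocks, nextAllocation
                         bs, bs, 16, 1,                 # clump sizes, nextCatalogID, writeCount
                         1, *([0] * 8))                 # encodingsBitmap, finderInfo
    alloc_fork = struct.pack(FORK_FMT, bs, bs, 1, 1, 1, *([0] * 14))  # one extent: block 1, length 1
    header += alloc_fork + bytes(FORK_SIZE) * 4
    image[1024:1536] = header
    image[-1024:-512] = header                          # alternate volume header
    return image
```

A quick consistency check worth running on a real image: the number of set bits in the allocation file should equal totalBlocks minus freeBlocks, and the primary and alternate headers should agree; a mismatch means the volume was not cleanly unmounted or the header was tampered with.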

b. Deletion & Recovery

  • File deletion: the file system removes the file's records from the catalog B-Tree (and any extent records from the extents overflow file) and marks its blocks as free in the allocation file. The data blocks themselves are not wiped.
  • File recovery: the file name, size and on-disk position are gone from the live metadata, but copies of these records may survive in the journal or in the unused space of B-Tree nodes, allowing intact files to be recovered. Signature-based carving (UFS Explorer calls this IntelliRAW: searching unallocated space for known headers and footers, the so-called file signatures or magic numbers) increases the chances of getting the data back, but the file name and timestamps are usually lost.
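The following added example (not from the original page or from UFS Explorer) shows what signature-based carving does: it scans a constructed disk image at allocation-block boundaries for the real magic numbers of PNG, JPEG and PDF files, finds each file's footer to determine its length, flags files whose footer is gone, and can be restricted to the blocks the allocation file reports as free. The image contents, block size and the small signature table are choices made for this demonstration.

```python
# Signatures (header, footer) for a few common file types. These are the real
# magic numbers; the set is deliberately small for the example.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, block_size, scan_blocks=None, max_size=64 * 1024):
    """Scan block-aligned offsets for known headers and return a list of
    (kind, offset, length, complete) tuples. Files always start on an
    allocation block boundary, so scanning only aligned offsets skips the
    embedded copies (thumbnails, fragments) that cause false positives.
    scan_blocks limits the scan, e.g. to the blocks the allocation file marks free."""
    nblocks = len(image) // block_size
    blocks = range(nblocks) if scan_blocks is None else sorted(scan_blocks)
    found = []
    for b in blocks:
        off = b * block_size
        for kind, (head, foot) in SIGNATURES.items():
            if not image.startswith(head, off):
                continue
            # Look for the footer after the header, within a sane maximum size.
            # (For PDFs with incremental updates the first %%EOF truncates the
            # file; a production carver would keep the last one in the window.)
            end = image.find(foot, off + len(head), off + max_size)
            if end == -1:
                found.append((kind, off, min(max_size, len(image) - off), False))
            else:
                found.append((kind, off, end + len(foot) - off, True))
    return found


def extract(image, hits):
    """Return the carved files keyed by a synthetic name: the original name is gone."""
    return {f"carved_{off:08x}.{kind}": bytes(image[off:off + length])
            for kind, off, length, _ in hits}


def build_sample_image():
    """Constructed 32 KiB image (64 blocks of 512 bytes) holding a small PNG,
    a two-block JPEG, a PDF, a truncated JPEG and an unaligned '%PDF-' fragment."""
    bs = 512
    image = bytearray(bs * 64)
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + bytes(range(200)) + SIGNATURES["png"][1]
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(1000) + b"\xff\xd9"
    pdf = b"%PDF-1.7\n1 0 obj\n" + b"x" * 700 + b"\n%%EOF\n"
    cut = b"\xff\xd8\xff\xe1" + bytes(100)              # JPEG whose footer was overwritten
    for block, data in ((5, png), (20, jpg), (40, pdf), (50, cut)):
        image[block * bs:block * bs + len(data)] = data
    image[30 * bs + 100:30 * bs + 105] = b"%PDF-"        # not block-aligned: must be ignored
    return image, bs
```

Passing only the free blocks (the complement of the allocation bitmap from the previous example) is how a carver targets deleted data; carving the whole image instead also recovers live files, which inflates the result set and hides what was actually deleted.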

2. APFS filesystem

APFS (Apple File System) first shipped on iOS 10.3 in March 2017 and came to the Mac with macOS High Sierra 10.13 later that year. It was designed exclusively for Apple's products: Macs, iPhones, iPads, Apple Watches and Apple TVs.

a. main features:

  1. Clones: These are instantaneous copies of files or directories.
  2. Snapshots: Point-in-Time (PIT) read-only instances of the filesystem.
  3. Space sharing: This allows multiple filesystems to share the same underlying free space on a physical volume.
  4. Encryption: native support for encrypting a whole container or individual volumes, using either AES-XTS (Advanced Encryption Standard in XEX-based tweaked-codebook mode with ciphertext stealing) or AES-CBC (Cipher Block Chaining), depending on the hardware.
  5. Crash protection: the file system uses copy-on-write (CoW), which minimizes the risk of corruption. Before APFS, changes were written straight into the storage blocks occupied by the existing objects. APFS never overwrites them in place: it writes the modified copy to a new location and only then switches the references over, so a crash in the middle of a write leaves the old, consistent version intact.
  6. Sparse files: These allow the logical size of files to be greater than the physical space they occupy on the disk.
  7. Fast directory sizing: This quickly computes the total space used by a directory hierarchy, allowing it to be updated as the hierarchy evolves.

b. APFS structure


1. Container Superblock:

contains the block size, the number of blocks, a pointer to the space manager, the object IDs of all volumes, and a pointer to the container's object map B-Tree, which maps each object ID to the block that currently holds it (the volume superblocks are looked up through it). Every APFS object, this one included, starts with a Fletcher-64 checksum, an object ID and a transaction ID, which is what lets a tool tell a valid, current superblock from a stale or damaged copy.

2. Nodes:

are used for storing different kinds of entries. They can be part of a B-Tree or exist on their own and can contain either flexible or fixed-sized entries.

3. Space Man(ager):

manages the allocated blocks in the APFS container, and stores the number of free blocks and a pointer to the Allocation Info File.

4. Allocation Info :

stores the allocation file's length, version, and the offset.

5. B-Trees:

manage multiple nodes and contain the offset of the root node.

6. Volume Superblock:

contains the name of the volume, its ID and timestamps, plus pointers to the volume's own object map and to the root of its file-system B-Tree, where the catalog-like records (inodes, directory entries, extents) live.

c. Deletion & Recovery

  • File deletion: the file system is optimized for SSD storage. When a file is deleted its blocks are marked free and APFS issues a TRIM (discard) command for them, so the drive's controller can erase them in the background and later writes are faster.
  • File recovery: blocks the drive has erased in response to TRIM cannot be recovered, so TRIM drastically reduces the chances of restoring deleted files from APFS; in general the chances of getting all of the files back are extremely low. Two places an examiner should still check: APFS snapshots keep every block they reference alive even after the file is deleted from the live volume, and older checkpoint copies of the container superblock can point to previous file-system states.
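For the container structure described in section b and the recovery point just made in section c, here is an added example (not code from the original page or from Apple) that constructs a small APFS container image, builds and parses the container superblock (nx_superblock_t, whose field offsets follow Apple's published APFS reference), verifies the Fletcher-64 checksum every APFS object carries, and then scans the image for all NXSB copies, the way a forensic tool finds older checkpoint superblocks to reach earlier states of the file system. The block addresses, object IDs, UUID and the deliberately corrupted copy are all constructed for this demonstration.

```python
import struct

NXSB_MAGIC = b"NXSB"                 # nx_magic, stored little-endian as 0x4253584E
OBJ_TYPE_NX_SUPERBLOCK = 0x80000001  # OBJECT_TYPE_NX_SUPERBLOCK | OBJ_EPHEMERAL
MOD = 0xFFFFFFFF


def fletcher64(body):
    """APFS flavour of Fletcher-64 over an object with its 8-byte checksum field removed."""
    lo = hi = 0
    for (word,) in struct.iter_unpack("<I", body):
        lo = (lo + word) % MOD
        hi = (hi + lo) % MOD
    ck_lo = MOD - ((lo + hi) % MOD)
    ck_hi = MOD - ((lo + ck_lo) % MOD)
    return (ck_hi << 32) | ck_lo


def build_nx_superblock(xid, block_size, block_count, spaceman_oid, omap_oid, fs_oids):
    """Constructed container superblock (nx_superblock_t) with a valid checksum."""
    blk = bytearray(block_size)
    # obj_phys_t header: cksum (filled last), oid 1, transaction id, type, subtype
    struct.pack_into("<QQII", blk, 8, 1, xid, OBJ_TYPE_NX_SUPERBLOCK, 0)
    struct.pack_into("<4sIQQQQ16sQQIIQQIIIIIIQQQII", blk, 32,
                     NXSB_MAGIC, block_size, block_count,
                     0, 0, 0,                                             # feature flag sets
                     bytes.fromhex("00112233445566778899aabbccddeeff"),   # constructed nx_uuid
                     0x1000, xid + 1,                                     # next oid / next xid
                     4, 8, 1, 5,            # checkpoint descriptor area: 4 blocks at 1; data area: 8 blocks at 5
                     0, 0, 0, 0, 0, 0,      # checkpoint ring indexes (unused here)
                     spaceman_oid, omap_oid, 0x1001,   # space manager, object map, reaper
                     0, 100)                           # test type, max file systems
    struct.pack_into(f"<{len(fs_oids)}Q", blk, 184, *fs_oids)   # nx_fs_oid[]: volume superblock oids
    struct.pack_into("<Q", blk, 0, fletcher64(blk[8:]))
    return bytes(blk)


def parse_nx_superblock(blk):
    """Validate the checksum and return the fields a forensic tool needs first."""
    if blk[32:36] != NXSB_MAGIC:
        raise ValueError("no NXSB magic")
    if struct.unpack_from("<Q", blk, 0)[0] != fletcher64(blk[8:]):
        raise ValueError("Fletcher-64 checksum mismatch")
    oid, xid, otype = struct.unpack_from("<QQI", blk, 8)
    block_size, block_count = struct.unpack_from("<IQ", blk, 36)
    desc_blocks, data_blocks, desc_base, data_base = struct.unpack_from("<IIQQ", blk, 104)
    spaceman, omap, reaper, _test, max_fs = struct.unpack_from("<QQQII", blk, 152)
    fs_oids = [o for o in struct.unpack_from(f"<{max_fs}Q", blk, 184) if o]
    return {"oid": oid, "xid": xid, "type": otype,
            "block_size": block_size, "block_count": block_count,
            "uuid": bytes(blk[72:88]).hex(),
            "xp_desc": (desc_base, desc_blocks), "xp_data": (data_base, data_blocks),
            "spaceman_oid": spaceman, "omap_oid": omap, "reaper_oid": reaper,
            "fs_oids": fs_oids}


def scan_for_superblocks(image, block_size):
    """Every block with NXSB magic is a candidate: block 0 is the current superblock and
    the checkpoint descriptor area holds older copies. A bad checksum marks a stale or damaged one."""
    hits = []
    for n in range(len(image) // block_size):
        blk = image[n * block_size:(n + 1) * block_size]
        if blk[32:36] != NXSB_MAGIC:
            continue
        try:
            hits.append({"block": n, "xid": parse_nx_superblock(blk)["xid"], "valid": True})
        except ValueError as err:
            hits.append({"block": n, "xid": None, "valid": False, "error": str(err)})
    return hits


def latest_superblock(image, block_size):
    """The live state is the valid copy with the highest transaction id;
    the lower xids are the earlier states a recovery tool can walk back to."""
    valid = [h for h in scan_for_superblocks(image, block_size) if h["valid"]]
    best = max(valid, key=lambda h: h["xid"])
    return best["block"], best["xid"]


def build_sample_container():
    """Constructed 64 KiB container: current superblock (xid 5) in block 0 and two
    checkpoint copies (xid 3 in block 2, xid 4 in block 4); the xid 4 copy gets one bit flipped."""
    bs, count = 4096, 16
    image = bytearray(bs * count)
    common = dict(block_size=bs, block_count=count, spaceman_oid=0x400, omap_oid=0x401, fs_oids=[0x402])
    image[0:bs] = build_nx_superblock(5, **common)
    image[2 * bs:3 * bs] = build_nx_superblock(3, **common)
    image[4 * bs:5 * bs] = build_nx_superblock(4, **common)
    image[4 * bs + 200] ^= 0x01          # simulated damage: checksum no longer matches
    return image, bs
```

On a real image the scan is run over the checkpoint descriptor area named in the superblock (and, by a tool that does not trust the header, over the whole device); each valid older superblock leads, through its object map, to the volume state as it was at that transaction, which is where deleted files sometimes still exist.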

3. iOS architecture

iOS is an intermediary between the device hardware components and the applications on the screen. The applications don't interact with the underlying hardware directly. Instead,
they do it through a well-defined system interface that protects them from hardware changes.

a. The iOS architecture consists of four layers:


1. Cocoa Touch:

This layer contains the key frameworks required to develop the visual interface for iOS applications. Frameworks in this layer provide the basic application infrastructure and support key technologies, such as touch-based input, multitasking, and many high-level system services.

2. Media:

This layer provides the graphics, audio, and video frameworks used to create the best multimedia experience available on a mobile device. The technologies in this layer help developers build applications that look and sound great.

3. Core Services:

This layer provides the fundamental system services that applications require. Not all of these services are used by developers directly, though many parts of the system are built on top of them. This layer contains the technologies that enable support for location services, iCloud, and social media.

4. Core OS:

This layer is the base layer and sits directly on top of the device hardware. It deals with low-level functionality and provides services such as networking (Berkeley Software Distribution (BSD) sockets), memory management, threading (Portable Operating System Interface (POSIX) threads), filesystem handling, access to external accessories, and Inter Process Communication (IPC). It is also where the kernel, the sandbox and the code-signing enforcement live, which is why most of the security features in the next section belong to this layer.

4. iOS security

Apple iOS devices such as the iPhone, iPad, and iPod Touch are designed with layers of security. Low-level hardware features safeguard against malware attacks, and the high-level OS features prevent unauthorized use.

[Figure: iOS security architecture]

1. Passcodes, Touch ID, and Face ID :

Passcodes restrict unauthorized access to the device. Once a passcode is set, the device asks for it each time it is turned on or woken up. iOS supports simple (numeric) as well as complex (alphanumeric) passcodes. Touch ID and Face ID are biometric conveniences layered on top of the passcode, not replacements for it: the passcode is still required after a restart and after too many failed biometric attempts. Apple puts the chance that a random stranger could unlock your iPhone with Touch ID at 1 in 50,000, and with Face ID at 1 in 1,000,000.

2. Code signing :

Code signing is the process by which a compiled iOS application is sealed and identified as coming from a specific developer. An iOS device will not run an application or load a library unless it carries a valid signature from a trusted party: to ensure that all apps come from a known, approved source and have not been tampered with, iOS requires all executable code to be signed using an Apple-issued certificate. The signature covers a hash of every page of the code and of the app's entitlements, so modifying a single byte invalidates it.
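To show what "sealed" means, the following added example (not code from the original page or from Apple's codesign tooling) builds the CodeDirectory structure that an iOS code signature is built around, using the field layout from XNU's cs_blobs.h: a header, the identifier, special slots (slot -5 holds the entitlements hash) and one SHA-256 per 4 KiB page of code. It then verifies a binary against it, detecting a flipped byte in page 1 and an edited entitlements blob, and computes the cdhash, which is the value the CMS signature actually signs and the kernel tracks. Certificate-chain and CMS checks are out of scope; the code bytes, identifier and entitlements XML are constructed for the demonstration.

```python
import hashlib
import struct

CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_HASHTYPE_SHA256 = 2
HASH_SIZE = 32
SLOT_ENTITLEMENTS = 5          # special slot -5 holds the hash of the entitlements blob
# CodeDirectory header, big-endian, through the version 0x20100 scatterOffset field:
# magic, length, version, flags, hashOffset, identOffset, nSpecialSlots, nCodeSlots,
# codeLimit, hashSize, hashType, platform, pageSize (log2), spare2, scatterOffset
CD_HEADER_FMT = ">IIIIIIIIIBBBBII"
CD_HEADER_LEN = struct.calcsize(CD_HEADER_FMT)   # 48


def page_hashes(code, page_shift):
    """One SHA-256 per page of the sealed code range; pageSize 0 means a single hash."""
    size = 1 << page_shift if page_shift else max(len(code), 1)
    return [hashlib.sha256(code[i:i + size]).digest() for i in range(0, len(code), size)]


def build_code_directory(code, identifier, entitlements=b"", page_shift=12):
    """Construct a CodeDirectory sealing `code` (and, if given, the entitlements)."""
    ident = identifier.encode() + b"\x00"
    hashes = page_hashes(code, page_shift)
    n_special = SLOT_ENTITLEMENTS if entitlements else 0
    # Special slots are stored in reverse order: slot -n first, slot -1 just before slot 0.
    special = [bytes(HASH_SIZE)] * n_special
    if entitlements:
        special[n_special - SLOT_ENTITLEMENTS] = hashlib.sha256(entitlements).digest()
    ident_off = CD_HEADER_LEN
    hash_off = ident_off + len(ident) + n_special * HASH_SIZE
    length = hash_off + len(hashes) * HASH_SIZE
    header = struct.pack(CD_HEADER_FMT, CSMAGIC_CODEDIRECTORY, length, 0x20100, 0,
                         hash_off, ident_off, n_special, len(hashes), len(code),
                         HASH_SIZE, CS_HASHTYPE_SHA256, 0, page_shift, 0, 0)
    return header + ident + b"".join(special) + b"".join(hashes)


def cdhash(cd):
    """The cdhash is what the CMS signature signs and what the kernel tracks per
    process: the SHA-256 of the CodeDirectory, truncated to 20 bytes."""
    return hashlib.sha256(cd).digest()[:20]


def verify_code_directory(cd, code, entitlements=b""):
    """Re-hash the code and entitlements and compare them with the sealed slots.
    Returns (ok, identifier-or-reason)."""
    f = struct.unpack_from(CD_HEADER_FMT, cd, 0)
    (magic, length, _version, _flags, hash_off, ident_off, n_special, n_code,
     code_limit, hash_size, hash_type, _platform, page_shift) = f[:13]
    if magic != CSMAGIC_CODEDIRECTORY or length != len(cd):
        return False, "bad CodeDirectory header"
    if hash_type != CS_HASHTYPE_SHA256 or hash_size != HASH_SIZE:
        return False, "unsupported hash type"
    if code_limit != len(code):
        return False, "code size does not match codeLimit"
    identifier = cd[ident_off:cd.index(b"\x00", ident_off)].decode()
    expected = page_hashes(code, page_shift)
    if len(expected) != n_code:
        return False, "code slot count mismatch"
    for i, digest in enumerate(expected):
        off = hash_off + i * hash_size
        if cd[off:off + hash_size] != digest:
            return False, f"page {i} modified"
    if n_special >= SLOT_ENTITLEMENTS:
        off = hash_off - SLOT_ENTITLEMENTS * hash_size
        if cd[off:off + hash_size] != hashlib.sha256(entitlements).digest():
            return False, "entitlements modified"
    return True, identifier
```

Because the entitlements are sealed through a special slot, an attacker cannot grant an app extra capabilities by editing the entitlements blob on disk without also re-signing it, and re-signing changes the cdhash, which no longer matches the developer's CMS signature.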

3. Sandboxing :

Sandboxing mitigates post-code-execution exploitation by placing the application in a tightly restricted area. Applications installed on an iOS device are sandboxed, and one application cannot access the data stored by another. Essentially, a sandbox is a mechanism that enforces fine-grained controls limiting an application's access to files, network resources, hardware, and more; even if an attacker gets code running inside an app, the sandbox is what keeps that code away from the rest of the system.

4. Encryption :

On iOS devices (since the iPhone 3GS), the entire filesystem is encrypted with a file-system key. That key is generated when iOS is installed (or the device is wiped) and stored in effaceable storage, a dedicated region of flash that the OS can securely erase; it is itself protected by the device's unique hardware key (UID), which is fused into the application processor and never leaves the silicon. This is why Joint Test Action Group (JTAG) and chip-off acquisition are of little use on iOS: the raw dump is encrypted, and the key needed to decrypt it cannot be read out of the chip.

5. Data protection :

Data Protection builds on the hardware encryption by deriving class keys from the user's passcode entangled with the device's UID, so the derivation can only run on that device. Each file is encrypted with its own per-file key, which is wrapped with the class key of the protection class the app chose for it. When the device is locked, the keys for the more protective classes are discarded from memory, so the files they cover cannot be read, even by code running on the device, until the user unlocks it again. Critical information therefore stays protected even if the device is compromised while locked.

6. Address Space Layout Randomization (ASLR) :

ASLR is an exploit mitigation technique introduced with iOS 4.3. It randomizes the locations of the executable, its libraries, the heap and the stack in a process's address space, so an attacker who has a memory corruption bug still needs an information leak to learn where to redirect execution, which makes such vulnerabilities much harder to exploit.

7. Privilege separation :

iOS follows the principle of least privilege (PoLP). Two user accounts matter: root and mobile. The most important system processes run with root privileges; everything the user interacts with directly, such as the browser and third-party applications, runs as the unprivileged mobile user (and inside a sandbox), so a compromised app still needs a separate privilege-escalation bug to reach the kernel or other apps' data.

8. Stack-smashing protection :

It is an exploit mitigation mechanism that protects against stack-based buffer overflows by placing a random value (the stack canary) between a function's local buffers and the saved frame pointer and return address. The canary is checked before the function returns; if an overflow has overwritten it, the process is aborted instead of returning to attacker-controlled data.

9. Data Execution Prevention (DEP) :

DEP is an exploit mitigation technique through which the processor distinguishes memory that holds executable code from memory that holds data (on iOS it is enforced by the MMU's execute-never bit). In a code injection attack, an attacker writes shellcode into a writable buffer and redirects execution to it; DEP blocks this because the buffer is marked as data, not code. Attackers respond by reusing existing signed code (return-oriented programming), which is why iOS combines DEP with ASLR and code signing rather than relying on it alone.

10. Data wiping :

iOS provides the Erase All Content and Settings option to wipe the data on an iPhone. Rather than overwriting the flash, it erases the encryption keys in effaceable storage that protect the data. Once the keys are gone, the ciphertext left on the flash is unrecoverable, not even during a forensic investigation.

11. Activation Lock :

Activation Lock, introduced with iOS 7, is a theft deterrent that works by leveraging Find My iPhone. When Find My iPhone is enabled, it enables Activation Lock, and a user's Apple ID and password will be required to turn off Find My iPhone, to erase the device, and to reactivate it.

12. The App Store :

The App Store is the application distribution platform for iOS, developed and maintained by Apple. If Apple approves an app, it is published to the App Store, where users can download or buy it. The strict review process makes the App Store less prone to malware, but not 100% secure (yeah, not totally secure, as we saw in 2015 with XcodeGhost: a trojanized copy of Xcode spread through unofficial download mirrors silently injected malicious code into apps built with it, the infected apps passed review, and they were reported to have affected more than 500 million users worldwide).

That's all we needed to talk about. Until next time, "Stay well, forensicators."


References :

1. https://www.ufsexplorer.com/articles/macos-file-systems/

2. https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520