iOS Forensics Tryhackme Walkthrough
By Shamsher Khan
This is a writeup of the TryHackMe room “iOS Forensics”.
Room link: https://tryhackme.com/room/malstrings
Note: This room is for premium members only, i.e. those who have purchased a THM premium membership.
Task 2. What is Digital Forensics and how is it Used Today?
Question 1. What would look more suspicious: an empty hard drive or a full hard drive?
Answer: an empty hard drive
Question 2. What is the definition for an abstract view of a hard drive?
Answer: image
Task 6. Data Acquisition & Trust Certificates
Question 1. What is the name of a forensics tool that couldn’t be used in a court of law, because data could be written to the device being analysed?
Answer: iFunbox
Question 2. You’ve found an iPhone with no passcode lock, what acquisition method would you use?
Answer: direct Acquisition
Question 3. What is the name of the certificate that gets stored on a computer when it becomes trusted?
Answer: trust certificate
Task 9. Scenario: Operation JustEncase (Deploy)
Access the deployed machine in the browser.
Open DB Browser (SQLite), click the Open Database option and select the sms.db file.
Now click the Browse Data option and select the message table.
You will see two messages.
Question 1. Who was the recipient of the SMS message sent on 23rd of August 2020?
Answer: Lewis Randall
Question 2. What did the SMS message say?
Answer: Did you get the goods?
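The same lookup can be scripted against a working copy of sms.db instead of browsing the table by hand. This is an added example, not part of the original walkthrough or the room: it assumes the usual iOS sms.db layout (a message table with text, handle_id, date and is_from_me columns, and a handle table with id), and the database, phone number and message texts below are constructed.

```python
import os, sqlite3, tempfile
from datetime import date, datetime, timedelta, timezone
from pathlib import Path

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple timestamps count from here

def cocoa_to_utc(value):
    """Convert a message.date value to UTC (newer iOS stores nanoseconds, older seconds)."""
    seconds = value / 1_000_000_000 if value > 10**12 else value
    return COCOA_EPOCH + timedelta(seconds=seconds)

def to_cocoa(dt, nanoseconds=False):
    """Inverse helper, used only to build the constructed sample database."""
    secs = int((dt - COCOA_EPOCH).total_seconds())
    return secs * 1_000_000_000 if nanoseconds else secs

def messages_on(db_path, day):
    """Return (utc_time, direction, handle, text) for messages dated `day` in UTC."""
    # mode=ro: SQLite rejects any write, so the working copy of the evidence stays unchanged
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT m.date, m.is_from_me, h.id, m.text FROM message m "
            "LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.date").fetchall()
    finally:
        conn.close()
    hits = []
    for raw, from_me, handle, text in rows:
        ts = cocoa_to_utc(raw)
        if ts.date() == day:
            hits.append((ts, "sent" if from_me else "received", handle, text))
    return hits

def build_sample_db(path):
    """Constructed stand-in for sms.db with only the columns this example reads."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);"
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,"
        " handle_id INTEGER, date INTEGER, is_from_me INTEGER);"
        "INSERT INTO handle VALUES (1, '+15550100');")
    utc = timezone.utc
    conn.executemany("INSERT INTO message (text, handle_id, date, is_from_me) VALUES (?,?,?,?)", [
        ("constructed message A", 1, to_cocoa(datetime(2020, 8, 23, 12, 0, tzinfo=utc)), 1),
        ("constructed message B", 1, to_cocoa(datetime(2020, 8, 24, 9, 30, tzinfo=utc), True), 0)])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(sample)
    for ts, direction, handle, text in messages_on(sample, date(2020, 8, 23)):
        print(ts.isoformat(), direction, handle, text)
```

The day is compared in UTC, so a message sent close to midnight on the device's local clock can fall on the neighbouring date.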
Question 3. Looking at the address book, what is the first name of the other person in the contacts?
Now drag and drop the first file, right-click on ABPerson and select Browse Table.
Answer: Jenny
Question 4. Following on from Question #3, what is their listed “Organization”?
Answer: Transportation
Question 5. Investigate their browsing history, what is the address of the website that they have bookmarked?
Drag and drop the Bookmarks file into the Browse Data option.
Right-click on Bookmarks and select Browse Table.
Answer: https://blog.cmnatic.co.uk
Question 6. The suspect received an email, what is the remote_id of the sender?
Drag and drop the Envelope Index file into the Browse Data tab.
Answer: 51.32.56.12
Question 7. What is the name of the company on one of the images stored on the suspect's phone?
Answer: Tryhackme
Question 8. What is the value of the cookie that was left behind?
Open the second file with Notepad++.
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher