iOS Forensics Tryhackme Walkthrough

Shamsher khan
May 13, 2021

By Shamsher khan. This is a writeup of the TryHackMe room “iOS Forensics”.


Room link: https://tryhackme.com/room/malstrings
Note: This room is for premium members only, that is, those who have purchased a THM premium membership.

Task 2. What is Digital Forensics and how is it Used Today?

Question 1. What would look more suspicious? an empty hard drive or a full hard drive?

Answer: an empty hard drive

Question 2. What is the definition for an abstract view of a hard drive?

Answer: image

Task 6. Data Acquisition & Trust Certificates

Question 1. What is the name of a forensics tool that couldn’t be used in a court of law, because data could be written to the device being analysed?

Answer: iFunbox

Question 2. You’ve found an iPhone with no passcode lock, what acquisition method would you use?

Answer: direct Acquisition

Question 3. What is the name of the certificate that gets stored on a computer when it becomes trusted?

Answer: trust certificate

Task 9. Scenario: Operation JustEncase (Deploy)

Access in Browser

Open DB Browser (SQLite).

Click the Open Database option and select the sms.db file.

Now click the Browse Data option.

Then select the message table.

You will see two messages.

Question 1. Who was the recipient of the SMS message sent on 23rd of August 2020?

Answer: Lewis Randall

Question 2. What did the SMS message say?

Answer: Did you get the goods?
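The same inspection of the message table can be scripted instead of clicked through. The following is an added example, not part of the original walkthrough or the room: it opens a working copy of the database read-only and converts the `date` column, which iOS stores as seconds (nanoseconds on newer versions) since 2001-01-01 UTC, into a readable timestamp. The table and column names (`message`, `handle`, `text`, `date`, `is_from_me`, `handle_id`) are assumptions about the sms.db schema, and the sample database and its rows are constructed.

```python
import sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time starts here

def apple_time(value):
    """Convert a Mac absolute timestamp (seconds, or nanoseconds) to a UTC datetime."""
    if value > 10**11:  # far too large for seconds, so treat as nanoseconds
        value = value / 10**9
    return APPLE_EPOCH + timedelta(seconds=value)

def open_readonly(path):
    """Open a working copy of the database so that no query can modify it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def list_messages(conn):
    """Return every row of the message table with its handle and a readable time."""
    rows = conn.execute(
        "SELECT m.ROWID, h.id, m.is_from_me, m.date, m.text "
        "FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id "
        "ORDER BY m.ROWID")
    return [{"rowid": r[0], "peer": r[1],
             "direction": "sent" if r[2] else "received",
             "when": apple_time(r[3]), "text": r[4]} for r in rows]

def build_sample(path):
    """Create a constructed stand-in for sms.db (assumed schema, invented rows)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
        INSERT INTO message VALUES (1, 'constructed outgoing text', 1, 619833600, 1);
        INSERT INTO message VALUES (2, 'constructed reply', 1, 619920000000000000, 0);
    """)
    conn.commit()
    conn.close()

if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "sms_sample.db"
    build_sample(sample)
    for m in list_messages(open_readonly(sample)):
        print(m["when"].isoformat(), m["direction"], m["peer"], m["text"])
```

Opening with `mode=ro` keeps the analysis from altering the evidence copy, which is the same concern the Task 6 question about write-capable tools raises.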

Question 3. Looking at the address book, what is the first name of the other person in the contacts?

Now drag and drop the first file, right-click on ABPerson and select Browse Table.

Answer: Jenny

Question 4. Following on from Question #3, what is their listed “Organization”?

Answer: Transportation

Question 5. Investigate their browsing history, what is the address of the website that they have bookmarked?

Drag and drop the Bookmarks file into the Browse Data option.

Right-click on Bookmarks and select Browse Table.

Answer: https://blog.cmnatic.co.uk

Question 6. The suspect received an email, what is the remote_id of the sender?

Drag and drop the Envelope Index file into the Browse Data tab.

Answer: 51.32.56.12

Question 7. What is the name of the company on one of the images stored on the suspect's phone?

Answer: Tryhackme

Question 8. What is the value of the cookie that was left behind?

Open the second file with Notepad++.
