from Hacker News

Conducting forensics of mobile devices to find signs of a potential compromise

by 34679 on 3/17/25, 3:25 AM with 73 comments

  • by transpute on 3/17/25, 4:43 AM

    iOS, https://docs.mvt.re/en/latest/ios/methodology/

    > You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.

    Since Apple won't allow iDevice owners to access an unredacted raw disk image for forensics, iOS malware detection tools are hamstrung. The inability to fully back up devices means that post-intrusion device restore is literally impossible. Only a new OS version can be installed, then a subset of the original data can be restored, then every app/service needs to re-establish trust with this newly "untrusted" (but more trustworthy than the previously trusted-but-compromised) device.

    In theory, Apple could provide their own malware analysis toolset, or provide optional remote attestation to verify OS and baseband integrity.

    In the absence of persistent disk artifacts, the next best option is behavioral analysis, e.g. usage anomalies ("dog that did not bark") in CPU, battery, storage or network. Outbound network traffic can be inspected by a router and compared against expected application and system traffic. This requires an outbound firewall where rules can specify traffic by wildcard domain names, which are widely used by CDNs. Apple helpfully provides a list of domains and port numbers for all Apple services.
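
One way to do the router-side comparison described above, as an added example that is not from the post, from MVT, or from any Apple tooling: the allow-list and flow log are constructed for illustration (not Apple's published service list), and the rule that a leading `*.` matches one or more subdomain labels is an assumption.

```python
from typing import Iterable

# Constructed allow-list in the style of a published service list:
# "<domain-pattern>:<port>". A leading "*." is assumed to match one or
# more labels, so "*.apple.com" matches "gsa.apple.com" but not "apple.com".
EXPECTED_DESTINATIONS = [
    "*.apple.com:443",
    "*.push.apple.com:5223",
    "*.icloud.com:443",
    "time.apple.com:123",
]

# Constructed router flow log: timestamp, device IP, destination host, port.
SAMPLE_FLOW_LOG = """\
2025-03-17T03:10:01 10.0.0.23 gsa.apple.com 443
2025-03-17T03:10:04 10.0.0.23 1-courier.push.apple.com 5223
2025-03-17T03:11:30 10.0.0.23 p54-keyvalueservice.icloud.com 443
2025-03-17T03:12:07 10.0.0.23 update-check.example.net 8443
2025-03-17T03:12:09 10.0.0.23 time.apple.com 123
2025-03-17T03:13:44 10.0.0.23 apple.com.evil-cdn.example 443
2025-03-17T03:14:02 10.0.0.23 gsa.apple.com 8080
"""


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; wildcard only matches on a label boundary."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def parse_rules(rules: Iterable[str]) -> list[tuple[str, int]]:
    parsed = []
    for rule in rules:
        domain, port = rule.rsplit(":", 1)
        parsed.append((domain, int(port)))
    return parsed


def is_expected(host: str, port: int, rules: list[tuple[str, int]]) -> bool:
    # Both the domain pattern and the port must match the same rule.
    return any(host_matches(p, host) and port == rp for p, rp in rules)


def find_unexpected_flows(log_text: str, rules: Iterable[str]) -> list[tuple[str, str, int]]:
    """Return (timestamp, host, port) for every flow not covered by a rule."""
    parsed = parse_rules(rules)
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _src, host, port = line.split()
        if not is_expected(host, int(port), parsed):
            unexpected.append((ts, host, int(port)))
    return unexpected
```

Flows that reach a known domain on an unexpected port, or a look-alike host that merely starts with an allowed name, are reported alongside wholly unknown destinations.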

  • by mindslight on 3/17/25, 7:08 AM

    I recently had the "pleasure" of reading over a criminal forensic investigation report. It was harrowing. The report was basically like "we ran virus check and it reported clean so nobody could have accessed the system remotely" and then it moved right along to the next thing. The logic felt more dubious than some of the court scenes from Idiocracy. And it had been produced for defense counsel and paid for by the defendant.

  • by pogue on 3/17/25, 4:19 PM

    I'd be curious if anyone has tried this for Android and what kind of stuff it's checking for. Sideloaded APKs can often contain malicious stuff, but it's nearly impossible to know if it's doing anything suspicious unless you open it up with a tool like Apktool [1] or run it on Triage [2] as it supports Android and watch what it's doing. Most antivirus for Android is pretty much a joke, as far as I'm concerned.

    [1] https://github.com/iBotPeaches/Apktool?tab=readme-ov-file

    [2] https://tria.ge/

  • by 6stringmerc on 3/17/25, 11:30 AM

    Does the iPhone / iOS track the profiles of the machines it is physically connected with and when “Allow Access” is selected? I ask because I did not have face authentication or a password on my phone and my ex-landlords illegally obtained my exempt property and I would like to know if they plugged it in to their computer and potentially obtained personal files from it. Yes I know the lack of security was an oversight and failure on my part. I accept that. However, they also tried to steal my car and sell it and refuse to return my property they are not legally entitled to possess (“tools of trade” under Texas law). The legal process takes time so I’m just curious if such a forensics investigation is possible.

  • by truekonrads on 3/17/25, 6:30 AM

    iVerify uses diagnostic logs for hunting. Give it a go.