Mobile devices present interesting challenges when it comes to:

  • Incident Response
  • Malware Analysis
  • Digital Forensics

Why is this?

If you look at the architecture of mobile platforms (such as iOS) you have quite a difference from a general-purpose computer. You have a restrictive environment with sandboxes etc. You don't "have root" (unless you have a jailbroken device) and there are other variables at play.

When it comes to incidents, most people do not have their devices in an incident triage and analysis state. When it comes to threat types, we have a range from simple websites that respond differently to mobile user agents through to one-click or zero-click malware that leverages features such as iMessage.

Then there is the range of variables in software, hardware and firmware between devices, plus each user's specific configuration.

The idea that there is a one-size-fits-all solution to mobile device incident response, malware analysis and forensic investigations just isn't realistic. People need to leverage a range of tools, techniques and procedures to be able to adapt to the scenario at hand.

Malware Analysis Options for iOS

On Device (use a test device not your normal device!)

  • You will likely need specific configurations.
  • These configurations may be detected by malware.
  • Consider jailbreaking the device, but also consider that malware may detect this and not function (this also invalidates the warranty etc.)
  • On iOS it is quite handy that you can capture a PCAP of the traffic the device sends over the cellular (GSM) link from a Mac

Via Simulator (Part of Xcode)

  • There are some limitations: you can't install apps from the App Store.
  • You can run Safari etc.

Using Cloud Based Virtual Machines

  • https://www.corellium.com/

Using a Public Sandbox

  • Avira Cloud Sandbox

Using the iPhone Backup / Mac Synchronization
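As an added illustration of working from an iTunes/Finder backup (this is not code from the original post), the script below reads the Manifest.db of an unencrypted backup, locates a few well-known artefacts and checks that each one is actually on disk under the expected SHA-1 file name. It assumes Python 3.9+; the artefact list and the sample backup folder are constructed here for the demonstration.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Artefacts worth pulling first from a backup, as (domain, relativePath) pairs.
ARTIFACTS_OF_INTEREST = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
]

def backup_file_id(domain: str, relative_path: str) -> str:
    """Backups name each file by the SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def triage_backup(backup_dir: Path) -> list[dict]:
    """Map Manifest.db rows (unencrypted backups only) to files on disk.

    Each result records whether the payload is present and whether its fileID
    matches the expected hash, so incomplete or tampered backups stand out.
    """
    db = sqlite3.connect(backup_dir / "Manifest.db")
    wanted = set(ARTIFACTS_OF_INTEREST)
    results = []
    # flags = 1 marks regular files; directories are stored with flags = 2.
    for file_id, domain, rel_path in db.execute(
            "SELECT fileID, domain, relativePath FROM Files WHERE flags = 1"):
        if (domain, rel_path) not in wanted:
            continue
        on_disk = backup_dir / file_id[:2] / file_id  # iOS 10+ two-char subfolder layout
        results.append({"domain": domain, "path": rel_path, "fileID": file_id,
                        "present": on_disk.is_file(),
                        "id_matches": file_id == backup_file_id(domain, rel_path)})
    db.close()
    return sorted(results, key=lambda r: r["path"])

def make_sample_backup() -> Path:
    """Constructed stand-in for a real backup folder: Manifest.db plus one payload file."""
    root = Path(tempfile.mkdtemp(prefix="ios-backup-"))
    db = sqlite3.connect(root / "Manifest.db")
    db.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
               "relativePath TEXT, flags INTEGER, file BLOB)")
    sms_id = backup_file_id("HomeDomain", "Library/SMS/sms.db")
    db.executemany("INSERT INTO Files VALUES (?,?,?,?,?)", [
        (sms_id, "HomeDomain", "Library/SMS/sms.db", 1, None),                    # present, valid ID
        ("00" + "ab" * 19, "HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", 1, None),  # bogus ID, missing
        (backup_file_id("HomeDomain", "Library"), "HomeDomain", "Library", 2, None),  # directory row
    ])
    db.commit(); db.close()
    (root / sms_id[:2]).mkdir()
    (root / sms_id[:2] / sms_id).write_bytes(b"SQLite format 3\x00")  # constructed placeholder content
    return root

if __name__ == "__main__":
    for row in triage_backup(make_sample_backup()):
        print(row)
```

Encrypted backups store Manifest.db itself encrypted, so this only applies once the backup has been decrypted with the owner's backup password.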

Using MDM Data

Using Environmental Data (e.g. Wi-Fi network provider data, DNS provider data)

Using VPN/Proxy Server Data (Network Traffic Data/HTTPS Inspection Data)

Emulate a smartphone browser (e.g. use mobile mode in a desktop browser together with a custom user agent)

Incident Response & Forensics Tools for iOS

This isn't an exhaustive list, but here are some tools/suites:

  • Axiom
  • GrayShift GrayKey
  • XRY
  • Cellebrite
  • Lantern
  • MPE
  • Elcomsoft EIFT
  • Backlight
  • Oxygen Forensics
  • iRecovery

Please bear in mind that iOS (and generally mobile) forensics is not simple; there are so many variables.


Can you do analysis on hardware? Of course! Can you also use emulators/simulators and virtual machines? Absolutely. Is there a one-size-fits-all approach that meets all the scale, scenario and safety requirements in one? It doesn't appear so. Let me know if you think I've missed anything major; this is a broad and deep subject that's constantly changing (for example, Joe Sandbox used to support iOS at version 13!), so shout if you have cool tips and tricks!