About The Training

By the end of this course, participants will have gained practical knowledge and hands-on experience in the following areas:

• Understanding the iOS Security Model:

Learn how iOS enforces security through its architecture, including hardware, software, and data protection mechanisms.

• Mastering the iOS Process Lifecycle and Data Model:

Explore how apps and processes behave on iOS, how data is managed, and what normal vs. suspicious behavior looks like.

• Identifying Threats Targeting iOS Devices:

Analyze both commercial and commodity threats, including:

• (Commercial) Spyware campaigns such as Pegasus, Predator, Triangulation, and Paragon.
• Jailbreaks, side-loaded applications, and common malware families.
• Extracting Key Data for Malware Detection:

Develop skills to acquire and process critical forensic and telemetry sources, including:

• iOS backups (iTunes, Finder, iCloud).
• System Diagnostics
• Device logs and crash reports.

Build a forensic workflow to:

• Examine artifacts for indicators of compromise.
• Interpret system logs and crash logs for signs of attacker activity.
• Analyze real-world iOS malware samples.

Basic - Intermediate

Day 1: Understanding the iOS Security Model and Detecting Jailbreaks
The first day lays the foundation for the rest of the training. We will dive into the iOS Security and Data Protection architecture, focusing on how Apple secures devices and user data. We’ll cover the app lifecycle, process management, and the security boundaries enforced by the system. Throughout the day, we will reference historical malware cases to understand common attack vectors and learn where to find up-to-date threat intelligence.
In the afternoon, we’ll shift to practical exercises using jailbroken devices. You’ll learn how to identify signs of compromise, detect traces left behind by jailbreaks, and understand the typical footprint of a modified device. We will also explore methods for detecting side-loaded apps, unauthorized elevated permissions, and deviations from Apple’s security model. By the end of the day, you’ll have a strong grasp of how a secure iOS device should behave — and how to spot when it doesn’t.

Day 2: Investigating Forensic Data Sources and Backup Analysis
The second day is all about exploring the forensic artifacts available for analysis. We’ll start by focusing on iOS backups — what data they contain, their strengths and limitations for compromise assessment, and how to extract meaningful evidence.
We’ll examine a variety of important databases stored on the device, including both well-documented sources and some lesser-known artifacts that can offer valuable insights into device activity. Using a combination of public tools like MVT (Mobile Verification Toolkit) and custom scripts, you will learn how to parse and analyze backup data for indicators of compromise.
The afternoon session will introduce you to sysdiagnose captures — an essential, but often underused, forensic goldmine. We’ll break down how sysdiagnoses are structured and how to extract logs, metrics, and traces useful for incident response.

Day 3: iOS Log Recovery and Practical Malware Analysis
The final day will focus entirely on working with logs and malware analysis. In the morning, we’ll start with crash logs: how to interpret iOS crash reports, identify anomalies, and connect crashes to possible exploit attempts or system tampering. You’ll learn a structured approach to root cause analysis using real-world examples.
We will then move into analyzing system logs (logarchives) — one of the richest sources of forensic data on iOS — with a particular focus on uncovering attacker activity, persistence mechanisms, and signs of malware execution.
In the afternoon, we’ll bring everything together by examining several real-world iOS malware samples, including Pegasus, I-SOON implants, and the Triangulation spyware. You’ll learn how to dissect these threats, recognize their behavioral patterns, and apply forensic techniques to detect them even in partial data sets.
By the end of Day 3, you will have a complete practical workflow for investigating iOS devices in suspected compromise cases.

A Mac with a recent version of macOS would be recommended. Its possible to follow the training on other platforms as most scripts and tools are OpenSource. But some specific artifacts are easier to analyze on macOS.
 

Participants should know how to use a terminal and install python based scripts and tooling. Knowledge of the iOS platform and owning an iPhone is helpful but not required.
 

CERT, SOC Analysts
Mobile (Criminal) Forensic Analysts who want to learn more about compromise assessment on iOS
Anyone who wants to learn more about malware on iOS and how to find it.

You can expect to get a hands-on class which is build based on real world iOS malware. We are going to take a look at past examples of malware, how they infected devices, tried to cover their tracks and got detected in the end. The training features a combination of theory and practical sessions that will show you how to discover malware on your own and what data sources can be extracted from iOS.
 

All the slides and materials from the training. Multiple hands-on labs including the forensic data sources to analyze. All the scripts and tools from the training.
 

We wont be working with any proprietary tools. We'll focus on OpenSource tools with their strength and weaknesses. I wont be able to disclose or share any privare IOCs or Malware samples. But there are plenty of public sources to go with. We wont be working on any Full File System dumps. As those tools are only limited to a couple of organisations we'll focus on data sources available to anyone.