Low-level iOS forensics
Thu 28 June 2012 by jean
iOS filesystem encryption and data protection mechanisms are now well documented and supported by many forensics tools. iOS devices use NAND flash memory as their main storage area, but physical imaging usually refers to a “dd image” of the logical partitions. The iOS Flash Translation Layer for current devices is software-based (implemented in iBoot and the kernel), which means that the CPU has direct access to raw NAND memory. In this post we will describe how to acquire a NAND image and use FTL metadata to recover deleted files on A4 devices. The information presented here is based on the great reverse engineering work done by the iDroid/openiBoot team.[…]
http://esec-lab.sogeti.com/posts/2012/06/28/low-level-ios-forensics.html
https://code.google.com/archive/p/iphone-dataprotection/wikis