iOS – How to make a dump of the iPhone so as to perform forensics

Tags: encryption, ios, iphone, malware, security

I would like to be able to run a forensic analysis on my iPhone from a disk dump copy made on my Mac or any kind of Unix as I would from any external disk with a dd command.

For those who are curious: why do I want to perform such a forensic analysis?
I would like to detect malware and data leaks, and to check what is encrypted and what isn't… This is a method I would like to be able to run easily, and as frequently as I need, as a security audit.
I only trust what I understand!

I am open to any software method I can replay.

How may I proceed to see my iPhone as a normal disk?

How may I decrypt the dump obtained, since I know my password but not how the AES key is built from it?

Best Answer

You can read about how the encryption is performed and how the AES keys are built in Apple's iOS Security Guide:

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

In particular, this describes that the key is not available to the application processor. It is only available within the Secure Enclave. This means that even though you know your password, you cannot rebuild the AES key from it on a different computer.

This means that it is not possible to do what you want (i.e. dumping the raw disk contents and decrypting it on another computer using AES keys that you build from your own password on that computer).

In regards to dumping raw disk content, you can use the dd command if you want, but you cannot really use it for anything.
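To make the answer's point concrete, here is an added example (not part of the original answer, and not Apple's actual key-derivation code): a small Python model in which the file-encryption key is derived from the passcode and then entangled with a per-device secret that, on real hardware, never leaves the Secure Enclave. The names, the constructed `DEVICE_UID`, the PBKDF2 parameters and the HMAC-based keystream are all assumptions chosen for illustration; real iOS uses AES and hardware-held keys, which is exactly why the model's "offline" path fails. The example shows why a raw `dd` image plus the passcode alone is not enough: the decryption succeeds only when the device secret is available.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the per-device hardware key. Assumption for this
# model: on a real iPhone this value lives only inside the Secure Enclave and
# is never exposed to the application processor or to a Mac doing forensics.
DEVICE_UID = bytes.fromhex("11" * 32)

# Constructed, fixed values so the demonstration is deterministic.
SALT = b"constructed-salt"
NONCE = b"constructed-nonce"
PBKDF2_ITERATIONS = 10_000  # model parameter, not Apple's


def derive_key(passcode: str, salt: bytes, device_uid: Optional[bytes]) -> bytes:
    """Model of passcode-derived key entangled with a device secret.

    The passcode is first stretched with PBKDF2; if a device secret is
    available the result is additionally tangled with it via HMAC. Without
    the device secret only the passcode-only intermediate can be computed.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)
    if device_uid is None:
        return stretched
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode style XOR with an HMAC-SHA256 keystream (a stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_on_device(passcode: str, plaintext: bytes) -> bytes:
    """What the phone does: it has the device secret, so it can build the real key."""
    key = derive_key(passcode, SALT, DEVICE_UID)
    return keystream_xor(key, NONCE, plaintext)


def decrypt_from_image(passcode: str, ciphertext: bytes, device_uid: Optional[bytes]) -> bytes:
    """What an analyst does with a dd image: rebuild the key from the passcode,
    with or without access to the device secret."""
    key = derive_key(passcode, SALT, device_uid)
    return keystream_xor(key, NONCE, ciphertext)


def demo(passcode: str = "123456", plaintext: bytes = b"constructed file contents") -> dict:
    """Return whether decryption recovers the plaintext with and without the device secret."""
    ciphertext = encrypt_on_device(passcode, plaintext)
    with_uid = decrypt_from_image(passcode, ciphertext, DEVICE_UID) == plaintext
    without_uid = decrypt_from_image(passcode, ciphertext, None) == plaintext
    return {"with_uid": with_uid, "without_uid": without_uid}


if __name__ == "__main__":
    result = demo()
    print(f"decrypts with device secret:    {result['with_uid']}")
    print(f"decrypts with passcode only:    {result['without_uid']}")
```

Running the script reports that decryption succeeds with the device secret and fails with the passcode alone. The practical consequence for an audit workflow is the one the answer states: a raw image taken with `dd` stays opaque unless the analysis runs on the device that holds the key, so on-device tooling or a backup-based approach is what actually yields inspectable data.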