TLPBLACK at Ringzer0 COUNTERMEASURE
We joined Ringzer0 COUNTERMEASURE in Ottawa to deliver our TLPBLACK iOS Forensics training - a hands-on course for DFIR professionals focused on real-world iOS threat hunting and malware analysis.
Ringzer0 COUNTERMEASURE is a leading international cybersecurity conference held in Ottawa, Canada - a travel-friendly (heh!), globally connected capital city.
Ringzer0 CounterMeasure
Our team showcased the TLPBLACK iOS Forensics training which focuses on cyber threat hunting and discovery with a practical angle.
This course was designed for digital forensics and incident response professionals who want hands-on expertise in real-world iOS investigations. It covers iOS internals, security mechanisms, and the full forensic workflow — from data collection to malware detection.
TLPBLACK Apple iOS Forensics
Training overview
The training begins with an overview of iOS architecture, secure boot, hardware protections, and app/network security. It then moves into practical acquisition methods using open-source tools such as libimobiledevice, the Mobile Verification Toolkit (MVT), and pymobiledevice3 to extract system logs, backups, and network data. Participants learn to generate and interpret sysdiagnose and reboot logs, decrypt backups, and analyze captured traffic for potential compromise indicators.
A major focus is on forensic methodology — how to collect and preserve evidence, identify indicators of compromise through logs and artifacts, and use frameworks like EC-DIGIT-CSIRC’s analysis tools and YARA rules for malware detection. The course also covers jailbreaking techniques for deeper data access required for advanced malware analysis within a controlled environment, emphasizing associated risks and forensic implications. In later sections, learners explore well-known iOS malware families such as Pegasus, Predator, and FinSpy, understanding their persistence and evasion tactics. The training concludes with exposure to commercial forensic suites like Cellebrite, Magnet AXIOM, and Elcomsoft, and security tools like iVerify and iMazing, helping participants evaluate and use both open-source and commercial options effectively in investigations.
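The log-and-artifact side of that methodology comes down to matching a curated indicator list against what the device actually recorded. The following is an added illustrative example, not TLPBLACK course material and not code from MVT or pymobiledevice3: a small Python matcher that parses constructed iOS-style log lines (shaped loosely like unified-log entries found in a sysdiagnose) and reports which constructed placeholder indicators (domain, process name, file path) each line hits. Both the log format and the indicator values are assumptions made for the example; real investigations would load indicators from a vetted feed and parse the actual sysdiagnose archive.

```python
"""Match a small indicator-of-compromise (IoC) list against iOS-style log lines.

Illustrative example only. The log lines, the log format and the indicators
below are constructed for this example; the indicators are placeholders, not
real IoCs for any malware family.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "process" or "path"
    value: str
    family: str  # label for the malware family the indicator is attributed to


# Constructed placeholder indicators (assumption: NOT real IoCs).
IOCS = (
    Indicator("domain", "update-check.example.net", "FAMILY-A"),
    Indicator("process", "bh", "FAMILY-A"),
    Indicator("path", "/private/var/tmp/.cache_x", "FAMILY-B"),
)

# Constructed log lines, loosely shaped like unified-log output in a sysdiagnose.
SAMPLE_LOGS = [
    "2024-05-01 10:02:11.123 SpringBoard[52]: launching app com.apple.mobilesafari",
    "2024-05-01 10:02:13.004 nehelper[110]: connection to update-check.example.net:443",
    "2024-05-01 10:02:14.800 kernel[0]: exec of /private/var/tmp/.cache_x by pid 412 (bh)",
    "2024-05-01 10:02:20.500 locationd[88]: location update delivered",
]

# "<date> <time> <process>[<pid>]: <message>"  (assumed layout for the sample lines)
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)   # dotted host names
PATH_RE = re.compile(r"/[\w./\-]+")                                 # absolute paths
PAREN_PROC_RE = re.compile(r"\(([\w.-]+)\)")                        # "(bh)" style names


def parse_line(line):
    """Split one log line into its fields; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_observables(rec):
    """Pull the domain names, paths and process names mentioned in a parsed line."""
    msg = rec["msg"]
    return {
        "domain": {d.lower() for d in DOMAIN_RE.findall(msg)},
        "path": set(PATH_RE.findall(msg)),
        # the logging process itself plus any "(name)" references in the message
        "process": {rec["proc"].strip()} | set(PAREN_PROC_RE.findall(msg)),
    }


def match_line(line, iocs=IOCS):
    """Return the indicators that a single log line matches (empty if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    obs = extract_observables(rec)
    hits = []
    for ioc in iocs:
        # domains compare case-insensitively; paths and process names exactly
        needle = ioc.value.lower() if ioc.kind == "domain" else ioc.value
        if needle in obs[ioc.kind]:
            hits.append(ioc)
    return hits


def scan_logs(lines, iocs=IOCS):
    """Return (line_number, indicator) pairs in log order; line numbers are 1-based."""
    results = []
    for n, line in enumerate(lines, 1):
        for ioc in match_line(line, iocs):
            results.append((n, ioc))
    return results


def families_seen(results):
    """Sorted list of family labels attributed to any matched indicator."""
    return sorted({ioc.family for _, ioc in results})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for n, ioc in found:
        print(f"line {n}: {ioc.kind}={ioc.value} ({ioc.family})")
    print("families:", ", ".join(families_seen(found)) or "none")
```

Matching is done on extracted observables rather than on raw substrings so that a short process name such as `bh` cannot fire on unrelated text, and each hit keeps its family label so the analyst sees which indicator set triggered, which is the piece of context needed before treating a match as evidence rather than a lead.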
TLPBLACK Apple iOS Forensics Certificates
This course explores the intricacies of Apple’s iOS security model, practical data acquisition methods, and forensic analysis workflows using both open-source and commercial tools. We show how to extract and analyze backups, crash logs, and capture network data; detect known and unknown malware and leverage compromise indicators and YARA rules; perform controlled jailbreaks; and handle warnings about advanced threats such as Pegasus and Predator. Through hands-on exercises with tools like libimobiledevice, MVT and pymobiledevice3, attendees gain the expertise to navigate iOS’s closed ecosystem while understanding its forensic limitations.
The training was led by our founder Costin Raiu and advisory board member Vitaly Kamluk, well known for uncovering new APTs and developing forensics frameworks such as Bitscout.
Three Buddy Problem Live Recording
During the conference, the popular Three Buddy Problem podcast – Ryan Naraine, Juan Andres Guerrero-Saade, who are also advisors to TLPBLACK, and Costin Raiu – discussed the Google v FFmpeg open-source patching brouhaha, ransomware negotiators charged and linked to ransomware attacks, the looming TP-Link ban in the U.S., and the discovery of LANDFALL, an APT attack caught using a Samsung mobile zero-day. Catch the live episode recording here: https://securityconversations.fireside.fm/google-ffmpeg-ransomware-landfall
Three Buddy Problem
See you at DefCamp this week!
Although the snow storm decided to keep us in Canada for a little longer, we’re back to developing more TLPBLACK services and hope to catch up with some of you at DefCamp in Bucharest!
Cheers!