- Practical Mobile Forensics
- Rohit Tamma Oleg Skulkin Heather Mahalik Satish Bommisetty
- 336 words
- 2021-06-24 16:39:08
Normal mode
When an iPhone is switched on, its operating system is booted; this mode is known as normal mode. Most regular activities (calling, texting, and so on) that are performed on an iPhone will be run in normal mode.
When an iPhone is turned on, internally, it goes through a secure boot chain, as shown in the following diagram. This does not occur for jailbroken devices. Each step in the boot-up process contains software components that are cryptographically signed by Apple to ensure integrity:
The boot ROM, also known as the secure ROM, is read-only memory (ROM) and is the first significant piece of code that runs on an iPhone (https://www.apple.com/business/docs/iOS_Security_Guide.pdf). The boot process for iOS devices proceeds through the following steps:
- The boot ROM code contains the Apple root certificate authority (CA) public key, which is used to verify the signature of the next stage before allowing it to load.
- When the iPhone is started, the application processor executes the code from the boot ROM.
- The boot ROM, in turn, verifies whether the Low-Level Bootloader (LLB) is signed by Apple and loads it. The LLB is loaded and verified by the boot ROM, but this only occurs on devices with an A9 or earlier A-series processor.
- When the LLB finishes its tasks, it verifies and loads the second-stage boot loader (iBoot). iBoot verifies and loads the iOS kernel.
- The iOS kernel, in turn, verifies and runs all the user applications.
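The chain of trust in the steps above can be modelled as follows. This is an added example, not code from the book or from Apple: it uses a toy textbook-RSA key pair (constructed and insecure) in place of the Apple root CA key, and all function names and image bytes are hypothetical.

```python
import hashlib

# Toy textbook-RSA key standing in for the Apple root CA key pair (assumption:
# constructed and insecure; real devices use Apple's own image format and keys).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign(image: bytes) -> int:
    """Signer side: done when the image is built, never on the device."""
    return pow(digest(image), D, N)

def verify(image: bytes, signature: int) -> bool:
    """Device side: needs only the public key (N, E) held in the boot ROM."""
    return pow(signature, E, N) == digest(image)

def boot(stages):
    """Verify each stage before loading it; stop at the first failure.
    Simplification: one public key is used for every hop in the chain.
    Returns (names of loaded stages, name of the rejected stage or None)."""
    loaded = ["Boot ROM"]  # read-only root of trust, runs first
    for name, image, signature in stages:
        if not verify(image, signature):
            return loaded, name  # halt: nothing after this stage runs
        loaded.append(name)
    return loaded, None

def build_chain(with_llb=True):
    """with_llb=True models the A9-or-earlier chain that includes the LLB."""
    names = ["LLB", "iBoot", "iOS kernel"] if with_llb else ["iBoot", "iOS kernel"]
    chain = []
    for name in names:
        image = f"{name} image v1".encode()  # constructed sample image bytes
        chain.append((name, image, sign(image)))
    return chain

if __name__ == "__main__":
    print(boot(build_chain()))
    modified = build_chain()
    name, image, sig = modified[1]
    modified[1] = (name, image + b" patched", sig)  # changed after signing
    print(boot(modified))
```

An image that was altered after signing fails verification, so the chain stops at that stage and no later component is loaded.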
When an iOS device is in this state, forensic acquisition can obtain the part of the device that is accessible to the user. Most often, this includes a logical acquisition, which will be discussed later in this chapter.