The normal mode

When an iPhone is switched on, it is booted to its operating system; this mode is known as the normal mode. Most regular activities (calling, texting, and so on) performed on an iPhone will be run in the normal mode.

When an iPhone is turned on, internally, it goes through a secure boot chain, as shown in the following figure. This does not occur for jailbroken devices. Each step in the boot-up process contains software components that are cryptographically signed by Apple to ensure integrity.

A secure boot chain of an iPhone in normal mode

The Boot ROM, known as the secure ROM, is read-only memory (ROM), and is the first significant code that runs on an iPhone (https://www.apple.com/business/docs/iOS_Security_Guide.pdf). The boot process for iOS devices proceeds through the following steps:

  1. The Boot ROM code contains the Apple root CA public key, which is used to verify the signature of the next stage before allowing it to load.
  2. When the iPhone is started, the application processor executes the code from the Boot ROM.
  3. The Boot ROM, in turn, verifies whether the Low Level Bootloader (LLB) is signed by Apple or not, and loads it.
  4. When LLB finishes its tasks, it verifies and loads the second-stage boot loader (iBoot). iBoot verifies and loads the iOS kernel.
  5. The iOS kernel, in turn, verifies and runs all the user applications, as shown in the preceding figure.
  6. The secure boot chain ensures that iOS runs only on validated Apple devices.
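
The verify-then-load sequence in the steps above can be modelled as a short simulation. This is an added illustration, not Apple's code or image format: it uses unpadded textbook RSA with a constructed key, constructed stage images and hypothetical function names, and it assumes every stage is checked against the same root public key.

```python
import hashlib

# Constructed demo key (textbook RSA, no padding) from two known Mersenne primes.
# Real boot chains use vendor keys and padded signatures; this is a model only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the "vendor"

def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image: bytes) -> int:
    """Vendor side: sign the SHA-256 digest of a stage image."""
    return pow(digest(image), D, N)

def verify(image: bytes, signature: int, root_pub=(N, E)) -> bool:
    """Device side: check the signature using only the root public key."""
    n, e = root_pub
    return pow(signature, e, n) == digest(image)

def boot(stages, root_pub=(N, E)):
    """Walk the chain in order; the running stage verifies the next one
    before handing over control. Returns (stages_loaded, failed_stage)."""
    loaded = ["Boot ROM"]             # immutable first stage, implicitly trusted
    for name, image, signature in stages:
        if not verify(image, signature, root_pub):
            return loaded, name       # refuse to load; the chain stops here
        loaded.append(name)
    return loaded, None

def build_chain():
    """Constructed sample images for the stages named in the text."""
    images = [("LLB", b"llb-image-v1"), ("iBoot", b"iboot-image-v1"),
              ("kernel", b"kernel-image-v1")]
    return [(name, img, sign(img)) for name, img in images]

if __name__ == "__main__":
    chain = build_chain()
    print(boot(chain))                # intact chain: every stage loads
    name, img, sig = chain[1]
    chain[1] = (name, img + b"\x90", sig)   # modified iBoot with its old signature
    print(boot(chain))                # verification stops before iBoot
```

Because the signature covers a digest of the whole image, changing a single byte of any stage stops the boot at that stage and nothing after it is loaded.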

When an iOS device is in this state, it is possible, through forensic acquisition, to obtain the part of the device that is accessible to the user. Most often, this includes a logical acquisition, which will be discussed later in this chapter.
