Elcomsoft Phone Password Breaker Enhances iCloud Forensics and Speeds Up Investigations

August 22nd, 2013 by Vladimir Katalov
Category: «Clouds», «Elcomsoft News», «General», «Software», «Tips & Tricks»

It’s been a while since we updated Elcomsoft Phone Password Breaker, as we dedicated our efforts to physical acquisition of iOS devices instead. Well, now that the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.

The new version of Elcomsoft Phone Password Breaker is released! While you can read the official press release to get an idea of what’s new and updated, you may as well keep reading this blog post to learn not only what was updated, but also why we did it.

Dedicated to iCloud Forensics

This new release is more or less completely dedicated to enhancing support for remote recovery of iOS devices via iCloud. Why do it this way?

Because iCloud analysis remains one of the most convenient ways to acquire iOS devices. You can read more about iCloud analysis in a previous post here. Let’s see what else is available.

Logical acquisition. This method involves analyzing an offline backup produced by the iOS device. Investigators can even force the device to create a new backup if one is not already available. Analyzing these backups returns a lot of data. However, there are limitations. Backups can be password-protected (in which case the password must be broken first). Even if you already have access to the suspect’s iPhone, you cannot produce an unencrypted backup if you do not already know the backup password! And if this password is long and strong enough, breaking it can take forever, even with a GPU-accelerated tool such as Phone Password Breaker.

Interestingly, a password-protected backup, if the password is known, can deliver more information than an unprotected one. Unencrypted backups encrypt keychain items with a hardware key that can only be extracted through physical acquisition. Password-protected backups, on the other hand, encrypt keychain data with the same password used to protect the rest of the backup, allowing the investigator to access the keychain without resorting to physical acquisition.

Physical acquisition (iOS Forensic Toolkit). This is the fastest and a very comprehensive method, allowing a given device to be acquired within a predictable timeframe (e.g. a 32-GB iPhone can be acquired in about 40 minutes). There are limitations though. You cannot extract deleted information, and there are quite significant issues limiting the ability to acquire latest-generation devices such as the iPhone 4S and 5, and the iPad 2 and up.

Remote analysis of iOS backups from the cloud. The pros are obvious: no access to the physical device is required, and the device owner will not even know. The cons are there too: you must know the user’s Apple ID and password, the user must have created an iCloud backup fairly recently, and the same issue applies to the keychain, which is encrypted with a hardware key. In addition, the initial download of a large data set can take several hours, as iCloud is not the fastest cloud storage system out there.

Why Use Phone Password Breaker for iCloud Analysis

We received several comments pointing out that retrieving data from iCloud is easy and not worth mentioning. Why spend enormous effort analyzing a source that can easily be accessed with native tools?

Well, let’s just say that there are no Apple tools that could download an iPhone backup from iCloud to your PC. None. All you can technically do with an iCloud backup is restore it onto a phone, either a new device or a freshly reset one. As such, investigating an iPhone backup without Phone Password Breaker would require using a fresh iPhone to download the complete backup from iCloud (which alone may take several hours), then acquiring information from that phone by either forcing an offline backup or doing physical (or logical) acquisition. Doesn’t that seem like a bit too much? We thought so, too, and added the ability to download iCloud backups directly to your PC in one of the earlier versions of Elcomsoft Phone Password Breaker.

There is also another essential difference between restoring the backup onto a fresh iPhone and using Phone Password Breaker. If you restore a fresh Apple device using an iCloud backup, the rightful owner will receive the following notification by email:

Your Apple ID (apple@elcomsoft.com) was used to sign in to iCloud on an iPhone 4.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn more.

This is hardly exciting for mobile forensic specialists, so here’s the good news: if you use Phone Password Breaker to download that backup, the notification email will not be sent.

Faster Downloads

As already noted, iCloud is not the fastest cloud storage out there. Downloading a large backup for the very first time can take hours (subsequent updates are incremental and complete much faster).

In this update to Elcomsoft Phone Password Breaker we addressed the speed issue by allowing investigators to download only selected information and skip the data that takes the longest to download (music and videos, for example).

As you may already know if you read our recent presentation, Apple stores iCloud backups on Amazon and Microsoft servers. The backups are split into chunks, and indexes map each file to its chunks. Interestingly, a single file can be split into chunks, some of which are stored on Microsoft servers and others at Amazon. We don’t know whether the chunks are duplicated on both services (which would mean higher storage reliability) or whether one half is stored here and the other half there (which would imply higher security, as no single third party would have access to the whole backup).

We learned how to parse those index files long ago; this is essential for downloading Apple backups. In this release we took this knowledge one step further, adding the ability to download only the chunks containing select essential information.

So here’s what can be downloaded selectively:

  • General device information including UDID, serial number, model name and iOS version
  • Camera roll (photos and videos)
  • Messages (SMS and iMessage)
  • Message attachments (can be retrieved even if the original message was deleted)
  • Phone settings
  • Wi-Fi connections and Bluetooth pairings
  • Call log
  • Address book
  • Notes
  • Calendar
  • Last viewed latitude and longitude on the map
  • Email account settings (except passwords)

These data sources are relatively compact. We normally deal with about 20 MB worth of chunk files, or about 10 MB of actual data. This allows us to retrieve them in minutes instead of hours, and without downloading the complete backup. Note that similar functionality is NOT available with Apple’s tools. If you choose to recover an iCloud backup onto the new iPhone, you MUST wait for a long time until the complete data set is downloaded.
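To make the chunk-index idea concrete, here is an added example (not Elcomsoft’s code, and not Apple’s actual index format): a constructed model in which every backup file maps to an ordered list of chunks, a single file’s chunks may sit on different storage providers, and the downloader computes just the chunks needed for the categories an investigator selects. The category names and file paths are taken from this post; the index layout, chunk identifiers, host names and byte counts are assumptions for illustration.

```python
"""Selective chunk download against a file-to-chunk index (constructed model)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ChunkRef:
    chunk_id: str   # opaque identifier used to fetch the chunk (constructed)
    host: str       # storage provider holding this chunk (constructed)
    size: int       # bytes that must be downloaded for this chunk


@dataclass(frozen=True)
class FileEntry:
    domain: str     # backup domain, e.g. HomeDomain ("" for top-level files)
    path: str       # path relative to the domain
    chunks: tuple   # ordered ChunkRef tuple; concatenating them yields the file


# Category -> glob patterns over "Domain/relative/path"; paths as listed in the post.
CATEGORIES = {
    "general": ["Info.plist", "Manifest.mbdb", "Manifest.plist", "Status.plist",
                "HomeDomain/Library/Preferences/*",
                "WirelessDomain/Library/Preferences/*"],
    "messages": ["HomeDomain/Library/SMS/sms.db", "HomeDomain/Library/SMS/Drafts/*"],
    "calls": ["WirelessDomain/Library/CallHistory/call_history.db"],
    "camera": ["CameraRollDomain/*"],
}

# Constructed index: note that sms.db and the music track are split across hosts,
# and that both draft files reference the same chunk (content-addressed storage).
INDEX = (
    FileEntry("", "Manifest.plist", (ChunkRef("c01", "amazon", 2_000),)),
    FileEntry("HomeDomain", "Library/SMS/sms.db",
              (ChunkRef("c10", "amazon", 3_000_000), ChunkRef("c11", "microsoft", 1_200_000))),
    FileEntry("HomeDomain", "Library/SMS/Drafts/draft1.plist", (ChunkRef("c12", "microsoft", 4_000),)),
    FileEntry("HomeDomain", "Library/SMS/Drafts/draft2.plist", (ChunkRef("c12", "microsoft", 4_000),)),
    FileEntry("WirelessDomain", "Library/CallHistory/call_history.db",
              (ChunkRef("c20", "amazon", 500_000),)),
    FileEntry("CameraRollDomain", "DCIM/100APPLE/IMG_0001.JPG", (ChunkRef("c30", "amazon", 2_500_000),)),
    FileEntry("MediaDomain", "Media/iTunes_Control/Music/track.m4a",
              (ChunkRef("c40", "amazon", 4_000_000), ChunkRef("c41", "microsoft", 4_000_000))),
)


def backup_key(entry):
    """Join domain and path into the key the category patterns are matched against."""
    return f"{entry.domain}/{entry.path}" if entry.domain else entry.path


def select_files(index, categories):
    """Return the index entries whose key matches any pattern of the chosen categories."""
    patterns = [p for name in categories for p in CATEGORIES[name]]
    return [e for e in index if any(fnmatchcase(backup_key(e), p) for p in patterns)]


def plan_download(index, categories):
    """Return ({host: sorted chunk ids}, total bytes), fetching each chunk only once."""
    needed = {}
    for entry in select_files(index, categories):
        for chunk in entry.chunks:
            needed[chunk.chunk_id] = chunk       # de-duplicates chunks shared by files
    by_host = {}
    for chunk in needed.values():
        by_host.setdefault(chunk.host, []).append(chunk.chunk_id)
    return {h: sorted(ids) for h, ids in by_host.items()}, sum(c.size for c in needed.values())


def full_download_size(index):
    """Bytes a non-selective download would transfer (every distinct chunk once)."""
    return sum({c.chunk_id: c.size for e in index for c in e.chunks}.values())


def reassemble(entry, fetched):
    """Rebuild one file by concatenating its chunks in index order."""
    return b"".join(fetched[c.chunk_id] for c in entry.chunks)


if __name__ == "__main__":
    plan, total = plan_download(INDEX, ["messages", "calls"])
    print(plan, total, "of", full_download_size(INDEX), "bytes")
```

Selecting messages and call history pulls under a third of the constructed backup, and the music track, which dominates the size, is never touched; `reassemble()` is where a downloader would stitch the fetched chunks back into the SQLite files discussed further below.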

The following categories are available.

General Information

The phone’s general information is stored in just a few small files:

Info.plist
Manifest.mbdb
Manifest.plist
Status.plist

These files contain the name of the phone as specified by the user, model name, serial number, UDID, AppleID, PersonID, iOS version, and last backup date and time.

In addition, everything contained in the following folders is also extracted:

\HomeDomain\Library\Accounts\*.*
\HomeDomain\Library\ConfigurationProfiles\*.*
\HomeDomain\Library\Preferences\*.*
\RootDomain\Library\Preferences\*.*
\SystemPreferencesDomain\*.*
\WirelessDomain\Library\Preferences\*.*

These files contain information on various settings, stored Wi-Fi access points, Bluetooth pairings etc.

Address Book

The phone’s address book is contained in two SQLite databases:

\HomeDomain\Library\AddressBook\AddressBook.sqlitedb
\HomeDomain\Library\AddressBook\AddressBookImages.sqlitedb

Notes

These two files contain the user’s notes (once again, a SQLite database):

\HomeDomain\Library\Notes\notes.idx
\HomeDomain\Library\Notes\notes.sqlite

Messages (SMS and iMessage)

Text messages and iMessages are kept in the following database:

\HomeDomain\Library\SMS\sms.db

In addition, the following information is downloaded:

\HomeDomain\Library\SMS\Drafts\*.*

Message attachments

\MediaDomain\Library\SMS\*.*

This folder contains .vcf contacts, pictures and videos sent and received via iMessage. Apparently, this folder is never cleaned up automatically, so it may contain pictures captured a long time ago.

Calendar

\HomeDomain\Library\Calendar\Calendar.sqlitedb

Call history

\WirelessDomain\Library\CallHistory\call_history.db

Most of these files are SQLite databases, which means that investigators can easily view existing records and, with the right tools, can even gain access to deleted records. In many situations this allows recovering messages, contacts and other types of data that have been deleted by the user.
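The reason deleted rows are often recoverable is SQLite’s handling of freed space. The following added example (not Elcomsoft’s code) builds a throwaway database shaped loosely like a message store, deletes one row, and then searches the raw file bytes for the deleted text. With `secure_delete` off (SQLite’s usual default) the freed cell keeps its payload, so a carving tool can still find it; with `secure_delete` on, the freed bytes are zeroed. The table layout and every value are constructed.

```python
"""Deleted SQLite rows survive in free space unless secure_delete is on (constructed demo)."""
import os
import sqlite3
import tempfile

DELETED_MARKER = "CONSTRUCTED-DELETED-MESSAGE-7731"   # text of the row we will delete


def build_and_delete(path, secure_delete):
    """Create a small message table, insert three rows, delete the marked one."""
    conn = sqlite3.connect(path)
    # Must be set before the delete; it controls whether freed cells are zeroed.
    conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    rows = [("+15550100", "constructed message one"),
            ("+15550100", DELETED_MARKER),
            ("+15550199", "constructed message three")]
    conn.executemany("INSERT INTO message (handle, text) VALUES (?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM message WHERE text = ?", (DELETED_MARKER,))
    conn.commit()
    conn.close()


def live_rows(path):
    """What the SQL interface reports: the deleted row is gone."""
    conn = sqlite3.connect(path)
    count = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    conn.close()
    return count


def carve_occurrences(path, needle):
    """What a carving tool sees: scan the raw file for the string, ignoring the page structure."""
    with open(path, "rb") as f:
        return f.read().count(needle.encode())


def deleted_text_recoverable(secure_delete):
    """True if the deleted row's text is still present in the file bytes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_and_delete(path, secure_delete)
        if live_rows(path) != 2:
            raise RuntimeError("delete did not take effect")
        return carve_occurrences(path, DELETED_MARKER) > 0
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete=OFF, text still in file:", deleted_text_recoverable(False))
    print("secure_delete=ON,  text still in file:", deleted_text_recoverable(True))
```

Two caveats for practice: a `VACUUM` rebuilds the file and discards free space, so remnants are never guaranteed, and real carving has to deal with records that span overflow pages or were partially overwritten by later inserts, which this string search ignores.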

Camera Roll

Pictures and videos captured with current and previous devices can be downloaded from the following folder:

\CameraRollDomain\*.*

Interestingly, the folder contains information about which files have been modified using built-in picture editing tools. In addition, this folder keeps information about album settings.

Eliminating Network Errors

In this update to Elcomsoft Phone Password Breaker we also solved a few reliability issues. Downloading large backups could previously lead to timeout errors due to expired security tokens (more information about the process is available in the recent presentation we already mentioned). While this wasn’t as big a deal as it may seem (resuming the download picked up from the point where it was interrupted), in this update we handle the issue gracefully by detecting expired tokens and authenticating again. This is completely transparent to the user, and no interaction is required.
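The pattern described here, detect an expired token, refresh it and retry the same unit of work instead of aborting, is worth seeing in code. This added example is not Elcomsoft’s code: it uses a simulated service whose token stops working after a fixed number of requests, and a downloader that re-authenticates and retries the current chunk rather than restarting. The service, token format and expiry policy are constructed for illustration.

```python
"""Transparent re-authentication on token expiry during a chunked download (constructed)."""
import itertools


class TokenExpired(Exception):
    """Raised by the simulated service when the presented token is no longer valid."""


class SimulatedService:
    """Constructed stand-in for a chunk store that issues short-lived tokens."""

    def __init__(self, chunks, token_lifetime):
        self.chunks = chunks                    # chunk_id -> bytes
        self.token_lifetime = token_lifetime    # requests a token stays valid for
        self._issued = {}                       # token -> remaining requests
        self._counter = itertools.count(1)
        self.auth_calls = 0                     # how often authentication happened

    def authenticate(self, credentials):
        """Issue a fresh token; credentials are not checked in this simulation."""
        self.auth_calls += 1
        token = f"tok-{next(self._counter)}"
        self._issued[token] = self.token_lifetime
        return token

    def fetch(self, token, chunk_id):
        """Return a chunk, or raise TokenExpired once the token's budget is used up."""
        remaining = self._issued.get(token, 0)
        if remaining <= 0:
            raise TokenExpired(token)
        self._issued[token] = remaining - 1
        return self.chunks[chunk_id]


def download_all(service, credentials, chunk_ids, max_reauth=5):
    """Fetch chunks in order. On TokenExpired, re-authenticate and retry the same chunk.

    Returns (fetched chunks, number of re-authentications). The max_reauth bound
    turns a service that keeps rejecting fresh tokens into an error instead of a loop.
    """
    token = service.authenticate(credentials)
    fetched = {}
    reauths = 0
    for chunk_id in chunk_ids:
        while True:
            try:
                fetched[chunk_id] = service.fetch(token, chunk_id)
                break                                   # this chunk is done; move on
            except TokenExpired:
                reauths += 1
                if reauths > max_reauth:
                    raise RuntimeError("repeated token expiry; giving up") from None
                token = service.authenticate(credentials)   # refresh and retry same chunk
    return fetched, reauths


if __name__ == "__main__":
    svc = SimulatedService({f"c{i}": bytes([i]) for i in range(1, 8)}, token_lifetime=3)
    data, reauths = download_all(svc, "constructed-credentials", [f"c{i}" for i in range(1, 8)])
    print(len(data), "chunks,", reauths, "re-authentications")
```

Because a chunk fetch is idempotent, retrying the same `chunk_id` after refreshing the token is safe; the bound on re-authentications is the check that keeps a misbehaving service from turning this into an infinite loop.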

Incomplete Backups

Another issue fixed in the recent update is the downloading of incomplete backups. If an attempt was made to download a backup that had not been completed (e.g. the user disconnected the charger or took the phone out of the Wi-Fi network it was using to upload the backup), the old version of Phone Password Breaker would fail. iCloud keeps the last three backups; the incomplete one does not count. Phone Password Breaker would list four available backups and attempt to download all four. After successfully downloading the first three, it would try to read the last one and throw an error box. This no longer happens.

Incremental Backups

Apple makes incremental backups, meaning that after the full backup has been downloaded for the first time, subsequent updates are fast, as only the changes are transferred.

Phone Password Breaker works with incremental backups correctly and reliably. First, it downloads all the chunks and their indexes for the last three backups. The chunks are then converted into “raw” backups (the first backup being a full one, the subsequent ones incremental). Incremental backup files are usually rather small (we usually see sizes of up to 100 MB). The raw backups are then processed to produce three separate full backups, allowing investigators to analyze any one or all of them.
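The two fixes above, skipping a snapshot whose upload never finished and folding a full backup plus incrementals into separate full backups, come down to one small algorithm. This added example (not Elcomsoft’s code) models a snapshot listing in which the first snapshot is full and each later one is a delta against its predecessor, with the newest left incomplete. The listing format, snapshot ids and file versions are assumptions for illustration; the file paths are those listed in this post.

```python
"""Materialize full backups from a full snapshot plus incrementals, skipping incomplete ones."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Snapshot:
    snapshot_id: str
    complete: bool                      # False if the device stopped uploading mid-way
    base_id: Optional[str]              # None for a full snapshot, else the snapshot it builds on
    files: dict = field(default_factory=dict)   # path -> content version (all files, or only changed)
    deleted: frozenset = frozenset()            # paths removed since the base (incremental only)


# Constructed listing: three complete snapshots and one interrupted upload.
LISTING = [
    Snapshot("snap-1", True, None,
             files={"HomeDomain/Library/SMS/sms.db": "v1",
                    "HomeDomain/Library/Notes/notes.sqlite": "v1",
                    "CameraRollDomain/DCIM/IMG_0001.JPG": "v1"}),
    Snapshot("snap-2", True, "snap-1",
             files={"HomeDomain/Library/SMS/sms.db": "v2",
                    "CameraRollDomain/DCIM/IMG_0002.JPG": "v1"}),
    Snapshot("snap-3", True, "snap-2",
             files={"HomeDomain/Library/SMS/sms.db": "v3"},
             deleted=frozenset({"CameraRollDomain/DCIM/IMG_0001.JPG"})),
    Snapshot("snap-4", False, "snap-3",             # upload interrupted: must be skipped
             files={"HomeDomain/Library/SMS/sms.db": "v4"}),
]


def usable_snapshots(listing):
    """Drop snapshots whose upload never finished; they do not count as backups."""
    return [s for s in listing if s.complete]


def materialize(listing):
    """Return {snapshot_id: full manifest} for every complete snapshot in the listing.

    A full snapshot is its own manifest. An incremental one starts from the
    materialized manifest of its base, removes the deleted paths, then applies
    the changed files. An incremental whose base is missing or incomplete is an
    error rather than a silently wrong backup.
    """
    full = {}
    for snap in usable_snapshots(listing):
        if snap.base_id is None:
            manifest = dict(snap.files)
        else:
            if snap.base_id not in full:
                raise ValueError(f"{snap.snapshot_id}: base {snap.base_id} is missing or incomplete")
            manifest = dict(full[snap.base_id])
            for path in snap.deleted:
                manifest.pop(path, None)
            manifest.update(snap.files)
        full[snap.snapshot_id] = manifest
    return full


if __name__ == "__main__":
    for snap_id, manifest in materialize(LISTING).items():
        print(snap_id, sorted(manifest.items()))
```

Each resulting manifest is a complete backup in its own right, so an investigator can examine any one of them, and the earlier state of a file (here `sms.db` at `v1`) remains available even though the newest snapshot only carries the change.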

I’ve Got the Backup. What Shall I Do Now?

Extracting the content of an iPhone is only half the job. Recovering meaningful information from raw data is yet another matter. The good news is that there are plenty of powerful tools providing iOS analytics. The bad news? You’re about to spend a lot of time analyzing the files and documenting the findings. Depending on the purpose of your investigation, your budget and your level of expertise with forensic tools, you may want to use one tool or another. Let’s see what’s available.

…to be continued in the next post.

