For many months, a working jailbreak was not available for current versions of iOS. In the end of July, Pangu released public jailbreak for iOS 9.2-9.3.3. A few days ago, Apple patched the exploit and started seeding iOS 9.3.4. This was the shortest-living jailbreak in history.

With iOS getting more secure with each generation, the chance of successfully jailbreaking a device running a recent version of iOS are becoming slim. While this may not be the end of all for mobile forensic experts, we felt we need to address the issue in our physical acquisition toolkit.

iOS Forensic Toolkit: The New Logical Acquisition Option

In the latest release of iOS Forensic Toolkit, we added a new option. The “Backup” command makes an iTunes-style backup of a connected iOS device whether or not the device has a jailbreak installed. This logical acquisition can and should be used even if the iOS device you’re about to acquire was or can be jailbroken. In fact, we strongly recommend using logical acquisition before attempting any other type of acquisition because of the following reasons.

1. Jailbreaking is a dangerous process that can brick your device, rendering data permanently inaccessible.
2. Jailbreaking always introduces unwanted artifacts. Those must be carefully documented in order for the evidence to remain admissible. A logical backup helps tremendously.
3. Physical acquisition of 64-bit devices (iPhone 5s and newer) does not decrypt the keychain. Logical acquisition does.
4. For devices locked with an unknown passcode, logical may be the only way as you may be able to access device data using a lockdown file obtained from the suspect’s computer.

As you can see, a combination of two acquisition methods results in more information obtained from the device, and gives you a much better chance of successfully extracting the data.

Logical Acquisition: iOS Forensic Toolkit vs. Apple iTunes

Why would anyone use Elcomsoft iOS Forensic Toolkit to extract local backups if Apple iTunes is available for free? The ElcomSoft tool is a forensic-grade solution that works directly and without using any iTunes libraries. Compared to Apple iTunes, iOS Forensic Toolkit offers the following benefits.

1. Acquisition is available from any computer, including portable devices on the go.
2. We know how to deal with encrypted data. If no backup password is set, the keychain will remain securely encrypted with an unbreakable hardware key. For this reason, we’ll automatically set a temporary password (“123”) when acquiring devices without a backup password. (We’ll reset it back after extraction.) This allows decrypting keychain data that would otherwise remain inaccessible.
3. You can use a pairing record (lockdown file) extracted from the suspect’s PC to perform logical acquisition with iOS Forensic Toolkit even if the device is locked with an unknown passcode. Lockdown files remain valid until the iOS device restarts or is powered off.
4. You specify exactly where the local backup will be stored.
5. No risk that the device will automatically sync with iTunes.
6. You get logical and physical acquisition support in a single package.

Decrypting the Keychain

Creating an iOS backup with an empty password does not encrypt the majority of information. However, some of the most sensitive data stored in iOS keychain will remain encrypted with a hardware key. In 32-bit devices such as iPhone 4s, 5 and 5c we were able to extract the key and use it to decrypt the keychain during the physical acquisition process.

Secure Enclave introduced in 64-bit devices (iPhone 5s, 6/6s/Plus) effectively locked us out, blocking access to the hardware key regardless of jailbreak status. As a result, the physical acquisition process can extract but cannot decrypt the keychain, while keychain data backed up without a password remains similarly inaccessible.

We addressed this issue by making iOS Forensic Toolkit set a temporary password (“123”) when performing logical acquisition. After the extraction, the password is reset to its original state. Since password-protected iOS backups allow access to keychain, you can successfully decrypt keychain data by using that password.

What if the iOS device is already configured to produce password protected backups, and you don’t know the password? If this is the case, iOS Forensic Toolkit will not be able to change the password, and you’ll have to produce a local backup as is. You can then use Elcomsoft Phone Breaker to attack the password.

Using Lockdown Records to Access iOS Devices

One of the most common situations in the forensic world is attempting to extract data from an iPhone that is locked with an unknown passcode. With Apple’s new Touch ID expiration rules using a fingerprint to unlock becomes iffier than ever. Jailbreaking the device without specifying the correct passcode is also out of the question.

If this is the case, you can obtain a lockdown file from the suspect’s PC and use it in iOS Forensic Toolkit to perform logical acquisition. It is important to realize that lockdown records expire immediately once the iOS device is restarted or switched off, so proper acquisition technique is essential to preserve evidence.

Lockdown files are stored as follows.

Windows Vista, Windows 7 and newer: %ProgramData%\Apple\Lockdown

Sample path:

C:\ProgramData\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist

Windows XP: %AllUsersProfile%\Application Data\Apple\Lockdown

Sample path:

C:\Documents and Settings\All Users\Application Data\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist

Mac OS X: /var/db/lockdown

Conclusion

By including logical acquisition support into our physical acquisition toolkit, we are offering forensic specialists a better chance of successful extraction while enabling access to the keychain, which would remain inaccessible if you used physical acquisition on a 64-bit device.