For many months, a working jailbreak was not available for current versions of iOS. In the end of July, Pangu released public jailbreak for iOS 9.2-9.3.3. A few days ago, Apple patched the exploit and started seeding iOS 9.3.4. This was the shortest-living jailbreak in history.
With iOS getting more secure with each generation, the chance of successfully jailbreaking a device running a recent version of iOS are becoming slim. While this may not be the end of all for mobile forensic experts, we felt we need to address the issue in our physical acquisition toolkit.
So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.
What exactly can be done to the device depends on the following factors:
From the point of view of mobile forensics, there are three distinct generations:
iPhone 4 and older (acquisition is trivial)
iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave, jailbreak required, must be able to unlock the device)
iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices, Secure Enclave, jailbreak required, passcode must be known and removed in Settings)
Big news! iOS Forensic Toolkit receives its first major update. And it’s a big one. Not only does version 2.0 bring support for iOS 9 handys. We also expanded acquisition support for jailbroken devices, enabling limited data extraction from jailbroken devices locked with an unknown passcode.
Last but not least. For the first time ever, we’ve added physical acquisition support for 64-bit devices! We’ve done what was long considered to be impossible. Intrigued? Read along to find out! Can’t wait to see what can be done to 64-bit iDevices? Skip right to that section!
New in EIFT 2.0
iOS 9: Full physical acquisition support of jailbroken 32-bit devices running iOS 9
64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS
Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked
It’s probably a bit too much for a modest one-digit version bump… we should’ve named this version 3.0! (more…)
With hardware-backed full-disk encryption and additional protection of sensitive user data located in the keychain, Apple iOS is the most secure mobile operating system out there. Acquisition approaches that are traditional for Android and Windows Phone devices (namely, JTAG, ISP and chip-off) are completely meaningless for iOS devices running even years-old generations of the system. Bypassing screen lock password (passcode) has also been long considered to be useless due to the fact user data stored in the keychain is additionally encrypted with a secure key based on the passcode.
While we can’t do much with the former, our recent research shows that the latter is not entirely true. Bypassing the passcode does reveal quite a bit of information that can be useful for an investigation. And this is not just a theoretical research. We are building this functionality into a ready-to-use commercial tool, iOS Forensic Toolkit, to allow extracting data from locked iDevices – providing they have a jailbreak installed. The tool will allow pull available information from devices locked with an unknown passcode. That includes devices that were powered on (or rebooted) and never unlocked. Naturally, a pre-installed jailbreak is required in order to access the data.
As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!
Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud. (more…)
Nowadays, computer data is everywhere around and it’s growing at amazing speeds from hour to hour. It’s really fast, easy and convenient to stay active online day and night. No matter how easy it may be for the user, for computer crime investigators, on the contrary, it is the toughest challenge to collect and decrypt digital evidence. Even more important for them is to be able to evaluate a particular situation and understand what exactly they can collect, where it may be stored, how quickly and effectively they can get hands on it leaving the data intact and authentic in order to keep it still useful and trustworthy in court.
The crime scene has also moved or better to say spread from computers to mobile devices that can not only “carry” but also produce, process and transfer valuable information among other mobile devices or even into the cloud. This introduces another big challenge, which is tracing a connection between various electronic devices, collecting necessary information from them and gathering evidence into one case.
A successful completion of the investigation requires a well thought-out and structured incident response scenario and a whole arsenal of tools, techniques and methods at hand that could be implemented quickly and effectively.
Everyone must comply with government requests to disclose information. How far should one go when disclosing such information? This is up to the company. In a recent trend, several big IT companies including Apple, Facebook, Google and Microsoft among others teamed up to propose a change in US legislatures concerning governments spying on its citizens. The reform would make government surveillance “consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.
It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.
Switching iPhones into a DFU (Device Firmware Update) mode is a hassle. Power off, press that and hold those that many seconds, release this but continue holding that until hopefully something happens on the phone. Many iPhone users have major troubles switching their iPhones into DFU mode. Luckily for them, they don’t have to do the Apple Dance too often.
Criminal investigators, police officers and workers of the intelligence are not as lucky. They have dozens of iPhones to process every day, hundreds every week. “When I get an iPhone, I only have two hours”, says a police officer who’s name we cannot disclose. “In 120 minutes, I have to acquire and process information from that phone. Honestly, I can rarely complete it in a proper way.”
Here at ElcomSoft, we’re trying to do everything to make the life of investigators easier. Performing a physical acquisition with EIFT, which is the only proper way to capture everything in the phone, only takes 20 to 40 minutes depending on the model. But here comes another pitfall. Unlike pickpockets and fraudsters with long, thin fingers, police officers have big hands and firm, strong fingers. Performing the Apple Dance is extremely frustrating and almost physically painful. “I have to try and try before I can twist my fingers to hold those damn buttons”, confesses another police officer. “These damn things are too small and slick”.
Visiting the EuroForensics conference a few days ago, I was demonstrating how easy it was to switch an iPhone into DFU mode. I did it right the first time, but on a second try I failed miserably. “I’m too old for this shtuff”, commented yet another visitor whose badge simply read “Special Agent”.
I passed my concerns to ElcomSoft R&D department, and they built a mockup of an ingenious device automating this sort of things. They called it “iOS DFU Mode Starter”. As a first mockup, it’s not yet perfect. It requires careful placement of the device, and you have to plug a USB cable by hand. Other than that, iOS DFU Mode Starter can switch the device into Debug Firmware Update mode with 100% reliability. “It’s almost infallible”, says Andrey Belenko, ElcomSoft leading researcher. “And it was incredible fun to build”.
Here’s a video demonstrating how the new device works:
I was shocked at first when I saw the robot. A LEGO? Are you guys kidding me? It turned out our R&D guys were serious as ever. Here’s what Andrey Belenko has to say about this robot.
“Constructing mockups and early prototypes with LEGO bricks is commonplace for building robots. Honestly, LEGO blocks are a godsend to all robot builders. Don’t be fooled with the look of the thing; these bricks are a serious prototyping tool.”
“LEGO bricks hold together amazingly well under low and medium load. LEGO blocks come in a wide assortment of shapes and sizes. They give a tight fit, they are reusable, and they save us a lot of time when prototyping. We’re not building an industrial piece; this robot simply handles a modern electronic device. No force is required.”
Whether or not this device goes into production, and what the price is going to be like if it does is yet to be determined.
Today, we released an updated version of iOS Forensic Toolkit. It’s not as much of an update to make big news shout, but the number of improvements here and there warrants a blog post, and is definitely worth upgrading to if you’re dealing with multiple iPhones on a daily basis.
The newly updated Elcomsoft iOS Forensic Toolkit now supports iOS 5.1 and adds a number of small and not-so-small enhancements to the already sound package. The ability to try top 100 most common passcodes gives a chance to recover a passcode in a matter of minutes. There’s one more thing new with the updated iOS Forensic Toolkit: an iPhone booted with iOS Forensic Toolkit now displays a small ElcomSoft logo instead of the default one.
Top 100 Passcodes
We’ve seen lots of iPhones. Most are locked with simple, easy to remember passcodes. We were able to compile a list of most commonly used passcodes. There are the obvious ones like 1111, 2222, 1234, 5555, vertical raw 2580, and there are many ‘convenience’ passcodes that are just easier to remember or enter on the iPhone’s screen. There’s a whole range of passcodes representing possible dates significant to iPhone owners; these passcodes range from early 1930 to 2020. The updated iOS Forensic Toolkit will now try these passcodes before launching a brute-force attack.
How good are the chances? A recent study demonstrated that as many as 15% of all passcode sets are represented by only 10 different passcodes (out of 10,000 possible combinations). That’s 1 in 7 iPhones unlocked within minutes or even seconds.
iPhones booted by iOS Forensic Toolkit will now display ElcomSoft logo when loading. Not a big deal, but a nice and pleasant for us visual effect 🙂
We also added a few other improvements and enhancements here and there, making the new version a recommended update.