Big news! iOS Forensic Toolkit receives its first major update. And it’s a big one. Not only does version 2.0 bring support for iOS 9 handys. We also expanded acquisition support for jailbroken devices, enabling limited data extraction from jailbroken devices locked with an unknown passcode.

Last but not least. For the first time ever, we’ve added physical acquisition support for 64-bit devices! We’ve done what was long considered to be impossible. Intrigued? Read along to find out! Can’t wait to see what can be done to 64-bit iDevices? Skip right to that section!

New in EIFT 2.0

• iOS 9: Full physical acquisition support of jailbroken 32-bit devices running iOS 9
• 64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS
• Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked

It’s probably a bit too much for a modest one-digit version bump… we should’ve named this version 3.0!

iOS 9, Jailbreak and Physical Acquisition

Apple users are keen on installing the latest iOS update. As of today, some 66% of compatible devices are already running iOS 9. When developing the new OS, Apple paid special attention to make it as difficult to exploit as they could. They even had a name for it, calling iOS 9 the “rootless” OS. Yet, we’ve seen jailbreak released only weeks after.

With Pangu code floating around, iOS 9 users can successfully jailbreak their devices to install Cydia and use the many tweaks available in the repository.

Jailbreaking is great for tweaking the phone. It’s also great when it comes to extracting information from that device. If we encounter an iPhone which runs iOS 9, we can’t do much about it if the device is locked with an unknown passcode – unless it’s jailbroken. If the phone *is* jailbroken, we can do a lot – even if we don’t know the passcode. What exactly can be done depends on the model; particularly, on whether the device uses 32-bit or 64-bit hardware.

Note: physical acquisition techniques are only available for jailbroken devices, and applicable to iPhones and iPads running iOS 7, 8 and 9 up to and including 9.0.2. iOS 9.1 is not jailbreakable at this time, meaning there’s no support for devices running iOS 9.1 (and 9.2 beta).

32-bit Devices: Full Steam Ahead!

iOS 9, pre-installed jailbreak and 32-bit hardware is the perfect combination exposing the device for physical acquisition. If the device is not jailbroken but you do know the passcode (or if it’s just unlocked), you can install the jailbreak and do physical acquisition after. It’s just that Apple no longer sells a lot of 32-bit devices in the US or Europe. However, some of these devices are still being actively used. Below is the list of fairly recent devices with 32-bit hardware.

• iPhone 4S, 5, 5C
• iPod Touch (5th gen)
• iPad 2 through 4
• iPad mini (original)

Notes on physical acquisition of 32-bit devices:

• Jailbreaking is not as reliable and straightforward as we’d like it to be.
• You can’t jailbreak a locked device if you don’t know the passcode.
• Find My Phone and backup password must be disabled before installing jailbreak. If Find My Phone is on, you must enter the user’s Apple ID password to turn it off. If the backup password is not known, you can recover it with Elcomsoft Phone Breaker.
• In order to perform physical acquisition of a jailbroken device, you’ll need to manually install OpenSSH from Cydia.

Retrieving iOS Backup Password

There is an interesting use case scenario for jailbroken 32-bit devices allowing investigators gain access to destroyed evidence stored in old backups of the device. Let’s say you are in the following situation:

• There is a jailbroken 32-bit iOS device with a known passcode (or if the device is already unlocked and you can install a jailbreak)
• You know (or can retrieve) the Apple ID password
• You have an old local backup but don’t know the password
• You want access to data stored in that backup

As you know, there is no easy way to retrieve the backup password from an iOS device. Using Elcomsoft Phone Breaker, you can try to recover the password by running a dictionary or brute-force attack. However, the recovery can take a lot of time, and may not be successful after all if a long, complex password was used.

Resetting the password will do little in order to help you extracting information from an existing local backup. However, you can combine physical and logical acquisition techniques to actually retrieve the original plain-text backup password!

1. Make the device produce both local and cloud backups
2. Reset the device to factory settings
3. Jailbreak the device
4. Use iOS Forensic Toolkit to retrieve the hardware key (securityd, 0x839)
5. Download cloud backup with Elcomsoft Phone Breaker
6. Using Elcomsoft Phone Breaker and the extracted securityd key, decrypt the keychain from the cloud backup (that’s why we needed a cloud backup)
7. From the decrypted keychain, obtain plain-text backup password (you can also retrieve everything else from the keychain, as it will be fully decrypted by using the securityd key)
8. Use the retrieved backup password to decrypt the old local backup
9. Gain access to evidence stored in that old backup (that could be recently deleted from the device)

 
64-bit Devices: Physical Acquisition Is Here (Finally)!

iOS 9 support, so what? This isn’t the first iOS update, and it’s certainly not the last one. Why bumping EIFT to version 2.0?

In this release, we finally managed to get physical acquisition to work on 64-bit devices. If you have one of the following devices, and if they are jailbroken, we can help regardless of the version of iOS installed (if that version of iOS supports jailbreaking):

• iPhone 5S, 6, 6 Plus, 6S, 6S Plus
• iPad Air, Air 2, Pro
• iPad mini Retina, iPad mini 3 and 4

Apple’s 64-bit platform is inherently more secure compared to the 32-bit SoC it replaces, featuring a dedicated security chip holding the decryption keys. For this reason, physical acquisition for 64-bit devices remains somewhat limited compared to a similar technology applied to older iPhones and iPads equipped with previous-generation architecture. One of the major limitations of the new acquisition technique is that it cannot decrypt the keychain.

Compared to physical acquisition of 32-bit devices, the 64-bit extraction process will yield a UNIX-style .tar archive containing a copy of the device’s file system (as opposed to the bit-precise image returned with the 32-bit process). However, all the files that aren’t accessible with any other acquisition method such as location information and downloaded mail are extracted, as well as tons of other information such as application cache, Web browser history, cache and cookies; application and system logs and much more – except for the keychain. The required pre-requisite for performing physical acquisition on a 64-bit device is actually removing the passcode prior to the acquisition (and not just entering it on the lock screen like on 32-bit devices).

To sum it up, the 64-bit process has the following limitations compared to physical acquisition for 32-bit devices:

1. Keychain is extracted but currently cannot be decrypted since the decryption key is not available anywhere within our reach. We’ll keep working on this one.
2. Everything stored in the keychain remains encrypted and inaccessible. In iOS 8 and 9, that’s quite a lot of data including email and account passwords, passwords to Wi-Fi etc.
3. .tar file instead of bit-precise image. The new process returns the content of the file system in a UNIX-style TAR file instead of a binary image of the device.
4. Passcode must be removed prior to acquisition. Since you must know (or recover) the passcode anyway in order to access the device, removing that passcode in iOS settings is just an easy extra step.

Now let’s consider Apple’s official policy on denying government requests for devices running iOS 8 and newer. The company claims that since iOS 8 its devices became so secure that even Apple themselves can do nothing to extract information. They cite technical limitations preventing the company from doing that.

When developing the 64-bit acquisition code, we couldn’t stop thinking: if we can make this on a jailbroken device, what sort of a technical limitation prevents Apple from doing the same on *any* device?

Steps to Perform Physical Acquisition on a 64-bit iOS Device

The internals of the 64-bit acquisition process differ significantly from how it works on 32-bit devices. As a result, an extra step is required to perform physical acquisition on an iPhone 5S, 6/6S or any of the Plus versions.

1. Ensure that the device is jailbroken. Physical acquisition for 64-bit devices is exclusive to jailbroken iPhones, iPads and iPods.
2. Unlock the device with the correct passcode.
3. Go to iOS Security settings and disable passcode protection altogether. This step is new compared to physical acquisition for 32-bit devices. Without disabling passcode protection, you won’t be able to acquire most of the data.
4. Use the “TAR FILES” function in iOS Forensic Toolkit. This will return a UNIX-style TAR archive of the file system complete with all application data. The keychain database will also be extracted; however, it won’t be decrypted as keychain decryption keys are not accessible on 64-bit devices.

Jailbroken Devices Locked with Unknown Passcode

If that was not enough, we’ve also added the ability to pull some information from devices locked with an unknown passcode, including devices that were powered on (or rebooted) and never unlocked. A jailbreak is required.

The following data can be pulled from jailbroken, passcode-locked devices:

• Some geolocation data (cellular tower and compass calibration data incl. coordinates)
• Incoming calls (numbers only) and text messages (*)
• App and system logs (installs and updates, net access logs etc.)
• SQLite temp files including WAL (Write-ahead logs) (*)

(*) What exactly may or may not be available from a locked device depends, in particular, on whether or not the device was unlocked at least once after booting up. For example, incoming text messages will be placed into a temporary, unencrypted database if the device was never unlocked after booting up. If, however, the device was unlocked at least once, all text messages will be transferred into the encrypted database even if they were received while the device was subsequently locked. As a result, if a device was unlocked at least once AND is has a jailbreak installed, it may be possible to pull a lot more data compared to devices that were never unlocked after the boot. This is one of the reasons why you should do your best to prevent seized devices from switching off (using the Faraday bag and charger routine).

So why does that work, what consequences does it have, and what does it all mean for the investigator? You can read about it in our recent article.

A Word on iOS 9.1 and 9.2

New versions of iOS are a constant challenge for the jailbreaking community. The latest released build of iOS (9.1 at this time, with 9.2 still in beta) does not currently have a jailbreak. Apple has already stopped signing iOS 9.0.2 update, making it impossible to install the last jailbreakable build of iOS 9 or roll back from iOS 9.1. Those who want to keep their jailbreak will probably want to stay with iOS 9.0.2 for a little longer.

Known Issues and Workarounds

We stumbled upon an irregular issue with some iPhone 5C devices. When performing physical acquisition of a jailbroken device with Elcomsoft iOS Forensic Toolkit, the tool may successfully recover the passcode and decrypt the keychain but fail to decrypt the disk image. If this happens, you’ll see the following error:

[ERROR] Keys are not valid for this encrypted image (-8)

This issue was reported on some iOS 8 and iOS 9 devices. We don’t know what causes this behavior. We can loosely attribute it to the method of updating the device to its current version of iOS (whether the device was updated with an OTA update or via iTunes, and whether it was an update or a full wipe and restore).

The issue occurs on a relatively minor number of affected devices. We’re keeping an eye on this issue. Once we’re able to lay our hands on an affected device, we may be able to develop a solution.

The official workaround for this issue is using the “TAR FILES” option, which is the same option used to acquire 64-bit devices. In addition, you can use “GET PASSCODE” and “DECRYPT KEYCHAIN” options to recover the passcode and decrypt the keychain afterwards (keychain decryption is not available when acquiring 64-bit devices). If you are able to recover the passcode, disabling passcode protection in the device’s security settings is strongly recommended before capturing the TAR image.

Another issue is particular to the Mac OS version. While OS X versions 10.10.5 through 10.11 are generally supported, the Mac version will not support DFU mode for old iPhones (such as the iPhone 4 and older). Jailbroken iPhones are fully supported though as DFU mode is not required for extracting jailbroken devices.