Archive for November, 2016

Acquisition of a Locked iPhone with a Lockdown Record

Monday, November 28th, 2016

The previous article was about the theory. In this part we’ll go directly to practice. If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to searching user’s computers for a lockdown record.

(more…)

Forensic Implications of iOS Lockdown (Pairing) Records

Friday, November 25th, 2016

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up. (more…)

“We take privacy very seriously” – Apple, we do not buy it, sorry

Friday, November 18th, 2016

Good news: Apple has officially responded.

Bad news: We don’t buy it. Their response seems to address a different issue; worse, some of the reporters just quoted what Apple said without real understanding of the actual issue. So let’s try to follow the story step by step.

Apple has an option to back up phone data to iCloud. Doing that for many years now. On our side, we have a feature to download iCloud backups. The feature has been there for years, too. We are also able to download everything from iCloud Drive (including data belonging to third-party apps, something that is not available by standard means). We can download media files from iCloud Photo Library (and by the way, we discovered that they were not always deleted, see iCloud Photo Library: All Your Photos Are Belong to Us). Then we started to research how iOS devices sync data with iCloud, and discovered that Apple stores more than they officially say. All iOS versions allow users to choose which bits of data are to be synced – such as contacts, notes, calendars and other stuff. Here is a screen shot from iCloud settings captured on iPhone running iOS 10:


icloud_drive

(more…)

iOS Call Syncing: How It Works

Thursday, November 17th, 2016

In our previous article, we figured that iPhone call logs are synced with iCloud. We performed multiple additional tests to try to understand exactly how it works, and are trying to guess why. (more…)

iPhone User? Your Calls Go to iCloud

Thursday, November 17th, 2016

iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.

Why It Matters

Ever since the release of iOS 8, Apple declines government requests to extract information. According to Apple, “On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”

So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement. (more…)