Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11

September 14th, 2017 by Oleg Afonin
Category: «Did you know that...?», «Elcomsoft News», «Software», «Tips & Tricks»

With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.

Our previous article touches on the forensic implications of iOS 11. In this article we’ll cover what you can and what you cannot do with an iOS 11 device as a forensic expert. We’ll talk about which acquisition methods still work and which don’t, what you can and cannot extract compared to iOS 10, and what you need to know in order to get the job done.

Physical Acquisition

Let’s start with physical acquisition. With no jailbreak on the horizon, physical acquisition remains unavailable. Even when (or if) an iOS 11 jailbreak appears, you’ll still have to wait for us to update Elcomsoft iOS Forensic Toolkit.

What will you need to perform physical acquisition of an iOS 11 device?

  1. A working jailbreak.
    One is not available at this time.
  2. Device passcode.
    In order to install the jailbreak, you will need to pair the iOS device with the computer, which, in turn, will require you to enter device passcode.
  3. iOS Forensic Toolkit.
    We’ll have to update iOS Forensic Toolkit to support iOS 11.
  4. Passcode (again).
    You will need to remove the passcode in order to perform physical acquisition, and in order to do that you’ll have to enter it first.

Logical Acquisition

There are two steps in logical acquisition: acquiring a local backup from the iOS device and accessing information stored in that backup. While in previous versions of iOS logical acquisition was possible once you unlocked the device by whatever method (e.g. with Touch ID), iOS 11 requires you to enter the device passcode in order to pair it with a computer.

To perform logical acquisition (making the device produce a local backup), you will need:

  1. Device passcode OR valid pairing record (lockdown file).
    A fingerprint unlock is no longer sufficient for logical acquisition. iOS 11 now prompts for the passcode when pairing the device to a computer. If you don’t know the passcode, you can still use a pairing record (lockdown file) extracted from the user’s computer.
  2. iOS Forensic Toolkit.
    We updated iOS Forensic Toolkit to support iOS 11. iOS Forensic Toolkit can conveniently use a pairing (lockdown) file extracted from the user’s computer to unlock the device and produce a backup. Note that you will be able to decrypt significantly more information from a backup protected with a known password compared to backups without a password.
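Because a pairing record taken from the user’s computer unlocks the device for backup without the passcode, the defensive counterpart is knowing which pairing records exist on a host and how old they are. The following script is an added example, not Elcomsoft code: it summarizes lockdown plists using the key names documented by libimobiledevice (`HostID`, `SystemBUID`, `WiFiMACAddress`, `EscrowBag`, certificates and keys) and flags pairings older than a threshold for review. The sample record it audits is constructed with placeholder values; the `demo_audit` and `scan_directory` helpers and the 30-day threshold are assumptions for the demonstration.

```python
"""Audit of persistent iOS pairing records (lockdown files) on a host.

Added example, not Elcomsoft code. Assumes the lockdown plist layout
documented by libimobiledevice (userpref.c); sample records are constructed.
"""
import os
import plistlib
from datetime import datetime, timedelta, timezone

# Where iTunes / usbmuxd keep pairing records as <UDID>.plist
LOCKDOWN_DIRS = ("/var/db/lockdown", r"C:\ProgramData\Apple\Lockdown")

# Keys found in a complete pairing record
EXPECTED_KEYS = ("DeviceCertificate", "EscrowBag", "HostCertificate", "HostID",
                 "HostPrivateKey", "RootCertificate", "RootPrivateKey",
                 "SystemBUID", "WiFiMACAddress")


def summarize_record(udid, data, mtime, now):
    """Parse one lockdown plist and return only the metadata an auditor needs.
    Certificates, private keys and the escrow bag are never returned."""
    rec = plistlib.loads(data)
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": "EscrowBag" in rec,
        "missing_keys": [k for k in EXPECTED_KEYS if k not in rec],
        "age_days": (now - mtime).days,
    }


def audit_records(records, now, max_age_days=30):
    """records: iterable of (udid, plist_bytes, mtime as aware datetime).
    Returns (summaries, stale); stale lists UDIDs whose pairing is older than
    max_age_days, i.e. the trust relationships worth revoking on the host."""
    summaries = [summarize_record(u, d, m, now) for u, d, m in records]
    stale = [s["udid"] for s in summaries if s["age_days"] > max_age_days]
    return summaries, stale


def scan_directory(path, now=None):
    """Yield (udid, bytes, mtime) for every device plist in a real lockdown
    directory (hypothetical helper; SystemConfiguration.plist is host-level)."""
    now = now or datetime.now(timezone.utc)
    for name in os.listdir(path):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        full = os.path.join(path, name)
        mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
        with open(full, "rb") as f:
            yield name[: -len(".plist")], f.read(), mtime


def make_sample_record(drop=()):
    """Constructed pairing record with placeholder values, not real key material."""
    rec = {k: b"placeholder" for k in EXPECTED_KEYS if k not in drop}
    for key in ("HostID", "SystemBUID"):
        if key in rec:
            rec[key] = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
    if "WiFiMACAddress" in rec:
        rec["WiFiMACAddress"] = "00:00:00:00:00:00"            # placeholder MAC
    return plistlib.dumps(rec)


def demo_audit():
    """Audit two constructed records: one fresh, one stale with no escrow bag."""
    now = datetime(2017, 9, 14, tzinfo=timezone.utc)
    sample = [
        ("UDID-FRESH", make_sample_record(), now - timedelta(days=2)),
        ("UDID-STALE", make_sample_record(drop=("EscrowBag",)),
         now - timedelta(days=400)),
    ]
    return audit_records(sample, now)


if __name__ == "__main__":
    summaries, stale = demo_audit()
    for s in summaries:
        print(s)
    print("stale pairings to review:", stale)
```

Run against a real host by feeding `scan_directory(path)` into `audit_records`; the output deliberately contains no key material, so it can be attached to a ticket without leaking the pairing credentials themselves.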

If the user specified a backup password, you will need to recover that password first in order to decrypt the content of the backup. Recovery is only possible by running a brute-force or dictionary attack; there are no known weaknesses in iOS 11 backups that would allow bypassing the password. Note that password attacks are extremely slow for iOS 11 backups (about 100 passwords per second using an NVIDIA GTX 1080 board).

Elcomsoft Phone Breaker supports backups produced by iOS 11 devices.

  1. Elcomsoft Phone Breaker.
    You will need Elcomsoft Phone Breaker to attack backup passwords and/or decrypt the backup.
  2. Elcomsoft Phone Viewer 4.0.
    EPV will be soon updated to support iOS 11 backups. You need this version or newer to view and analyze iOS 11 backups.

Keychain Acquisition

There are still two possible methods allowing experts to obtain information stored in iOS 11 Keychain.

  1. Logical acquisition > Password-protected backup > decrypted keychain
  2. iCloud Keychain

In order to access the keychain via logical acquisition, do the following:

  1. In Elcomsoft iOS Forensic Toolkit, use option “B” (Backup).
    Note: if you are running iOS Forensic Toolkit on a new PC that does not have a pairing relationship established with the iOS device, you will need to either establish such relationship (see above) or to provide a pairing record extracted from the user’s computer.
  2. If the backup password is empty, EIFT will temporarily use “123” as the password.
  3. If a backup password is set and it is not known, use Elcomsoft Phone Breaker 8.0 or newer to recover that password.
  4. Open the backup in Elcomsoft Phone Breaker 8.0 or newer.
  5. In EPB, select “Keychain Explorer” and provide path to the location of the backup.
  6. Enter the backup password (“123” or the one recovered in step 3) to allow the tool to decrypt the backup.
  7. You will now be able to view, analyze or export keychain items.

In order to access keychain items synced with iCloud Keychain, follow the instructions outlined in the following article: How to Extract iCloud Keychain with Elcomsoft Phone Breaker

Briefly, you will need the following:

  1. No 2FA:
    – Apple ID and password
    – iCloud Security Code
  2. For accounts with 2FA:
    – Apple ID and password
    – access to a trusted device (to receive or generate a one-time code)
    – passcode from a device registered on that Apple ID account
  3. Elcomsoft Phone Breaker 8.0 or newer

Additional steps are available in the article mentioned above.

Cloud Acquisition: Two-Step Verification No More

iOS 11 continues supporting cloud backups. As in the previous version of iOS, cloud backups are stored in iCloud Drive. They are still not accessible without specialized tools such as Elcomsoft Phone Breaker.

While internally iOS 11 made a number of changes to iCloud backups, the acquisition process still looks familiar except for one thing: Two-Step Verification is no longer supported. All Apple ID accounts that used Two-Step Verification before will be automatically migrated to the much stronger Two-Factor Authentication once the user updates at least one of their devices to iOS 11 or macOS High Sierra.

Therefore, the acquisition process will look as follows.

No Two-Factor Authentication:

  1. Apple ID and password or valid iCloud authentication token.
    Note that iCloud authentication tokens carry an expiration date. At this time, you only have 12 hours since the user signed in to iCloud on their computer to access iOS system backups in iCloud Drive by using a token. After 12 hours, the token can no longer be used for obtaining iOS system backups; however, it can still be used for downloading iCloud synced data (more on that later) and iCloud Photo Library.
  2. Elcomsoft Phone Breaker 8.0.
    We updated EPB to support changes in the iCloud communication protocol introduced in iOS 11. You will need EPB 8.0 or newer to download iCloud backups.

Accounts with Two-Factor Authentication:

  1. Apple ID and password or valid iCloud authentication token.
    Same as above: iCloud authentication tokens carry an expiration date.
  2. If using Apple ID and password: access to trusted device.
    You will need to enter a one-time security code delivered to or generated by the trusted device.
  3. Elcomsoft Phone Breaker 8.0.
    Same as above; you’ll need the updated EPB to support changes in the iCloud communication protocol introduced in iOS 11.

No longer applicable: accounts with Two-Step Verification.

Two-Step Verification was finally discontinued in iOS 11. Updating just one device to iOS 11 causes the user’s entire Apple ID to automatically migrate from 2SV to 2FA. While the option to go without secondary authentication still remains, Apple now offers a single secondary authentication method. This is a welcome step as it will reduce confusion among users and possibly increase the use of Apple’s more secure Two-Factor Authentication process.

No Notifications in Backups

Compared to iOS 10, we have one less bit of information available in both local and cloud backups. In iOS 11, notifications are no longer part of any backups, local or iCloud. With no iOS 11 jailbreak (yet), we have no way to verify whether notifications older than 7 days are still stored on the device or not. More information is available in the article mentioned above (scroll to the Notifications No Longer Stored in Backups chapter).

Synced Data

Little has changed in regards to synchronized data. You still have access to everything you could access in iOS 10, and unlike the last major Android update, there are no new bits of data added to the synced set.

You can still fetch synced call logs, Safari browsing history and bookmarks from iCloud accounts. Contacts, calendars, notes, reminders and mail remain accessible.

In order to obtain synced data from the user’s Apple Account, you will need the following:

  1. Elcomsoft Phone Breaker 8.0 or newer.
    In order to access information synced across iOS 11 devices, you’ll need Elcomsoft Phone Breaker 8.0 or newer.
  2. Apple ID and password or iCloud authentication token.
    While iCloud authentication tokens carry an expiration date when you try to use them for accessing iOS system backups, those same tokens can still be used for downloading iCloud synced data even after they expire. At this time, iCloud authentication tokens can be used for downloading synced data (call logs, browsing history, contacts etc.) without any sort of time limitations.
  3. If Apple ID/password are used and Two-Factor Authentication enabled: access to a trusted device is required.
    You will need access to a trusted device in order to receive or generate a one-time security code. This is not required if using a token.

Conclusion

Quite a few things have changed in iOS 11. We miss notification backups, but we applaud the removal of Two-Step Verification and Apple’s overall push towards the more secure Two-Factor Authentication. We understand the reasons for requiring a passcode in order to pair an iOS device with a computer, yet we are mildly surprised that old pairing (lockdown) records can still be used without re-authentication.

In iOS 11, the role of device passcode is more important than ever. One can no longer pair a device to a computer without entering the correct passcode. Installing a jailbreak (if one is ever released) will not be possible without a passcode either.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »