iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.
This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).
Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.
iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.
But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.
The Passcode
No, we don’t break the iPhone passcode (we were able to do that for legacy devices only). Yes, we know it’s theoretically possible. Right now, there are two companies that have such solutions – one with a special device, and the other that offers a service. They do not disclose any details. For obvious reasons, they keep their mouth shut on how they do what they do. However, they are very tightlipped about the limitations, even failing to disclose the complete list of supported combinations of device models, iOS versions and other conditions. But from what we have learned from various leaks, they can quickly attack the passcode only if the device has been unlocked at least once since last reboot. If not, the recovery speed will be about 10 minutes per passcode. That’s over two months for a simple 4-digits passcode; however, one can try to cut that time by trying the most popular passcodes first or simply using the dictionary with all 4-digit passcodes sorted by popularity (here is some analysis). If the passcode is 6 digits long (which is the default since at least iOS 10), the maximum time is almost 20 years, which is obviously not practical. There are other limitations, too: for example, iOS 11.4 and newer throw these solutions to “slow brute-force mode” at least for now; also, even for the fast mode, you can only try a limited number of combinations before hitting the limit: we’ve heard of 300,000 combinations (which is about 1/3 of the total passcode space for 6-digits passcode). After that, Secure Enclave seems to switch the device (at least temporary) into the mode where only slow brute-force is possible. Again, these are only rumors based on anonymous sources and some leaks – neither company makes public comments.
Did I mention the new USB Restricted Mode? Once it’s engaged, the device Lightning port completely disables all data communications and acts as a “dumb” charging port. The USB Restricted Mode engages if the device has not been unlocked for an hour and remains active until you unlock it with valid passcode, even surviving reboots (Recovery mode and DFU still work though). The USB Restricted Mode briefly appeared in iOS 11.3 betas but was not included into final release (not even in iOS 11.4); currently it is available in iOS 11.4.1 beta and iOS 12 beta. Seems that Apple is testing it intensively, and second beta of 11.4.1 improves it even more: now it can be activated manually (regardless of when you unlocked the device). That renders the abovementioned solutions useless – until, of course, some kind of workaround will be found (e.g. through the Recovery or DFU mode, where the port become working again).
If you know the passcode, you can do a lot (btw, read how to protect yourself). That sounds obvious, but I bet many of you did not know that you can even change the iCloud password, replace trusted number and access iCloud keychain. Still, if you are perform forensic analysis, the passcode itself is not enough to access all the data stored on the device.
Logical vs Physical Acquisition
Logical acquisition is the fastest and easiest to perform. We covered it in details, but briefly, it is creating iTunes-style backup, plus some useful extras: complete device information, media files, shared files, and now (with iOS Forensic Toolkit update) the crash logs, which may help to get detailed information on device/application usage, including activities of the apps that were already removed from the devices. Again, you need the device passcode; in many cases, the acquisition is also possible with lockdown records obtained from a trusted desktop where the given devices has been connected to.
Is that all? Far from it. There is quite a lot of data on the device that is not included into a backup: cached mail, location data, various system logs, temporary files, third-party app data and more. Also, there is something special about the keychain.
The Keychain
The keychain is probably the most secure part of the iOS file system. At the same time, it is the most interesting for investigations: the keychain contains credit card data, web/mail/Wi-Fi passwords, and tons of certificates, tokens and encryption keys. If one can access the keychain, they will be able to access virtually all software and services installed on the device (well, except those that require some extra input from the user when starting).
The keychain isincluded into iTunes (and iCloud) backups, but it is additionally encrypted. However, the encryption may be different depending on whether or not the local backup is protected with a password. In a nutshell, in iCloud backups and local backups without the password, the keychain encryption key is derived from a device-specific key that is protected with Secure Enclave. Stronger security, as usual, means less convenience: if you restore a different device from iCloud or from an unprotected iTunes backup, you are going to lose most keychain items: the new device will not be able to decrypt it. With local backups protected with a password, the situation is different: most keychain items are encrypted with the key that is derived from the backup password.
In order to extract the content of the keychain, you must know the backup password. The main issue with the keychain extracted from a local backup is that it is notcomplete. Quite a lot of records are encrypted with the highest protection class and so cannot be obtained from a local backup. The synced iCloud Keychain contains passwords only, but no encryption keys or tokens, at least that’s what Apple key – though we saw at least some tokens there).
Is there anything that can be done to access the complete keychain, even if you cannot break the backup password? The new iOS Forensic Toolkit 4.0 can now decrypt the keychain completely, but only if you can install a jailbreak on the device. We did not break Secure Enclave. We have just found the way to access all the keychain items, and that feature is now part of iOS Forensic Toolkit. Enjoy the new bunch of secret data stored on the device!
Please note that when you start the keychain decryption in the Toolkit, device should be unlocked (if it is not, we will wait until you unlock). Also, the device may prompt you to unlock with a passcode, Touch ID or Face ID during keychain extraction. There is something special about Meridian jailbreak here: this particular jailbreak is a bit buggy, so the unlock prompt does not always appear on the device; as a workaround, we implemented two modes: with one, our keychain extraction/decryption utility will wait till you unlock, and with the other mode it tries to decrypt the keychain without interaction (however, not all the items will be decrypted). Always try normal operation first, and select the other option only if you do not get the prompt, but our utility still ways for it and so operation cannot complete.
Also, passcode decryption utility will prompt you for iOS version: 7-8 or 9-11. Yes, we do know the iOS version once the script is running and device is connected, but still it is better to ask (due to some technical nuances that are outside the scope of this article).
Screen Lock
There is something special about the screen lock and passcode lock, the setting that locks the device after some period of inactivity, usually from 1 to 30 minutes.
For a long time, we used to recommend to actually remove the passcode lock from the device before acquisition because some files could not be acquired when the device is locked, while managed devices (including the ones that just have corporate Exchange mail account set up, like mine) simply do not allow to set the screen lock option to Never. In the meantime, acquisition may take several hours, and that means that you will have to prevent the device from locking – e.g. by touching the screen every 15 minutes.
This is no longer the case. We have implemented the trick so the lock turns off even if there is no such option – by uploading the special utility to the device. Note that executing this utility causes the device to respring (restaring the UI), and then you will have to unlock the device one more time by entering the passcode. Also, changing that option is temporary, and you will back to old settings on device reboot.
What is the profit (of acquiring the device without removing the passcode)? The problem is right when you remove the passcode, some of the data is physically removed from the device: cached Exchange mail is just one example. So to get everyting, we strongly recommend you to keep the passcode.
Finally, please also note that these two operations (temporary disabling the screen lock and decryption of the keychain) require the device to be paired with the computer you run the Toolkit on.
Jailbreaking
Why jailbreak? Now you have the answer: in order to get all possible evidence from the device. Can we do the same without jailbreaking? In theory, yes. But that’s like writing your own jailbreak using publically available kernel vulnerabilities. Some modifications still have to be made to the device (so the whole process still will not be forensically sound, despite what the others say). At the same time, existing jailbreaks are verified by many people, and the chances that they will corrupt any data on the device are very low, while direct use of the above mentioned vulnerabilities may cause unpredicted results, and in worst case, even brick the device.
Here is the list of jailbreaks we tested our Toolkit with:
As noted above, we have got some (minor) problems with Meridian only, but even in something goes wrong, you just will get only part of keychain decrypted (but still, we will do our best to fix that).
The latest iOS version jailbreak is available for is 11.1.2. Preliminary (not stable) version of iOS 11.2 jailbreak is now also available, and we started looking at it; we also expect 11.3 jailbreak to be release soon. We are almost sure that one day 11.4 jailbreak will be available as well (fingers crossed).
Conclusion
Logical, physical and iCloud acquisition of iOS devices – we cover them all, and working hard to deliver some unique features not available anywhere else.