Accessing Lockdown Files on macOS

July 12th, 2018 by Oleg Afonin
Category: «General», «Security», «Software»

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down-to-earth explanation of a lockdown record is that it is simply a file stored on the user’s computer. More technically, lockdown files hold the cryptographic keys that allow iOS devices to communicate with the computers they are paired with. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records let the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it is connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored in /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you will need to grant access rights to this folder manually. This is how.

Interestingly, Apple used to have a KB article on modifying the lockdown folder permissions. This article was later removed from the company’s Web site.

There are two methods of granting access permissions to the lockdown folder if you are analyzing a live system. The first method uses Terminal and requires the administrative password. If you don’t know the admin password, you can use the GUI method instead.

How to Give Access Permissions to Lockdown Folder via Terminal

In order to grant access to the lockdown folder, you will need to issue the following command:

sudo chmod 755 /private/var/db/lockdown

This command requires administrative privileges, so sudo will prompt you for the admin password.

If you don’t know the admin password, use the other method.

How to Give Access Permissions to Lockdown Folder via GUI

You can also change permissions to access the lockdown folder via macOS GUI. Do the following:

  1. In Finder, go to /private/var/db.
  2. Find the “lockdown” folder. Observe the “locked” icon.
  3. Right-click on that folder.
  4. Open Sharing & Permissions.
  5. Change access to Read only or Read & Write.

You have now successfully granted access permissions to the lockdown folder.
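Either method leaves the folder readable by every local account, which is worth being able to check afterwards. The following Python script is an added example (not code from this post or from Elcomsoft): it reports whether a lockdown directory is readable by the “others” class, the state chmod 755 produces, and inventories the pairing-record plists it holds. The plist keys HostID and SystemBUID are assumed key names, and the sample record it builds when the real folder is not readable is constructed.

```python
"""Audit a lockdown (pairing-record) directory: report its mode bits and list
the pairing-record plists inside it. Added example, not Elcomsoft's code."""
import os
import plistlib
import stat
import tempfile
from datetime import datetime, timezone

LOCKDOWN_DIR = "/private/var/db/lockdown"  # path given in the post

def directory_exposure(path):
    """Return (octal mode, exposed). 'exposed' is True when the 'others' class
    can read or traverse the directory, the state 'chmod 755' produces, so any
    local user could copy the pairing records."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IROTH | stat.S_IXOTH))
    return format(mode, "o"), exposed

def inventory_records(path):
    """List pairing records (one plist per device UDID) with summary fields."""
    records = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(path, name)
        with open(full, "rb") as fh:
            data = plistlib.load(fh)
        mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
        records.append({"udid": name[:-6],
                        "host_id": data.get("HostID"),          # assumed key
                        "system_buid": data.get("SystemBUID"),  # assumed key
                        "modified": mtime.isoformat()})
    return records

def make_sample_dir(mode=0o755):
    """Build a constructed lockdown-style directory holding one fake record."""
    d = tempfile.mkdtemp(prefix="lockdown_sample_")
    rec = {"HostID": "00000000-AAAA-BBBB-CCCC-000000000000",  # constructed
           "SystemBUID": "11111111-2222-3333-4444-555555555555"}
    with open(os.path.join(d, "0" * 40 + ".plist"), "wb") as fh:  # fake UDID
        plistlib.dump(rec, fh)
    os.chmod(d, mode)
    return d

if __name__ == "__main__":
    target = LOCKDOWN_DIR if os.access(LOCKDOWN_DIR, os.R_OK) else make_sample_dir()
    mode, exposed = directory_exposure(target)
    print(f"{target}: mode {mode}, listable by any local user: {exposed}")
    for rec in inventory_records(target):
        print(rec)
```

Run it before and after changing the folder’s permissions: the mode reported for the real folder should only be loosened for the duration of the acquisition, since a readable record grants the same access to the device that the post describes.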

What Next?

You can now copy the lockdown files to a different location. You can use these files to perform logical acquisition with iOS Forensic Toolkit – even if the iPhone or iPad is locked with an unknown passcode.

REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads