Technical and Legal Implications of iOS File System Acquisition

February 21st, 2019 by Vladimir Katalov
Category: «Did you know that...?», «General», «Tips & Tricks»

There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.

A couple of quotes first, coming from the company who now partners with GrayShift to bundle their mobile forensic software (one of the best on the market, I would say) with GrayKey. They do support GrayKey-extracted data as well, and here is what they say:

“From the first iPhone extraction from GrayKey we were blown away with the amount of data they recovered”

“we’re seeing data we haven’t seen in years”

Actually, this is not exactly the case. Speaking of full file system acquisition, it’s been us who were the first on the market some 3 years ago, see Physical Acquisition for 64-bit Devices, iOS 9 Support.

Since then, we’ve been actively developing and updating iOS Forensic Toolkit, adding support for newer versions of iOS. We published a number of articles in our blog describing the benefits of file system extraction and what you can get: location data, cached mail, app-specific data, CPU and network usage data and much more.

Yes, we use the different approach, that requires jailbreaking (more on that later).

GrayKey’s lack of transparency

To be honest, we don’t know a lot about GrayKey due to the company’s lack of transparency. GrayShift makes their hardware available exclusively to select law enforcement organizations in select countries. We aren’t one, so we don’t have first-hand experience with GrayKey.

For devices running iOS 10 and 11, GrayShift claims to be able to brute-force the passcode. There are certain details that they would rather keep private. First, the speed. If the iPhone device has been unlocked at least once after rebooting or being powered on, the brute-force speed is very fast at about 20-25 passcodes per second. This translates to just minutes for a 4-digit passcode, or about half a day to check all possible 6-digit combinations. There is one caveat. After the first 300,000 passwords are checked, Secure Enclave will engage brute-force protection, and the device switches to “slow brute-force mode”. We don’t know whether this “slow” mode is a permanent (until the passcode is found) or temporary condition.

If the device has not been unlocked (e.g. if you received it in a switched-off state), then brute-forcing is still possible, but at the rate of about one password in 10 minutes (or ~150 passwords a day). At this speed, one can reasonably recover only a very simple password such as 1234, 2580, 987987 etc). This is still better than nothing.

iOS 12? From what we know, passcode recovery is not available on iOS 12 devices. In this case, GrayKey can perform file system extraction only (for devices that have been unlocked). No public information is available on iOS version compatibility, but using exploits discovered by Google Project Zero, one should be able to support iOS versions up to and including iOS 12.1.2. Thereis a good chance that newer versions (12.1.3 and 12.1.4 are the only ones that are currently signed by Apple) are also supported, using some private exploits. Success rate is also unknown – in reality, exploits might not work on some specific devices, even with compatible iOS versions.

USB Restricted Mode (available from iOS 11.4 and enhanced in iOS 12)? Not really clear either. They say they have a workaround, but details are revealed only to GrayShift customers, who are under a strict NDA. That could be the trick with Lightning accessories that we discovered last year, or something else.

CAS

Are there any alternatives? Yes, there is one from Cellebrite. Cellebrite provides Advanced Unlocking Services and Advanced Extraction Services, so basically doing the same thing as GrayKey. However, Cellebrite makes you send the device to one of their labs, pay the fee and wait till device is unlocked (which may take a long time) or the file system is acquired. No information on supported iPhone models and iOS versions is publicly available, and success rate or password recovery speed are also not known. These services are also exclusively available to the law enforcement.

Jailbreaking to the rescue?

Why not?

At this time, public jailbreaks are available for all versions of iOS up to and including iOS 12.1.2. Using a jailbreak, one is able to extract the full image of the file system (see Physical Extraction and File System Imaging of iOS 12 Devices) as well the keychain (we introduced that feature in June 2018, see iOS Forensic Toolkit 4.0 with Physical Keychain Extraction).

Is jailbreaking forensically sound? Absolutely not. Jailbreaks do make modifications to the file system, and some of them are worse than the others. The iOS 12 jailbreak is “rootless”; at very least, it does not modify the system partition and can be removed after use without any permanent damage to device software.

Forensic implications

Let’s start with Cellebrite; here is what they say (source):

Cellebrite uses a forensic process that avoids to any extent possible modification of the file system, and thus should not be recognizable in post extraction analysis.

We have a hard time trusting this statement. The only way to make acquisition without any modifications at all is booting the device into the DFU mode or its likes, and using your own firmware image (that loads into volatile memory); kind of the same process we did with legacy 32-bit devices. Cellebrite offers a similar process to some Android devices via decrypting bootloaders. However, if you work with a device that is up and running and sideload an app (the extraction agent, for example), it’s going to leave some traces behind. Some files on the device will be modified as well. The same applies to GrayKey.

Is it possible to verify it? It seems not. There is currently no way to create bit precise images of the iPhone (starting with iPhone 5S, the first 64-bit model equipped with Secure Enclave) before and after the extraction – except by using the chip-off method to dump encrypted memory contents, to compare “before” and “after” memory images, and make sure that no data has been modified. I seriously doubt that anybody ever performed such tests.

Everything is much simpler with desktop forensic. If you need to analyse a hard drive in order to extract some evidence, you can just put it into a write blocker and create an image. For modern iPhones, imaging is not possible. We can only extract the data (more or less, depending on circumstances), but it is really important how accurate and how safe that data is. Jailbreaking is definitely not the best method, though it was seriously improved with the availability of the rootless jailbreak (where you can rollback the changes almost completely), but other methods are not that far away – the legal questions still arise.

One more thing. rootlessJB is fully transparent and available in source code. In fact, there is no binary IPA file to download; one has to compile the jailbreak from the source code (or rely on a third-party Web site if transparency/accountability is not a requirement). You can audit the source code and gain basic understanding of what exactly the jailbreak does and, more importantly, what it does not do. It is also possible to understand what exactly the jailbreak modifies on the data partition. In the meantime, GrayKey is a classic “black box”, and nobody except its developers knows exactly what it does. As for the Cellebrite service, you give all your data to the third party. So, you decide.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »