iOS 13 (Beta) Forensics

July 25th, 2019 by Vladimir Katalov
Category: «Clouds», «Did you know that...?», «Elcomsoft News», «Tips & Tricks»

iOS 13 is on the way. While the new mobile OS is still in beta, we have so far not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and what they mean for mobile forensics.

iCloud backups

We’ve seen several changes to iCloud backups that break third-party tools not designed with iOS 13 in mind. Rest assured we’ve already updated our tools to support iOS 13 iCloud backups. We don’t expect the backup format to change once iOS 13 is officially released, but we will keep an eye on it.

First, Apple has changed the protocol and encryption. There’s nothing major, but those changes were more than enough to effectively block all third-party tools without explicit support for iOS 13.

Second, cloud backups (at least in the current beta) now contain roughly the same set of data as unencrypted local backups. Notably missing from iCloud backups made by iOS 13 devices are call logs and Safari history. This information is now stored exclusively as “synchronized data”, which makes it even more important for the investigator to extract synced evidence in addition to backups. Interestingly, nothing has changed about synced data: you can still use the same tools and sign in either with the Apple ID, password and 2FA code, or with an authentication token.

Other than that, the content of iCloud backups didn’t change much in iOS 13 compared to iOS 12.3.1 and iOS 12.4 beta. Cloud backups still contain less data than iTunes backups, and the gap is about the same as it was in iOS 12. To see what is not included in iCloud backups, refer to Apple’s What does iCloud back up?

According to Apple, this is what you do get in iCloud backups:

Your iPhone, iPad, and iPod touch backup only include information and settings stored on your device. It doesn’t include information already stored in iCloud, like Contacts, Calendars, Bookmarks, Mail, Notes, Voice Memos, shared photos, iCloud Photos, Health data, call history, and files you store in iCloud Drive.

Starting with iOS 13, iCloud backups will not include any of the following:

  • Keychain *
  • Health data
  • Home data
  • iCloud Photos **
  • Messages **
  • New in iOS 13: Call logs
  • New in iOS 13: Safari history

* In fact, the keychain is still there, but it is encrypted with a device-specific key, so it is only usable when the backup is restored to the very same device.

** Photos and Messages are left out only when iCloud syncing of those categories (iCloud Photos, Messages in iCloud) is enabled in device settings; with syncing off, they are backed up as before.

There are some changes to local backups as well. Proceed to the local backups section to learn more.

Elcomsoft Phone Breaker can already download iOS 13 (and iPadOS) backups, the first and only solution in the industry to do so!

Authentication tokens

Normally, you need proper credentials to access iCloud data: the login, the password and the second authentication factor. The other way is to use authentication tokens. Apple’s iCloud security overview describes them as follows:

When you access iCloud services with Apple’s built-in apps (for example, Mail, Contacts, and Calendar apps on iOS or macOS), authentication is handled using a secure token. Secure tokens eliminate the need to store your iCloud password on devices and computers.

We were the first to learn how to use these tokens to access iCloud; see our older article Breaking Into iCloud: No Password Required, and I’d also recommend iCloud Authentication Tokens Inside Out.

iOS 13 further restricts our ability to use authentication tokens. Today, tokens cannot be used to access any of the following:

  • iCloud backups
  • iCloud keychain
  • Messages in iCloud
  • Health data

Moreover, Apple did its best to limit the tokens even further: since the iCloud for Windows release of about a year ago, and the macOS update available from about the same time, tokens are “pinned” to a particular device and can only be used to access iCloud from the very same device.

We found a workaround, but only for macOS computers; there is no equivalent for Windows or for the iOS device keychain. We can extract fully-featured iCloud authentication tokens from macOS computers and use them on any other computer. Such a token authenticates to iCloud without the login, the password or the two-factor step. Still, even a fully-featured token cannot be used to access backups, iCloud Keychain, Messages or Health data.

Synchronized data

Apple iCloud keeps more data than you can probably imagine. Have you read Apple’s Privacy – Government Information Requests? You definitely should; it explains what data is stored in a typical iCloud account.

At this time (iOS 13 Beta 3) we have not detected any changes to iCloud synchronized data. (As a reminder, iOS 12 introduced a major change there: Health data became encrypted with the device passcode or system password, and the legacy unencrypted containers are being gradually deprecated.) Here is what Elcomsoft Phone Breaker can extract and decrypt:

  • iCloud backups
  • Files from iCloud Drive
  • iCloud Photos
  • iCloud Keychain
  • Health and Messages
  • FileVault 2 recovery token
  • Synced iCloud data including Safari history and call logs (which are no longer included in iCloud backups)

Local backups: iTunes or no iTunes

Apple announced a major overhaul of iTunes, the only ‘official’ app for making local backups of iOS devices. While we have not yet seen an ‘overhauled’ iTunes for Windows, Mac users are already affected: in future versions of macOS (including the current beta of macOS Catalina), local backups are created from the Finder instead of iTunes. Yes, there will be no iTunes on the Mac.

There are also quite a few changes to the content of local backups.

  1. When you set or change the password protecting a local backup, you will now be asked for the device passcode. As with new pairing requests (since iOS 11), the passcode has to be entered on the device itself. We are still evaluating how this change will affect iOS Forensic Toolkit.
  2. In iOS 12, iCloud backups already contained less information than unencrypted local backups. In iOS 13 the gap widens: compared to iOS 12, iOS 13 drops call logs, Safari browsing history and the list of open Safari tabs from both iCloud backups and unencrypted local backups. These artifacts are still present in password-protected local backups.
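A quick way to act on the second point when a local backup lands on your desk is to check two things before parsing anything: whether the backup is password-protected, and whether the artifacts that iOS 13 drops from unencrypted backups are listed in its manifest at all. The script below is an added example (it is not Elcomsoft code and not part of the original post). It assumes the iOS 10+ backup layout, where Manifest.plist carries IsEncrypted and Lockdown.ProductVersion and Manifest.db is an SQLite database with a Files table (fileID, domain, relativePath, flags, file); the backup domains and relative paths in ARTIFACTS are the usual locations and are assumptions to verify against a backup you trust. It also handles the failure mode a practitioner hits first: in a password-protected backup Manifest.db is itself encrypted, so without the password the file list cannot be read, and the script says so rather than reporting every artifact as absent. The fixtures it builds are constructed for the demo, not real device backups.

```python
"""Inventory a local (iTunes/Finder) backup folder: is it password-protected, and
does Manifest.db list the artifacts iOS 13 drops from unencrypted backups?
Added example, not Elcomsoft code. Assumed iOS 10+ layout: Manifest.plist
(IsEncrypted, Lockdown.ProductVersion) and Manifest.db with a Files table."""
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# (domain, relativePath) of the artifacts discussed in the post. Assumed backup
# locations; confirm them against a known-good backup before relying on them.
ARTIFACTS = {
    "call_log": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
    "safari_history": ("AppDomain-com.apple.mobilesafari", "Library/Safari/History.db"),
    "safari_tabs": ("AppDomain-com.apple.mobilesafari", "Library/Safari/BrowserState.db"),
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
}


def inventory_backup(backup_dir):
    """Report the encryption flag, iOS version and which ARTIFACTS Manifest.db lists."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    report = {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "ios": manifest.get("Lockdown", {}).get("ProductVersion", "?"),
        "manifest_readable": False,
        "present": {name: False for name in ARTIFACTS},
    }
    # Open read-only: an evidence copy must never be modified by the tool reading it.
    uri = Path(backup_dir, "Manifest.db").resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        rows = set(con.execute("SELECT domain, relativePath FROM Files"))
        con.close()
    except sqlite3.DatabaseError:
        # "file is not a database": the encrypted Manifest.db of a password-protected
        # backup (or a missing/corrupt one). Leave manifest_readable False.
        return report
    report["manifest_readable"] = True
    for name, key in ARTIFACTS.items():
        report["present"][name] = key in rows
    return report


def build_sample_backup(backup_dir, ios_version, encrypted, files):
    """Write a constructed, minimal backup folder (a fixture, not a real device backup)."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {"Version": "10.0", "IsEncrypted": encrypted,
                "Lockdown": {"ProductVersion": ios_version}}
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    db_path = os.path.join(backup_dir, "Manifest.db")
    if encrypted:
        # Stand-in for an encrypted Manifest.db: opaque bytes that are not SQLite.
        with open(db_path, "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        return
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for domain, rel in files:
        # Real backups name each file by the SHA-1 of "<domain>-<relativePath>".
        file_id = hashlib.sha1(f"{domain}-{rel}".encode()).hexdigest()
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (file_id, domain, rel))
    con.commit()
    con.close()


def demo():
    """Build one unencrypted and one password-protected fixture and inventory both."""
    root = tempfile.mkdtemp(prefix="ios13-backups-")
    plain = os.path.join(root, "plain")
    # Constructed iOS 13 unencrypted backup: sms.db present, call log and Safari absent.
    build_sample_backup(plain, "13.0", False, [ARTIFACTS["sms"]])
    locked = os.path.join(root, "locked")
    build_sample_backup(locked, "13.0", True, [])
    return inventory_backup(plain), inventory_backup(locked)


if __name__ == "__main__":
    for tag, rep in zip(("unencrypted", "password-protected"), demo()):
        missing = [n for n, ok in rep["present"].items() if not ok]
        print(tag, "iOS", rep["ios"], "| manifest readable:", rep["manifest_readable"],
              "| missing:", missing if rep["manifest_readable"] else "unknown (locked)")
```

Point inventory_backup at a real backup folder (the directory that contains Manifest.plist) to get the same report for actual evidence. An empty "missing" list on an unencrypted iOS 13 backup would itself be worth a second look, since the post expects the call log and Safari databases to be absent there.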

Elcomsoft mobile forensic tools and iOS 13

With the exception of iOS Forensic Toolkit, we’ve made our mobile forensic tools ready for the upcoming OS. Elcomsoft Phone Breaker has recently received an update with support for the beta versions of iOS 13. The tool can download iCloud backups created with Apple devices running a beta version of iOS 13; both public and developer betas of iOS 13 are supported including the new iPadOS. In addition, EPB is now able to extract fully-featured iCloud authentication tokens from macOS computers. Elcomsoft Phone Viewer received a similar update to support local (iTunes) and iCloud backups produced by iOS 13 devices.

If you are using a Mac, you’ll be pleased to know that both tools (Phone Viewer and Phone Breaker) now support macOS 10.15 Catalina. To tell the truth, the support is not complete yet, but neither is macOS Catalina. We’ve got all the major functions running, and we don’t see any major bugs or crashes. Still, if you use our software on the 10.15 beta, do let us know if you encounter any problems.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »