The Art of iPhone Acquisition

July 9th, 2019 by Vladimir Katalov
Category: «Clouds», «Did you know that...?», «Mobile», «Tips & Tricks»

We all know how much important data is stored in modern smartphones, making them an excellent source of evidence. However, data preservation and acquisition are not as easy as they sound. There is no silver bullet or “fire and forget” solutions to solve cases or extract evidence on your behalf. In this article, which is loosely based on our three-day training program, we will describe the proper steps in the proper order to retain and extract as much data from the iPhone as theoretically possible.

The first steps: data preservation

Probably the most important step is data preservation. You have to make sure that the iPhone will remain in the same state, and that no data is be modified (or lost) while the device is in your possession. Here is what you’ll need to do:

  1. Activate Airplane mode, if possible (it is usually possible even if the device is locked)
  2. Check and manually disable, if necessary, the Wi-Fi and Bluetooth toggles (these may be left on even in Airplane mode if the user enabled Wi-Fi once in that mode)
  3. Connect the phone to a power bank
  4. Use a Lightning adapter to prevent USB Restricted mode from being activated (for devices running iOS 11.4.1 only; iOS 12 and 13 may restrict USB immediately)
  5. If you have a Faraday bag handy, place the phone along with the adapter and charger into the Faraday bag

Why: we are trying to prevent self-discharge of the phone. If the phone is fully discharged, it may turn off. Once the iPhone is turned off, you’ll have to deal with the BFU (Before First Unlock) state, which limits your options severely compared to the AFU (After First Unlock) state. Even if the phone has a passcode set, it is much easier to break the passcode in AFU mode compared to BFU. Breaking the passcode, however, requires the lightning port to be operational, and here is what the adapter for. Finally, there is a risk the the phone will be remotely locked or wiped if it remains connected to the network.

Sounds simple? Not at all! You’ll have to handle the iPhone with utter care, or else…

  1. If the iPhone is equipped with a fingerprint sensor, don’t touch the Touch ID reader! Else you’ll be wasting one of the five attempts to unlock the phone with a fingerprint. If you need to check whether the phone is locked or not, use the side button instead (top button on some models).
  2. If it’s the newer ‘X’ model, don’t look at the Face ID sensor. When you pick up the phone, the Face ID system immediately starts looking for a face. If a face is detected, it then attempts to identify the face. If identification returns a negative result, you have just wasted one of the five attempts to unlock the phone with the suspect’s face. It’s not new, and this exact thing happened during Apple’s very own presentation of the original iPhone X: Apple Says Face ID Didn’t Fail Onstage During iPhone X Keynote
  3. Be aware of the various expiration rules of the iPhone’s biometric identification subsystem. More in our old article on Fingerprint unlock.
  4. Be aware of the S.O.S. mode and its consequences. Once the Power button (Sleep/Wake) is pressed five times in rapid succession, or once the user holds both the Sleep/Wake button and one of the volume keys for a few seconds, the iPhone displays an “Emergency” menu. This menu presents various options including an option to cancel. Regardless of the option chosen (including the Cancel button), iOS will temporarily disable Touch ID (Face ID) and require the user to enter a passcode in order to unlock the device. In addition, the USB Restricted Mode will be activated immediately once the S.O.S. mode is invoked.
  5. If you forget to enable Airplane mode and disable the Wi-Fi and Bluetooth networks toggles (and/or place the iPhone into a Faraday bag), this may happen:
    • BBC News: Cambridgeshire, Derbyshire, Nottingham, and Durham police “don’t know how people wiped them.“ (9.Oct.14)
    • Darvel Walker, Morristown wiped his iPhone remotely, charged with tampering with evidence (7.Apr.15)

Not just the iPhone

Given proper authority, make sure to collect not only the smartphone itself but also all computers (laptops and desktops) that belong to the same owner, or any computers that iPhone probably has been connected to in the past. Flash drives and external drives may sometimes help, too. Collect all companion devices such as the Apple Watch and Apple TV.

Why: computers (and external storage devices) may contain valuable information that may help to get access to locked phones, access iCloud data and more.

Collecting evidence

Of course, you need to identify the seized device. It is quite easy to look at the phone model printed on the back cover (and then use Apple web site to find out what’s that), but you can also use software such as Elcomsoft iOS Forensic Toolkit (the “I” command) to extract comprehensive information about the device. If you have lockdown records handy (extracted from the user’s computer to which the iPhone has been paired to), you’ll be able to extract the most comprehensive set of information.

How to deal with a locked iPhone

If the iPhone is locked, you’ll have to break the passcode in order to extract evidence. There are several ways to break the passcode:

  • GrayKey from GrayShift (costly; available only for LEA in selected countries; offline solution; according to manufacturer, supports all versions of iOS)
  • Cellebrite UFED Premium (about the same as above, speaking of iPhone unlocking; supports up to iPhone 8/8 Plus/iPhone X generation; newer models must be sent in to CAS)
  • Cellebrite Advanced Services (or CAS; also seems to be limited to LEA; you will have to send the device to Cellebrite to unlock or extract the data)

The only budget solution available to everyone is logical acquisition using lockdown/pairing records that can be sometimes found on computers the device has been connected to. See Acquisition of a Locked iPhone with a Lockdown Record for this method. We published multiple updates to this topic though, including the lockdown records validity period and USB restricted mode).

Logical acquisition

Logical acquisition is the safest and easiest extraction method that does not change anything on the device (except for the last backup date) while still returning most of the data. The extraction is not limited to the backup. You can also obtain extended device information, extract media files (including music and lots of metadata), shared files, debug and diagnostics logs, and shared files. Some information about logical extraction is available in Demystifying Advanced Logical Acquisition, but there is more in our blog.

There are two issues with backup extraction though.

  1. The backup may be password-protected. Since iOS 11, one can reset the backup password; however, this operation a) requires to enter the passcode on the device (so you must know it), and b) deletes some evidence. Refer to The Most Unusual Things about iPhone Backups for details.
  2. The backup may not be password-protected. Now, are wining here? Didn’t we just complain about password-protected backups? The thing is, local backups that aren’t protected with a password contain less information compared to backups that are encrypted with a password. Can’t we just set a temporary backup password like we always did in iOS Forensic Toolkit? The other thing is, iOS 13 requires you to enter the lock screen password on the iPhone you’re attempting to back up. If you don’t know the passcode, you won’t be able to change the backup password.

Physical acquisition

Some very important data never makes it to device backups. If possible, one should always attempt the full file system acquisition. This was possible for all versions of iOS 11 and some versions of iOS 12 (at this time, up to and including iOS 12.1.2). See Step by Step Guide to iOS Jailbreaking and Physical Acquisition for details, but make sure to read Forensic Implications of iOS Jailbreaking too.

However, before you go for the file extraction and jailbreak the device, make sure to perform logical acquisition first. File system acquisition is not that risky, but the jailbreak can make too many modifications to the file system of the device to be considered “forensically sound”. The rootless jailbreak is even safer than conventional jailbreaks since it does not modify the system partition; however, it offers limited device support. You can read about the differences between conventional and rootless jailbreaks in our article Forensic Implications of iOS Jailbreaking, which also raises a very important issue of how you sign the jailbreak IPA when sideloading it to the device. Signing an IPA file requires a valid Apple account. We recommend using an Apple account enrolled in Apple’s Developer Program for reasons described in the article mentioned above.

Jailbreaking, things to be aware of:

  • Conventional (classic) jailbreaks are invasive. They modify the system partition and break OTA updates. Clean removal questionable.
  • Rootless jailbreak is cleaner; does not remount system partition; does not break OTA updates; can be removed (almost) completely.
  • Installing a jailbreak requires sideloading an IPA file. The IPA must be signed before iOS will agree to run it.
  • Signing the IPA requires an Apple account. If you use a regular Apple account, you will need to allow the device connect to an Apple server in order to verify the signature (which poses a risk).
  • If you use a Developer account to sign the jailbreak IPA, the iPhone can remain offline. Be aware of Developer account restrictions concerning the maximum number of devices.

Important: you can extract both the user’s Apple ID password and the device backup password from a jailbroken device. If you followed the guide and made a local backup before jailbreaking, this is the point where you can decrypt the backup.

Currently, public jailbreaks exist for all devices and all versions of iOS 11 and all devices running iOS 12.0 through 12.1.2. RootlessJB is available for all devices except A12 devices (the iPhone Xs/Xs Max/Xr generation).

Cloud acquisition

Cloud acquisition becomes the most important acquisition method. Its advantages are:

  1. No need for the device itself: it works even if the device is lost or broken.
  2. From the cloud, you may be able to obtain even more data than available on the device itself. Many people use more than one Apple device, and they all sync (or back up) some data to the cloud.
  3. The cloud may contain data that has been already deleted from the device(s).
  4. Cloud acquisition is extremely fast.

There is actually a lot we can share about iCloud acquisition. We were the first who implemented iCloud backups downloading several years ago, and we are still the first here, extracting much more data from iCloud than any other vendor. Here is what we can get:

  • iCloud backups (including those from accounts with Two-Factor Authentication on latest version of iOS; the first and only in the industry)
  • iCloud Drive (full content, including third-party app data not available by any other means)
  • iCloud Photos
  • FileVault2 recovery token
  • iCloud keychain
  • Health data (including data protected with “p2p encryption”)
  • Messages (iMessage and SMS; not included in backups if sync is enabled)

More data categories are on the way, including Screen Time and Home.

The major problem of cloud acquisition is that you need proper authentication credentials. You will need the user’s Apple ID and password, plus the second authentication factor (if 2FA is enabled). Alternatively, parts of iCloud data can be access with authentication tokens that can be extracted from the iPhone itself, Windows or Mac computer from which the iCloud account has been accessed.

Final thoughts

There were too many points we just couldn’t cover in a single article, or two articles, or even three. Want to know more? Attend our training course!

There’s more to iPhone analysis than acquisition. Data extraction is only the first step followed by data analysis and reporting. We have a tool for that (Elcomsoft Phone Viewer), but it only provides basic analysis and reporting. You may need a third-party tool or several tools with more advanced features.