Full File System Extraction for iOS 13.3.1, 13.4 and 13.4.1

May 26th, 2020 by Vladimir Katalov
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

Elcomsoft iOS Forensic Toolkit 6.0 is out, adding direct, forensically sound extraction for Apple devices running some of the latest versions of iOS including iOS 13.3.1, 13.4 and 13.4.1. Supported devices include the entire iPhone 6s, 7, 8, X, Xr/Xs, 11, and 11 Pro (including Plus and Max versions) range, the iPhone SE, and corresponding iPad models. Let’s review the changes and talk about the new acquisition method in general.

Agent-based extraction: the technology

For a long time, we relied on publicly available jailbreaks to perform full file system and keychain acquisition. That is not a forensically sound method as there are risks (though minimal) to brick the device. Even if you are using the rootless jailbreak (so the file system is not remounted), some significant changes to the system are still being made, and they cannot be always rolled back.

We’ve developed a method allowing to perform the extraction without jailbreaking by installing a special custom-made agent on the iPhone. The agent then obtains root privileges, escapes the sandbox and reads the file system. Most operations are performed in the RAM, without modifying the storage of the device. The agent itself is uninstalled cleanly, the only traces left on the device being a few log entries.

You know that iOS does not allow running unsigned apps, so an Apple developer account is needed (to sign the app with proper certificate); read Why Mobile Forensic Specialists Need a Developer Account with Apple for details.

What’s the big deal

The good old logical acquisition won’t let you access all the files from the device. Lots of files are not included into iTunes or iCloud backups, while they may contain crucial evidence ranging from the detailed location history to Telegram and Signal chats, as well as Apple Pay transaction history and more. Last but not least, you can also decrypt the keychain, the gold mine. This includes records protected with ThisDeviceOnly attribute (such records cannot be obtained from encrypted backups for devices equipped with Secure Enclave).

Compared to checkra1n

You may wonder why you ever need the agent-base method if there’s the checkra1n jailbreak (iOS Device Acquisition with checkra1n Jailbreak). Chackra1n even allows BFU (Before First Unlock) acquisition, even for locked and disabled devices, as it works though the DFU mode and has a workaround for the USB restricted mode.

There are reasons to prefer agent-based extraction to checkra1n. First, the checkra1n jailbreak it is not as reliable as we want it to be. We witnessed many situations when the jailbreak simply failed without a reason.

Second, checkra1n is compatible with a limited set of devices ranging from the iPhone 5s to iPhone X, and only supports iOS 12.3 and up.

Our direct acquisition method is 100% safe (the worst that could happen is a simple reboot of the iOS device). It has better device compatibility, supporting all devices up to the latest iPhone 11 Pro and SE 2020 range, while offering greater iOS compatibility. While it may not (yet) support the latest version of iOS, it works just fine for most versions of iOS 13, all iOS 11 and iOS 12 releases. Support for iOS 9 and 10 will be added soon.

Compatibility information

With the latest update, iOS Forensic Toolkit works with iPhone 5s to iPhone 11 Pro Max and iPhone SE (2020 edition) running iOS 11.0 to iOS 13.4.1, with some exotic exclusions (they will be covered in the next version).

Disadvantages

The first limitation of agent-based extraction is related to the specific versions of iOS 13.3.1, 13.4 and 13.4.1. For these iOS builds, we can only obtain the full file system but not the keychain. That is the limitation of the underlying exploit, which is not as advanced as the other ones we’ve used for previous versions of the tool, and does not provide the full root access. We are looking forward for new iOS exploits, and will do our best to extract the maximum amount of data available.

Second, for those versions of iOS mentioned above, we cannot access the following folders:

  • private/var/root/ – contains some general information on the device, and some location data
  • private/var/wireless/ – some wireless connections data, partially duplicated in other databases (may be useful for iOS 8 and older, and for extended call log analysis)
  • private/var/db/ – system databases, used by forensic software to get TZ information and a bit other useful data
  • private/var/Keychains/ – in fact useless; binary keychain files cannot be decrypted anyway

With few exceptions, even in these versions of iOS the agent can extract almost everything (again, except the keychain).

Last but not least, the latest iOS 13.5 is not supported yet.

Conclusion

Elcomsoft iOS Forensic Toolkit 6.0 once again pushes the boundaries of iOS acquisition. We have once again expanded the range of compatible iOS devices supported by the direct acquisition agent. The latest release plugs the gap of excepted and unsupported iOS releases, now covering the entire range of iOS versions from iOS 11 through the latest iOS 13.4.1 for all Apple device models from the iPhone 6s all the way up through the iPhone 11 range.

Agent-based extraction utilizes a direct communication channel that does not require a jailbreak, becoming a forensically sound alternative to traditional acquisition methods. Based on direct access to the file system, agent-based extraction is safer, faster and more robust compared to jailbreak-based extraction, eliminating the risks and footprint associated with installing a third-party jailbreak. Our direct acquisition agent is safe to use, does not modify the system partition and does not remount the file system. Notably, the checkra1n jailbreak is not available for the A12-A13 generation of devices, which makes the extraction agent the only extraction method available for these latest-gen models, even though we support them all.

Apple makes a good job improving the iOS security all the time. But we are doing our best, too 😊


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »