Extracting the iPhone: (No) Tools Required?

October 27th, 2020 by Vladimir Katalov
Category: «General», «Mobile», «Tips & Tricks»

If the iPhone is locked with a passcode, it is considered reasonably secure. The exception are some older devices, which are relatively vulnerable. But what if the passcode is known or is not set? Will it be easy to gain access to all of the data stored in the device? And why do we have the countless forensic tools –is analysis and reporting the sole reason for their existence? Not really. If you’ve been wondering what this acquisition thing is all about, this article is for you.

Today’s phones can store some half a terabyte of data. On a typical iPhone, only a small part of that data is easily accessible without special tools. These are contacts, messages, pictures, and a few other categories. But even with these data, you are missing a solid chunk of information including valuable metadata, tons of system files and ‘hidden’ records and other things are simply missing in the iOS user interface.

Back in 2012, we were the first who discovered a way to get the data from Apple iCloud, see ElcomSoft Discovers an Alternative Way of Accessing iPhone User Data, Provides Forensic Access to iCloud Backups. The reception of this feature was, well… mixed. Opinions ranged between “those pesky Russians cracked everything” to “with a login and password, anyone can access that data”.

And then we had to explain that one cannot pull all the data from iCloud even with the correct login and password. Some records are available only to Apple proper (like Siri recordings) or not available even to Apple (credit card data). Then there is the “end-to-end” encryption issue. The rest of the data is only partially accessible, and can only be synced to another Apple device, but cannot be directly downloaded. Moreover, it could be modified during the time that you sync.

Is it any better if you have the iPhone in hands? The situation with physical iOS devices is about the same or worse. Whatever you do with the device that is powered on, the system is working and is constantly making changes to the data. You cannot just image the “hard drive” and work with the copy due to deliberate security-related technical constraints.

Data preservation

Due to legal reasons, the process must be forensically sound. Depending on who you ask, there can be different explanations of this term; the consensus can be described as authenticity and repeatability. Ideally, the forensic expert should be able to prove the authenticity of the data, and to obtain identical result during repeat extractions.

Data acquisition

Once the phone is unlocked, you can obviously look through the user’s conversations, browse their photo gallery and even get some recorded health data. But then, you only have a view from a single point.

Also, you always see only a small part.

For example, let us look at iMessage data stored in sms.db file (a SQLite database). On the iPhone, you can only see the message body, the “from” and “to” fields, and a single timestamp (the time the message was delivered or read), and that’s it. But did you know that the database contains 14 tables (as of iOS 13), and the main one has over 70 columns with lots of metadata that is extremely useful for investigations?

Another good example: pictures. Even more metadata, including editing information and the time when it was synced to iCloud. Sometimes, the source. Did I mention EXIF data?

Next, there is deleted data. There is no way to recover deleted files from the iOS file system, but some traces might be left (in the logs and some system databases). In addition, some deleted records from SQLite databases can be often recovered.

Data acquisition, part two

There are several methods to extract information from an iPhone. The simplest, fastest and most compatible of them is logical acquisition, but it only returns the most critical data. There is also advanced logical that also gives access to crash logs and diagnostic logs. And sometimes it is also possible to extract the full file system, which is a real gem – you receive virtually everything, including detailed location history, third-party application data (including apps not included into backups) and a lot more; most of this data can never be explored with manual device analysis.

Data analysis

When it comes to data analysis, the tools become even more important. There are several hundred thousand files on any iOS device (speaking of backups, maybe tens of thousands). Are you able to go through all of them manually? Can you establish relationships between different data sources? Can you classify images and quickly find ones with weapons or drugs? Can you find all occurrences when the device has been around a certain location? Can you locate conversations with a specific recipient in the dozen messengers installed on that iPhone? Can you find which apps were installed at a specific date (and later uninstalled)? Can you find our whether the person used keyboard or voice dictation when composing a message? Did they use a headset at a given time? What is the total number of messages sent to a given number?

Data reporting

Once the data is properly preserved, extracted and analyzed, it should be presented in a human-readable way. This is yet another task you will not be able to complete without proper software.

Conclusion

While you can do something with an iPhone even without the tools, this would be wrong, and the results would not be admissible in the court as neither authentic nor repeatable nor even readable. You need tools to do the extraction, tools to analyze the data, and tools to make a presentable report. You can almost never achieve all of that with a single toolkit. Multiple forensic tools are required to get the job done.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »