The Forensic View of iMessage Security

October 29th, 2020 by Vladimir Katalov
Category: «Clouds», «Mobile», «Tips & Tricks»

Apple iMessage is an important communication channel and an essential part of forensic acquisition efforts. iMessage chats are reasonably secure. Your ability to extract iMessages as well as the available sources of extraction will depend on several factors. Let’s discuss the factors that may affect your ability to extract, and what you can do to overcome them.

When it comes to instant messaging on the iOS platform, there are multiple potential sources for extracting messages:

  • Intercept messages in transit (the MITM attack, often performed with a certificate swap)
  • Extract from local backups (iTunes style)
  • Extract from vendor cloud (e.g. Skype, Telegram)
  • Extract from platform cloud (Apple iCloud for iOS, or Google Drive for Android)
  • Extract from endpoints (physical devices)

Speaking of iMessage, the availability of these potential extraction methods may vary.

  • Intercept messages in transit: not available. The iMessage protocol has no known vulnerabilities, so there is no way to decrypt messages in transit.
  • Extract from local backups: depends on whether the backup is protected with a password. Even if it is, you still may have options available.
  • Extract from vendor cloud: iMessage was developed by Apple and is only available on Apple platforms, so the vendor cloud and the platform cloud are one and the same.
  • Extract from platform cloud: may be possible, with caveats.
  • Extract from endpoints (physical devices): may be possible, with caveats.

Let’s talk about the “ifs” and “buts” of iMessage extraction from various sources.

Extract iMessages from iTunes-style backups

The iMessage database (sms.db), as well as all the attachments, is included in the iTunes backup whether or not the backup is protected with a password.

iTunes backup, no password: simply launch Elcomsoft Phone Viewer and open the unprotected backup to analyze iMessages.

iTunes backup, password-protected: this is where the complexity begins. If you know the password, you can either decrypt the backup with Elcomsoft Phone Breaker, or open it directly in Elcomsoft Phone Viewer or another forensic tool of your choice that supports encrypted backups.

If you don’t know the password, you still have options. Read The Four Ways to Deal with iPhone Backup Passwords for more information.

Option 1: password recovery. You can attempt to recover the password by running an attack with either Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery (faster, distributed attacks). Since the recovery speed is going to be extremely slow, your only chance would be using a targeted dictionary composed of the user’s existing passwords, complemented with masks and reasonable mutations. Note that recovering the password will be a very slow process with no guaranteed outcome.

Option 2: resetting the password. Requirements: the original physical iPhone; screen lock passcode must be known or empty. The password can be reset through iPhone settings (how to do it), but the reset might be blocked by Screen Time password if one is set (you may be able to extract and remove the Screen Time password).

It is also recommended to get the address book together with the messages, for easier identification of the other party in conversations. Good forensic analysis software should also parse all the fields from the message database, as it contains tons of useful metadata.

Extract iMessage conversations from the device

If the password cannot be reset, the data can be obtained with full file system acquisition via checkra1n jailbreak or by using the agent (in Elcomsoft iOS Forensic Toolkit). This method is preferred even if a backup is available and is not password protected because you can pull not only the database itself, but also the WAL (Write-Ahead Log) file, which may contain deleted messages. One can also try to recover deleted messages directly from the SQLite database, but it does not work well with recent iOS versions.
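As an added illustration of what "parsing the fields" of sms.db involves (this is example code written for this post, not part of any Elcomsoft product), the snippet below joins the message table with the handle table to identify the other party and converts Apple's timestamp format, which is nanoseconds since 2001-01-01 on iOS 11 and later and seconds on older versions. The table and column names used are the real sms.db ones; the database content itself is constructed in memory for the demo.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple's "Cocoa" epoch: 2001-01-01 00:00:00 UTC. sms.db stores the message
# date relative to this epoch, in nanoseconds (iOS 11+) or seconds (older iOS).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_date_to_utc(raw):
    """Convert an sms.db 'date' value to a timezone-aware UTC datetime."""
    if raw is None:
        return None
    if raw > 10**12:  # far too large to be seconds: nanosecond precision (iOS 11+)
        return APPLE_EPOCH + timedelta(microseconds=raw // 1000)
    return APPLE_EPOCH + timedelta(seconds=raw)  # second precision (older iOS)

def load_messages(conn):
    """Return message rows joined with the remote party's handle (phone/e-mail).

    handle.id is what you match against the address book to name the contact.
    """
    sql = """
        SELECT m.ROWID, m.text, m.service, m.date, m.is_from_me, h.id
        FROM message m
        LEFT JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.ROWID
    """
    return [
        {
            "rowid": rowid,
            "text": text,
            "service": service,            # 'iMessage' or 'SMS'
            "timestamp": apple_date_to_utc(date),
            "direction": "sent" if is_from_me else "received",
            "party": handle,
        }
        for rowid, text, service, date, is_from_me, handle in conn.execute(sql)
    ]

def build_sample_db():
    """Constructed in-memory stand-in for sms.db (subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
                              service TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15550100', 'iMessage');
        INSERT INTO message VALUES (1, 'hello', 1, 'iMessage', 624455200000000000, 0);
        INSERT INTO message VALUES (2, 'hi back', 1, 'iMessage', 624455260000000000, 1);
        INSERT INTO message VALUES (3, 'old style', 1, 'SMS', 500000000, 0);
    """)
    return conn
```

On a real extraction, open the sms.db copied from the file system image (keeping the -wal file next to it so SQLite replays uncommitted pages) instead of calling build_sample_db().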

How to: run Elcomsoft iOS Forensic Toolkit and extract the file system. Open the file system image in Elcomsoft Phone Viewer for analysis.

One more thing you should be aware of: the use of checkra1n allows extracting some message data (at least message drafts and some message attachments) even from locked devices with full file system acquisition in BFU (Before First Unlock) mode.

Obtaining iMessage conversations from iCloud, part one

What if you cannot reset the backup password, the file system acquisition does not work due to model/iOS compatibility reasons, or the device itself is not available?

The first thing to try is iCloud backups (if available). All you need is authentication credentials (Apple ID and password) and the second authentication factor (SMS or trusted device). Please note that usually two recent iCloud backups are available, and it is worth downloading them both, as the older one may contain deleted messages (otherwise not recoverable from iCloud). iCloud backups can be downloaded with Elcomsoft Phone Breaker (Windows and macOS versions are available).

Obtaining iMessage conversations from iCloud, part two

Starting with iOS 11.4, you can Keep all your messages in iCloud. That requires two-factor authentication and iCloud Keychain, but both options are enabled by default. If set, the iMessage database is not included in iCloud backups (local backups remain unchanged); instead, messages are synced directly with the user’s iCloud account.

How secure is that? Look at the iCloud security overview:

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple.

Apple’s implementation of “end-to-end” encryption is only partially secure. With the proper credentials, one can download messages along with attachments directly from iCloud. However, in addition to the login and password, one extra thing is needed: the passcode of an already trusted device (yes, just the passcode but not the device itself). Here is everything that is needed:

  • Apple ID
  • Password
  • Second authentication factor (SMS or trusted device)
  • Passcode of any trusted device

For more details, see iMessage Security, Encryption and Attachments. TL;DR: just use Elcomsoft Phone Breaker (the only product on the market that can download iMessage from the iCloud).

Conclusion

Is Apple iMessage a secure communications channel? Yes, it absolutely is, yet I’d struggle to name it the most secure. Is it still possible to extract messages and attachments? Yes, in most cases, though many limitations apply.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »