A lot of people (including some law enforcement experts) are looking for a one-click solution for mobile extractions and data decryption. Unfortunately, there are no ‘silver bullet’ solutions today. In the era of high-tech mobile devices and end-to-end encryption one must clearly understand the available options and plan one’s actions accordingly. The time of ‘snake oil’ exploits is long gone. The modern world of mobile forensics is complex, and your actions will depend on a lot of factors. Today, we’re going to make your life a notch more complex by introducing a new iCloud authentication option you’ve never heard of before.
Being a mobile forensic specialist, you probably know of some manufacturers offering “magic solutions” that work straight out of the box, supporting an unadvertised range of devices running a secret range of OS versions. In real life, those solutions only work under very specific conditions, on very specific devices, running very specific versions of the software. In order to use these and other tools efficiently, one must learn the theory, and one must constantly improve one’s level of knowledge from day to day. This is a factor of your success. I want to draw your attention to how important it is to understand what is happening under the hood, especially when performing cloud extractions, where someone else has physical control over the data you’re attempting to access.
Today, I will introduce a very different method for authenticating into iCloud when doing cloud extractions. But before I do this, let me briefly remind you of our achievements in iCloud extractions.
It’s been almost 10 years since we learned how to download iCloud backups; a lot of improvements have been made since then:
I think there is no need to explain why iCloud acquisition is important in general. Even if you have an unlocked device compatible with low-level file system and keychain acquisition (so that Elcomsoft iOS Forensic Toolkit could do the job for you), you may not get all the data theoretically available; more on that below. We have a good feeling that future iPhones will not have a Lightning port (the latest Apple Watch already has its diagnostics port removed, so even limited logical acquisition is no longer available), while the iCloud acquisition method should remain available for the foreseeable future.
Before I start talking about the new authentication method, let me tell you why we felt the pressure to develop it. Several major iOS releases ago, the following things happened:
iCloud may contain significantly more information than the device itself because of the following reasons:
The value of a trusted device
A “trusted” device is not just a device that contains valuable information (probably including critical evidence); it has more value than you might imagine.
First, let me remind you of our old article: iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About. While that article was about iOS 11, the issue was fixed a couple of major iOS releases ago. Today (since iOS 14 at least) the passcode is always requested when you try to change the iCloud password. Still, a trusted device allows you to change the password without entering the old password; all you need is the device passcode.
You may think that there is nothing really new about the feature we have just added. After all, the device is trusted, so it should allow you to do everything you want with your iCloud account; that’s what it is for. And honestly, Apple did its best about iCloud protection: as you can see, modern devices (based on the A12 or later SoC) running the latest version of iOS cannot be used as a key to full iCloud access. But thanks to the checkm8 exploit and several kernel-level vulnerabilities, quite a lot of devices (older ones, as well as those without the latest iOS update) are exposed to the risk of not only revealing the data stored locally, but also of exposing all of your iCloud account data, including the data contributed by other devices on your account (such as your Mac protected with FileVault 2, if you chose to escrow the recovery key in iCloud when enabling FileVault). Do you still have some old device connected to the account and trusted? Think twice. You have been warned.
Stay safe!