Right Method, Wrong Order

February 23rd, 2023 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

Extracting data from mobile devices is an essential part of forensic investigations, but it must be done carefully and correctly to ensure the highest possible level of accuracy and reliability. To accomplish this, the appropriate extraction methods should be used in the right order, considering all available options for a given device running a specific version of the operating system. So what is the best order of extraction methods when acquiring an iPhone? Read along to find out.

1. checkm8 (if compatible)

checkm8 extraction is the first process to consider if one is supported by the device. If successful, do not use any other extraction methods (except cloud extraction).

The reason for prioritizing checkm8 as the first extraction method is that it’s the only forensically sound extraction method that our extraction tools support. By utilizing checkm8, the content of the device remains unchanged, and subsequent extractions will be identical to the first one, which can be verified through matching checksums. Conversely, using any other extraction methods will lead to changes in the data partition that can’t be avoided, resulting in subsequent extractions no longer being 100% identical.
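The claim above can be checked rather than taken on faith: hash every file in two extractions of the same device and diff the results. The following is an added example (not code from iOS Forensic Toolkit); it builds a small constructed file tree in a temporary directory to stand in for two extraction folders, and the paths and contents are invented for illustration.

```python
"""Compare two extractions of the same device by per-file SHA-256.

Added example, not Elcomsoft's code. After a checkm8 extraction a second
extraction of the untouched device should hash identically; any method
that boots iOS or installs an agent writes to the data partition, so the
second image differs and the diff shows where.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of one file, streamed so multi-gigabyte images fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def manifest_digest(manifest: dict[str, str]) -> str:
    """Single digest over the sorted (path, hash) pairs, for the report."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode() + b"\0" + manifest[path].encode() + b"\n")
    return h.hexdigest()


def compare_extractions(first: dict[str, str], second: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or modified between two extraction manifests."""
    both = set(first) & set(second)
    return {
        "added": sorted(set(second) - set(first)),
        "removed": sorted(set(first) - set(second)),
        "modified": sorted(p for p in both if first[p] != second[p]),
    }


def demo() -> dict:
    """Constructed sample: two copies of a tiny tree, then a 'dirty' second copy."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp) / "extraction_1", Path(tmp) / "extraction_2"
        # Invented paths and contents, not real device data.
        files = {
            "private/var/mobile/Library/SMS/sms.db": b"sms rows v1",
            "private/var/mobile/Media/DCIM/100APPLE/IMG_0001.HEIC": b"image bytes",
        }
        for root in (a, b):
            for rel, data in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        clean = compare_extractions(hash_tree(a), hash_tree(b))
        digest_before = manifest_digest(hash_tree(a)) == manifest_digest(hash_tree(b))

        # Simulate what a non-checkm8 acquisition leaves behind: a rewritten
        # database and a new log file on the data partition.
        (b / "private/var/mobile/Library/SMS/sms.db").write_bytes(b"sms rows v2")
        log = b / "private/var/logs/agent.log"
        log.parent.mkdir(parents=True, exist_ok=True)
        log.write_bytes(b"agent ran")
        dirty = compare_extractions(hash_tree(a), hash_tree(b))
        digest_after = manifest_digest(hash_tree(a)) == manifest_digest(hash_tree(b))
        return {"clean": clean, "dirty": dirty,
                "digest_before": digest_before, "digest_after": digest_after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice, point `hash_tree` at the two unpacked extraction folders (or at the file lists produced by your acquisition tool) and keep the manifest digests in the case notes; a non-empty `modified` list after a supposedly read-only acquisition is the signal that the method was not as sound as assumed.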

This extraction method (as well as the extraction agent and extended logical acquisition) is supported in iOS Forensic Toolkit.

Detailed instructions: checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

2. Extraction agent (if compatible and device not supported by checkm8)

Next, consider using the extraction agent. If successful, do not use any other extraction methods (except cloud extraction).

The reason for ranking the extraction agent as the next best method after checkm8 is that it is a safe and reliable low-level option: it returns the full file system image and decrypts all keychain records, including those that cannot be decrypted by analyzing a local backup.

If a device is compatible with both checkm8 and the extraction agent, use checkm8 first. If checkm8 cannot be used on that device (for example, because the installed version of the operating system is not supported), and the extraction agent does support that version, use the extraction agent instead. In the event that neither checkm8 nor the extraction agent is supported, logical extraction is the recommended method.

Detailed instructions: iOS Forensic Toolkit 8 Extraction Agent Cheat Sheet

3. Logical extraction (local backup)

Make a local backup even if you don’t know the backup password.

It’s recommended to create a backup of the device “as is” first to preserve its original state. If necessary, the backup password can be reset in the device settings. However, resetting the backup password has serious forensic implications, such as the removal of the screen lock passcode. This, in turn, affects the device’s trust in iCloud and prevents access to end-to-end encrypted data for cloud extraction. Additionally, some types of data, such as Apple Pay data and transaction history, may be deleted from the device. If there’s no backup password, a temporary backup password of “123” can be assigned to access otherwise inaccessible types of data, like the keychain.

Detailed instructions: Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

4. Extended logical extraction

The reason for performing an extended logical extraction is that it allows for the extraction of additional types of data even if a backup password is set. For instance, using the “advanced logical” process to extract media files will not only return the media files themselves but also provide detailed metadata. This metadata can be useful in gaining more information about the extracted media files, such as album names, people and object recognition results, location data, and more. In addition, the metadata may contain information about deleted media that is no longer present on the device. Therefore, conducting an extended logical extraction can yield more comprehensive results, making it one of the preferred methods for data extraction.

Detailed instructions: Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

5. Unknown backup password

We strongly suggest performing a risk assessment when encountering a backup protected with an unknown password. In the event that the password cannot be recovered with a brute-force or dictionary attack, you may be able to perform a soft reset by using the “Reset All Settings” command in the Settings app, which removes the backup password along with other settings. However, it’s important to note that resetting the backup password also results in the removal of the screen lock passcode, which has significant forensic implications. After resetting the backup password, repeat the logical extraction process to obtain the data stored in the backup.

Please note that the chance of recovering the backup password with a brute-force or dictionary attack is low, as the encryption used by Apple for backups is extremely robust: since iOS 10.2 the backup key is derived with ten million rounds of PBKDF2-SHA256, so even a powerful GPU accelerator tests only on the order of a hundred passwords per second, and anything beyond a short or dictionary-based password may take an impractical amount of time to break. Given that a local backup may contain valuable evidence, it’s essential to exhaust all available options before considering the password unrecoverable.
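To see why the attack is slow, the following added example (not Elcomsoft’s code) reproduces the password-to-key derivation of the backup keybag: since iOS 10.2 it is PBKDF2-HMAC-SHA256 over the DPSL salt for DPIC rounds, followed by the older PBKDF2-HMAC-SHA1 over the SALT for ITER rounds. The two salts in the code are constructed, not taken from a real backup; the iteration counts are Apple’s defaults. A real tool validates a candidate by AES-unwrapping a wrapped class key with the derived key; here the candidate is checked against a key derived from the known password, which has the same cost profile.

```python
"""Cost of guessing an encrypted iOS backup password.

Added example, not Elcomsoft's code. Reproduces the two-stage PBKDF2
chain used by the BackupKeyBag in Manifest.plist (iOS 10.2 and later);
the salts below are constructed, the iteration counts are Apple's defaults.
"""
import hashlib
import time

DPIC_DEFAULT = 10_000_000   # PBKDF2-HMAC-SHA256 rounds added in iOS 10.2
ITER_DEFAULT = 10_000       # PBKDF2-HMAC-SHA1 rounds (the pre-10.2 chain)

# Constructed sample salts (a real keybag carries random 20-byte values).
SAMPLE_DPSL = bytes(range(0x10, 0x24))
SAMPLE_SALT = bytes(range(0xA0, 0xB4))


def derive_backup_key(password: str, dpsl: bytes, salt: bytes,
                      dpic: int = DPIC_DEFAULT, iters: int = ITER_DEFAULT) -> bytes:
    """32-byte key that unwraps the class keys in the backup keybag."""
    stage1 = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), dpsl, dpic, 32)
    return hashlib.pbkdf2_hmac("sha1", stage1, salt, iters, 32)


def dictionary_attack(wordlist, dpsl: bytes, salt: bytes, target_key: bytes,
                      dpic: int = DPIC_DEFAULT, iters: int = ITER_DEFAULT):
    """Return the first candidate whose derived key matches target_key, else None.

    Every candidate pays the full derivation cost; that cost, not the
    comparison, is what makes the attack slow.
    """
    for candidate in wordlist:
        if derive_backup_key(candidate, dpsl, salt, dpic, iters) == target_key:
            return candidate
    return None


def seconds_per_guess(dpsl: bytes, salt: bytes,
                      dpic: int = DPIC_DEFAULT, iters: int = ITER_DEFAULT) -> float:
    """Wall-clock cost of one derivation on this CPU (one core, no GPU)."""
    t0 = time.perf_counter()
    derive_backup_key("probe", dpsl, salt, dpic, iters)
    return time.perf_counter() - t0


def estimate_hours(alphabet_size: int, length: int, sec_per_guess: float,
                   parallel_guesses: int = 1) -> float:
    """Worst-case hours to exhaust alphabet_size**length candidates."""
    candidates = alphabet_size ** length
    return candidates * sec_per_guess / parallel_guesses / 3600.0


if __name__ == "__main__":
    # Full-cost derivation: expect seconds per guess on a single CPU core.
    cost = seconds_per_guess(SAMPLE_DPSL, SAMPLE_SALT)
    print(f"one guess at iOS 10.2+ cost: {cost:.2f} s")
    # Assumption for the estimate: a GPU rig doing ~100 guesses/s.
    gpu_sec_per_guess = 1 / 100
    for alphabet, length in ((10, 6), (26, 8), (62, 8)):
        hours = estimate_hours(alphabet, length, gpu_sec_per_guess)
        print(f"{alphabet}^{length} keyspace at 100 guesses/s: {hours / 24 / 365:.1f} years")
```

The `dictionary_attack` loop is the whole attack; there is no shortcut around the two PBKDF2 stages, which is why a short wordlist of passwords the user is known to reuse is worth far more than raw hardware here.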

Detailed instructions: iCloud backups: the Dark Territory and iOS Backups: Leftover Passwords

6. Cloud extraction

Apple offers by far the most sophisticated solution for backing up, restoring, transferring and synchronizing data across devices belonging to the company’s ecosystem. Apple iCloud can store cloud backups and media files, synchronize essential information between Apple devices, and keep highly sensitive information such as Health and authentication credentials securely synchronized.

Apple iCloud contains information belonging to several different categories, and you will require a different set of credentials to access some of this data.

For backups and synchronized data, you will need all of the following:

  • The user’s Apple ID and password.
  • A way to pass two-factor authentication (you can use one of the user’s trusted devices or a SIM card with a trusted phone number).

To access end-to-end encrypted data including iCloud Keychain containing the user’s stored passwords, you will need the following in addition to the above credentials:

  • A password or screen lock passcode to one of the user’s trusted devices.

Cloud extraction can be performed with Elcomsoft Phone Breaker.

Detailed instructions: Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data

Conclusion

When it comes to obtaining evidence from Apple devices, using the right extraction methods in the right order is essential to ensure admissible results.

If the device is compatible, go with the checkm8 extraction method. It is the only forensically sound way to access the data, and using it will not alter the content of the device.

If checkm8 is not an option, consider another low-level acquisition option using the extraction agent. This one will return a full file system image and access to keychain records, even the ones that cannot be accessed by analyzing a local backup.

If neither of those work out, resort to logical extraction. Be sure to create a backup of the device “as is” first; only then, and only after weighing the forensic consequences, consider resetting the backup password to get access to the data. Extended logical extraction comes next, as it can extract additional types of data even if the backup password is set.

If you’re dealing with an unknown backup password, first, try brute-force or dictionary attack to recover it, but chances are low that it will work. If all else fails, you can always do a soft reset and start over.

Last but not least, you could always try cloud extraction, but keep in mind what it requires: the user’s Apple ID and password, a way to pass two-factor authentication, and, for end-to-end encrypted data such as iCloud Keychain, the password or screen lock passcode of one of the user’s trusted devices.

Overall, following these guidelines will help you get that data accurately and reliably, without damaging or altering it.