Archive for the ‘Did you know that…?’ category

Today’s smartphones collect overwhelming amounts of data about the user’s daily activities. Smartphones track users’ location and record the number of steps they walked, save pictures and videos they take and every message they send or receive. Users trust smartphones with their passwords and login credentials to social networks, e-commerce and other Web sites. It is hard to imagine one’s daily life without calendars and reminders, notes and browser favorites and many other bits and pieces of information we entrust our smartphones. All of those bits and pieces, and much more, are collected from the iPhone and stored in the cloud. While Apple claims secure encryption for all of the cloud data, the company readily provides some information to the law enforcement when presented with a legal request – but refuses to give away some of the most important bits of data. In this article we’ll cover the types of data that Apple does and does not deliver when served with a government request or while processing the user’s privacy request.

What’s Stored in iCloud

Apple uses iCloud as an all-in-one cloud backup, cloud storage and cloud synchronization solution for the user of iOS, iPasOS and macOS devices. iOS 12 and 13 can store the following types of data in the user’s iCloud account:

iCloud backups

iCloud backups contain a lot of data from the iPhone, which includes device settings and home screen icons, the list of installed apps and individual apps’ private data (if allowed by the app developer).

The content of iCloud backups is exclusive. Any information that is synchronized with iCloud is excluded from cloud backups. For example, if the user enables the iCloud Photo Library, pictures and videos will synchronize to iCloud and will not be included in iCloud backups. The same is true for many other categories. Here’s what Apple says in What does iCloud back up?

Your iPhone, iPad, and iPod touch backup only include information and settings stored on your device. It doesn’t include information already stored in iCloud, like Contacts, Calendars, Bookmarks, Mail, Notes, Voice Memos, shared photos, iCloud Photos, Health data, call history, and files you store in iCloud Drive.

In iOS 13, iCloud backups do not include any of the following:

  • Keychain *
  • Health data
  • Home data
  • iCloud Photos **
  • Messages **
  • Call logs
  • Safari history

* While the keychain is still physically included, records marked as ThisDeviceOnly are encrypted with a device-specific key and can only be restored onto the same physical device they were saved from.

** Photos and Messages are not included if (and only if) the iCloud sync of those categories is not enabled in device settings.

Synchronized data

iOS allows synchronizing many types of data with the user’s iCloud account. While users can enable or disable the sync for some of the data categories (as defined in Change your iCloud feature settings), some other types of data (e.g. the call log) are always synchronized unless the user disables the iCloud Drive feature entirely.

The following types of data are synchronized to iCloud:

  • Photos
  • Safari History & Bookmarks
  • Calendars
  • Contacts
  • Find My (Devices & People)
  • Notes
  • Reminders
  • Siri Shortcuts
  • Voice Memos
  • Wallet passes
  • iCloud Mail
  • Maps
  • Clips
  • Data covered by the iCloud Drive category (e.g. Call logs)

Files

There are two distinct data types that fall under the “Files” category.

The first category includes files the user stores in their iCloud Drive (e.g. by using the iOS Files app). These files are user-accessible, and can be downloaded by using the iCloud Drive app on a Mac or Windows PC.

The second category includes files stored by system apps (e.g. downloaded books and documents in the Books app) and third-party apps (e.g. stand-alone WhatsApp backups, game saves etc.) While large amounts of data may accumulate under this category, users have no direct access to these files. For example, any files stored by third-party apps are only displayed as toggles in the iCloud | Apps section. The only control the user has over these files is the ability to disable sync (and remove stored files) for a certain app.

End-to-end encrypted data

Apple uses end-to-end encryption to secure sensitive types of data such as the users’ passwords, Health data or credit card information. The data is secured with an encryption key derived from some device-specific information and the user’s screen lock passcode. Users must enroll their devices into the trusted circle in order to enable the sharing of end-to-end encrypted data.

The following types of data are covered by end-to-end encryption as per iCloud security overview:

  • Home data
  • Health data (iOS 12 or later) *
  • iCloud Keychain (includes saved accounts and passwords)
  • Payment information
  • QuickType Keyboard learned vocabulary (iOS 11 or later)
  • Screen Time password and data
  • Siri information
  • Wi-Fi passwords
  • Messages in iCloud **

* iOS 11 devices synchronize Health data as a regular data category without using end-to-end encryption. According to Apple, “End-to-end encryption for Health data requires iOS 12 or later and two-factor authentication. Otherwise, your data is still encrypted in storage and transmission but is not encrypted end-to-end. After you turn on two-factor authentication and update iOS, your Health data is migrated to end-to-end encryption.”

** According to Apple, “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple. Since iOS 13, Apple no longer stores Messages in iCloud backups if the user activates Messages in iCloud.

What Apple Provides When Serving Government Requests

Apple discloses certain types of information when serving a valid government request. This data typically includes information that falls into iCloud backups, Synchronized data and Files categories.

When serving government requests, Apple also delivers iCloud backups. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

The following principles apply when Apple serves government requests: https://www.apple.com/privacy/government-information-requests/; of particular interest are the following excerpts:

Apple will notify customers/users when their Apple account information is being sought in response to a valid legal request from government or law enforcement, except where providing notice is explicitly prohibited by the valid legal request, by a court order Apple receives, by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case, or where Apple reasonably considers that to do so would likely pervert the course of justice or prejudice the administration of justice.

The second category includes files stored by system apps (e.g. downloaded books and documents in the Books app) and third-party apps (e.g. stand-alone WhatsApp backups, game saves etc.) While large amounts of data may accumulate under this category, users have no direct access to these files. For example, any files stored by third-party apps are only displayed as toggles in the iCloud – Apps section. The only control the user has over these files is the ability to disable sync (and remove stored files) for a certain app.

Apple defines information provided to the LE as follows:

iCloud stores content for the services that the subscriber has elected to maintain in the account while the subscriber’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. iCloud content may include email, stored photos, documents, contacts, calendars, bookmarks, Safari browsing history, Maps Search History, Messages and iOS device backups. iOS device backups may include photos and videos in the Camera Roll, device settings, app data, iMessage, Business Chat, SMS, and MMS messages and voicemail. All iCloud content data stored by Apple is encrypted at the location of the server. When third-party vendors are used to store data, Apple never gives them the keys. Apple retains the encryption keys in its U.S. data centres.

While Apple correctly claims that it does not keep deleted content once it is cleared from Apple’s servers, we have found that, in many cases, some content may still be available on Apple servers. As a result, tools such as Elcomsoft Phone Breaker can access and download such content.

Additionally, Apple does not explicitly mention certain types of data such as the phone-to-cloud communication logs. These logs record the phone’s dynamic IP address and store records going back some 28 days.

What Apple Provides When Serving Privacy Requests

Apple is committed to disclosing information to end users according to the European Data Protection Directive (EDPR) or serving a request for personal data submitted via Apple’s Data & Privacy portal. Users can request a download of a copy of their data from Apple apps and services. This, according to Apple, may include purchase or app usage history and the data users store with Apple, such as calendars, photos or documents. Below is the list of information disclosed by Apple:

Note: iCloud backups are only provided when Apple serves government requests. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

What Apple Does Not Provide

Any information that falls under the End-to-end encrypted data category as defined in the iCloud security overview is never disclosed to the law enforcement. End users may only obtain end-to-end encrypted data by setting up a compatible Apple device and typing a screen lock passcode of their past device.

Obtaining End-to-End Encrypted Data

Since Apple refuses to provide legal access to any of the data the company protects with end-to-end encryption, experts must use third-party tools to extract this information from iCloud. Elcomsoft Phone Breaker is one of the few tools on the market that can touch these encrypted categories. Elcomsoft Phone Breaker can extract the iCloud backups, files and synchronized data. In addition, the tool can download and decrypt the following types of end-to-end encrypted data:

  • iCloud Keychain
  • Health
  • Messages in iCloud
  • Screen Time password
  • FileVault2 recovery token

In order to access end-to-end encrypted data, the following information is required:

  1. The user’s Apple ID and password
  2. A valid, non-expired one-time code to pass Two-Factor Authentication
  3. The user’s screen lock passcode or system password to any current or past device enrolled in the trusted circle

More information:

Conclusion

In this article, we described the discrepancy between the data Apple collects from its users and stores on its servers, and the data the company gives away to the law enforcement when serving a government request. Some of the most essential categories are not disclosed, particularly the user’s passwords (iCloud Keychain), text messages and iMessages (Messages in iCloud), the user’s physical activity logs (Health), device usage patterns (Screen Time) and Home data. Most of this information can be only accessed by using third-party tools such as Elcomsoft Phone Breaker, and only if the complete set of authentication credentials (the login and password, 2FA code and screen lock/system password) are known.

What is DFU, and how is it different from the recovery mode? How do you switch the device to recovery, DFU or SOS mode, what can you do while in these modes and what do they mean in the context of digital forensics? Can you use DFU to jailbreak the device and perform the extraction if you don’t know the passcode? Read along to find out.

iOS Recovery Mode

The recovery mode is the easiest to explain. According to Apple, you can put your iOS or iPadOS device in recovery mode to restore it using your computer.

The recovery mode comes handy if one of the following situations occurs:

  • Your iOS or iPadOS device is locked after multiple unsuccessful unlock attempts and displays the infamous “Connect to iTunes” message. In many cases, connecting the device to iTunes will be unsuccessful because the data connection of the device is blocked with USB restricted mode. If this is the case, you must switch the device to recovery mode and connect to iTunes to restore.
  • You forgot the screen lock passcode and want to reset the device to factory settings. Activation lock: following the reset, you’ll have to provide the Apple ID/iCloud password of the device’s Apple ID account.
  • The device cannot fully boot; the display is stuck on the Apple logo for several minutes with no progress bar. I have personally seen this multiple times after unsuccessful iOS updates (the latest case being the almost-full iPhone 7 updated from iOS 9 straight to the latest iOS 13.3).
  • Your computer doesn’t recognize your device or says it’s in recovery mode, or you see the recovery mode screen.

How to switch the device into recovery mode

The recovery mode is well-documented in “If you can’t update or restore your iPhone, iPad, or iPod touch” (link). Connect the device to a computer with iTunes installed. Perform a force restart of the device by following instructions laid out in “If your screen is black or frozen” (link):

If your screen is black or frozen

If your screen is black or frozen, you might need to force-restart your device. A force-restart won’t erase the content on your device. You can force-restart your device even if the screen is black or the buttons aren’t responding. Follow these steps:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Power button until the device restarts.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Side button until you see the Apple logo.
  • iPhone 7, iPhone 7 Plus and iPod touch (7th generation): Press and hold both the Top (or Side) button and the Volume Down buttons until you see the Apple logo.
  • iPad with Home button, iPhone 6s or earlier and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons until you see the Apple logo.

After following the force-restart instructions, do not release the buttons when you see the Apple logo, wait until the recovery mode screen appears:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Press and hold the Top button until your device begins to restart. Continue holding the Top button until your device goes into recovery mode.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then, press and hold the Side button until you see the recovery mode screen.
  • iPhone 7, iPhone 7 Plus, and iPod touch (7th generation): Press and hold the Top (or Side) and Volume Down buttons at the same time. Keep holding them until you see the recovery mode screen.
  • iPad with Home button, iPhone 6s or earlier, and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons at the same time. Keep holding them until you see the recovery mode screen.

(source)

How to use the recovery mode

We know of several viable usage scenarios for the recovery mode.

  1. Reinstall iOS (if the iOS device is running the latest version), perform an in-place update or switch from a beta version of iOS to the current release version using the iTunes app. In this scenario, the data is preserved.
  2. Restore the device. This is what you want if you forgot the passcode. The passcode will be removed and USB restrictions disabled, but the data will be already erased by that time. Mind the activation lock.
  3. Perform a (limited) forensic extraction through recovery mode. You’ll need a reasonably up to date version of iOS Forensic Toolkit (EIFT 4.10 or newer).

Information available in recovery mode

When performing a forensic extraction of a device running in the recovery mode, note that only a very limited set of data will be available. The following information is available:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery

The Recovery mode may return the following information:

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
  • Serial number: XXXXXXXXXXX (or N/A)
  • IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
  • Mode: Recovery

How to exit recovery mode

The procedure for leaving the recovery mode is different for different devices. In general, you’ll use the following steps:

  • Unplug the USB cable.
  • Hold down the sleep/wake button or side button depending on device model until the device turns off.
  • Either keep holding the button combination or release and hold it down again until the Apple logo appears.
  • Let go of the buttons and let the device start up.

This is the Apple-recommended procedure for exiting the recovery mode:

  • iPhone 6s and earlier, Touch ID equipped iPads: hold the Home button and the Lock button until the device reboots.
  • iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.
  • iPhone 8 and newer: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of iOS recovery mode

The recovery mode has a positive yet limited value for mobile forensic specialists.

  • Enables obtaining device information without a passcode.
  • Allows bypassing the USB restricted mode (albeit accessing limited amounts of information).
  • For newer iOS devices (A12 and newer), returns more information compared to the DFU mode.

Interestingly, when users install the checkra1n jailbreak from the device GUI, the jailbreak first switches the device into recovery (unlike DFU, the recovery mode is available through the API). Only after the device is switched to recovery, the jailbreak prompts for a switch to DFU and displays step-by-step instructions and timings. Alternatively, the jailbreak can be installed from the command line, which will bypass the intermediary recovery mode.

iOS DFU Mode

The undocumented DFU stands for “Device Firmware Upgrade”. Unlike the recovery mode, which is designed with an ordinary user in mind, the DFU mode was never intended for the public. There is no documentation about DFU anywhere in Apple Knowledge Base. Entering the DFU more involves a complicated sequence of pressing, holding and releasing buttons with precise timings. Wrong timings during any of the multiple steps would reboot the device instead of switching it to DFU. Finally, there is no on-screen indication of DFU mode. If the device is successfully switched to DFU, the display remains black. Entering DFU mode can be difficult even for experts.

DFU is part of the bootrom, which is burned into the hardware. On A7 through A11 devices, a vulnerability has been discovered allowing to bypass SecureROM protection and jailbreak the device via DFU mode. More in our blog: BFU Extraction: Forensic Analysis of Locked and Disabled iPhones.

Steps for entering DFU mode differ between devices. Some devices have several different methods to invoke DFU, making it even more confusing. The differences in procedures may be severe between device generations. Since no official instructions are available, we have to rely on third-party sources for information.

Note: the device screen will be completely black while in DFU mode. The iPhone Wiki explains steps required to enter the DFU mode in a dedicated article. According to the article, this is how you enter DFU mode on the different device models. If you are more of a visual learner, check out this link with video tutorials instead: How To Put An iPhone In DFU Mode, The Apple Way

Apple TV

  1. Plug the device into your computer using a USB cable.
  2. Force the device to reboot by holding down the “Menu” and “Down” buttons simultaneously for 6-7 seconds.
  3. Press “Menu” and “Play” simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in Recovery Mode.

A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Home button and Lock button.
  3. After 8 seconds, release the Lock button while continuing to hold down the Home button.
    • If the Apple logo appears, the Lock button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Alternative method 1:

  1. Hold the Lock Button for 3 seconds
  2. Continue holding the Lock button and also hold the Home button (15 seconds)
  3. Release the Lock button while continuing to hold the Home button (10 seconds)
  4. Your device should enter DFU mode

Alternative method 2:

  1. Connect the device to your computer and launch iTunes. Turn the device off.
  2. Hold down the Lock button and Home button together for exactly 10 seconds, then release the Lock button.
  3. Continue holding the Home button until iTunes on your computer displays a message that a device in recovery mode has been detected. The device screen will remain completely black.

A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Side button and Volume Down button.
  3. After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A11 and newer devices (iPhone 8 and above, including the iPhone Xr, Xs and Xs Max; iPad Pro 2018, iPad Air 2019, iPad Mini 2019)

  1. Connect the device to a computer using a USB cable.
  2. Quick-press the Volume Up button
  3. Quick-press the Volume Down button
  4. Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  5. After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  6. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Sources: iphonewiki and other third-party sources

Information available in DFU mode

The DFU mode returns even less information compared to the recovery mode.

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: N/A
IMEI: N/A
MODE: DFU

To obtain this information, use iOS Forensic Toolkit 4.10 or newer.

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID/Unique Chip ID: XXXXXXXXXXXXXXXX
  • Serial number: not available in DFU mode
  • IMEI: not available in DFU mode
  • Mode: DFU
  • Exiting DFU Mode

How to exit DFU mode

The process of exiting DFU mode is also different across devices.

For devices with a physical Home button (up to and including iPhone 6s and iPhone SE): hold the Home button and the Lock button until the device reboots.

For iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.

For iPhone 8 and iPhone 8 Plus, iPhone X: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of DFU mode

The DFU mode may have a huge value for mobile forensic specialists depending on the device model. iPhone, iPod Touch and iPad devices based on A5 through A11 generations of Apple processors (iPhone generations from iPhone 4s through iPhone 8, 8 Plus and iPhone X, as well as the corresponding iPad models) have a non-patchable, hardware-based bootrom vulnerability. This vulnerability allows installing a jailbreak on affected devices regardless of the version of iOS that is installed. This also makes it possible to extract a limited but still significant amounts of data through DFU mode without knowing or breaking the passcode.

  • All devices: enables obtaining device information without a passcode
  • All devices: allows bypassing the USB restricted mode (albeit accessing limited amounts of information)
  • Vulnerable iOS devices (A5 through A11 generations): returns significantly more information compared to the recovery mode
  • Criminals exploit the vulnerability to remove Activation Lock from vulnerable devices (A5 through A11 generations) running older versions of iOS. Reportedly, this vulnerability has been fixed by Apple in iOS 13.3; however, considering the nature of the exploit, this functionality may reappear.

The following information is extractable from vulnerable iOS devices:

  • Limited file system extraction: the list of installed applications, some Wallet data, the list of Wi-Fi connections, some media files, notifications (these may contain some chat messages and other useful data), and many location points.
  • Keychain records with kSecAttrAccessibleAlways and kSecAttributeAccessibleAlwaysThisDeviceOnly
  • Oxygen Forensic Detective additionally processes files such as /private/var/wireless/Library/Databases/DataUsage.sqlite (apps’ network activities), /private/var/preferences/ (network interfaces) or /private/var/mobile/Library/Voicemail/ (voicemail messages) to display even more information.

More information in BFU Extraction: Forensic Analysis of Locked and Disabled iPhones and iOS Device Acquisition with checkra1n Jailbreak.

Differences between DFU and recovery modes

While both DFU and recovery are designed to fulfil essentially the same goal of recovering a non-bootable device by flashing known working firmware, they are very different in the way they work.

The recovery mode boots into the bootloader (iBoot), and works by issuing commands through the bootloader. The bootloader is part of the operating system, and can be flashed, updated or patched if there are any vulnerabilities discovered. The recovery mode will only accept signed firmware images, so going back to firmware that is no longer signed by Apple is not possible. While the device is in recovery mode, the user gets a clear visible indication on the device:

DFU or Device Firmware Upgrade, on the other hand, allows restoring devices from any state, including devices with corrupted bootloader. DFU does not operate through a software-upgradeable bootloader. Instead, DFU is burned into the hardware as part SecureROM. DFU cannot be updated, patched or disabled. As a result, the bootrom vulnerability and the corresponding checkm8 exploit cannot be patched by Apple, allowing experts extract certain data from affected devices while bypassing passcode protection and USB restrictions.

DFU will also accept only signed firmware packages. As long as a package is still signed by Apple, the user can upgrade and downgrade firmware at will since there is no downgrade protection in DFU. There is no indication on the device that the device is in DFU mode. During DFU interfacing, the device screen remains black.

The recovery mode was designed for end users and Apple facilities, while the DFU mode was never meant for the end user at all. Entering the recovery mode is easy; any reasonably experienced user can follow the instructions. Entering the DFU mode is not only significantly trickier, but requires precise timings. Hold a button one second too long, and the device simply reboots instead of entering DFU.

The S.O.S. mode

The third and final special mode we’re about to discuss today is the S.O.S. mode. The S.O.S. mode can be manually invoked by the user while the device is running. Apple has a comprehensive description of S.O.S. mode in Use Emergency SOS on your iPhone.

Activating S.O.S. mode

On newer devices without the Home button (as well as the iPhone 8 and 8 Plus), the S.O.S. mode is activated in exactly the same way as the power-off sequence. Users press and hold one of the volume buttons and the side button. The power off/emergency screen appears.

On older devices, the S.O.S. mode is activated by rapidly pressing the side (or top) button five times. The Emergency SOS slider will appear. Users in India only need to press the button three times, after which the iPhone automatically makes an emergency call.

“If you use the Emergency SOS shortcut, you need to enter your passcode to re-enable Touch ID, even if you don’t complete a call to emergency services.” (Source: Use Emergency SOS on your iPhone)

How to exit S.O.S. mode

To exit the S.O.S. mode, users tap on the “Cancel” icon. The device will prompt for the passcode (biometric identification methods are disabled). Alternatively, one can slide the Power off slider to the right to switch off the device.

Forensic implications of S.O.S. mode

Once invoked, the S.O.S. mode has the following forensic implications.

  • All biometric authentication methods (Touch ID and Face ID) are disabled. The device must be unlocked with a passcode.
  • Data transmission on USB port is switched off (USB restricted mode is immediately activated). This makes traditional acquisition efforts fruitless, potentially affecting passcode recovery solutions offered by companies such as Cellebrite and GrayShift.

For us, this year has been extremely replete with all sorts of developments in desktop, mobile and cloud forensics. We are proud with our achievements and want to share with you. Let’s have a quick look at what we’ve achieved in the year 2019.

Mobile Forensics: iOS File System Imaging

We started this year by updating Elcomsoft iOS Forensic Toolkit, and by a twist of a fate it became our most developed tool in 2019. The developments went through a number of iterations. The release of unc0ver and Electra jailbreaks enabled Elcomsoft iOS Forensic Toolkit to support physical acquisition for iOS 11.4 and 11.4.1 devices, allowing it to produce file system extraction via jailbreak.

In the meanwhile, we updated Elcomsoft Phone Viewer with support for file system images produced by GrayKey, a popular forensic solution for iOS physical extraction. Analysing GrayKey output with Elcomsoft Phone Viewer became faster and more convenient.

Later in February, Elcomsoft iOS Forensic Toolkit received a major update, adding support for physical acquisition of Apple devices running iOS 12. The tool became capable of extracting the content of the file system and decrypting passwords and authentication credentials stored in the iOS keychain. For the first time, iOS Forensic Toolkit made use of a rootless jailbreak with significantly smaller footprint compared to traditional jailbreaks.

Not long ago, Elcomsoft iOS Forensic Toolkit 5.20 was updated with file system extraction support for select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Making use of the new future-proof bootrom exploit built into the checkra1n jailbreak, EIFT is able to extract the full file system image, decrypt passwords and authentication credentials stored in the iOS keychain. And finally, the sensational version 5.21 raised a storm of headlines talking about iOS Forensic Toolkit as the ‘New Apple iOS 13.3 Security Threat’. Why? We made the tool support the extraction of iOS keychain from locked and disabled devices in the BPU-mode (Before-first-unlock). The extraction is available on Apple devices built with A7 through A11 generation SoC via the checkra1n jailbreak.

Mobile Forensics: Logical Acquisition

Later on, Elcomsoft Phone Viewer was further updated to recover and display Restrictions and Screen Time passwords when analysing iOS local backups. In addition, version 4.60 became capable of decrypting and displaying conversation histories in Signal, one of the world’s most secure messaging apps. Experts became able to decrypt and analyse Signal communication histories when analysing the results of iOS file system acquisition.

Desktop Forensics and Trainings

In 2019 we’ve also updated Advanced PDF Password Recovery with a new Device Manager, and added support for NVIDIA CUDA 10 and OpenCL graphic cards to Advanced Office Password Recovery. Advanced Intuit Password Recovery added support for Quicken and QuickBooks 2018-2019 covering the changes in data formats and encryption of newest Intuit applications. In addition, the tool enabled GPU acceleration on the latest generation of NVIDIA boards via CUDA 10.

We are proud to say that the many changes we implemented in Elcomsoft Distributed Password Recovery are based on the users’ feedback we received by email and in person, during and after the training sessions. We had several trainings this year in the UK, Northern Ireland and Canada. “Fantastic. Time well spent on the training and on software that will be very useful on cases in the future”, commented Computer Forensic Examiner.

Cloud Forensics

We learned how to extract and decrypt Apple Health data from the cloud – something that Apple won’t provide to the law enforcement when serving legal requests. Health data can serve as essential evidence during investigations. The updated Elcomsoft Phone Viewer can show Apple Health data extracted with Elcomsoft Phone Breaker or available in iOS local backups and file system images.

Very soon Elcomsoft Phone Breaker 9.20 expanded the list of supported data categories, adding iOS Screen Time and Voice Memos. Screen Time passwords and some additional information can be extracted from iCloud along with other synchronized data, while Voice Memos can be extracted from local and cloud backups and iCloud synchronized data.

Skype anyone? In December, Elcomsoft Phone Viewer and Elcomsoft Phone Breaker were updated to extract and display Skype conversation histories.

Desktop Forensics: Disk Encryption

Elcomsoft System Recovery received a major update with enhanced full-disk encryption support. The update made it easy to process full-disk encryption by simply booting from a flash drive. The tool automatically detects full-disk encryption, extracting and saving information required to brute-force passwords to encrypted volumes. In addition, the tool became capable of saving the system’s hibernation file to the flash drive for subsequent extraction of decryption keys for accessing encrypted volumes.

Cloud Forensics: iOS 13 & Authentication Tokens

Elcomsoft Phone Breaker 9.15 added the ability to download iCloud backups created with iPhone and iPad devices running iOS 13 and iPadOS. In addition, the tool became able to extract fully-featured iCloud authentication tokens from macOS computers.

Following this, Elcomsoft Phone Breaker 9.30 delivered a new iCloud downloading engine and low-level access to iCloud Drive data. Thanks to the new iCloud engine, the tool became capable of downloading backups produced by devices running all versions of iOS up to iOS 13.2. While advanced iCloud Drive structure analysis allows users to enable deep, low-level analysis of iCloud Drive secure containers.

Cloud Forensics: Google

Elcomsoft Cloud Explorer 2.20 boosted the number of data types available for acquisition, allowing experts to additionally download a bunch of new types of data. This includes data sources in the Visited tree, Web pages opened on Android devices, requests to Google Assistant in Voice search, Google Lens in Search history, Google Play Books and Google Play Movies & TV.

We have recently updated Elcomsoft iOS Forensic Toolkit, adding the ability to acquire the file system from a wide range of iOS devices. The supported devices include models ranging from the iPhone 5s through the iPhone X regardless of the iOS version; more on that in iOS Device Acquisition with checkra1n Jailbreak. In today’s update (for both Windows and macOS platforms as usual), we’ve added the ability to extract select keychain records in the BFU (Before First Unlock) mode. We have a few other changes and some tips on extracting locked and disabled devices.

BFU Forensics

The BFU stands for “Before First Unlock”. BFU devices are those that have been powered off or rebooted and have never been subsequently unlocked, not even once, by entering the correct screen lock passcode.

In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.

It is the “almost” part of the “everything” that we target in this update. We’ve discovered that certain bits and pieces are available in iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode. (more…)

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

Are you excited about the new checkm8 exploit? If you haven’t heard of this major development in the world of iOS jailbreaks, I would recommend to read the Technical analysis of the checkm8 exploit aricle, as well as Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer. The good news is that a jailbreak based on this exploit is already available, look at the checkra1n web site.

The jailbreak based on checkm8 supports iPhone devices based on Apple’s 64-bit platform ranging from the iPhone 5s all the way up to the iPhone 8 and iPhone X. Unlike previous jailbreaks, this one supports most iOS versions, up to and including iOS 13.2.2 at the time of  this writing. Support for future versions of iOS is also possible due to the nature of this exploit. Most iPads are also supported. Currently, there is no support for the Apple Watch, though theoretically it is possible for Series 1, 2 and 3. The Apple TV series 4 and 4K are supported by the exploit, and a jailbreak for series 4 is already available.

What does that mean for the forensic crowd? Most importantly, the jailbreak can be installed even on locked devices, as it works through DFU mode. That does not mean that you will be able to break the passcode. While you can extract some data from a locked device / unknown passcode, it won’t be much. From the other side, the jailbreak allows to dump the complete image of the file system if the passcode is known. This works for all devices from the iPhone 5s to X, many iPads, and Apple TV 4.

In this article, we will briefly describe how to install the jailbreak on Apple TV and what you can expect out of it.

(more…)

Why wasting time recovering passwords instead of just breaking in? Why can we crack some passwords but still have to recover the others? Not all types of protection are equal. There are multiple types of password protection, all having their legitimate use cases. In this article, we’ll explain the differences between the many types of password protection.

The password locks access

In this scenario, the password is the lock. The actual data is either not encrypted at all or is encrypted with some other credentials that do not depend on the password.

  • Data: Unencrypted
  • Password: Unknown
  • Data access: Instant, password can be bypassed, removed or reset

A good example of such protection would be older Android smartphones using the legacy Full Disk Encryption without Secure Startup. For such devices, the device passcode merely locks access to the user interface; by the time the system asks for the password, the data is already decrypted using hardware credentials and the password (please don’t laugh) ‘default_password’. All passwords protecting certain features of a document without encrypting its content (such as the “password to edit” when you can already view, or “password to copy”, or “password to print”) also belong to this category.

A good counter-example would be modern Android smartphones using File-Based Encryption, or all Apple iOS devices. For these devices, the passcode (user input) is an important part of data protection. The actual data encryption key is not stored anywhere on the device. Instead, the key is generated when the user first enters their passcode after the device starts up or reboots.

Users can lock access to certain features in PDF files and Microsoft Office documents, disabling the ability to print or edit the whole document or some parts of the document. Such passwords can be removed easily with Advanced Office Password Recovery (Microsoft Office documents) or Advanced PDF Password Recovery (PDF files).

(more…)

Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.

(more…)

The Screen Time passcode is an optional feature of iOS 12 and 13 that can be used to secure the Content & Privacy Restrictions. Once the password is set, iOS will prompt for the Screen Time passcode if an expert attempts to reset the device backup password (iTunes backup password) in addition to the screen lock passcode. As a result, experts will require two passcodes in order to reset the backup password: the device screen lock passcode and the Screen Time passcode. Since the 4-digit Screen Time passcode is separate to the device lock passcode (the one that is used when locking and unlocking the device), it becomes an extra security layer effectively blocking logical acquisition attempts.

Since users don’t have to enter Screen Time passcodes as often as they are required to enter their screen lock passcode, it is easy to genuinely forget that password. Apple does not offer an official routine for resetting or recovering Screen Time passcodes other than resetting the device to factory settings and setting it up as a new device (as opposed to restoring it from the backup). For this reason, the official route is inacceptable during the course of device acquisition.

Unofficially, users can recover their Screen Time passcode by making a fresh local backup of the device and inspecting its content with a third-party tool. In iOS 12, the Screen Time passcode can be only recovered from password-protected backups; in iOS 13, the passcode cannot be obtained even from the local backup. If local backups are protected with a password not known to the expert, the situation becomes a deadlock: one cannot reset an unknown backup password without a Screen Time passcode, and one cannot access the Screen Time passcode without decrypting the backup.

Elcomsoft Phone Breaker 9.20 offers an effective solution to the deadlock by obtaining Screen Time passcodes from the user’s iCloud account. The tool supports all versions of iOS 12 and 13.

(more…)

While the dust surrounding the controversy of rushed iOS 13 release settles, we are continuing our research on what has changed in iOS forensics. In this article we’ll review the new policy on USB restrictions and lockdown record expiration in the latest iOS release. We’ll also analyze how these changes affect experts investigating iPhone devices updated to the latest OS release.

The real purpose of the USB restricted mode may not be immediately obvious, and the new enhancements may cause even more confusion. In our view, using USB accessories while the device is locked creates no additional risk to the user’s security and privacy. However, if we assume that this mode is aimed straight at certain forensic extraction and passcode-cracking solutions (such as GrayKey), the target of the USB restriction would be law enforcement agencies.

USB restricted mode made its appearance in iOS 11.4.1 and further enhanced in iOS 12. We posted five articles on the matter; do check them out if you don’t know what this feature is for. We also recommend the original Apple KB article “Using USB accessories with iOS 11.4.1 and later”.

Apple is still to update its iOS Security Guide. The May 2019 version (iOS 12.3) of the Guide defines USB restricted mode as follows.

(more…)