Archive for the ‘Elcomsoft News’ category

Elcomsoft iOS Forensic Toolkit can perform full file system acquisition and decrypt the keychain from non-jailbroken iPhone and iPad devices. The caveat: the device must be running iOS 11 or 12 (except iOS 12.3, 12.3.1 and 12.4.1), and you must use an Apple ID registered in Apple’s Developer Program. In this article, I’ll explain the pros and contras of the new extraction method compared to traditional acquisition based on the jailbreak.

Why jailbreak?

Before I start talking about the new extraction method that does not require a jailbreak, let me cover the jailbreak first. In many cases, jailbreaking the device is the only way to obtain the file system and decrypt the keychain from iOS devices. Jailbreaking the device provides the required low-level access to the files and security keys inside the device, which is what we need to perform the extraction.

Jailbreaks have their negative points; lots of them in fact. Jailbreaking may be dangerous if not done properly. Jailbreaking the device can modify the file system (especially if you don’t pay close attention during the installation). A jailbreak installs lots of unnecessary stuff, which will be difficult to remove once you are done with extraction. Finally, jailbreaks are obtained from third-party sources; obtaining a jailbreak from the wrong source may expose the device to malware. For these and other reasons, jailbreaking may not be an option for some experts.

This is exactly what the new acquisition method is designed to overcome.

Agent-based extraction

The new extraction method is based on direct access to the file system, and does not require jailbreaking the device. Using agent-based extraction, you can can perform the full file system extraction and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.

Agent-based extraction is new. In previous versions, iOS Forensic Toolkit offered the choice of advanced logical extraction (all devices) and full file system extraction with keychain decryption (jailbroken devices only). The second acquisition method required installing a jailbreak.

EIFT 5.30 introduced the third extraction method based on direct access to the file system. The new acquisition method utilizes an extraction agent we developed in-house. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction. Both the file system image and all keychain records are extracted and decrypted. Once you are done, you can remove the agent with a single command.

Compatibility of agent-based extraction

Jailbreak-free extraction is only available for a limited range of iOS devices. Supported devices range from the iPhone 5s all the way up to the iPhone Xr, Xs and Xs Max if they run any version of iOS from iOS 11 through iOS 12.4 (except iOS 12.3 and 12.3.1). Apple iPad devices running on the corresponding SoC are also supported. Here’s where agent-based extraction stands compared to other acquisition methods:

 

The differences between the four acquisition methods are as follows.

  1. Logical acquisition: works on all devices and versions of iOS and. Extracts backups, a few logs, can decrypt keychain items (not all of them). Extracts media files and app shared data.
  2. Extraction with a jailbreak: full file system extraction and keychain decryption. Only possible if a jailbreak is available for a given combination of iOS version and hardware.
  3. Extraction with checkra1n/checkm8: full file system extraction and keychain decryption. Utilizes a hardware exploit. Works on iOS 12.3-13.3.1. Compatibility is limited to A7..A11 devices (up to and including the iPhone X). Limited BFU extraction available if passcode unknown.
  4. Agent-based extraction: full file system extraction and keychain decryption. Does not require jailbreaking. Only possible for a limited range of iOS versions (iOS 11-12 except 12.3.1, 12.3.2, 12.4.1).

Prerequisites

Before you begin, you must have an Apple ID enrolled in Apple’s Developer Program in order to install the agent onto the iOS device being acquired. The Apple ID connected to that account must have two-factor authentication enabled. In addition, you will need to set up an Application-specific password in your Apple account, and use that app-specific password instead of the regular Apple ID password during the Agent installation.

Important: you can use your Developer Account for up to 100 devices of every type (e.g. 100 iPhones and 100 iPads). You can remove previously enrolled devices to make room for additional devices.

Using agent-based extraction

Once you have your Apple ID enrolled in Apple’s Developer Program, and have an app-specific password created, you can start with the agent.

 

  1. Connect the iOS device being acquired to your computer. Approve pairing request (you may have to enter the passcode on the device to do that).
  2. Launch Elcomsoft iOS Forensic Toolkit 5.30 or newer. The main menu will appear.
  3. We strongly recommend performing logical acquisition first (by creating the backup, extracting media files etc.)
  4. For agent-based extraction, you’ll be using numeric commands.
  5. Install the agent by using the ‘1’ (Install agent) command. You will have to enter your credentials (Apple ID and the app-specific password you’ve generated). Then type the ‘Team ID’ related to your developer account. Note that a non-developer Apple ID account is not sufficient to install the Agent. After the installation, start the Agent on the device and go back to the desktop to continue.
  6. Acquisition steps are similar to jailbreak-based acquisition, except that there is no need to use the ‘D’ (Disable lock) command. Leave the Agent (the iOS app) working in the foreground.
  7. Obtain the keychain by entering the ‘2’ command. A copy of the keychain will be saved.
  8. Extract the file system with the ‘3’ command. A file system image in the TAR format will be created.
  9. After you have finished the extraction, use the ‘4’ command to remove the agent from the device.

To analyse the file system image, use Elcomsoft Phone Viewer or an alternative forensic tool that supports .tar images. For analysing the keychain, use Elcomsoft Phone Breaker. For manual analysis, mount or unpack the image (we recommend using a UNIX or macOS system).

Conclusion

If you have unprocessed Apple devices with iOS 11 – 12.2 or 12.4, and if you cannot jailbreak for one or another reason, give the new extraction mode a try. iOS Forensic Toolkit 5.30 can pull the file system and decrypt the keychain, leaves no apparent traces, does not remount and does not modify the file system while offering safe, fast and reliable extraction.

The popular unc0ver jailbreak has been updated to v4, and this is quite a big deal. The newest update advertises support for the latest A12 and A13 devices running iOS 13 through 13.3. The current version of iOS is 13.3.1. None of the older versions (including iOS 13.3) are signed, but still there are a lot of A12/A12X/A13 devices floating around. Until now, file system and keychain extraction was a big problem. The newest unc0ver jailbreak makes it possible.

The new build is based on an exploit that is quite reliable by itself. However, jailbreaking is more than just a single exploit; a lot of things (that are outside the scope of this article) have to be done. So the new version of a jailbreak is not a silver bullet, and may still fail on many devices; we have tested a few and received mixed results. Still, if the given device can be jailbroken with unc0ver, it means that we can pull all the data from it, down to the last bit.

ICYMI: iPhones and iPads based on A12/A12X/A13 SoC are not vulnerable to checkm8 exploit, and there is no room for BFU acquisition (if the passcode is not known). That means that jailbreaking them using iOS (not bootrom) exploits is the only way to get all the data, at least for now.

Installing the jailbreak

The jailbreak (curren version: 4.0.2) is available as an IPA file (iOS/iPadOS package). There are several methods of installing it, but they usually require signing the IPA using a third-party certificate, which is not very safe and requires approving the certificate on the device, which in turn means that you have allow the device make an Internet connection. This in turn means that the device can be remotely locked or wiped (and even if Find My is disabled, it may sync and modify the data. The only workaround is to set up the network so that that it can only access the Apple’s servers that take care of certificate approval, but this is not not as easy as it sounds.

The better and safer way is to sign the jailbreak IPA with a developer’s certificate using Cydia Impactor. You will need a developer’s account to do that. If you have one, create an Application-specific password first as Cydia Impactor does not natively support 2FA.

Once the IPA is installed, just run it and press [Jailbreak]. That simple.

Well, not quite. First, you have to press [Settings] in the top-right corner and enable the following options:

  • Re(Install) OpenSSH
  • SSH Only
  • Read-Only RootFS

What is it all about? Install OpenSSH (which is not installed by default); do not install Cydia (not only you won’t need it for the purpose of file system extraction, but removing Cydia after you’re done is a separate headache); do not remount the system partition, making the jailbreak rootless, safer, and with a minimum impact. I would not say “forensically sound”. But very close to that.

Note that the new build of unc0ver is not very reliable yet. If it fails, here is what the jailbreak developers recommend:

To everyone having reliability issues. You must follow those conditions carefully to have the best success:
– reboot
– airplane mode
– lock device
– wait 30 seconds (don’t do anything)
– jailbreak

A better exploitation method is required to avoid this. We’ll try our best.

Data acquisition

iOS Forensic Toolkit is all you need. First, do not miss some basic usage tips:

Ready to go? Extract the keychain and the file system first. Just note that with the keychain extraction, you may get error/warning messages like the following:

[+] memory_size: 3962028032
[-] no offsets for iPad8,1 17C54
[e] error reading kernel @0x0
[-] no kernel_call addresses for iPad8,1 17C54 [e] error reading kernel @0x0 Injecting to trust cache...
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
[e] error writing kernel @0x0

Just ignore them for now, we will take care on them later; they don’t seem to affect the keychain acquisition.

As for the file system, please note that if you forget to set the appropriate unc0ver options and install OpenSSH later from Cydia, acquisition will probably fail. The OpenSSH client installed alongside with the jailbreak works fine.

Anything else? Almost everything matters. Including whether you connect the iPhone directly or through a USB hub; the type of the cable (USB-A or USB-C to Lightning); and even the brand of the cable (original or not). Do not ask us why, ask Apple. To our experience, you get the best results when using an original Apple USB-A to Lightning cable connected directly (with no hubs); also, it works better on Macs. Yes, even that matters.

Data analysis

For “quick and dirty” analysis, use Elcomsoft Phone Viewer to browse the data acquired by iOS Forensic Toolkit. Do not underestimate this little tool; it does not parse all the data categories, but you will be surprised by the amount of data it can extract from media files (including deleted ones), locations, Apple Pay, Wallet etc. All the most-critical evidence is there.

Need more, including system databases, building the complete Timeline, defining social links between device contacts and extractions in Social Graph, getting comprehensive data analysis with facial recognition and image categorization, advanced data search and detailed reports? Get Oxygen Forensic Detective.

Did you extract the keychain? That’s a gold mine. Not just all the passwords and tokens (for dozens web sites, social networks, mail accounts and more), but also the encryption keys that will allow you to decrypt WhatsApp and Signal conversations. Use Elcomsoft Phone Breaker to browse it in a very convenient way (well, three ways); there you will be also able to export passwords to a wordlist, allowing you to break other files, documents and systems almost instantly.

We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Fit support. Google Fit is a relatively little known Google service aimed at tracking the user’s health and physical activities. In line with pretty much every other Google service, Google Fit synchronizes massive amounts of data with the user’s Google Account, storing activity-related information collected by all of the user’s devices in a single place. When extracting these data, we discovered massive amounts of location points stored alongside with information related to the user’s physical activities. Learn what is stored in Google Fit and how to extract it from the cloud!

What’s it all about

Google Fit extraction is about the massive amounts of data related to the user’s health and physical activities stored in the Google’s cloud. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can be truly invaluable during an investigation.

Google Fit is not the only type of information collected by Google. The search giant collects massive amounts of information. The types of data range from many years worth of the user’s location history to all of the user’s password saved in the Chrome browser or used with Android apps. Google Photos, Gmail, contacts and calendars, search requests and Web history, voice snippets, call logs and text messages and a lot more can make for some invaluable evidence. While Google readily returns most of that data when serving legal requests, Elcomsoft Cloud Explorer offers a much easier and near-instant extraction solution that requires far less paperwork. Considering the number of fully encrypted Android smartphones that may or may not be physically unlocked, Elcomsoft Cloud Explorer becomes truly irreplaceable, discovering more evidence than ever by revealing the hidden data one would never imagine existed, browsing deep inside into the user’s online activities going many years back. Elcomsoft Cloud Explorer does what Google itself does not do, offering a single point for downloading, discovering and analyzing evidence collected by Google.

How Google Fit collects information

Google Fit is both an app and a service. The Google Fit app is available for Android and iOS platforms; it can be used on both Android phones and Apple iPhones. The Google Fit service processes and stores information collected from all supported devices where it’s installed in the user’s Google Account.

While many users associate Google Fit with WearOS smartwatches, in reality the app does not require a smartwatch or a fitness tracker. A connected activity tracking device can provide information such as the number of steps walked, the number of stairs climbed, the user’s hear rate or periodic location points obtained from the tracker’s GPS sensor. When used without a compatible fitness tracker, the Google Fit app can source activity data from a smart combination of the phone’s built-in low-energy sensors, frequently obtained location points and a lot of artificial intelligence.

Google Fit data extracted from the user’s Google Account returns massive amounts of precise location points, allowing to pinpoint the user’s location with ultimate precision and granularity. Access to comprehensive location history and other critical real-time evidence can be vital for investigating crime.

Obtaining Google Account credentials

In order to sign in to the user’s Google Account, one requires the full set of Google credentials. The login and password can be often extracted from the user’s computer (with Elcomsoft Internet Password Breaker), from the cloud (with Elcomsoft Phone Breaker) or iOS keychain (with Elcomsoft iOS Forensic Toolkit).

In addition, some data from the Google Account (Google Fit being a notable exception) can be accessed with a token. The token is literally a cookie in Chrome, and can be extracted from the user’s computer. Elcomsoft Cloud Explorer includes a utility that automatically locates and extracts the authentication token from the Chrome browser installed on the user’s Mac or Windows PC. Using the extracted token, Elcomsoft Cloud Explorer authenticates into the user’s Google Account and displays the list of categories available for extraction.

Accessing Google Fit data

In order to extract Google Fit data from the user’s Google Account, you will need Elcomsoft Cloud Explorer 2.30 or newer.

  1. Launch Elcomsoft Cloud Explorer and create a new snapshot. Authenticate with the user’s login and password (Google Account). If required, pass two-factor authentication.
  2. Select the “Google Fit” check box.
  3. The data will be downloaded in several seconds to several minutes.
  4. After the processing, you can access Google Fit data from the main window.

Analyzing Google Fit data

You will be able to sort or group activities. The “Sessions” tab displays activity sessions detected by the Google Fit app. Activity sessions may include sleeping, walking, jogging and other types of activities.

Note that the sessions are detected automatically by the various apps and devices. Have a look at the “Package name” tab to discover which package has detected which session.

“Steps” can be either raw data from the connected smartwatch or fitness tracker, or information generated by the Google Fit app based on a combination of the smartphone’s step counter, the user’s height, and a lot of location data. If no external smartwatch or activity tracker is connected, the Google Fit app uses artificial intelligence to calculate the number of steps based on the abovementioned data. The app only polls the smartphone’s built-in step sensor at large intervals, relying more on location data than on the step counter.

Walking and running activities are automatically detected by the app based on the user’s heart rate, step count and location data.

One of the most interesting reports is “Locations”. By design, Google Fit collects massive amounts or location data. The test account reports 13,788 location points in 9 month. Considering that our test device was used on few rare occasions, the number of location reports is truly excessive. Clicking on a location point opens Google Maps.

Conclusion

Google Fit data may contain detailed information about the user’s location and physical conditions including the number of steps, types of activity, heart rate, elevation, and a lot more. Additional information provided by compatible health tracking devices may include blood pressure, elevation, precise step count, and additional location data collected from the GPS sensor built into the smartwatch or tracker. Analyzing the massive amounts of Google Fit data can become invaluable help when searching for evidence and investigating crime. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can shed light on the user’s activities in a given timeframe.

For us, this year has been extremely replete with all sorts of developments in desktop, mobile and cloud forensics. We are proud with our achievements and want to share with you. Let’s have a quick look at what we’ve achieved in the year 2019.

Mobile Forensics: iOS File System Imaging

We started this year by updating Elcomsoft iOS Forensic Toolkit, and by a twist of a fate it became our most developed tool in 2019. The developments went through a number of iterations. The release of unc0ver and Electra jailbreaks enabled Elcomsoft iOS Forensic Toolkit to support physical acquisition for iOS 11.4 and 11.4.1 devices, allowing it to produce file system extraction via jailbreak.

In the meanwhile, we updated Elcomsoft Phone Viewer with support for file system images produced by GrayKey, a popular forensic solution for iOS physical extraction. Analysing GrayKey output with Elcomsoft Phone Viewer became faster and more convenient.

Later in February, Elcomsoft iOS Forensic Toolkit received a major update, adding support for physical acquisition of Apple devices running iOS 12. The tool became capable of extracting the content of the file system and decrypting passwords and authentication credentials stored in the iOS keychain. For the first time, iOS Forensic Toolkit made use of a rootless jailbreak with significantly smaller footprint compared to traditional jailbreaks.

Not long ago, Elcomsoft iOS Forensic Toolkit 5.20 was updated with file system extraction support for select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Making use of the new future-proof bootrom exploit built into the checkra1n jailbreak, EIFT is able to extract the full file system image, decrypt passwords and authentication credentials stored in the iOS keychain. And finally, the sensational version 5.21 raised a storm of headlines talking about iOS Forensic Toolkit as the ‘New Apple iOS 13.3 Security Threat’. Why? We made the tool support the extraction of iOS keychain from locked and disabled devices in the BPU-mode (Before-first-unlock). The extraction is available on Apple devices built with A7 through A11 generation SoC via the checkra1n jailbreak.

Mobile Forensics: Logical Acquisition

Later on, Elcomsoft Phone Viewer was further updated to recover and display Restrictions and Screen Time passwords when analysing iOS local backups. In addition, version 4.60 became capable of decrypting and displaying conversation histories in Signal, one of the world’s most secure messaging apps. Experts became able to decrypt and analyse Signal communication histories when analysing the results of iOS file system acquisition.

Desktop Forensics and Trainings

In 2019 we’ve also updated Advanced PDF Password Recovery with a new Device Manager, and added support for NVIDIA CUDA 10 and OpenCL graphic cards to Advanced Office Password Recovery. Advanced Intuit Password Recovery added support for Quicken and QuickBooks 2018-2019 covering the changes in data formats and encryption of newest Intuit applications. In addition, the tool enabled GPU acceleration on the latest generation of NVIDIA boards via CUDA 10.

We are proud to say that the many changes we implemented in Elcomsoft Distributed Password Recovery are based on the users’ feedback we received by email and in person, during and after the training sessions. We had several trainings this year in the UK, Northern Ireland and Canada. “Fantastic. Time well spent on the training and on software that will be very useful on cases in the future”, commented Computer Forensic Examiner.

Cloud Forensics

We learned how to extract and decrypt Apple Health data from the cloud – something that Apple won’t provide to the law enforcement when serving legal requests. Health data can serve as essential evidence during investigations. The updated Elcomsoft Phone Viewer can show Apple Health data extracted with Elcomsoft Phone Breaker or available in iOS local backups and file system images.

Very soon Elcomsoft Phone Breaker 9.20 expanded the list of supported data categories, adding iOS Screen Time and Voice Memos. Screen Time passwords and some additional information can be extracted from iCloud along with other synchronized data, while Voice Memos can be extracted from local and cloud backups and iCloud synchronized data.

Skype anyone? In December, Elcomsoft Phone Viewer and Elcomsoft Phone Breaker were updated to extract and display Skype conversation histories.

Desktop Forensics: Disk Encryption

Elcomsoft System Recovery received a major update with enhanced full-disk encryption support. The update made it easy to process full-disk encryption by simply booting from a flash drive. The tool automatically detects full-disk encryption, extracting and saving information required to brute-force passwords to encrypted volumes. In addition, the tool became capable of saving the system’s hibernation file to the flash drive for subsequent extraction of decryption keys for accessing encrypted volumes.

Cloud Forensics: iOS 13 & Authentication Tokens

Elcomsoft Phone Breaker 9.15 added the ability to download iCloud backups created with iPhone and iPad devices running iOS 13 and iPadOS. In addition, the tool became able to extract fully-featured iCloud authentication tokens from macOS computers.

Following this, Elcomsoft Phone Breaker 9.30 delivered a new iCloud downloading engine and low-level access to iCloud Drive data. Thanks to the new iCloud engine, the tool became capable of downloading backups produced by devices running all versions of iOS up to iOS 13.2. While advanced iCloud Drive structure analysis allows users to enable deep, low-level analysis of iCloud Drive secure containers.

Cloud Forensics: Google

Elcomsoft Cloud Explorer 2.20 boosted the number of data types available for acquisition, allowing experts to additionally download a bunch of new types of data. This includes data sources in the Visited tree, Web pages opened on Android devices, requests to Google Assistant in Voice search, Google Lens in Search history, Google Play Books and Google Play Movies & TV.

We have recently updated Elcomsoft iOS Forensic Toolkit, adding the ability to acquire the file system from a wide range of iOS devices. The supported devices include models ranging from the iPhone 5s through the iPhone X regardless of the iOS version; more on that in iOS Device Acquisition with checkra1n Jailbreak. In today’s update (for both Windows and macOS platforms as usual), we’ve added the ability to extract select keychain records in the BFU (Before First Unlock) mode. We have a few other changes and some tips on extracting locked and disabled devices.

BFU Forensics

The BFU stands for “Before First Unlock”. BFU devices are those that have been powered off or rebooted and have never been subsequently unlocked, not even once, by entering the correct screen lock passcode.

In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.

It is the “almost” part of the “everything” that we target in this update. We’ve discovered that certain bits and pieces are available in iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode. (more…)

Skype synchronizes chats, text messages and files sent and received with the Microsoft Account backend. Accessing Skype conversation histories by performing a forensic analysis of the user’s Microsoft Account is often the fastest and easiest way to obtain valuable evidence. Learn how to use Elcomsoft Phone Breaker to quickly extract the complete conversation histories along with attachments and metadata from the user’s Microsoft Account.

What’s It All About?

With over 1.55 billion accounts and more than 420 million daily users, Skype is one of the world’s biggest instant messaging apps. While there is no lack of competition in the highly crowded market of instant messaging apps, Skype maintains its user base. This feature-rich app is available for all relevant platforms, and is actively developed and frequently updated by Microsoft. Skype is secure (enough) while maintaining transparency to the law enforcement, which makes Skype the only allowed VoIP communication app in countries such as the UAE. The free Skype-to-phone calls included with all Microsoft Office 365 subscriptions help Skype gain popularity among corporate and small office users, while integration with Alexa and Cortana voice assistants makes Skype the tool of choice for voice calls.

(more…)

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

The release of macOS Catalina brought the usual bunch of security updates. One of those new security features directly affects how you install Elcomsoft iOS Forensic Toolkit on Macs running the new OS. In this guide we’ll provide step by step instructions on installing and running iOS Forensic Toolkit on computers running macOS 10.15 Catalina. Note: on macOS Catalina, you must use iOS Forensic Toolkit 5.11 or newer (older versions may also work but not recommended).

The Issue

In macOS 10.15, Apple made running third-party apps slightly more difficult. The new security measure is designed to prevent users from accidentally running apps downloaded from the Internet by quarantining files obtained from sources that aren’t explicitly whitelisted by Apple.

As Elcomsoft iOS Forensic Toolkit is not distributed through Apple App Store, our tool falls under this restriction and will be quarantined once you install it.

(more…)

The Screen Time passcode is an optional feature of iOS 12 and 13 that can be used to secure the Content & Privacy Restrictions. Once the password is set, iOS will prompt for the Screen Time passcode if an expert attempts to reset the device backup password (iTunes backup password) in addition to the screen lock passcode. As a result, experts will require two passcodes in order to reset the backup password: the device screen lock passcode and the Screen Time passcode. Since the 4-digit Screen Time passcode is separate to the device lock passcode (the one that is used when locking and unlocking the device), it becomes an extra security layer effectively blocking logical acquisition attempts.

Since users don’t have to enter Screen Time passcodes as often as they are required to enter their screen lock passcode, it is easy to genuinely forget that password. Apple does not offer an official routine for resetting or recovering Screen Time passcodes other than resetting the device to factory settings and setting it up as a new device (as opposed to restoring it from the backup). For this reason, the official route is inacceptable during the course of device acquisition.

Unofficially, users can recover their Screen Time passcode by making a fresh local backup of the device and inspecting its content with a third-party tool. In iOS 12, the Screen Time passcode can be only recovered from password-protected backups; in iOS 13, the passcode cannot be obtained even from the local backup. If local backups are protected with a password not known to the expert, the situation becomes a deadlock: one cannot reset an unknown backup password without a Screen Time passcode, and one cannot access the Screen Time passcode without decrypting the backup.

Elcomsoft Phone Breaker 9.20 offers an effective solution to the deadlock by obtaining Screen Time passcodes from the user’s iCloud account. The tool supports all versions of iOS 12 and 13.

(more…)

When you perform Apple iCloud acquisition, it almost does not matter what platform to use, Windows or macOS (I say almost, because some differences still apply, as macOS has better/native iCloud support). Logical acquisition can be done on any platform as well. But when doing full file system acquisition of jailbroken devices using Elcomsoft iOS Forensic Toolkit, we strongly recommend using macOS. If you are strongly tied to Windows, however, there are some things you should know.

(more…)