Archive for the ‘Mobile’ category

We recently introduced a new acquisition method for iPhone and iPad devices. The fast, simple and safe extraction agent requires no jailbreak, and delivers the full file system image and the keychain. The latest release of Elcomsoft iOS Forensic Toolkit expanded this method to iOS 13 and filled the gaps in some versions of iOS 12 that were missing support (such as iOS 12.3 and 12.4.1). Finally, we now officially support the latest generation of iPhone devices including the iPhone 11, iPhone 11 and iPhone 11 Pro. The new compatibility matrix becomes significantly more diverse with this release, so bear with us to learn which iOS devices can be extracted without a jailbreak.

Compatibility

The extraction agent is supported on the following models and iOS versions:

  • iPhone 6s to iPhone X, iPad 5th and 6th gen, iPad Pro 1st and 2nd gen: iOS/iPadOS 11.0 – 13.3
  • iPhone Xr, Xs, Xs Max, iPad Mini 5, iPad Air 3rd gen, iPad Pro 3rd gen, iPod Touch 7th gen: iOS/iPadOS 12.0 – 13.3
  • iPhone 11, 11 Pro, 11 Pro Max: iOS 13.0 – 13.3

For some older models, compatibility remains unchanged. The following models are supported if running iOS 11-12.2 and iOS 12.4:

  • iPhone 5s, 6, 6 Plus
  • iPad Mini 2 and 3
  • iPad Air (1st gen)

There are two ‘iffy’ models: the iPad Mini 4 and iPad Air 2. While the agent-based extraction method will sure work on these models running iOS 11 through 12.2, we have not tested them with iOS 12.3, 12.4.1 or any version of iOS 13.

Requirements

Make sure that your device model and OS version are compatible, and register an Apple Developer account (here is why). Of course, you will need the latest version of iOS Forensic Toolkit, too. The software is really simple to use, but we still recommend to attend our trainings.

General advantages

The main advantage of this method is its wide compatibility with multiple iPhone and iPad models. In the future, we may add support for older iOS versions (to avoid all the troubles with jailbreaking, see below), and of course will do our best to add compatibility with newer versions (iOS 13.3.1 and up).

Next, the extraction agent is safe and reliable. Nothing wrong may happen; the worst is just a reboot of the device, or our method may simply not work on your device. See the Trobleshooting section below for some tips; sometimes it takes several tries (though usually it works from the first try).

Forensically sound? It depends on what you mean by that. Here is a good definition:

Digital evidence is said to be forensically sound if it was collected, analyzed, handled and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident.

(another good source: When is Digital Evidence Forensically Sound?)

For 64-bit iPhones (starting with the iPhone 5s), there is NO method of data acquisition that does not make ANY changes to the system, despite what other vendors say. Some traces are always left, like records in some system logs.

Next, the extraction speed. Instead of re-using ssh, we transfer the data directly over the USB. This method is more reliable and significantly faster; on modern iPhone models, the speed is about 2.5 GB/min.

Finally, the simplicity. No, it is still far from the proverbial “one button” solution, which simply does not exist in the area. Still, we did our best to make acquisition as simple and straightforward as possible, and we are still improving it. Just follow the software manual carefully, and make sure you read the articles published in our blog.

Last but not least. The agent extracts not only the full file system but also the complete keychain. While you can also extract the keychain from iTunes-style-backups, it won’t be complete as a lot of records cannot be decrypted. Use Elcomsoft Phone Breaker to view all the keychain records:

Advantages over jailbreaking

One can also perform full file system acquisition even for latest iPhone models with iOS 13 through jailbreaking. But there are some things you should know.

Jailbreaking is not completely safe. It may brick the device or put it into a boot loop, and it also makes multiple changes to the device file system, even with the rootless jailbreak.

Are there any disadvantages of agent-based extraction? Not a single one, at least for iOS 11.0 to 13.3. Except checkra1n (see below).

One more thing. With iOS 13, some files and folders have improved security attributes and are not accessible by tar over ssh. There is no such problem with agent-based acquisition.

We even made our method compatible with intermediate beta versions of iOS (in the 11-13.3 range) where jailbreaks do not work at all.

Advantages over checkm8 extraction

checkm8-based acquisition is pretty nice, but the devil is in the detail.

First, checkm8 is compatible with a limited number of devices and iOS versions: iPhone 5s to iPhone X, and iOS from 12.3. So forget about the iPhone Xr, Xs, 11 and 11 Pro (as well as many iPads); they are not vulnerable to this exploit. Also, despite the fact that the exploit is hardware-based, the checkra1n jailbreak (and all current checkm8-based acquisition processes) are NOT compatible with iOS 12.2 and below.

Second, the checkra1n jailbreak is not 100% reliable. There are so many compatible devices it does not work on, and the same about direct checkm8 implementation. If there is an error, you’re stuck with it; moreover, you can even ‘brick’ the device with it (it really happened to couple of our test devices). How about the speed? Amazingly low, thanks to ssh and some other things. Some extractions cannot complete in a week, we have no idea why.

The only two real advantages of checkra1n/checkm8 are: they do not require an Apple Developer account, and they allow BFU (Before First Unlock) extractions for devices with an unknown passcode. Also, checkra1n supports iOS 13.3.1 (the latest version at the time of writing this article, though 13.4 is expected very soon). You can use still checkra1n with our iOS Forensic Toolkit to get partial file system and keychain extraction of locked and even desiabled devices.

Usage & troubleshooting

Make sure you have read the iOS Forensic Toolkit manual first, as well as the following two articles:

We described all the steps at iPhone Acquisition Without a Jailbreak (iOS 11 and 12):

  • Put the device into airplane mode (this is mandatory!) and connect it to the computer with EIFT. Make sure that Wi-Fi and Bluetooth are disabled from iOS settings (and not from from the Control Centre)
  • Establish trust relationship (otherwise you will get the “ERROR: Could not connect to lockdownd, error code -2” message in the EIFT)
  • Install the extraction agent though EIFT. You will need to enter Apple ID and app-specific password of the developer’s account, followed by the TeamID; please note that signing the agent requires an internet connection on your computer (but NOT on the iOS device, which should remain offline at all times).
  • Once the agent is installed, it is recommended to disable all Internet connections on the computer you perform the acquisition on.
  • Tun the Agent on the device and leave it running in the foreground.
  • Acquire the keychain and capture the file system; during keychain acquisition, you will have to enter the passcode on the device (sometimes twice), or unlock using Touch ID or Face ID (for devices with Face ID, you will first receive the prompt whether you allow Agent to use it for keychain access)
  • Uninstall the agent.

If something goes wrong when you run the extraction agent on the device (e.g. “Can’t connect to device on specified port” message in EIFT), you may need to reboot the device; make sure to wait for at least one minute after rebooting before starting an agent.


Quick tip: if you do not want to enter Apple ID, password and Team ID when installing the Agent on every new device, you can set them up right in the EIFT script (Windows: Toolkit.cmd, lines 20-22; macOS: macosx/Toolkit.sh, lines 42-44):

AGENT_ID=john.doe@gmail.com
AGENT_PASSWORD=abcd-efgh-ijkl-mnop
AGENT_TEAMID=XXXXXXXXXX

Where AGENT_ID is the Apple ID enrolled into Apple Developer Program; AGENT_PASSWORD is app-specific password you should generate on your account, and AGENT_TEAMID is the Team ID (you can easily find it by logging in to Apple’s Developer Center, under Membership Information in Account | Membership).

What is DFU, and how is it different from the recovery mode? How do you switch the device to recovery, DFU or SOS mode, what can you do while in these modes and what do they mean in the context of digital forensics? Can you use DFU to jailbreak the device and perform the extraction if you don’t know the passcode? Read along to find out.

iOS Recovery Mode

The recovery mode is the easiest to explain. According to Apple, you can put your iOS or iPadOS device in recovery mode to restore it using your computer.

The recovery mode comes handy if one of the following situations occurs:

  • Your iOS or iPadOS device is locked after multiple unsuccessful unlock attempts and displays the infamous “Connect to iTunes” message. In many cases, connecting the device to iTunes will be unsuccessful because the data connection of the device is blocked with USB restricted mode. If this is the case, you must switch the device to recovery mode and connect to iTunes to restore.
  • You forgot the screen lock passcode and want to reset the device to factory settings. Activation lock: following the reset, you’ll have to provide the Apple ID/iCloud password of the device’s Apple ID account.
  • The device cannot fully boot; the display is stuck on the Apple logo for several minutes with no progress bar. I have personally seen this multiple times after unsuccessful iOS updates (the latest case being the almost-full iPhone 7 updated from iOS 9 straight to the latest iOS 13.3).
  • Your computer doesn’t recognize your device or says it’s in recovery mode, or you see the recovery mode screen.

How to switch the device into recovery mode

The recovery mode is well-documented in “If you can’t update or restore your iPhone, iPad, or iPod touch” (link). Connect the device to a computer with iTunes installed. Perform a force restart of the device by following instructions laid out in “If your screen is black or frozen” (link):

If your screen is black or frozen

If your screen is black or frozen, you might need to force-restart your device. A force-restart won’t erase the content on your device. You can force-restart your device even if the screen is black or the buttons aren’t responding. Follow these steps:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Power button until the device restarts.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Side button until you see the Apple logo.
  • iPhone 7, iPhone 7 Plus and iPod touch (7th generation): Press and hold both the Top (or Side) button and the Volume Down buttons until you see the Apple logo.
  • iPad with Home button, iPhone 6s or earlier and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons until you see the Apple logo.

After following the force-restart instructions, do not release the buttons when you see the Apple logo, wait until the recovery mode screen appears:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Press and hold the Top button until your device begins to restart. Continue holding the Top button until your device goes into recovery mode.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then, press and hold the Side button until you see the recovery mode screen.
  • iPhone 7, iPhone 7 Plus, and iPod touch (7th generation): Press and hold the Top (or Side) and Volume Down buttons at the same time. Keep holding them until you see the recovery mode screen.
  • iPad with Home button, iPhone 6s or earlier, and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons at the same time. Keep holding them until you see the recovery mode screen.

(source)

How to use the recovery mode

We know of several viable usage scenarios for the recovery mode.

  1. Reinstall iOS (if the iOS device is running the latest version), perform an in-place update or switch from a beta version of iOS to the current release version using the iTunes app. In this scenario, the data is preserved.
  2. Restore the device. This is what you want if you forgot the passcode. The passcode will be removed and USB restrictions disabled, but the data will be already erased by that time. Mind the activation lock.
  3. Perform a (limited) forensic extraction through recovery mode. You’ll need a reasonably up to date version of iOS Forensic Toolkit (EIFT 4.10 or newer).

Information available in recovery mode

When performing a forensic extraction of a device running in the recovery mode, note that only a very limited set of data will be available. The following information is available:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery

The Recovery mode may return the following information:

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
  • Serial number: XXXXXXXXXXX (or N/A)
  • IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
  • Mode: Recovery

How to exit recovery mode

The procedure for leaving the recovery mode is different for different devices. In general, you’ll use the following steps:

  • Unplug the USB cable.
  • Hold down the sleep/wake button or side button depending on device model until the device turns off.
  • Either keep holding the button combination or release and hold it down again until the Apple logo appears.
  • Let go of the buttons and let the device start up.

This is the Apple-recommended procedure for exiting the recovery mode:

  • iPhone 6s and earlier, Touch ID equipped iPads: hold the Home button and the Lock button until the device reboots.
  • iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.
  • iPhone 8 and newer: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of iOS recovery mode

The recovery mode has a positive yet limited value for mobile forensic specialists.

  • Enables obtaining device information without a passcode.
  • Allows bypassing the USB restricted mode (albeit accessing limited amounts of information).
  • For newer iOS devices (A12 and newer), returns more information compared to the DFU mode.

Interestingly, when users install the checkra1n jailbreak from the device GUI, the jailbreak first switches the device into recovery (unlike DFU, the recovery mode is available through the API). Only after the device is switched to recovery, the jailbreak prompts for a switch to DFU and displays step-by-step instructions and timings. Alternatively, the jailbreak can be installed from the command line, which will bypass the intermediary recovery mode.

iOS DFU Mode

The undocumented DFU stands for “Device Firmware Upgrade”. Unlike the recovery mode, which is designed with an ordinary user in mind, the DFU mode was never intended for the public. There is no documentation about DFU anywhere in Apple Knowledge Base. Entering the DFU more involves a complicated sequence of pressing, holding and releasing buttons with precise timings. Wrong timings during any of the multiple steps would reboot the device instead of switching it to DFU. Finally, there is no on-screen indication of DFU mode. If the device is successfully switched to DFU, the display remains black. Entering DFU mode can be difficult even for experts.

DFU is part of the bootrom, which is burned into the hardware. On A7 through A11 devices, a vulnerability has been discovered allowing to bypass SecureROM protection and jailbreak the device via DFU mode. More in our blog: BFU Extraction: Forensic Analysis of Locked and Disabled iPhones.

Steps for entering DFU mode differ between devices. Some devices have several different methods to invoke DFU, making it even more confusing. The differences in procedures may be severe between device generations. Since no official instructions are available, we have to rely on third-party sources for information.

Note: the device screen will be completely black while in DFU mode. The iPhone Wiki explains steps required to enter the DFU mode in a dedicated article. According to the article, this is how you enter DFU mode on the different device models. If you are more of a visual learner, check out this link with video tutorials instead: How To Put An iPhone In DFU Mode, The Apple Way

Apple TV

  1. Plug the device into your computer using a USB cable.
  2. Force the device to reboot by holding down the “Menu” and “Down” buttons simultaneously for 6-7 seconds.
  3. Press “Menu” and “Play” simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in Recovery Mode.

A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Home button and Lock button.
  3. After 8 seconds, release the Lock button while continuing to hold down the Home button.
    • If the Apple logo appears, the Lock button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Alternative method 1:

  1. Hold the Lock Button for 3 seconds
  2. Continue holding the Lock button and also hold the Home button (15 seconds)
  3. Release the Lock button while continuing to hold the Home button (10 seconds)
  4. Your device should enter DFU mode

Alternative method 2:

  1. Connect the device to your computer and launch iTunes. Turn the device off.
  2. Hold down the Lock button and Home button together for exactly 10 seconds, then release the Lock button.
  3. Continue holding the Home button until iTunes on your computer displays a message that a device in recovery mode has been detected. The device screen will remain completely black.

A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Side button and Volume Down button.
  3. After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A11 and newer devices (iPhone 8 and above, including the iPhone Xr, Xs and Xs Max; iPad Pro 2018, iPad Air 2019, iPad Mini 2019)

  1. Connect the device to a computer using a USB cable.
  2. Quick-press the Volume Up button
  3. Quick-press the Volume Down button
  4. Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  5. After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  6. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Sources: iphonewiki and other third-party sources

Information available in DFU mode

The DFU mode returns even less information compared to the recovery mode.

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: N/A
IMEI: N/A
MODE: DFU

To obtain this information, use iOS Forensic Toolkit 4.10 or newer.

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID/Unique Chip ID: XXXXXXXXXXXXXXXX
  • Serial number: not available in DFU mode
  • IMEI: not available in DFU mode
  • Mode: DFU
  • Exiting DFU Mode

How to exit DFU mode

The process of exiting DFU mode is also different across devices.

For devices with a physical Home button (up to and including iPhone 6s and iPhone SE): hold the Home button and the Lock button until the device reboots.

For iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.

For iPhone 8 and iPhone 8 Plus, iPhone X: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of DFU mode

The DFU mode may have a huge value for mobile forensic specialists depending on the device model. iPhone, iPod Touch and iPad devices based on A5 through A11 generations of Apple processors (iPhone generations from iPhone 4s through iPhone 8, 8 Plus and iPhone X, as well as the corresponding iPad models) have a non-patchable, hardware-based bootrom vulnerability. This vulnerability allows installing a jailbreak on affected devices regardless of the version of iOS that is installed. This also makes it possible to extract a limited but still significant amounts of data through DFU mode without knowing or breaking the passcode.

  • All devices: enables obtaining device information without a passcode
  • All devices: allows bypassing the USB restricted mode (albeit accessing limited amounts of information)
  • Vulnerable iOS devices (A5 through A11 generations): returns significantly more information compared to the recovery mode
  • Criminals exploit the vulnerability to remove Activation Lock from vulnerable devices (A5 through A11 generations) running older versions of iOS. Reportedly, this vulnerability has been fixed by Apple in iOS 13.3; however, considering the nature of the exploit, this functionality may reappear.

The following information is extractable from vulnerable iOS devices:

  • Limited file system extraction: the list of installed applications, some Wallet data, the list of Wi-Fi connections, some media files, notifications (these may contain some chat messages and other useful data), and many location points.
  • Keychain records with kSecAttrAccessibleAlways and kSecAttributeAccessibleAlwaysThisDeviceOnly
  • Oxygen Forensic Detective additionally processes files such as /private/var/wireless/Library/Databases/DataUsage.sqlite (apps’ network activities), /private/var/preferences/ (network interfaces) or /private/var/mobile/Library/Voicemail/ (voicemail messages) to display even more information.

More information in BFU Extraction: Forensic Analysis of Locked and Disabled iPhones and iOS Device Acquisition with checkra1n Jailbreak.

Differences between DFU and recovery modes

While both DFU and recovery are designed to fulfil essentially the same goal of recovering a non-bootable device by flashing known working firmware, they are very different in the way they work.

The recovery mode boots into the bootloader (iBoot), and works by issuing commands through the bootloader. The bootloader is part of the operating system, and can be flashed, updated or patched if there are any vulnerabilities discovered. The recovery mode will only accept signed firmware images, so going back to firmware that is no longer signed by Apple is not possible. While the device is in recovery mode, the user gets a clear visible indication on the device:

DFU or Device Firmware Upgrade, on the other hand, allows restoring devices from any state, including devices with corrupted bootloader. DFU does not operate through a software-upgradeable bootloader. Instead, DFU is burned into the hardware as part SecureROM. DFU cannot be updated, patched or disabled. As a result, the bootrom vulnerability and the corresponding checkm8 exploit cannot be patched by Apple, allowing experts extract certain data from affected devices while bypassing passcode protection and USB restrictions.

DFU will also accept only signed firmware packages. As long as a package is still signed by Apple, the user can upgrade and downgrade firmware at will since there is no downgrade protection in DFU. There is no indication on the device that the device is in DFU mode. During DFU interfacing, the device screen remains black.

The recovery mode was designed for end users and Apple facilities, while the DFU mode was never meant for the end user at all. Entering the recovery mode is easy; any reasonably experienced user can follow the instructions. Entering the DFU mode is not only significantly trickier, but requires precise timings. Hold a button one second too long, and the device simply reboots instead of entering DFU.

The S.O.S. mode

The third and final special mode we’re about to discuss today is the S.O.S. mode. The S.O.S. mode can be manually invoked by the user while the device is running. Apple has a comprehensive description of S.O.S. mode in Use Emergency SOS on your iPhone.

Activating S.O.S. mode

On newer devices without the Home button (as well as the iPhone 8 and 8 Plus), the S.O.S. mode is activated in exactly the same way as the power-off sequence. Users press and hold one of the volume buttons and the side button. The power off/emergency screen appears.

On older devices, the S.O.S. mode is activated by rapidly pressing the side (or top) button five times. The Emergency SOS slider will appear. Users in India only need to press the button three times, after which the iPhone automatically makes an emergency call.

“If you use the Emergency SOS shortcut, you need to enter your passcode to re-enable Touch ID, even if you don’t complete a call to emergency services.” (Source: Use Emergency SOS on your iPhone)

How to exit S.O.S. mode

To exit the S.O.S. mode, users tap on the “Cancel” icon. The device will prompt for the passcode (biometric identification methods are disabled). Alternatively, one can slide the Power off slider to the right to switch off the device.

Forensic implications of S.O.S. mode

Once invoked, the S.O.S. mode has the following forensic implications.

  • All biometric authentication methods (Touch ID and Face ID) are disabled. The device must be unlocked with a passcode.
  • Data transmission on USB port is switched off (USB restricted mode is immediately activated). This makes traditional acquisition efforts fruitless, potentially affecting passcode recovery solutions offered by companies such as Cellebrite and GrayShift.

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate to the main screen lock passcode you are using to unlock your device. If you configure Screen Time restrictions to your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On a flip side, there is no official way to recover the Screen Time password if you ever forget it other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need it.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer. (more…)

We all know how much important data is stored in modern smartphones, making them an excellent source of evidence. However, data preservation and acquisition are not as easy as they sound. There is no silver bullet or “fire and forget” solutions to solve cases or extract evidence on your behalf. In this article, which is loosely based on our three-day training program, we will describe the proper steps in the proper order to retain and extract as much data from the iPhone as theoretically possible.

(more…)

The new generation of jailbreaks has arrived for iPhones and iPads running iOS 12. Rootless jailbreaks offer experts the same low-level access to the file system as classic jailbreaks – but without their drawbacks. We’ve been closely watching the development of rootless jailbreaks, and developed full physical acquisition support (including keychain decryption) for Apple devices running iOS 12.0 through 12.1.2. Learn how to install a rootless jailbreak and how to perform physical extraction with Elcomsoft iOS Forensic Toolkit.

Jailbreaking and File System Extraction

We’ve published numerous articles on iOS jailbreaks and their connection to physical acquisition. Elcomsoft iOS Forensic Toolkit relies on public jailbreaks to gain access to the device’s file system, circumvent iOS security measures and access device secrets allowing us to decrypt the entire content of the keychain including keychain items protected with the highest protection class.

(more…)

The two recent jailbreaks, unc0ver and Electra, have finally enabled file system extraction for Apple devices running iOS 11.4 and 11.4.1. At this time, all versions of iOS 11 can be jailbroken regardless of hardware. Let’s talk about forensic consequences of today’s release: keychain and file system extraction.

(more…)

The release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defer passcode cracking tools such as those developed by Cellerbrite and Grayshift. As a reminder, iOS 11.4.1 automatically switches off data connectivity of the Lightning port after one hour since the device was last unlocked, or one hour since the device has been disconnected from a USB accessory or computer. In addition, users could manually disable the USB port by following the S.O.S. mode routine.

iOS 12 takes USB restrictions one step further. According to the new iOS Security guide published by Apple after the release of iOS 12, USB connections are disabled immediately after the device locks if more than three days have passed since the last USB connection, or if the device is in a state when it requires a passcode.

“In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device will disallow new USB connections immediately after it locks. This is to increase protection for users that don’t often make use of such connections. USB connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.”

Source: Apple iOS Security, September 2018 (more…)

With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.

Apple Pay serves as a digital wallet, digitizing user’s payment cards and completely replacing traditional swipe-and-sign and chip-and-PIN transactions at compatible terminals. However, unlike traditional wallets, Apple Pay also keeps detailed information about the user’s point of sale transactions. Due to the sheer amount of highly sensitive information processed by the system, Apple Pay is among the most securely protected vaults in compatible devices. In this article we’ll show you where and how this information is stored in the file system, how to extract it from the iPhone and how to analyse the data. (more…)

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.

We tested the Electra jailbreak and can confirm that iOS Forensic Toolkit 4.0 is fully compatible. File system imaging and keychain extraction work; no OpenSSH installation required as Electra includes an SSH client listening on port 22.

Why Jailbreak?

For the general consumer, jailbreak is one open security vulnerability calling for trouble. Apple warns users against jailbreaking their devices, and there is much truth in their words.

Forensic experts use jailbreaks for much different reasons compared to enthusiast users. A wide-open security vulnerability is exactly what they want to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking extract the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits.

In addition to sandboxed app data (which includes conversation histories and downloaded mail), experts can also extract and decrypt the keychain, a system-wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class ThisDeviceOnly (this is how).

The New Electra Jailbreak

Jailbreaking iOS versions past 11.1.2 (for which a Google-discovered vulnerability was published along with a proof-of-concept tool) was particularly challenging but not impossible. At this time, a team of jailbreakers discovered not one but two different vulnerabilities, releasing two versions of Electra jailbreak. Why the two versions?

(more…)

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.

This time around we’ll be playing devil’s advocate. We’ll tell you how to defend your data and your Apple account if they have your iPhone and know your passcode.

iOS Devices Are Secure

We praised the iOS security model on multiple occasions. Speaking of the current pack of iOS versions (including iOS 11.4 release, 11.4.1 public beta and 12.0 first developer beta), we have full-disk encryption with decryption keys derived from the user’s passcode and protected by Secure Enclave. Thanks to the iOS keychain, we enjoy the additional layer of protection for our passwords and other sensitive information. If you protected your iPhone with a 6-digit passcode (which you really should, and which is the default since at least iOS 10), most of your information is securely encrypted until you first unlock your iPhone after it completes the boot sequence. Even if they take the memory chip off, they won’t get anything meaningful due to the encryption. (more…)