Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.

Since iOS 5, Apple allows users to back up their phones and tablets automatically into their iCloud account. Initially, iCloud backups were similar in content to local (iTunes) backups without the password. However, the introduction of iCloud sync has changed the rules of the game. With more types of data synchronized through iCloud as opposed to being backed up, the content of iCloud backups gets slimmed down as synchronized information is excluded from cloud backups (but still present in local backups).

Multi-factor authentication is the new reality. A password alone is no longer considered sufficient. Phishing attacks, frequent leaks of password databases and the ubiquitous issue of reusing passwords make password protection unsafe. Adding “something that you have” to “something that you know” improves the security considerably, having the potential of cutting a chain attack early even in worst case scenarios. However, not all types of two-factor authentication are equally secure. Let’s talk about the most commonly used type of two-factor authentication: the one based on text messages (SMS) delivered to a trusted phone number.

iPhone users have access to literally hundreds of instant messaging apps. These apps range all the way from the built-in iMessage app to the highly secure Signal messengers, with all stops in between. Many of the messaging apps are marketed as ‘secure’ or ‘protected’ messengers, touting end-to-end encryption and zero retention policies. We routinely verify such claims by analyzing the security of various instant messaging apps. It turned out that the degree of protection can vary greatly, having little to do with the developers’ claims. Today we’ll check out Confide, a tool advertising unprecedented level of security.

Extracting the fullest amount of information from the iPhone, which includes a file system image and decrypted keychain records, often requires installing a jailbreak. Even though forensically sound acquisition methods that work without jailbreaking do exist, they may not be available depending on the tools you use. A particular combination of iOS hardware and software may also render those tools ineffective, requiring a fallback to jailbreak. Today, the two most popular and most reliable jailbreaks are checkra1n and unc0ver. How do they fare against each other, and when would you want to use each?

The unc0ver v5 jailbreak has been available for a while now. It supports the newest versions of iOS up to and including iOS 13.5, and this is fantastic news for DFIR community, as it allows extracting the full file system and the keychain when acquiring the newest latest iPhone models such as the iPhone 11 and 11 Pro, and SE 2020. In this article, I’ll talk about the unc0ver jailbreak, the installation and usage for the purpose of file system extraction, and discuss the differences between jailbreak-based and jailbreak-free extraction.

Elcomsoft iOS Forensic Toolkit 6.0 is out, adding direct, forensically sound extraction for Apple devices running some of the latest versions of iOS including iOS 13.3.1, 13.4 and 13.4.1. Supported devices include the entire iPhone 6s, 7, 8, X, Xr/Xs, 11, and 11 Pro (including Plus and Max versions) range, the iPhone SE, and corresponding iPad models. Let’s review the changes and talk about the new acquisition method in general.

Users of iOS Forensic Toolkit who are using jailbreak-based acquisition sometimes have issues connecting to the device. More often than not, the issues are related to SSH. The SSH server may be missing or not installed with a jailbreak (which is particularly common for iOS 9 and 10 devices). A less common issue is a non-default root password. Learn how to identify these issues and how to deal with them.

“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us.” Guess who said that? The answer is at the end of the article. In the meantime, we keep talking of iPhone and iOS security, following up the Apple vs. Law Enforcement – iOS 4 through 13.5 article. This time we are about to discuss some other aspects of iOS security.

Today’s smartphones are a forensic goldmine. Your smartphone learns and knows about your daily life more than everything and everyone else. It tracks your location and counts your footsteps, AI’s your pictures and takes care of your payments. With that much data concentrated in a single device, it is reasonable to expect the highest level of protection. In this article, we’ll review the timeline of Apple’s measures to protect their users’ data and the countermeasures used by the law enforcement. This time no cloud, just pure device forensics.