The cloud becomes an ever more important (sometimes exclusive) source of the evidence whether you perform desktop or cloud forensics. Even if you are not in forensics, cloud access may help you access deleted or otherwise inaccessible data.
iOS 13 is on the way. While the new mobile OS is still in beta, so far we have not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and their meaning for the mobile forensics.
We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with counter measures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).
Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.
Who am I to tell you to use two-factor authentication on all accounts that support it? This recommendation coming from someone whose business is supplying law enforcement with tools helping them do their job might be taken with a grain of salt by an average consumer. Yet we still strongly believe that, however good a password you have to encrypt your local documents or NAS drives, any remotely popular online service absolutely requires an additional authentication factor.
Two-factor authentication is essential to secure one’s access to online accounts. We studied multiple implementations of two-factor authentication including those offered by Apple, Google and Microsoft. While Google’s implementation offers the largest number of options, we feel that Apple has the most balanced implementation. The closed ecosystem and the resulting deep integration with the core OS makes it easy for Apple to control exactly how it works and on which devices.
Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.
With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.
iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.
Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.