ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Posts Tagged ‘EIFT’

iOS Forensic Toolkit 4.0 with Physical Keychain Extraction

Wednesday, June 20th, 2018

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

(more…)

The iOS File System: TAR and Aggregated Locations Analysis

Thursday, June 7th, 2018

Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forensic Toolkit or GrayKey and help you analyse evidence in that file. In addition, we added an aggregated view for location data extracted from multiple sources – such as the system logs or geotags found in media files.

What Are These TAR Files Anyway?

While TAR is just an uncompressed file archive used in UNIX-based operating systems, this speaks little of its importance for the mobile forensic specialist.

Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system extraction because of full-disk encryption. Even with a jailbreak, you must run the tarball command on the device itself in order to bypass the encryption. Since the file system image is captured and packed by iOS, you’ll get exactly the same TAR file regardless of the tool performing physical acquisition. Whether you use iOS Forensic Toolkit or GrayKey, you’ll receive exactly the same TAR archive containing an image of the device’s file system. (more…)

Demystifying Advanced Logical Acquisition

Tuesday, April 3rd, 2018

We were attending the DFRWS EU forum in beautiful Florence, and held a workshop on iOS forensics. During the workshop, an attendee tweeted a photo of the first slide of our workshop, and the first response was from… one of our competitors. He said “Looking forward to the “Accessing a locked device” slide”. You can follow our conversation on Twitter, it is worth reading.

No, we cannot break the iPhone passcode. Still, sometimes we can get the data out of a locked device. The most important point is: we never keep our methods secret. We always provide full disclosure about what we do, how our software works, what the limitations are, and what exactly you can expect if you use this and that tool. Speaking of Apple iCloud, we even reveal technical information about Apple’s network and authentication protocols, data storage formats and encryption. If we cannot do something, we steer our customers to other companies (including competitors) who could help. Such companies include Oxygen Forensics (the provider of one of the best mobile forensic products) and Passware (the developer of excellent password cracking tools and our direct competitor).

Let’s start with “Logical acquisition”. We posted about it more than once, but it never hurts to go over it again. By “Logical acquisition”, vendors usually mean nothing more than making an iTunes-style backup of the phone, full stop.

Then, there is that “advanced logical” advertised by some forensic companies. There’s that “method 2” acquisition technique and things with similarly cryptic names. What is that all about?

I am not the one to tell you how other software works (not because I don’t know, but because I don’t feel it would be ethical), but I’ll share information on how we do it with our software: the methods we use, the limitations, and the expected outcome.

(more…)

Breaking into iOS 11

Tuesday, February 20th, 2018

In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.

In order to extract all of that from an i-device, you’ll need the extraction tool (iOS Forensic Toolkit) and a working jailbreak. With Apple constantly tightening security of its mobile ecosystem, jailbreaking becomes increasingly more difficult. Without a bug hunter at Google’s Project Zero, who released the “tfp0” proof-of-concept iOS exploit, making a working iOS 11 jailbreak would take the community much longer, or would not be possible.

The vulnerability exploited in tfp0 was present in all versions of iOS 10 on all 32-bit and 64-bit devices. It was also present in early versions of iOS 11. The last vulnerable version was iOS 11.2.1. Based on the tfp0 exploit, various teams have released their own versions of jailbreaks.

(more…)

Get iOS Shared Files without a Jailbreak

Tuesday, February 20th, 2018

iOS is a locked down mobile operating system that does not allow its apps to directly access files in the file system. Unlike every other major mobile OS, iOS does not have a “shared” area in the file system to allow apps keep and share files with other apps. Yet, individual iOS apps are allowed to let the user access their files by using the file sharing mechanism.

While uploading or downloading shared files from an Android or Windows 10 smartphone occurs over a standard MTP connection established over a standard USB cable, you’ll need several hundred megabytes worth of proprietary Apple software (and a proprietary Lightning cable) to transfer files between iOS apps and the computer. But do you really?

While there’s nothing we can do about a Lightning cable, we can at least get rid of iTunes middleware for extracting files exposed by iOS apps. We’ll show you how this works with iOS Forensic Toolkit 3.0.

(more…)

The iPhone is Locked-Down: Dealing with Cold Boot Situations

Thursday, November 9th, 2017

Even today, seizing and storing portable electronic devices is still troublesome. The possibility of remote wipe routinely makes police officers shut down smartphones being seized in an attempt to preserve evidence. While this strategy used to work just a few short years ago, this strategy is counter-productive today with full-disk encryption. In all versions of iOS since iOS 8, this encryption is based on the user’s passcode. Once the iPhone is powered off, the encryption key is lost, and the only way to decrypt the phone’s content is unlocking the device with the user’s original passcode. Or is it?

The Locked iPhone

The use of Faraday bags is still sporadic, and the risk of losing evidence through a remote wipe command is well-known. Even today, many smartphones are delivered to the lab in a powered-off state. Investigating an iPhone after it has been powered off is the most difficult and, unfortunately, the most common situation for a forensic professional. Once the iOS device is powered on after being shut down, or if it simply reboots, the data partition remains encrypted until the moment the user unlocks the device with their passcode. Since encryption keys are based on the passcode, most information remains encrypted until first unlock. Most of it, but not all. (more…)

What can be extracted from locked iPhones with new iOS Forensic Toolkit

Thursday, November 9th, 2017

Tired of reading on lockdown/pairing records? Sorry, we can’t stop. Pairing records are the key to access the content of a locked iPhone. We have recently made a number of findings allowing us to extract even more information from locked devices through the use of lockdown records. It’s not a breakthrough discovery and will never make front page news, but having more possibilities is always great.

Physical acquisition rules if it can be done. Physical works like a charm for ancient devices (up to and including the iPhone 4). For old models such as the iPhone 4s, 5 and 5c, full physical acquisition can still be performed, but  only if the device is already unlocked and a jailbreak can be installed. All reasonably recent models (starting with the iPhone 5s and all the way up to the iPhone 7 – but no 8, 8 Plus or the X) can be acquired as well, but for those devices all you’re getting is a copy of the file system with no partition imaging and no keychain. At this time, no company in the world can perform the full physical acquisition (which would include decrypting the disk image and the keychain) for iPhone 5s and newer.

The only way to unlock the iPhone (5s and newer) is hardware-driven. For iOS 7 and earlier, as well as for some early 8.x releases, the process was relatively easy. With iOS 9 through 11, however, it is a headache. There is still a possibility to enter the device into the special mode when the number of passcode attempts is not limited and one can brute-force the passcode, albeit at a very low rate of up to several minutes per passcode.

The worst about this method is its very low reliability. You can use a cheap Chinese device for trying passcodes at your own risk, or pay a lot of money to somebody else who will do about the same for you. Those guys do have more experience, and the risk is lower, but there still is no warranty of any kind, and you won’t get your money back if they fail.

There are other possibilities as well. We strongly recommend you to try the alternative method described below before taking the risk of “bricking” the device or paying big money for nothing.

(more…)

Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords

Thursday, September 28th, 2017

In this how-to guide, we’ll cover the steps required to access the list of saved wireless networks along with their passwords.

Step 1: Make a password-protected backup

In order to extract the list of Wi-Fi networks from an iOS device, you must first create a password-protected local backup of the iOS device (iPhone, iPad or iPod Touch). While we recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu), Apple iTunes can be also used to make the backup. Make sure to configure a backup password if one is not enabled; otherwise you will be unable to access Wi-Fi passwords. (more…)

Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11

Thursday, September 14th, 2017

With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.

Out previous article touches the issue of iOS 11 forensic implications. In this article we’ll cover what you can and what you cannot do with an iOS 11 device as a forensic expert. We’ll talk about which acquisition methods still works and which don’t, what you can and cannot extract compared to iOS 10, and what you need to know in order to make the job don’t.

(more…)

New Security Measures in iOS 11 and Their Forensic Implications

Thursday, September 7th, 2017

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

Establishing Trust with a PC Now Requires a Passcode

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

(more…)