Posts Tagged ‘EIFT’

Location data is one of the most sensitive pieces of personal information. In today’s world, aggregated location data is as sensitive and as valuable as the user’s passwords. Once this data is transmitted to the OS manufacturer’s cloud service or any of the third-party vendors, the user has the right to know exactly what information is collected; who, when, and how has access to it. In today’s article, we will talk about one of the iOS lesser known features called “Significant locations”.

How can you obtain the highest amount of data from an iPhone, iPad, Apple TV or Apple Watch? This is not as simple as it may seem. Multiple overlapping extraction methods exist, and some of them are limited to specific versions of the OS. Let’s go through them and summarize their availability and benefits.

Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 in the wild, forensic labs still process devices running the older version of the OS. In this update, we’ve brought support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for the Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.

Is jailbreaking an Apple TV worth it? If you are working in the forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.

iPhone users have access to literally hundreds of instant messaging apps. These apps range all the way from the built-in iMessage app to the highly secure Signal messengers, with all stops in between. Many of the messaging apps are marketed as ‘secure’ or ‘protected’ messengers, touting end-to-end encryption and zero retention policies. We routinely verify such claims by analyzing the security of various instant messaging apps. It turned out that the degree of protection can vary greatly, having little to do with the developers’ claims. Today we’ll check out Confide, a tool advertising unprecedented level of security.

Extracting the fullest amount of information from the iPhone, which includes a file system image and decrypted keychain records, often requires installing a jailbreak. Even though forensically sound acquisition methods that work without jailbreaking do exist, they may not be available depending on the tools you use. A particular combination of iOS hardware and software may also render those tools ineffective, requiring a fallback to jailbreak. Today, the two most popular and most reliable jailbreaks are checkra1n and unc0ver. How do they fare against each other, and when would you want to use each?

The unc0ver v5 jailbreak has been available for a while now. It supports the newest versions of iOS up to and including iOS 13.5, and this is fantastic news for DFIR community, as it allows extracting the full file system and the keychain when acquiring the newest latest iPhone models such as the iPhone 11 and 11 Pro, and SE 2020. In this article, I’ll talk about the unc0ver jailbreak, the installation and usage for the purpose of file system extraction, and discuss the differences between jailbreak-based and jailbreak-free extraction.

Elcomsoft iOS Forensic Toolkit 6.0 is out, adding direct, forensically sound extraction for Apple devices running some of the latest versions of iOS including iOS 13.3.1, 13.4 and 13.4.1. Supported devices include the entire iPhone 6s, 7, 8, X, Xr/Xs, 11, and 11 Pro (including Plus and Max versions) range, the iPhone SE, and corresponding iPad models. Let’s review the changes and talk about the new acquisition method in general.

The USB restricted mode was introduced in iOS 11.4.1, improved in iOS 12 and further strengthened in iOS 13. The USB restrictions are a real headache for iPhone investigators. We’ve discovered a simple yet effective trick to fool it in some cases, but currently it securely protects the iPhones from passcode cracking and BFU (Before First Unlock) extractions. However, there is a trick allowing you to obtain some information from devices with disabled USB interface. Learn how to use this trick with the recently updated iOS Forensic Toolkit.

The new build of iOS Forensic Toolkit is out. This time around, most of the changes are “internal” and do not add much functionality, but there is a lot going on behind the scenes. In this article, we will describe in details what is new and important, and how it’s going to affect you. We’ll share some tips on how to use the software in the most effective way, making sure that you extract all the data from iOS devices in the most forensically sound possible.