Posts Tagged ‘Elcomsoft iOS Forensic Toolkit’

The release of macOS Catalina brought the usual bunch of security updates. One of those new security features directly affects how you install Elcomsoft iOS Forensic Toolkit on Macs running the new OS. In this guide we’ll provide step by step instructions on installing and running iOS Forensic Toolkit on computers running macOS 10.15 Catalina. Note: on macOS Catalina, you must use iOS Forensic Toolkit 5.11 or newer (older versions may also work but not recommended).

The Issue

In macOS 10.15, Apple made running third-party apps slightly more difficult. The new security measure is designed to prevent users from accidentally running apps downloaded from the Internet by quarantining files obtained from sources that aren’t explicitly whitelisted by Apple.

As Elcomsoft iOS Forensic Toolkit is not distributed through Apple App Store, our tool falls under this restriction and will be quarantined once you install it.

(more…)

When you perform Apple iCloud acquisition, it almost does not matter what platform to use, Windows or macOS (I say almost, because some differences still apply, as macOS has better/native iCloud support). Logical acquisition can be done on any platform as well. But when doing full file system acquisition of jailbroken devices using Elcomsoft iOS Forensic Toolkit, we strongly recommend using macOS. If you are strongly tied to Windows, however, there are some things you should know.

(more…)

The iOS 12.4 jailbreak is out, and so is Elcomsoft iOS Forensic Toolkit. Using the two together, one can image the file system and decrypt the keychain of iPhone and iPad devices running most versions of iOS (except iOS 12.3 and and the latest 12.4.1, but 12.4 is still signed right now).

There is more to this jailbreak situation than meets the eye. There is not one but two different jailbreaks: unc0ver and Chimera. Both jailbreak tools come in several versions; the differences between their versions are severe. There is also a tool that can access the file system (but not the keychain) on some iOS devices without a jailbreak. Finally, we’ve been able to jailbreak the Apple TV running affected versions of tvOS.

In this article I’ll explain the differences between the two jailbreaks and their versions, provide information about the tool one can use to access the file system without jailbreaking, and provide instructions on how to safely jailbreak in offline mode.

(more…)

This post continues the series of articles about Apple companion devices. If you haven’t seen them, you may want to read Apple TV and Apple Watch Forensics 01: Acquisition first. If you are into Apple Watch forensics, have a look at Apple Watch Forensics 02: Analysis as well. Today we’ll have a look at what’s inside of the Apple TV.

A recent market analysis shows that Apple has sold more than 13 million Apple TV devices worldwide since 2016. Since 2007, Apple manufactured 6 different Apple TV models. Like any other Apple device, the model can be easily identified by checking the label on the bottom of the device.

 

The first-generation Apple TV (model A1218) contains a regular hard drive that can be extracted and imaged with a traditional approach. The operating system is a modified version of Mac OS X 10.4 (Tiger). A detailed explanation on how to approach this kind of devices was introduced at DEFCON 2009 by Kevin Estis and Randy Robbins (the presentation is available here while the video is available here).

The Apple TV from second (model A1378) to fourth (A1625) generations have an internal NAND storage varying from 8 GB (A1378 – A1427 – A1469) to 32 or 64 GB (A1625). These models also feature a USB port connection (micro USB or USB-C). The availability of a USB port allows connecting the device to a PC/Mac. Forensic experts can use the port for data extraction. Apple removed USB connectivity in the latest, fifth generation Apple TV (Apple TV 4K, model A1842), making it more difficult to connect and extract data.

(more…)

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate to the main screen lock passcode you are using to unlock your device. If you configure Screen Time restrictions to your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On a flip side, there is no official way to recover the Screen Time password if you ever forget it other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need it.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer. (more…)

By this time, seemingly everyone has published an article or two about Apple re-introducing the vulnerability that was patched in the previous version of iOS. The vulnerability was made into a known exploit, which in turn was used to jailbreak iOS 12.2 (and most previous versions). We’ll look at it from the point of view of a forensic expert.

(more…)

The cloud becomes an ever more important (sometimes exclusive) source of the evidence whether you perform desktop or cloud forensics. Even if you are not in forensics, cloud access may help you access deleted or otherwise inaccessible data.

Similar to smartphones or password-protected desktops, cloud access is a privilege that is supposed to be only available to the rightful account owner. You would need a login and password and possibly the second factor. These aren’t always available to forensic experts. In fact, it won’t be easy to access everything stored in the cloud if you have all the right credentials.

Apple iCloud is one of the most advanced cloud solutions on the market, with lots of services available. These include comprehensive device backups, synchronization services across the entire Apple ecosystem including the Apple TV and Apple Watch devices, file storage, password management, home IoT devices, Health data and more. And it is pretty secure.

Let’s review all the possibilities of accessing Apple iCloud data with or without a password.

(more…)

iOS 13 is on the way. While the new mobile OS is still in beta, so far we have not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and their meaning for the mobile forensics.

iCloud backups

We’ve seen several changes to iCloud backups that break third-party tools not designed with iOS 13 in mind. Rest assured we’ve updated our tools to support iOS 13 iCloud backups already. We don’t expect the backup format to change once iOS 13 is officially released, yet we keep an eye on them.

First, Apple has changed the protocol and encryption. There’s nothing major, but those changes were more than enough to effectively block all third-party tools without explicit support for iOS 13.

Second, cloud backups (at least in the current beta) now contain pretty much the same set of info as unencrypted local backups. Particularly missing from iCloud backups made with iOS 13 devices are call logs and Safari history. This information is now stored exclusively as “synchronized data”, which makes it even more important for the investigator to extract synced evidence in addition to backups. Interestingly, nothing was changed about synced data; you can still use the same tools and sign in with either Apple ID/password/2FA or authentication tokens. (more…)

If you are familiar with breaking passwords, you already know that different tools and file formats require a very different amount of efforts to break. Breaking a password protecting a RAR archive can take ten times as long as breaking a password to a ZIP archive with the same content, while breaking a Word document saved in Office 2016 can take ten times as long as breaking an Office 2010 document. With solutions for over 300 file formats and encryption algorithms, we still find iTunes backups amazing, and their passwords to be very different from the rest of the crop in some interesting ways. In this article we tried to gather everything we know about iTunes backup passwords to help you break (or reset) their passwords in the most efficient way.

(more…)

Unless you’re using GrayShift or Cellebrite services for iPhone extraction, jailbreaking is a required pre-requisite for physical acquisition. Physical access offers numerous benefits over other types of extraction; as a result, jailbreaking is in demand among experts and forensic specialists.

The procedure of installing a jailbreak for the purpose of physical extraction is vastly different from jailbreaking for research or other purposes. In particular, forensic experts are struggling to keep devices offline in order to prevent data leaks, unwanted synchronization and issues with remote device management that may remotely block or erase the device. While there is no lack of jailbreaking guides and manuals for “general” jailbreaking, installing a jailbreak for the purpose of physical acquisition has multiple forensic implications and some important precautions.

When performing forensic extraction of an iOS device, we recommend the following procedure.

(more…)