Posts Tagged ‘iOS’

Acquisition of a Locked iPhone with a Lockdown Record

Monday, November 28th, 2016

The previous article was about the theory. In this part we’ll go directly to practice. If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to searching user’s computers for a lockdown record.

(more…)

Forensic Implications of iOS Lockdown (Pairing) Records

Friday, November 25th, 2016

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up. (more…)

Our First Book is Officially Out

Monday, October 10th, 2016

Today we are super excited: our first book on mobile forensics just got published! The book is called “Mobile Forensics – Advanced Investigative Strategies”, and is about everything you need to successfully acquire evidence from the widest range of mobile devices. Unlike most other books on this subject, we don’t just throw file names or hex dumps at your face. Instead, we discuss the issues of seizing mobile devices and preserving digital evidence before it reaches the lab; talk about acquisition options available in every case, and help you choose the correct acquisition path to extract evidence with least time and minimal risk.

cover

We used our years of expertise in researching and building forensic tools to help our readers better understand the acquisition process. We aimed our book at specialists with beginner to intermediate knowledge of mobile forensics. We did our best to make it a perfect learning and reference tool.
This book is about strategies and tools. We do believe in tools, but we also believe that even the best tool is useless if you don’t have clear understanding on what you are doing, and why. It’s not just about ElcomSoft products: we talk about a wide range of forensic tools covering most mobile devices.

The book is officially out. You are welcome to get your copy by ordering from PACKT Publishing or Amazon.

iCloud Photo Library: All Your Photos Are Belong to Us

Thursday, August 25th, 2016

Releasing a major update of a complex forensic tool is always tough. New data locations and formats, new protocols and APIs require an extensive amount of research. Sometimes, we discover things that surprise us. Researching Apple’s iCloud Photo Library (to be integrated into Elcomsoft Phone Breaker 6.0) led to a particularly big surprise. We discovered that Apple keeps holding on to the photos you stored in iCloud Photo Library and then deleted, keeping “deleted” images for much longer than the advertised 30 days without telling anyone. Elcomsoft Phone Breaker 6.0 becomes the first tool on the market to gain access to deleted images going back past 30 days.

Update September 1, 2016: Apple is fixing this as we speak. Deleted photos still appear, but we see less and less of them in every session. Whatever it was, it seems like Apple is fixing the issue as quick as they can.

(more…)

iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices?

Thursday, August 11th, 2016

For many months, a working jailbreak was not available for current versions of iOS. In the end of July, Pangu released public jailbreak for iOS 9.2-9.3.3. A few days ago, Apple patched the exploit and started seeding iOS 9.3.4. This was the shortest-living jailbreak in history.

With iOS getting more secure with each generation, the chance of successfully jailbreaking a device running a recent version of iOS are becoming slim. While this may not be the end of all for mobile forensic experts, we felt we need to address the issue in our physical acquisition toolkit.

(more…)

Fingerprint Unlock Security: iOS vs. Google Android (Part II)

Monday, June 20th, 2016

Fingerprint Unlock Security: Google Android and Microsoft Hello

Using one’s fingerprint to unlock a mobile device with a touch is fast and convenient. But does it provide sufficient security? More importantly, does biometric unlock provide a level of security comparable to that of the more traditional PIN or passcode? As we found in the first article, Apple has managed to develop a comprehensive fingerprint unlock system that provides just enough security while offering a much greater convenience compared to traditional unlock methods. What’s up with that in the other camp?

01finger

Google Android 4.x through 5.1.1: No Fingerprint API

There is no lack of Android smartphones (but no tablets) that come with integrated fingerprint scanners. Samsung Galaxy S5, S6, S7, Motorola Moto Z, SONY Xperia Z5, LG G5, Huawei Ascend Mate 7 and newer flagships, Meizu Pro 5 and a plethora of other devices are using fingerprint scanners without proper support on the native API level.

(more…)

Fingerprint Unlock Security: iOS vs. Google Android (Part I)

Monday, June 6th, 2016

Biometric approach to unlocking portable electronics has been on the rise since late 2013 when Apple released iPhone 5S. Ever since, manufacturers started adding fingerprint scanners to their devices. In the world of Android, this was frequently done without paying much (if any) attention to actual security. So how do these systems compare?

Apple iOS: Individually Matched Touch ID, Secure Enclave at Work

Apple invented Touch ID to increase the average user security. The idea behind fingerprint unlock is for users who had no passcode at all to use Touch ID. Fingerprint data is stored on the Secure Enclave, and is never transferred to Apple servers or iCloud.

(more…)

A Message to Our Customers, Apple and FBI

Thursday, February 18th, 2016

On Tuesday, a federal judge ordered Apple to assist the authorities in breaking into a locked iPhone 5C used by Syed Farook, who killed 14 in San Bernardino in December. According to the FBI, the phone might contain critical information about connections with Islamic terrorist groups. Apple opposed the motion and published an open letter at https://www.apple.com/customer-letter/ saying that “The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”

So what is the government asking, does Apple have it, and is it technically possible to achieve what they are asking? Let’s try to find out.

(more…)

Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)
  2. In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.

(more…)