ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Posts Tagged ‘iOS’

Breaking Deeper Into iPhone Secrets

Wednesday, June 20th, 2018

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

(more…)

iOS Forensic Toolkit 4.0 with Physical Keychain Extraction

Wednesday, June 20th, 2018

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

(more…)

How to Obtain iMessages from iCloud

Thursday, June 14th, 2018

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

iMessages in iCloud

Even before iOS 11 Apple had Continuity (https://support.apple.com/en-us/HT204681), a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.

However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this, and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.

iCloud sync for iMessage introduced in iOS 11.4 takes care of this problem by changing the way iMessage sync is handled. Instead of using the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all enrolled devices on the user’s Apple ID. iCloud sync works similar to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts. (more…)

Apple Probably Knows What You Did Last Summer

Tuesday, June 5th, 2018

“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Significant Locations, where are they stored, and how to extract them, and what value do they serve in investigations?

Privacy Issues

iOS 11 and iOS 12 after it supposedly come with a slew of privacy enhancements. When it comes to Significant Locations, what we see is quite the opposite. There is an unresolved privacy issue instead.

Speaking strictly of “significant locations”, iOS 10 and older versions used to retain this data no longer than 45 days. Older records would be purged from the device. In iOS 11.4, the current release, location data is kept for at least 120 days (or 4 months). Apple does not provide ANY information about how or when it collects your location data; moreover, there is no official statement about how this data is being used. The only article that we were able to discover is “Location Services & Privacy“. Have a look at the following quote:

Significant Locations – Your iPhone will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you. This data is transmitted end-to-end encrypted between your iCloud connected devices and will not be shared without your consent. It will be used to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories.

(more…)

What’s Broken in iOS for iPhone X

Wednesday, March 28th, 2018

Apple’s latest and greatest iPhone, the iPhone X, received mixed reviews and sells slower than expected. While the high price of the new iPhone is a major factor influencing the slow sales, some of the negative points come from the device usability. The combination of design language, hardware and software interactions make using the new iPhone less than intuitive in many situations. In this article, we collected the list of utterly strange design decisions affecting the daily use of the iPhone X.

The Return of Slide to Unlock

In iOS 10, Apple has finally rid of the infamous “slide to unlock” prompt, replacing it with the prompt to that asks iPhone users (as well as users of Touch ID equipped iPads) to press the home button to gain access to the home screen. This means that, by default, users could no longer simply rest their finger on the home button to unlock their device with their fingerprint.

A workaround was discovered quickly. Apparently, it was possible to alter the “Rest Finger to Open” option in General > Accessibility > Home Button to make iPhones capable of “raise-to-wake” unlock without pressing down on the home button.

This option is still present in iOS 11, and still works on all devices equipped with Touch ID – but not Face ID. The iPhone X is the only device in Apple’s stable that cannot be automatically unlocked when picked up. Users must still reach for the very bottom of the device’s screen and… yes: swipe up to unlock. This feels like a huge step back to pre-iOS 10 days, and annoys many users.

(more…)

Breaking into iOS 11

Tuesday, February 20th, 2018

In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.

In order to extract all of that from an i-device, you’ll need the extraction tool (iOS Forensic Toolkit) and a working jailbreak. With Apple constantly tightening security of its mobile ecosystem, jailbreaking becomes increasingly more difficult. Without a bug hunter at Google’s Project Zero, who released the “tfp0” proof-of-concept iOS exploit, making a working iOS 11 jailbreak would take the community much longer, or would not be possible.

The vulnerability exploited in tfp0 was present in all versions of iOS 10 on all 32-bit and 64-bit devices. It was also present in early versions of iOS 11. The last vulnerable version was iOS 11.2.1. Based on the tfp0 exploit, various teams have released their own versions of jailbreaks.

(more…)

Get iOS Shared Files without a Jailbreak

Tuesday, February 20th, 2018

iOS is a locked down mobile operating system that does not allow its apps to directly access files in the file system. Unlike every other major mobile OS, iOS does not have a “shared” area in the file system to allow apps keep and share files with other apps. Yet, individual iOS apps are allowed to let the user access their files by using the file sharing mechanism.

While uploading or downloading shared files from an Android or Windows 10 smartphone occurs over a standard MTP connection established over a standard USB cable, you’ll need several hundred megabytes worth of proprietary Apple software (and a proprietary Lightning cable) to transfer files between iOS apps and the computer. But do you really?

While there’s nothing we can do about a Lightning cable, we can at least get rid of iTunes middleware for extracting files exposed by iOS apps. We’ll show you how this works with iOS Forensic Toolkit 3.0.

(more…)

iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

Thursday, January 25th, 2018

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

Despite that, pairing records have been immensely handy for mobile forensic specialists as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records had never expired. One could use a year-old lockdown file to access the content of an iPhone without a trouble.

Good things seem to end. In iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.

To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.

If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.

Pairing in iOS

In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must be first established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

(more…)

Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

Monday, January 15th, 2018

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, the iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window or over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely controls the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices that can install a signed OTA package (or, in some cases, flash a full image) of any version of software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad device, the package must get an approval from an Apple server by receiving a cryptographic signature. That signature is placed in real time, and is only valid for a particular device. (more…)

How to Extract Media Files from iOS Devices

Tuesday, January 9th, 2018

Media files (Camera Roll, pictures and videos, books etc.) are an important part of the content of mobile devices. The ability to quickly extract media files can be essential for an investigation, especially with geotags (location data) saved in EXIF metadata. Pulling pictures and videos from an Android smartphone can be easier than obtaining the rest of the data. At the same time, media extraction from iOS devices, while not impossible, is not the easiest nor the most obvious process. Let’s have a look at tools and techniques you can use to extract media files from unlocked and locked iOS devices.

Ways to Extract Media Files

There is more than one way you could use to extract media files. (more…)