Posts Tagged ‘iOS’

Every other day, Apple makes the work of forensic specialists harder. Speaking of iCloud, we partially covered this topic in Apple vs. Law Enforcement: Cloud Forensics and Apple vs Law Enforcement: Cloudy Times, but there is more to it today. The recent iOS (13.4) and macOS (10.15.4) releases brought some nasty surprises. Let’s talk about them.

iOS 13

It is difficult to say when it actually happened, but iOS stopped syncing call logs, and does not sync them for the time being. We covered call log sync some three years ago:

We even tried to bring the matter to Apple, but the only response was "we take privacy very seriously" (I am not surprised). Anyway, call logs are no longer synchronized (c'mon, Apple, did you forget about Continuity? 😊)

But there is more. Do you use Apple Maps? Its data, surprisingly, has been moved to an encrypted container, similar to other protected data such as the iCloud keychain, iCloud Messages, Health and Screen Time data. It’s a strange move, as Maps data is not all that sensitive compared to other bits stored in secured containers. While we can still obtain that data from the cloud, the procedure now relies on the process for extracting other end-to-end encrypted data, which means you have to use the password/passcode of one of the user’s devices.

Just in case: if you are curious about Screen Time, we are currently able to extract only part of the data from iCloud. This includes the passcode, family information, restrictions etc. The most interesting data such as app usage statistics seems to sync directly across devices, but it is not stored in the way that would allow us to extract it from the cloud. If you have more than one device and use the Share across devices option, just compare the statistics you see on the device it’s been collected from and how it appears on other devices on the account. The results are different. Moreover, some stats are not available at all, while there is some mysterious data from devices that have been disconnected from the account a long time ago. A lot of iPhone users reported similar problems:

This can mean that such ‘direct’ syncing simply does not work correctly. It is difficult to say whether it is an iOS 12/13 or iCloud bug, but we decided not to waste our time trying to obtain this data from iCloud. And by the way, in iOS 13 the data related to Screen Time is also protected better than most other data: it is not enough just to have root privileges to access it.

Oh, by the way, iOS 13.4.5 beta (what a strange version number after 13.4) came out yesterday; we are going to have a look at it soon.

macOS

Lockdown (pairing) records have always allowed access to passcode-protected devices. However, with the latest update, lockdown records are no longer accessible.

Starting with macOS 10.12, you had to run the following command:

sudo chmod 755 /private/var/db/lockdown

With macOS 10.15.4, it does not work anymore. Is there a workaround? Yes. Just disable SIP (System Integrity Protection) by booting into Recovery mode (⌘+R on system startup), then start Terminal and run the following command:

csrutil disable

Then reboot, and access the lockdown folder as you did before, e.g. to perform advanced logical acquisition of a locked iPhone using iOS Forensic Toolkit.
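An added example (it is not Elcomsoft's code and not part of the original post): a Python script that audits the pairing records in the lockdown directory described above, so an administrator or examiner can see which devices a Mac has been trusted by and whether each record still carries an escrow bag and host keys. The directory path is the one from the post; the key names are those commonly found in pairing records; the sample UDID, host ID, MAC address and key values are constructed placeholders.

```python
"""Audit the pairing ("lockdown") records kept on a Mac.

Added example, not Elcomsoft's code. It reads the /private/var/db/lockdown
directory the post refers to, where each <UDID>.plist is a binary or XML
property list; the key names below are the ones commonly found in pairing
records. The sample record, its UDID and all its values are constructed
placeholders so the script can be run offline.
"""
import os
import plistlib
import sys
from dataclasses import dataclass
from typing import List

LOCKDOWN_DIR = "/private/var/db/lockdown"


@dataclass
class PairingRecord:
    udid: str
    host_id: str
    system_buid: str
    wifi_mac: str
    has_escrow_bag: bool
    has_private_keys: bool

    @property
    def risk(self) -> str:
        """An escrow bag together with the host keys is what lets a holder of
        this file talk to the device while it is passcode-locked (the
        capability the post describes)."""
        if self.has_escrow_bag and self.has_private_keys:
            return "HIGH"
        if self.has_escrow_bag or self.has_private_keys:
            return "MEDIUM"
        return "LOW"


def parse_record(udid: str, data: bytes) -> PairingRecord:
    """Summarise one pairing record (binary or XML plist) without exposing
    any of its key material."""
    plist = plistlib.loads(data)
    return PairingRecord(
        udid=udid,
        host_id=str(plist.get("HostID", "?")),
        system_buid=str(plist.get("SystemBUID", "?")),
        wifi_mac=str(plist.get("WiFiMACAddress", "?")),
        has_escrow_bag=bool(plist.get("EscrowBag")),
        has_private_keys=all(k in plist for k in ("HostPrivateKey", "RootPrivateKey")),
    )


def audit_directory(path: str = LOCKDOWN_DIR) -> List[PairingRecord]:
    """Parse every <UDID>.plist in the lockdown directory. Reading it needs
    root and, on macOS 10.15.4 and later, SIP disabled (see the post); an
    access failure is reported rather than silently yielding nothing."""
    records: List[PairingRecord] = []
    try:
        names = sorted(os.listdir(path))
    except OSError as exc:
        print(f"cannot read {path}: {exc} (need root; SIP disabled on 10.15.4+)", file=sys.stderr)
        return records
    for name in names:
        # SystemConfiguration.plist (if present) holds this host's BUID, not a device record.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        try:
            with open(os.path.join(path, name), "rb") as fh:
                records.append(parse_record(name[: -len(".plist")], fh.read()))
        except OSError as exc:
            print(f"skipping {name}: {exc}", file=sys.stderr)
    return records


# Constructed sample record: placeholder identifiers, not a real device or key.
SAMPLE_UDID = "00008030-000000000000000A"
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "11111111-2222-3333-4444-555555555555",
    "SystemBUID": "66666666-7777-8888-9999-AAAAAAAAAAAA",
    "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
    "EscrowBag": b"\x00" * 16,
    "HostPrivateKey": b"placeholder",
    "RootPrivateKey": b"placeholder",
    "HostCertificate": b"placeholder",
    "DeviceCertificate": b"placeholder",
}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    found = audit_directory() if os.path.isdir(LOCKDOWN_DIR) else [parse_record(SAMPLE_UDID, SAMPLE_RECORD)]
    for r in found:
        print(f"{r.udid}  host={r.host_id}  buid={r.system_buid}  escrow={r.has_escrow_bag}  "
              f"keys={r.has_private_keys}  risk={r.risk}")
```

Run it with sudo on the Mac being checked (with SIP disabled on 10.15.4 and later, as described above); on any other system, or without permission, it falls back to the constructed sample record. Only identifiers and the presence of key material are printed, never the keys or certificates themselves.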

iCloud

iCloud authentication has changed again. Looks like Apple have a dedicated team of software engineers that do nothing but make meaningless changes to authentication protocols just to block our software. This does not really improve the security and privacy but makes Apple’s top management happy.

I am not going to describe all the changes in detail, but I will give you some tips on how this affects the usage of authentication tokens in Elcomsoft Phone Breaker. You can start reading from Accessing iCloud With and Without a Password in 2019; here is how it works now.

On Windows systems, tokens extracted from iCloud for Windows version 7.0 and later work only for accounts without two-factor authentication. With these tokens, you won’t be able to access the entire set of iCloud data. The following categories are still accessible: iCloud Photos and certain synced categories (including contacts, calendars, notes, Safari browsing history etc., except end-to-end encrypted data such as the Keychain, iCloud Messages or Health data). As for iCloud backups, you can only retrieve ones created by iOS versions older than iOS 11.2.

On macOS, the situation is slightly better. On macOS from 10.13 to 10.15, we can get the token for non-2FA accounts only; for accounts that have 2FA enabled, the token is, well, ‘tethered’ to the device it is obtained from, so you can authenticate with this token in Elcomsoft Phone Breaker only on the same Mac. The scope of the data that can be downloaded from iCloud (regardless of the account and token type) is the same as above: a limited number of categories of synced data (without end-to-end encryption), and iCloud backups of devices with iOS up to 11.2. Fully ‘untethered’ tokens for 2FA accounts are only available in macOS 10.12 and older. In fact, we recently used a kind of vulnerability in the iCloud protocol that allowed us to get such tokens even for 2FA accounts, but not anymore, sorry.

Sounds confusing? I know. Here it is once again:

  • We can always get a token for non-2FA accounts
  • For 2FA accounts, tokens from most (modern) Windows systems are completely useless, while tokens from modern macOS versions can be used on the same system only
  • Tokens can be used to access only a limited amount of data from iCloud

One more thing: some changes have been made even for accounts without 2FA. Due to these changes, Apple can now lock accounts after a single incorrect password attempt.

Conclusion

To obtain all the data from the user’s iCloud account, you will need the Apple ID, the password, the second authentication factor, and the device passcode. If you have all of those, you can obtain virtually everything, including some of the data that is not available on the device itself. Do not underestimate this method, and remember that Elcomsoft Phone Breaker is the only product on the market that extracts all the data from iCloud including end-to-end encrypted categories.

In our recent article iPhone Acquisition Without a Jailbreak I mentioned that agent-based extraction requires the use of an Apple ID that has been registered in Apple’s Developer Program. Participation is not free and comes with a number of limitations. Why do you need to become a “developer”, what are the limitations, and is there a workaround? Read along to find out.

Sideloading IPA Packages onto iOS Devices

Elcomsoft iOS Forensic Toolkit now supports agent-based extraction without a jailbreak, which also brings a new requirement. Agent-based extraction is a newer, forensically sound alternative to traditional acquisition methods requiring a jailbreak. Based on direct access to the file system, agent-based extraction does not require jailbreaking the device. Using agent-based extraction, you can image the full file system and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.

The new acquisition method utilizes an extraction agent, which in turn is an app we’ve developed for the iOS platform. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering performance that is as close to forensically sound extraction as at all possible (only a few log entries are left behind after the agent is removed).

Interestingly, most jailbreaks (with the exception of checkra1n, which uses a bootrom exploit) also require a developer account in order to be installed. Before you begin using agent-based extraction (or install a jailbreak), you must have your Apple ID enrolled in Apple’s Developer Program. This is required in order to sideload the agent onto the iOS device being acquired. You can enroll at developer.apple.com/programs/enroll/; the process is fast and easy if you do it as a private person.

Why this requirement? Before I go into technical details, let me briefly explain what happens when you command iOS Forensic Toolkit to install an agent.

The extraction agent is deployed on iOS devices in the form of an IPA package. An IPA (iOS App Store Package) file is an iOS application archive file which stores an iOS app. Technically speaking, an IPA file is a ZIP archive that contains a binary for the ARM architecture that can be installed on an iOS device.

Each IPA file must be signed before you can install it onto an iOS device. While any Android phone can install any APK signed with a valid certificate, Apple makes sideloading apps significantly more difficult. An IPA package can be signed in one of the following ways.

Signed with a regular Apple ID

The digital signature is tied to each iOS device. An IPA signed with a certain Apple ID for a certain device can only be installed on that particular device; it cannot be distributed. If an IPA package was signed with a regular Apple ID, iOS will need to validate the digital signature by connecting to an Apple server, which means that the device you’re pushing the app to must go online in order to install the IPA. For the purposes of mobile forensics, we don’t want the device to go online, in order to mitigate the risks of receiving a remote lock, remote erase or Find My commands, as well as syncing the device with iCloud (many 3rd party applications may also sync, of course, as well as the system itself).

Signed with an Enterprise account

Apple enables companies to distribute in-house apps to their employees, bypassing Apple’s checks for compliance with App Store policies. These apps can be signed with a so-called enterprise certificate. Enterprise certificates must also be validated by the iOS device; the device must go online and connect to Apple servers in order to validate the certificate. These certificates are meant to be used by each company to distribute apps among its own employees. If a company attempts to use its enterprise certificate to sign apps and distribute them globally, Apple revokes the certificate. However, unless revoked, enterprise certificates do not limit the number of devices that can install a signed IPA package. For this reason, leaked enterprise certificates are frequently used by third-party app stores and Web stores such as ignition.fun to sideload IPA packages.

Signed with a Developer account

Developer accounts are unique in that verification occurs on Apple servers and not on the iOS device. In order to use a developer certificate to sign an IPA package, developers must first register the iOS device (iPhone, iPad etc.) in their Apple Developer Account by adding it to the Developer Profile. Once this is done, one can sign the IPA package with their developer certificate and sideload the IPA onto the iOS device. Importantly, the iOS device will not need to go online in order to validate the certificate, as its UDID is already provisioned. For this reason, developer certificates are (and have always been) the most forensically sound method of pushing jailbreaks (and now the extraction agent) onto iOS devices.
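The following added example (not Elcomsoft's code and not part of the original post) shows what the IPA structure and the three signing cases above look like from inside a package, which is the check an examiner would want before pushing anything onto a device: it opens the IPA as a ZIP, locates the Payload/<name>.app bundle, checks that the bundle's executable starts with a Mach-O header, and classifies the embedded provisioning profile as enterprise (ProvisionsAllDevices), free Apple ID (a per-device profile with the 7-day lifetime mentioned later in the post) or developer (a list of registered UDIDs), reporting whether a given UDID is on that list and how many other devices the profile lists. The IPA, Info.plist, profile, team identifier and UDIDs are constructed placeholders; the profile's plist is sliced out of its CMS envelope without signature verification, which is a simplification made for this example.

```python
"""Inspect an IPA before sideloading it: list the bundle, check the binary
header and classify the embedded provisioning profile the way the post does
(free Apple ID / enterprise / developer).

Added example, not Elcomsoft's code. The IPA, Info.plist, profile, team ID and
UDIDs are constructed placeholders so it runs offline; for a real package call
inspect_ipa(open(path, "rb").read(), udid=...). A real embedded.mobileprovision
is a CMS (PKCS#7) envelope around an XML plist; this script slices the plist
out between "<?xml" and "</plist>" and does NOT verify the CMS signature.
"""
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_UDID = "00008030-000000000000000A"  # placeholder, not a real device
# Mach-O magics as stored in the file: 64-bit, 32-bit, and fat/universal.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped profile (signature unverified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, udid: Optional[str] = None,
                     now: Optional[datetime] = None) -> Dict[str, object]:
    """Map a profile to the signing cases described in the post."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates are naive UTC
    devices: List[str] = list(profile.get("ProvisionedDevices", []))
    created, expires = profile.get("CreationDate"), profile.get("ExpirationDate")
    lifetime = (expires - created).days if created and expires else None
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # any device may install; iOS validates the cert online
    elif devices and lifetime is not None and lifetime <= 7:
        kind = "free-apple-id"   # per-device, 7-day lifetime; online validation
    elif devices:
        kind = "developer"       # only the listed UDIDs; no online check needed
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "team": (profile.get("TeamIdentifier") or ["?"])[0],
        "device_count": len(devices),           # every UDID the profile exposes
        "device_provisioned": (udid in devices) if udid else None,
        "expired": (expires < now) if expires else None,
    }


def inspect_ipa(data: bytes, udid: Optional[str] = None) -> Dict[str, object]:
    """Open an IPA (a ZIP with a Payload/<name>.app/ bundle) and report on it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.count("/") >= 2
                       and n.split("/")[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError(f"expected one .app bundle in Payload/, found {apps}")
        app = f"Payload/{apps[0]}/"
        info = plistlib.loads(zf.read(app + "Info.plist"))
        executable = info["CFBundleExecutable"]
        header = zf.read(app + executable)[:4]
        if app + "embedded.mobileprovision" in names:
            report = classify_profile(
                extract_profile_plist(zf.read(app + "embedded.mobileprovision")), udid)
        else:
            report = {"kind": "none"}  # no embedded profile at all
    report.update(bundle_id=info.get("CFBundleIdentifier"), executable=executable,
                  mach_o=header in MACHO_MAGICS, entries=len(names))
    return report


def sample_profile(profile_kind: str) -> dict:
    """Constructed profile of the requested kind (placeholder team and UDIDs)."""
    base = {"Name": "Example Agent Profile", "TeamIdentifier": ["ABCDE12345"],
            "UUID": "00000000-0000-0000-0000-000000000000",
            "CreationDate": datetime(2020, 3, 1),
            "Entitlements": {"application-identifier": "ABCDE12345.com.example.agent"}}
    if profile_kind == "enterprise":
        base.update(ProvisionsAllDevices=True, ExpirationDate=datetime(2021, 3, 1))
    elif profile_kind == "free-apple-id":
        base.update(ProvisionedDevices=[SAMPLE_UDID], ExpirationDate=datetime(2020, 3, 8))
    else:  # developer: registered UDIDs, one-year profile
        base.update(ProvisionedDevices=[SAMPLE_UDID, "00008020-000000000000000B"],
                    ExpirationDate=datetime(2021, 3, 1))
    return base


def build_sample_ipa(profile_kind: str = "developer") -> bytes:
    """Constructed in-memory IPA: Info.plist, a Mach-O header stub, a profile."""
    # Filler bytes stand in for the DER/CMS envelope around the plist.
    profile_blob = (b"\x30\x82(cms placeholder)" + plistlib.dumps(sample_profile(profile_kind))
                    + b"(signature placeholder)")
    info = plistlib.dumps({"CFBundleIdentifier": "com.example.agent",
                           "CFBundleExecutable": "agent", "CFBundleShortVersionString": "1.0"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/agent.app/Info.plist", info)
        zf.writestr("Payload/agent.app/embedded.mobileprovision", profile_blob)
        zf.writestr("Payload/agent.app/agent", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("developer", "enterprise", "free-apple-id"):
        print(kind, inspect_ipa(build_sample_ipa(kind), udid=SAMPLE_UDID))
```

The device_count field is the point made later in the post about developer profiles: a profile lists every UDID registered in the Developer Profile at signing time, so the number of devices it exposes is worth knowing before a package is pushed onto a device under examination.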

What Has Changed

For years, Cydia Impactor and similar tools have been able to sideload packages onto iOS devices using disposable Apple IDs. Apple imposed several limitations to discourage users from treating sideloading as a replacement for Apple’s own App Store. Sideloaded apps signed with a non-developer Apple ID would expire after a mere 7 days, requiring the user to re-sign and re-sideload the app. Since iOS 10, one could not have more than 3 sideloaded apps on the device, and you couldn’t use the same Apple ID to sideload more than 10 apps per week. There were also other limitations in place, but at the very least users could temporarily install apps that were not approved by Apple.

Something changed in November 2019.

About two weeks ago, Apple made a change to their provisioning service to require a different authentication scheme for “free” Apple accounts (they return an error that mentions upgrading to “Xcode 7.3”); this broke Cydia Impactor for users without a paid Apple Developer account.

https://twitter.com/saurik/status/1196888477830221824

Elcomsoft iOS Forensic Toolkit uses a similar IPA sideloading mechanism, meaning that, for the time being, the users are forced to use a paid Apple Developer account to sideload the extraction agent IPA.

We are currently working on a solution allowing our users to sideload the extraction agent using disposable (free) Apple accounts for Mac users. Windows users will likely have to wait longer.

Developer Account Limitations

Apple would not be Apple if it didn’t have some roadblocks in place.

The first roadblock has to do with two-factor authentication. An Apple ID enrolled in Apple’s Developer Program must have two-factor authentication enabled. Elcomsoft iOS Forensic Toolkit requires a login and password. As a result, you’ll have to take an extra step in setting up an Application-specific password in your Apple account. You’ll have to use that app-specific password instead of your regular Apple ID password when installing the extraction agent in iOS Forensic Toolkit.

The second limitation is about the number of devices that can be enrolled. As an Apple developer, you can only add up to 100 devices of each kind (e.g. 100 iPhones, 100 iPads etc.) per year. The number of available registration slots will only reset once a year even if you delete the device afterwards.

It is also worth noting that once you add a new device to your Developer Profile, the provisioning profile that is used to sign the extraction agent will list all previously registered device IDs (UDIDs) unless you manually remove them from the Developer Profile prior to extraction (which, again, won’t reset the limit). The good news is that you won’t have to manually add the device to the developer profile if you use Elcomsoft iOS Forensic Toolkit; all you need to do is command it to install an agent, and type in your developer Apple ID and the application-specific password we’ve talked about earlier.

Enrolling your Apple ID into the Developer Program can be especially tricky for corporate developers. For this reason, we recommend registering as a private person for $99 a year.

Workarounds

There are multiple apps and services positioning themselves as “App Store alternatives”. AltServer, AppStore.io, AppEven, ignition.fun, Tutuapp, Pandahelper, App Valley, Desde tu iPhone, Tweakbox and numerous other “alternative app stores” utilize a mix of paid and stolen developer accounts and leaked enterprise certificates to sign and sideload apps onto the iPhone. Some of these stores are known to extensively modify the content of the devices they sideload apps to, so none of them can be recommended for the purpose of mobile forensics.

A Word On checkra1n & checkm8

This is slightly outside the scope of this article, but you may ask why you even need that acquisition method if there are such things as checkm8 exploit and checkra1n jailbreak that do not require a developer account to install unlike most other jailbreaks.

First, the compatibility. We have about fifty test devices (iPhones and iPads) in our lab, and most of them are checkm8-compatible, at least theoretically. If checkra1n installs, then we can make full file system acquisition and keychain extraction without an agent, minor issues with iOS 13 aside (iOS Device Acquisition with checkra1n Jailbreak). This jailbreak makes it possible to perform a limited BFU (“before first unlock”) extraction for devices with an unknown passcode, even if they are disabled or locked. But checkra1n is only compatible with iOS 12.3 and up. And of course, the hardware support is limited to the iPhone 5s through 8/8 Plus/iPhone X, so forget about iPhone Xr, Xs and 11 extraction.

Second, the reliability and speed. Not just checkra1n itself, but even some implementations of checkm8-based extraction leave much to be desired. checkra1n fails to install on many devices for no obvious reason. In our experience, as many as 30% of devices may be problematic. The situation is even worse for direct implementations of checkm8-based extraction. Just one example; I will not name the vendor for ethical reasons:

We are currently doing our office’s first Checkm8 extraction on an iPhone 8 plus 64GB w/13.3. It’s been running two days now and the estimated time to completion keeps going up, from 8 days yesterday to now 15 days today. At first things looked pretty normal but the estimated time just keeps going up. Any ideas on what could be the problem? Another odd thing is it says 8GB of 88 GB extracted, which of course makes no sense being a 64GB device.

And one of the responses:

I also encountered a lot of iPhone devices that extracted “full file system” with no success, lasting for weeks.

Finally, the “forensically sound” issue. There is no agreement among forensic vendors about the meaning of this term. Moreover, speaking of iPhone extraction, it is not possible to prove that the device content has not been modified during the extraction, regardless of the method you use (whether it’s good old logical acquisition, checkm8 or agent-based extraction). All extraction methods leave some traces, making some changes to the device data.

Is the agent-based solution we have implemented a silver bullet? Of course not. It also has limited compatibility with device models and iOS versions (we are working hard on that; an Elcomsoft iOS Forensic Toolkit update is coming with support for iOS 13.0-13.3 on all devices), and it also has some reliability issues. The acquisition speed is always higher; we’ve been able to get up to 40 MB/s. There are many hardware/iOS combinations that only the agent works for. You just need the Developer Account, that’s it.

Conclusion

The $99 a year for a Developer Account is a great, cost-efficient investment because it’s the only type of account offering safe, forensic-friendly extraction. Developer accounts are the only type of account whose provisioning profiles do not require the device being acquired to connect to Apple servers. The entire sideloading and extraction process can be performed safely while the device is in Airplane mode.

Just days ago, we reviewed the data stored in iCloud and studied its encryption mechanisms. We also discussed the discrepancies between the data that is stored in the cloud and the data that’s provided to law enforcement. In case you missed it, make sure to check out Apple vs. Law Enforcement: Cloud Forensics. Today, the differences are great; Apple is using point-to-point encryption to protect certain types of data. However, it has not always been that way. Apple’s security model has changed year after year. This article reviews the timeline of Apple’s security changes over time.

We’ll list the security measures and discuss whether the real purpose of these changes was the customers’ security and privacy, or throwing a monkey wrench into the work of law enforcement. We will also try to understand where iCloud security stands today, and how safe your data is against hackers and law enforcement. Are you a forensic professional? I think you’ll find this article handy.

Apple iCloud: the beginning

Apple introduced iCloud in October 2011, replacing the aging MobileMe service. At that time, Apple iCloud services were based solely on Amazon and Microsoft Azure servers (new platforms were added a few years later). Using iCloud on the iPhone required installing iOS 5.

Apple iCloud today provides a range of services including synchronization of data across devices connected to the account, iCloud backups for iOS and iPadOS devices, iCloud Drive (just the storage), as well as the Find My service.

iCloud security

While you can always refer to the source in iCloud security overview, I can give you a shorter and simpler description.

First, all iCloud data (including backups) is stored on third-party servers. These servers are owned by Amazon, Google, Microsoft, or the Chinese government in the case of Chinese users. We also witnessed some mysterious AT&T data centers in the past.

Second, all that data is always encrypted.

Third, the encryption keys for most of that data are also retained by Apple. However, the keys are not stored on the same physical servers; instead, Apple keeps them in Apple-owned data centers under the company’s full control. Interestingly, this seems to be the case even for data stored in China (where iCloud data itself is located on Chinese servers only).

Careful readers noticed the “most” part. The “most” part does not mean that the data is not encrypted; it’s rather the opposite. More on that in “end to end encryption” below.

Do the same rules apply to iCloud backups? Yes, they do. A couple of years ago, Apple was rumored to have plans to encrypt iCloud backups in a more secure way (potentially with end-to-end encryption). Those plans were finally rejected, probably under FBI pressure, but only Apple knows the actual reasons.

Two-factor authentication: 2SV, 2FA and iCloud backups

Today, it is hard to believe that an online account that holds your personal data may not support two-factor authentication. Online threats and phishing are the main risks, and if you re-use your passwords, the situation is even worse.

In the first two years, iCloud did not have any kind of two-factor authentication. One was only added in 2013, but the half-baked solution only protected access to the account itself, and not to iCloud backups. We wrote about that in Apple Two-Factor Authentication and iCloud.

You probably remember what happened next. Celebgate. Only after that, Apple applied second-factor protection to backups.

It is important to note that Apple’s initial implementation (called Two-Step Verification, 2SV) was not perfect. It was a rushed afterthought. The current implementation of two-factor authentication (2FA) was introduced with iOS 9 in 2015, and it offers good protection.

We covered this subject many times:

It’s all about the tokens

In 2014 (the year when Apple added 2SV to iCloud backups), we got a bright idea. If you set up your computer to access iCloud account*, you won’t be prompted for your password or prompted for a one-time code every time you access the cloud. This means that the authentication token could be saved somewhere. Could we use that token to bypass password-based authentication?

* iCloud access is a built-in feature on a Mac, while “iCloud Control Panel” is required on Windows; its current name is iCloud for Windows.

It worked; see Breaking Into iCloud: No Password Required. Having the token obtained, we were able to download iCloud backups (and later implemented the same technique to download other/synced data from iCloud).

Did our work introduce a new security risk for iCloud account owners? Probably not (or just a little), as extraction and decryption of the tokens requires physical access to the computer, as well as administrative privileges (and if you have both, there are much more serious risks involved).

However, Apple took it seriously, and since then, implemented additional security measures related to tokens, in particular:

  • Limited lifetime. The token worked perfectly for synced data. When accessing iCloud backups, its lifetime was limited first to 24 hours, and then to just one hour.
  • Limited use. Currently, the token stored on the device is only good for a limited number of categories including iCloud Photo Library and most synced data and excluding end-to-end encrypted data. Tokens cannot be used for accessing iCloud backups.
  • Pinned to device. That was the biggest surprise. After some changes Apple made last year, the token could be used (even for accessing a limited set of data) on the same computer only. On macOS, we have recently found a way to obtain an “unpinned” token that can be used on other computers, but there is no way to do that for Windows.

Still, it is theoretically possible to obtain full-featured “unpinned” tokens that allow obtaining almost everything from iCloud from a trusted macOS computer. We are working hard in this direction; watch our blog for updates. Still no access to backups, though. Apple did everything to make iCloud backups extremely hard to get, even if you know the password and have the second authentication factor.

End-to-end encryption (they call it so)

C’mon, Apple, please do not call it “end-to-end”, that term is reserved for the case when some data can be only decrypted at the end point, because it is the only place that holds the decryption key. Yes, trusted iPhones do have the key, but we can get one even from the outside and without access to the device. This isn’t exactly end-to-end, is it?

What does Apple protect with this “end-to-end” encryption? This encryption covers data that belongs to the following categories: iCloud keychain, Health data, messages in iCloud, Home data, and (surprisingly!) some Apple Maps data, even though Apple does not mention that.

All that data is stored in iCloud and synchronized across “trusted devices”. In case you did not know, the key to decrypt that data is also stored in iCloud (even if Apple wants you – and law enforcement – to believe otherwise). That key, however, has stronger protection than the general iCloud encryption keys (which could probably be called “snake oil”) and can only be accessed by devices that are part of the “trusted circle”.

Can someone enter into the trusted circle? Of course, but not easily so.

Notifications, account locks, GSA and other changes

There are a couple extra security measures related to iCloud backups we have not mentioned.

First, you probably noticed that once the backup restoration process is completed, a notification is sent to the account owner (by email).

Second, Apple does its best to detect whether the download process is initiated by the actual device or by third-party software like ours.

We did our best to ‘mimic’ the device, but suppress the ‘restore’ notification. Currently, it works, but it looks like Apple has a dedicated team of security specialists working against our software.

On a regular basis, Apple changes everything they can: protocols, encryption, and data storage formats. Some of these changes are reasonable, while the other (solid!) part of these changes is intended only as a countermeasure against forensic tools, while adding little to no extra security to iCloud.

Have I mentioned GSA (Grand Slam Authentication) and “anisette data”? I was not going to dive deep into technical details, but you can search for my presentations on this subject; they are publicly available.

The dark side of the cloud

Are you sure that you know all of the following?

  • What information is synced between your device and iCloud (or just uploaded to iCloud)
  • If Apple really deletes your data from iCloud when you delete it from the device
  • What information Apple provides to the law enforcement once they are served with a legal request

Nobody knows, and I have some surprises for you.

First, Apple syncs more data with iCloud than it publicly admits. A good example is the call log (the list of incoming and outgoing calls); there is no option on the iPhone that disables syncing.

Second, there is some extra data in iCloud such as iCloud access logs, stored for 28 days. They include your IP address (which can be used to approximate your physical location) and the time stamp.

Next, it is not clear what really happens when you delete the data. In the past, we found some of the data to remain on Apple’s servers past the advertised retention time, including media files (photos and videos), Web history and notes. Moreover, we found a way to extract it. At this time, our method does not work anymore, but we don’t know whether it is still saved somewhere, and if it is, whether it is provided to law enforcement agencies (maybe just the select few).

Bonus track: Google and Microsoft

This is definitely outside the scope of this article, but you might be curious how Apple iCloud security compares to Google and Microsoft, the other two major cloud vendors.

Neither of these companies offers detailed descriptions of how they store and encrypt the user’s data. Still, it is not too hard to guess, based on what we know.

Google saves enormous amounts of data. It sources the data from all the devices running its software or using its services, and not just from Android. As opposed to Apple, even though Google provides granular control over what data is stored or synced, it is not easy to disable or enable data syncing from the device(s). The data stored by Google usually includes detailed location history, a comprehensive history of the user’s search queries, all of the user’s purchases (not just with Google), and a lot more.

Microsoft syncs or may sync less data than Apple and Google, but the company still has some. This includes Web history and Bing searches, contacts, Cortana commands, Skype conversations and more, including BitLocker recovery keys. Microsoft does not make it very clear what data is saved in the account.

Cloud acquisition

If you want to get the maximum amount of data from Apple iCloud, you have no choice but to use Elcomsoft Phone Breaker. iCloud backups, files from iCloud Drive, iCloud Photos, the FileVault 2 recovery token, iCloud keychain and all end-to-end encrypted data such as messages, Health, Screen Time and more: you can obtain all of that. This product can also extract data from Microsoft accounts, from contacts to Skype conversations.

For Google accounts, use Elcomsoft Cloud eXplorer. The only thing we cannot get is Android device backups as they are securely encrypted (we continue our research).

When it comes to other cloud data, Oxygen Forensic Suite leaves no place for competitors. The number of cloud sources it supports is impressive (close to one hundred), including Telegram, Samsung cloud, Xiaomi Mi Cloud, Huawei Cloud and dozens of others, including third-party apps that sync enormous amounts of data (and thus evidence). All that stuff is continuously improved and perfectly supported according to the vendors’ changes, contrary to similar products from other vendors, even those that are more expensive and pretend to be “number one”. Seriously, do not waste your time trying the others: you will get a result that is not even close. Do not trust vendors’ claims, but verify yourself.

Protecting your data

Do you want to make your iCloud account secure? Don’t use it this way! Just kidding; the iPhone without iCloud is quite a Samsung.

The very first thing I would recommend is requesting a copy of your data from Apple’s Data & Privacy Portal and analyzing it carefully. About the same amount of data (plus backups) will be provided to law enforcement if requested.

A more effective way is using Elcomsoft Phone Breaker to get everything including “end-to-end encrypted data”.

If you decide to keep using iCloud, here is what we can recommend (simple and probably well-known, but still often overlooked):

  • Use a secure iCloud password, long and complex enough.
  • Make sure that password does not look similar to any other passwords you use. Of course, it must not be identical to any other password you have.
  • Don’t cache that password in your Web browser, ever.
  • Don’t ever store that password in your Google Account.
  • Don’t store that password in the keychain (iOS, iPadOS or macOS).
  • Use two-factor authentication (I know some people who don’t).
  • Use strong passcode/password on your iOS device(s) and desktop(s).
  • Physically secure all your devices and never leave them unattended (even locked).
  • Did I mention you should never re-use your passwords and passcodes?
  • Keep all your devices updated to the latest system (iOS/iPadOS/Windows/macOS), and do not forget about your Apple TV and Apple Watch.
  • If you are using an old Android (more than one year old), don’t count on updates to arrive. Just buy the current flagship.
  • For Windows, follow our recommendations listed here; the macOS guide will follow.
  • Be aware of the checkm8 exploit if you are using an old device. Be aware that some data can be extracted even from locked and disabled devices.
  • Remember how to enable the SOS mode.
  • Know how to use Find My.

If you work for law enforcement

Speaking of iCloud, you have several options. First, read our recent Apple vs. Law Enforcement: Cloud Forensics for a better understanding of what is stored in iCloud, how it is encrypted and protected, and what your options are. In general, you need to analyze all devices the suspect regularly used, and probably even those that have been used at least once. You might be able to get lockdown records, which may give you access to a locked device, or extract passwords saved in the browser. Better yet, attend one of the ElcomSoft trainings to understand how to obtain as much data as possible from every available source. We don’t just tell you how to use our software. Instead, we offer the complete workflow, talk about the typical mistakes and share our knowledge and expertise.

Conclusion

So what about iCloud security today? I would say, it is generally OK. More information here:

Still, we have two conflicting thoughts. First, Apple saves a lot of data in iCloud, and we don’t know all the details. The fact that others are (much) worse in this respect doesn’t change much. Second, Apple makes the work of forensic experts unnecessarily more complicated without making any real security improvements, all the time. Apple, it’s hard to wear two hats.

What can possibly go wrong with that iPhone? I’ll have a look (oh, it’s locked!), then switch it off, eject the SIM card and pass it on to the expert. Well, you’ve just made three of the five most common mistakes making subsequent unlock and extraction attempts significantly more difficult. Learn about the most common mistakes and their consequences.

Power off

The first and probably most important step (or at least one of them) is data preservation: making sure that the device content does not change, that the device does not discharge, and that it is not remotely locked or wiped. We gave an introduction to the process in our The Art of iPhone Acquisition article, but do you know what many forensic “experts” (sorry for the quotes) do first, instead of turning airplane mode on or placing the device into a Faraday bag?

They turn it off.

Granted, a powered-off device won’t make an accidental connection or self-discharge rapidly. However, if the device is powered off, you’re making the device switch from the forensic-friendly AFU* mode into the locked-down BFU* mode. As a result, several things happen.

  • The encryption keys are wiped from the device RAM (no instant AFU extraction possible)
  • Passcode recovery attack falls to BFU speeds (much slower than AFU attacks)
  • Biometric authentication becomes impossible
  • Lockdown records become useless; logical acquisition impossible
  • Extremely limited BFU extraction

AFU: After First Unlock; the condition in which the device has been unlocked with a passcode at least once after being powered on or rebooted.

BFU: Before First Unlock; the condition in which the device rebooted or powered on and has never been unlocked.

Ejecting SIM card

What’s the next most common mistake in mobile forensics? It’s removing the SIM card, usually just to make sure that the device does not make an accidental connection to a mobile network. I would not say it is fatal, but here is what happens, at least when the device is running iOS 11, 12 or 13:

  • The phone locks immediately
  • Biometric unlock disabled (until unlocked with the passcode)
  • USB restricted mode activated

More on biometric authentication: Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12; on USB restricted mode: USB Restricted Mode Inside Out (updates: iOS 12 Enhances USB Restricted Mode and USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two).

I believe no further explanation is needed. In short, you may completely lose an opportunity to unlock or further analyze the device.

“Don’t hold it that way”

Steve Jobs was never wrong. If you hold a modern iPhone equipped with Face ID, you’re likely to waste one or more attempts to unlock the device by pointing it towards the suspect. Why? This YouTube clip shows what happened during the iPhone X announcement.

As to the iPhones with Touch ID, make sure to never touch the fingerprint sensor. Otherwise you’ll just lose one of the five biometric unlock attempts.

Resetting backup password

In most cases (unless the device can be jailbroken or is vulnerable to the checkm8 exploit), an iTunes backup is the main source of data. iPhone backups, however, are really special (see The Most Unusual Things about iPhone Backups for details).

If the backup is password-protected, it could be a problem. Starting with iOS 10.1, brute-force password recovery is virtually impossible (though we can try, and have the software for that). However, as you know, iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password.

The problem is that all passwords in the Apple ecosystem are connected to each other (Four and a Half Apple Passwords). And if you reset the backup password (as was done recently by FTI Consulting when investigating the hack of Jeff Bezos’ phone, see the report), then the iPhone passcode is also reset. And that has bad, really bad consequences. First, you are going to lose the saved Wi-Fi passwords, Apple Pay transaction history, downloaded Exchange mail and some other data. Second (and this is critical), you lose all the things you could do with the passcode. Like what things? See iOS 11 Horror Story: the Rise and Fall of iOS Security and Protecting Your Data and Apple Account If They Know Your iPhone Passcode. This includes (but is not limited to) access to end-to-end encrypted data in iCloud, including the iCloud keychain, synced messages, Health data etc.

iOS logical acquisition

In fact, logical acquisition is not as simple as it sounds. Just create an iTunes-style backup and that’s it, right? Not quite. Several things can go wrong.

Creating a backup with iTunes. This is acceptable in general; all forensic packages create exactly the same backups as iTunes. In fact, backups are made by the service running on the iPhone itself, and not by desktop software. However, if you forget to disable iTunes sync in advance (before connecting the iPhone to the computer), the content on the device may change.

Making a passwordless backup. A backup without a password is easier to analyze, right? Yes, it is, but the devil is in the details. Backups without a password contain less data than password-protected backups. You will not get the keychain, Health data, Safari browsing history and call logs (at least).

Miss something. Well, actually a lot. Proper logical acquisition is not limited to backups. In fact, backups are just the beginning. You can also obtain media files (and not just the files but also their metadata, sometimes even for deleted files), app shared data (including but not limited to media players, office packages and even some password managers), and crash and diagnostic logs (the ultimate source of data that could really help build the timeline). All of that regardless of whether or not the user has a backup password. This, by the way, can also be done for Apple Watch and Apple TV devices, thanks to Elcomsoft iOS Forensic Toolkit.
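The two questions above (is the backup encrypted, and is its iOS version in the range where password recovery is practically hopeless) can be answered from Manifest.plist before any analysis starts. The following triage helper is an added example, not ElcomSoft code; the sample manifest it builds is constructed here and only mirrors the top-level keys of a real one (IsEncrypted, WasPasscodeSet, Lockdown/ProductVersion, Lockdown/ProductType).

```python
"""Pre-analysis triage of an iTunes-style backup's Manifest.plist.

Added example (not ElcomSoft code). Reads the keys that decide what an
examiner can expect from a backup: whether it is encrypted (and therefore
carries keychain, Health, Safari history and call logs) and whether the
iOS version is 10.1 or newer, where brute-forcing the backup password is
no longer practical.
"""
import plistlib
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

# Artifact classes that, per the text above, only exist in encrypted backups.
ENCRYPTED_ONLY: Tuple[str, ...] = ("keychain", "Health", "Safari history", "call logs")

# Backup password KDF became impractical to brute-force starting with iOS 10.1.
STRONG_KDF_SINCE = (10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'13.3' -> (13, 3); '9.3.5' -> (9, 3, 5) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class BackupTriage:
    product_type: str
    ios_version: str
    encrypted: bool
    passcode_was_set: bool
    missing_if_unencrypted: Tuple[str, ...]
    password_bruteforce_practical: bool


def triage_manifest(manifest_bytes: bytes) -> BackupTriage:
    """Summarise a Manifest.plist (binary or XML) into acquisition-relevant facts."""
    manifest = plistlib.loads(manifest_bytes)
    lockdown = manifest.get("Lockdown", {})
    version = lockdown.get("ProductVersion", "0")
    encrypted = bool(manifest.get("IsEncrypted", False))
    return BackupTriage(
        product_type=lockdown.get("ProductType", "unknown"),
        ios_version=version,
        encrypted=encrypted,
        passcode_was_set=bool(manifest.get("WasPasscodeSet", False)),
        # Unencrypted backups lack these artifact classes entirely.
        missing_if_unencrypted=() if encrypted else ENCRYPTED_ONLY,
        # Only an encrypted backup has a password to recover, and only pre-10.1
        # backups use a KDF weak enough for recovery to be realistic.
        password_bruteforce_practical=encrypted and parse_version(version) < STRONG_KDF_SINCE,
    )


def make_sample_manifest(encrypted: bool, version: str) -> bytes:
    """Constructed sample manifest; every value here is a placeholder."""
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Date": datetime(2020, 3, 1, 12, 0, 0),
        "Lockdown": {
            "ProductType": "iPhone8,1",
            "ProductVersion": version,
            "DeviceName": "Constructed iPhone",
            "UniqueDeviceID": "0" * 40,          # placeholder UDID
            "SerialNumber": "CONSTRUCTED01",     # placeholder serial
        },
    }
    if encrypted:
        manifest["BackupKeyBag"] = b"\x00" * 16  # placeholder, not a real keybag
    return plistlib.dumps(manifest)


if __name__ == "__main__":
    for enc, ver in ((True, "13.3"), (False, "13.3"), (True, "9.3.5")):
        result = triage_manifest(make_sample_manifest(enc, ver))
        print(result)
```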

Conclusion

I just listed the most common mistakes made by the law enforcement and forensic experts. We’ve seen many more of those, albeit less frequently. Strictly following the correct workflow, documenting your every step, ensuring that your steps are repeatable and results verifiable, cross-matching the results and proper reporting are essential. Just using a “tool” is not nearly enough, even if it’s the best tool on the market. The environment is always changing, and you either keep up, or fall behind. Taking a training course is one of the better ways to keep up with the ever changing mobile forensic and computer forensic environment.

What is DFU, and how is it different from the recovery mode? How do you switch the device to recovery, DFU or SOS mode, what can you do while in these modes and what do they mean in the context of digital forensics? Can you use DFU to jailbreak the device and perform the extraction if you don’t know the passcode? Read along to find out.

iOS Recovery Mode

The recovery mode is the easiest to explain. According to Apple, you can put your iOS or iPadOS device in recovery mode to restore it using your computer.

The recovery mode comes handy if one of the following situations occurs:

  • Your iOS or iPadOS device is locked after multiple unsuccessful unlock attempts and displays the infamous “Connect to iTunes” message. In many cases, connecting the device to iTunes will be unsuccessful because the data connection of the device is blocked with USB restricted mode. If this is the case, you must switch the device to recovery mode and connect to iTunes to restore.
  • You forgot the screen lock passcode and want to reset the device to factory settings. Activation lock: following the reset, you’ll have to provide the Apple ID/iCloud password of the device’s Apple ID account.
  • The device cannot fully boot; the display is stuck on the Apple logo for several minutes with no progress bar. I have personally seen this multiple times after unsuccessful iOS updates (the latest case being the almost-full iPhone 7 updated from iOS 9 straight to the latest iOS 13.3).
  • Your computer doesn’t recognize your device or says it’s in recovery mode, or you see the recovery mode screen.

How to switch the device into recovery mode

The recovery mode is well-documented in “If you can’t update or restore your iPhone, iPad, or iPod touch” (link). Connect the device to a computer with iTunes installed. Perform a force restart of the device by following instructions laid out in “If your screen is black or frozen” (link):

If your screen is black or frozen

If your screen is black or frozen, you might need to force-restart your device. A force-restart won’t erase the content on your device. You can force-restart your device even if the screen is black or the buttons aren’t responding. Follow these steps:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Power button until the device restarts.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then press and hold the Side button until you see the Apple logo.
  • iPhone 7, iPhone 7 Plus and iPod touch (7th generation): Press and hold both the Top (or Side) button and the Volume Down buttons until you see the Apple logo.
  • iPad with Home button, iPhone 6s or earlier and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons until you see the Apple logo.

After following the force-restart instructions, do not release the buttons when you see the Apple logo, wait until the recovery mode screen appears:

  • iPad models with Face ID: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Press and hold the Top button until your device begins to restart. Continue holding the Top button until your device goes into recovery mode.
  • iPhone 8 or later: Press and quickly release the Volume Up button. Press and quickly release the Volume Down button. Then, press and hold the Side button until you see the recovery mode screen.
  • iPhone 7, iPhone 7 Plus, and iPod touch (7th generation): Press and hold the Top (or Side) and Volume Down buttons at the same time. Keep holding them until you see the recovery mode screen.
  • iPad with Home button, iPhone 6s or earlier, and iPod touch (6th generation) or earlier: Press and hold both the Home and the Top (or Side) buttons at the same time. Keep holding them until you see the recovery mode screen.

(source)

How to use the recovery mode

We know of several viable usage scenarios for the recovery mode.

  1. Reinstall iOS (if the iOS device is running the latest version), perform an in-place update or switch from a beta version of iOS to the current release version using the iTunes app. In this scenario, the data is preserved.
  2. Restore the device. This is what you want if you forgot the passcode. The passcode will be removed and USB restrictions disabled, but the data will be already erased by that time. Mind the activation lock.
  3. Perform a (limited) forensic extraction through recovery mode. You’ll need a reasonably up to date version of iOS Forensic Toolkit (EIFT 4.10 or newer).

Information available in recovery mode

When performing a forensic extraction of a device running in the recovery mode, note that only a very limited set of data will be available. The following information is available:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery

The Recovery mode may return the following information:

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
  • Serial number: XXXXXXXXXXX (or N/A)
  • IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
  • Mode: Recovery

How to exit recovery mode

The procedure for leaving the recovery mode is different for different devices. In general, you’ll use the following steps:

  • Unplug the USB cable.
  • Hold down the sleep/wake button or side button depending on device model until the device turns off.
  • Either keep holding the button combination or release and hold it down again until the Apple logo appears.
  • Let go of the buttons and let the device start up.

This is the Apple-recommended procedure for exiting the recovery mode:

  • iPhone 6s and earlier, Touch ID equipped iPads: hold the Home button and the Lock button until the device reboots.
  • iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.
  • iPhone 8 and newer: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of iOS recovery mode

The recovery mode has a positive yet limited value for mobile forensic specialists.

  • Enables obtaining device information without a passcode.
  • Allows bypassing the USB restricted mode (albeit accessing limited amounts of information).
  • For newer iOS devices (A12 and newer), returns more information compared to the DFU mode.

Interestingly, when users install the checkra1n jailbreak from the device GUI, the jailbreak first switches the device into recovery (unlike DFU, the recovery mode is available through the API). Only after the device is switched to recovery, the jailbreak prompts for a switch to DFU and displays step-by-step instructions and timings. Alternatively, the jailbreak can be installed from the command line, which will bypass the intermediary recovery mode.

iOS DFU Mode

The undocumented DFU stands for “Device Firmware Upgrade”. Unlike the recovery mode, which is designed with an ordinary user in mind, the DFU mode was never intended for the public. There is no documentation about DFU anywhere in the Apple Knowledge Base. Entering DFU mode involves a complicated sequence of pressing, holding and releasing buttons with precise timings. Wrong timings during any of the multiple steps would reboot the device instead of switching it to DFU. Finally, there is no on-screen indication of DFU mode. If the device is successfully switched to DFU, the display remains black. Entering DFU mode can be difficult even for experts.

DFU is part of the bootrom, which is burned into the hardware. On A7 through A11 devices, a vulnerability has been discovered that allows bypassing SecureROM protection and jailbreaking the device via DFU mode. More in our blog: BFU Extraction: Forensic Analysis of Locked and Disabled iPhones.

Steps for entering DFU mode differ between devices. Some devices have several different methods to invoke DFU, making it even more confusing. The differences in procedures may be severe between device generations. Since no official instructions are available, we have to rely on third-party sources for information.

Note: the device screen will be completely black while in DFU mode. The iPhone Wiki explains steps required to enter the DFU mode in a dedicated article. According to the article, this is how you enter DFU mode on the different device models. If you are more of a visual learner, check out this link with video tutorials instead: How To Put An iPhone In DFU Mode, The Apple Way

Apple TV

  1. Plug the device into your computer using a USB cable.
  2. Force the device to reboot by holding down the “Menu” and “Down” buttons simultaneously for 6-7 seconds.
  3. Press “Menu” and “Play” simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in Recovery Mode.

A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Home button and Lock button.
  3. After 8 seconds, release the Lock button while continuing to hold down the Home button.
    • If the Apple logo appears, the Lock button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Alternative method 1:

  1. Hold the Lock Button for 3 seconds
  2. Continue holding the Lock button and also hold the Home button (15 seconds)
  3. Release the Lock button while continuing to hold the Home button (10 seconds)
  4. Your device should enter DFU mode

Alternative method 2:

  1. Connect the device to your computer and launch iTunes. Turn the device off.
  2. Hold down the Lock button and Home button together for exactly 10 seconds, then release the Lock button.
  3. Continue holding the Home button until iTunes on your computer displays a message that a device in recovery mode has been detected. The device screen will remain completely black.

A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Side button and Volume Down button.
  3. After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A11 and newer devices (iPhone 8 and above, including the iPhone Xr, Xs and Xs Max; iPad Pro 2018, iPad Air 2019, iPad Mini 2019)

  1. Connect the device to a computer using a USB cable.
  2. Quick-press the Volume Up button
  3. Quick-press the Volume Down button
  4. Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  5. After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  6. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.


Sources: iphonewiki and other third-party sources

Information available in DFU mode

The DFU mode returns even less information compared to the recovery mode.

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: N/A
IMEI: N/A
MODE: DFU

To obtain this information, use iOS Forensic Toolkit 4.10 or newer.

  • Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc.
  • ECID/Unique Chip ID: XXXXXXXXXXXXXXXX
  • Serial number: not available in DFU mode
  • IMEI: not available in DFU mode
  • Mode: DFU
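The fields listed for recovery mode and for DFU mode come from the USB identification the device exposes in those modes: the product ID tells the two modes apart, and the USB serial string published by iBoot (recovery) or the SecureROM (DFU) carries CPID, BDID and ECID, with serial number and IMEI tokens present only when the device reports them, which is why they show as N/A in DFU. The parser below is an added example, not part of iOS Forensic Toolkit; the two serial strings are constructed samples, the ECID and serial values are placeholders, and the CPID-to-SoC table is the public chip-ID list (verify it against your own reference before relying on it).

```python
"""Triage of an iOS device found in Recovery or DFU mode from its USB identity.

Added example (not ElcomSoft code). Classifies the mode from the USB product
ID and parses the iBoot/SecureROM serial string into the fields the text
above lists (CPID/SoC, BDID, ECID, serial number, IMEI), marking missing
fields as N/A exactly as the tool output above does.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

APPLE_VID = 0x05AC
PID_DFU = 0x1227                              # SecureROM DFU mode
PID_RECOVERY = {0x1280, 0x1281, 0x1282, 0x1283}  # iBoot recovery mode variants

# Public chip IDs (CPID) -> SoC generation.
CPID_TO_SOC = {
    0x8940: "A5", 0x8942: "A5", 0x8945: "A5X", 0x8947: "A5",
    0x8950: "A6", 0x8955: "A6X", 0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9", 0x8003: "A9", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X", 0x8015: "A11",
    0x8020: "A12", 0x8027: "A12X", 0x8030: "A13",
}
# Generations the text above describes as affected by the bootrom vulnerability.
BOOTROM_AFFECTED = {"A5", "A5X", "A6", "A6X", "A7", "A8", "A8X",
                    "A9", "A9X", "A10", "A10X", "A11"}

# Constructed sample strings (ECID and serial are placeholders, not real values).
RECOVERY_SAMPLE = ("CPID:8000 CPRV:21 CPFM:03 SCEP:01 BDID:06 "
                   "ECID:000A1B2C3D4E5F60 IBFL:1D SRNM:[CONSTRUCTED01]")
DFU_SAMPLE = ("CPID:8000 CPRV:21 CPFM:03 SCEP:01 BDID:06 "
              "ECID:000A1B2C3D4E5F60 IBFL:3C SRTG:[iBoot-0000.0.0.0.0]")

# key:value tokens; bracketed values may contain spaces or be empty.
_TOKEN = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


@dataclass
class PrebootInfo:
    mode: str
    cpid: Optional[int] = None
    bdid: Optional[int] = None
    ecid: Optional[str] = None
    serial_number: Optional[str] = None
    imei: Optional[str] = None
    soc: Optional[str] = None
    bootrom_affected: Optional[bool] = None


def classify_mode(vid: int, pid: int) -> str:
    """Map a USB vendor/product ID pair to the pre-boot mode it indicates."""
    if vid != APPLE_VID:
        return "Unknown"
    if pid == PID_DFU:
        return "DFU"
    if pid in PID_RECOVERY:
        return "Recovery"
    return "Normal/other"


def parse_usb_serial(vid: int, pid: int, serial_string: str) -> PrebootInfo:
    """Parse the iBoot/SecureROM USB serial string into device facts."""
    info = PrebootInfo(mode=classify_mode(vid, pid))
    for key, raw in _TOKEN.findall(serial_string):
        value = raw.strip("[]")
        if key == "CPID":
            info.cpid = int(value, 16)
        elif key == "BDID":
            info.bdid = int(value, 16)
        elif key == "ECID":
            info.ecid = value.upper()
        elif key == "SRNM":           # only present in recovery mode, if at all
            info.serial_number = value or None
        elif key == "IMEI":           # rarely present; N/A otherwise
            info.imei = value or None
    if info.cpid is not None:
        info.soc = CPID_TO_SOC.get(info.cpid)
        if info.soc is not None:
            info.bootrom_affected = info.soc in BOOTROM_AFFECTED
    return info


def render(info: PrebootInfo) -> List[str]:
    """Format the parsed facts in the same shape as the tool output above."""
    na = lambda v: v if v else "N/A"
    soc = f"{info.soc} (CPID {info.cpid:04X})" if info.cpid is not None else "N/A"
    return [
        f"SoC: {soc}",
        f"Board ID: {info.bdid:02X}" if info.bdid is not None else "Board ID: N/A",
        f"ECID: {na(info.ecid)}",
        f"Serial Number: {na(info.serial_number)}",
        f"IMEI: {na(info.imei)}",
        f"MODE: {info.mode}",
    ]


if __name__ == "__main__":
    print("\n".join(render(parse_usb_serial(APPLE_VID, 0x1281, RECOVERY_SAMPLE))))
    print()
    print("\n".join(render(parse_usb_serial(APPLE_VID, PID_DFU, DFU_SAMPLE))))
```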

How to exit DFU mode

The process of exiting DFU mode is also different across devices.

For devices with a physical Home button (up to and including iPhone 6s and iPhone SE): hold the Home button and the Lock button until the device reboots.

For iPhone 7 and iPhone 7 Plus: hold down the Side button and Volume Down button until the device reboots.

For iPhone 8 and iPhone 8 Plus, iPhone X: click the Volume Up button, then click the Volume Down button, then hold down the Side button until the device reboots.

Forensic implications of DFU mode

The DFU mode may have a huge value for mobile forensic specialists depending on the device model. iPhone, iPod Touch and iPad devices based on A5 through A11 generations of Apple processors (iPhone generations from iPhone 4s through iPhone 8, 8 Plus and iPhone X, as well as the corresponding iPad models) have a non-patchable, hardware-based bootrom vulnerability. This vulnerability allows installing a jailbreak on affected devices regardless of the version of iOS that is installed. This also makes it possible to extract a limited but still significant amount of data through DFU mode without knowing or breaking the passcode.

  • All devices: enables obtaining device information without a passcode
  • All devices: allows bypassing the USB restricted mode (albeit accessing limited amounts of information)
  • Vulnerable iOS devices (A5 through A11 generations): returns significantly more information compared to the recovery mode
  • Criminals exploit the vulnerability to remove Activation Lock from vulnerable devices (A5 through A11 generations) running older versions of iOS. Reportedly, this vulnerability has been fixed by Apple in iOS 13.3; however, considering the nature of the exploit, this functionality may reappear.

The following information is extractable from vulnerable iOS devices:

  • Limited file system extraction: the list of installed applications, some Wallet data, the list of Wi-Fi connections, some media files, notifications (these may contain some chat messages and other useful data), and many location points.
  • Keychain records with kSecAttrAccessibleAlways and kSecAttrAccessibleAlwaysThisDeviceOnly
  • Oxygen Forensic Detective additionally processes files such as /private/var/wireless/Library/Databases/DataUsage.sqlite (apps’ network activities), /private/var/preferences/ (network interfaces) or /private/var/mobile/Library/Voicemail/ (voicemail messages) to display even more information.

More information in BFU Extraction: Forensic Analysis of Locked and Disabled iPhones and iOS Device Acquisition with checkra1n Jailbreak.

Differences between DFU and recovery modes

While both DFU and recovery are designed to fulfil essentially the same goal of recovering a non-bootable device by flashing known working firmware, they are very different in the way they work.

The recovery mode boots into the bootloader (iBoot), and works by issuing commands through the bootloader. The bootloader is part of the operating system, and can be flashed, updated or patched if there are any vulnerabilities discovered. The recovery mode will only accept signed firmware images, so going back to firmware that is no longer signed by Apple is not possible. While the device is in recovery mode, the user gets a clear visible indication on the device:

DFU, or Device Firmware Upgrade, on the other hand, allows restoring devices from any state, including devices with a corrupted bootloader. DFU does not operate through a software-upgradeable bootloader. Instead, DFU is burned into the hardware as part of the SecureROM. DFU cannot be updated, patched or disabled. As a result, the bootrom vulnerability and the corresponding checkm8 exploit cannot be patched by Apple, allowing experts to extract certain data from affected devices while bypassing passcode protection and USB restrictions.

DFU will also accept only signed firmware packages. As long as a package is still signed by Apple, the user can upgrade and downgrade firmware at will since there is no downgrade protection in DFU. There is no indication on the device that the device is in DFU mode. During DFU interfacing, the device screen remains black.

The recovery mode was designed for end users and Apple facilities, while the DFU mode was never meant for the end user at all. Entering the recovery mode is easy; any reasonably experienced user can follow the instructions. Entering the DFU mode is not only significantly trickier, but requires precise timings. Hold a button one second too long, and the device simply reboots instead of entering DFU.

The S.O.S. mode

The third and final special mode we’re about to discuss today is the S.O.S. mode. The S.O.S. mode can be manually invoked by the user while the device is running. Apple has a comprehensive description of S.O.S. mode in Use Emergency SOS on your iPhone.

Activating S.O.S. mode

On newer devices without the Home button (as well as the iPhone 8 and 8 Plus), the S.O.S. mode is activated in exactly the same way as the power-off sequence. Users press and hold one of the volume buttons and the side button. The power off/emergency screen appears.

On older devices, the S.O.S. mode is activated by rapidly pressing the side (or top) button five times. The Emergency SOS slider will appear. Users in India only need to press the button three times, after which the iPhone automatically makes an emergency call.

“If you use the Emergency SOS shortcut, you need to enter your passcode to re-enable Touch ID, even if you don’t complete a call to emergency services.” (Source: Use Emergency SOS on your iPhone)

How to exit S.O.S. mode

To exit the S.O.S. mode, users tap on the “Cancel” icon. The device will prompt for the passcode (biometric identification methods are disabled). Alternatively, one can slide the Power off slider to the right to switch off the device.

Forensic implications of S.O.S. mode

Once invoked, the S.O.S. mode has the following forensic implications.

  • All biometric authentication methods (Touch ID and Face ID) are disabled. The device must be unlocked with a passcode.
  • Data transmission on the USB port is switched off (USB restricted mode is immediately activated). This makes traditional acquisition efforts fruitless, potentially affecting passcode recovery solutions offered by companies such as Cellebrite and GrayShift.

For us, this year has been full of all sorts of developments in desktop, mobile and cloud forensics. We are proud of our achievements and want to share them with you. Let’s have a quick look at what we’ve achieved in the year 2019.

Mobile Forensics: iOS File System Imaging

We started this year by updating Elcomsoft iOS Forensic Toolkit, and by a twist of fate it became our most developed tool in 2019. The developments went through a number of iterations. The release of the unc0ver and Electra jailbreaks enabled Elcomsoft iOS Forensic Toolkit to support physical acquisition for iOS 11.4 and 11.4.1 devices, allowing it to produce file system extractions via jailbreak.

In the meanwhile, we updated Elcomsoft Phone Viewer with support for file system images produced by GrayKey, a popular forensic solution for iOS physical extraction. Analysing GrayKey output with Elcomsoft Phone Viewer became faster and more convenient.

Later in February, Elcomsoft iOS Forensic Toolkit received a major update, adding support for physical acquisition of Apple devices running iOS 12. The tool became capable of extracting the content of the file system and decrypting passwords and authentication credentials stored in the iOS keychain. For the first time, iOS Forensic Toolkit made use of a rootless jailbreak with significantly smaller footprint compared to traditional jailbreaks.

Not long ago, Elcomsoft iOS Forensic Toolkit 5.20 was updated with file system extraction support for select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Making use of the new future-proof bootrom exploit built into the checkra1n jailbreak, EIFT is able to extract the full file system image and decrypt passwords and authentication credentials stored in the iOS keychain. And finally, the sensational version 5.21 raised a storm of headlines talking about iOS Forensic Toolkit as the ‘New Apple iOS 13.3 Security Threat’. Why? We made the tool support the extraction of the iOS keychain from locked and disabled devices in BFU mode (Before First Unlock). The extraction is available on Apple devices built with A7 through A11 generation SoCs via the checkra1n jailbreak.

Mobile Forensics: Logical Acquisition

Later on, Elcomsoft Phone Viewer was further updated to recover and display Restrictions and Screen Time passwords when analysing iOS local backups. In addition, version 4.60 became capable of decrypting and displaying conversation histories in Signal, one of the world’s most secure messaging apps. Experts became able to decrypt and analyse Signal communication histories when analysing the results of iOS file system acquisition.

Desktop Forensics and Trainings

In 2019 we’ve also updated Advanced PDF Password Recovery with a new Device Manager, and added support for NVIDIA CUDA 10 and OpenCL graphic cards to Advanced Office Password Recovery. Advanced Intuit Password Recovery added support for Quicken and QuickBooks 2018-2019 covering the changes in data formats and encryption of newest Intuit applications. In addition, the tool enabled GPU acceleration on the latest generation of NVIDIA boards via CUDA 10.

We are proud to say that the many changes we implemented in Elcomsoft Distributed Password Recovery are based on the users’ feedback we received by email and in person, during and after the training sessions. We had several trainings this year in the UK, Northern Ireland and Canada. “Fantastic. Time well spent on the training and on software that will be very useful on cases in the future”, commented a Computer Forensic Examiner.

Cloud Forensics

We learned how to extract and decrypt Apple Health data from the cloud – something that Apple won’t provide to law enforcement when serving legal requests. Health data can serve as essential evidence during investigations. The updated Elcomsoft Phone Viewer can show Apple Health data extracted with Elcomsoft Phone Breaker or available in iOS local backups and file system images.

Very soon Elcomsoft Phone Breaker 9.20 expanded the list of supported data categories, adding iOS Screen Time and Voice Memos. Screen Time passwords and some additional information can be extracted from iCloud along with other synchronized data, while Voice Memos can be extracted from local and cloud backups and iCloud synchronized data.

Skype anyone? In December, Elcomsoft Phone Viewer and Elcomsoft Phone Breaker were updated to extract and display Skype conversation histories.

Desktop Forensics: Disk Encryption

Elcomsoft System Recovery received a major update with enhanced full-disk encryption support. The update made it easy to process full-disk encryption by simply booting from a flash drive. The tool automatically detects full-disk encryption, extracting and saving information required to brute-force passwords to encrypted volumes. In addition, the tool became capable of saving the system’s hibernation file to the flash drive for subsequent extraction of decryption keys for accessing encrypted volumes.

Cloud Forensics: iOS 13 & Authentication Tokens

Elcomsoft Phone Breaker 9.15 added the ability to download iCloud backups created with iPhone and iPad devices running iOS 13 and iPadOS. In addition, the tool became able to extract fully-featured iCloud authentication tokens from macOS computers.

Following this, Elcomsoft Phone Breaker 9.30 delivered a new iCloud downloading engine and low-level access to iCloud Drive data. Thanks to the new iCloud engine, the tool became capable of downloading backups produced by devices running all versions of iOS up to iOS 13.2, while advanced iCloud Drive structure analysis enables deep, low-level analysis of iCloud Drive secure containers.

Cloud Forensics: Google

Elcomsoft Cloud Explorer 2.20 boosted the number of data types available for acquisition, allowing experts to download several new types of data: data sources in the Visited tree, Web pages opened on Android devices, requests to Google Assistant in Voice search, Google Lens in Search history, Google Play Books and Google Play Movies & TV.

Challenges in Computer and Mobile Forensics: What to Expect in 2020

The past two years introduced a number of challenges forensic experts have never faced before. In 2018, Apple made it more difficult for the police to safely transport a seized iPhone to the lab by locking the USB port with USB restricted mode, making data preservation a challenge. The release of the A12 platform, also in 2018, made it difficult to unlock iOS devices protected with an unknown password, while this year’s release of iOS 13 rendered unlock boxes useless on iPhones based on the two most recent platforms.

On desktop and especially laptop computers, the widespread use of SSD drives made it impossible to access deleted data due to trim and garbage collection mechanisms. The users’ vastly increased reliance on cloud services and mass migration off the forensically transparent SMS platform towards the use of end-to-end encrypted messaging apps made communications more difficult to intercept and analyze.

The sheer amount of data is greater than ever, making users rely more on external (attached) storage than on internal hard drives. Many attached storage devices use secure encryption, some of them without even prompting the user. Extracting data from such devices becomes a challenge, while analyzing the huge amounts of information now requires significantly more time and effort.

The number of online accounts used by an average consumer grows steadily year over year. While password reuse and the use of cloud services to store and synchronize passwords makes experts’ jobs easier, the spread of secure, encrypted password management services is turning into a new challenge.

Knowing the everyday challenges in desktop and mobile forensics, we can now peek into the future. (more…)

Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of the Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are closely related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview of how these passwords are used and how they are related to each other, what the default settings are and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force a forgotten password.

(more…)

The Screen Time passcode is an optional feature of iOS 12 and 13 that can be used to secure the Content & Privacy Restrictions. Once the passcode is set, iOS will prompt for the Screen Time passcode, in addition to the screen lock passcode, if an expert attempts to reset the device backup password (iTunes backup password). As a result, experts will require two passcodes in order to reset the backup password: the device screen lock passcode and the Screen Time passcode. Since the 4-digit Screen Time passcode is separate from the device lock passcode (the one that is used when locking and unlocking the device), it becomes an extra security layer effectively blocking logical acquisition attempts.

Since users don’t have to enter the Screen Time passcode as often as their screen lock passcode, it is easy to genuinely forget it. Apple does not offer an official routine for resetting or recovering Screen Time passcodes other than resetting the device to factory settings and setting it up as a new device (as opposed to restoring it from the backup). For this reason, the official route is unacceptable during the course of device acquisition.

Unofficially, users can recover their Screen Time passcode by making a fresh local backup of the device and inspecting its content with a third-party tool. In iOS 12, the Screen Time passcode can only be recovered from password-protected backups; in iOS 13, the passcode cannot be obtained even from the local backup. If local backups are protected with a password not known to the expert, the situation becomes a deadlock: one cannot reset an unknown backup password without the Screen Time passcode, and one cannot access the Screen Time passcode without decrypting the backup.

Elcomsoft Phone Breaker 9.20 offers an effective solution to the deadlock by obtaining Screen Time passcodes from the user’s iCloud account. The tool supports all versions of iOS 12 and 13.

(more…)

With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decrypt Signal databases extracted from the iPhone via physical (well, file system) acquisition, and that was a tough nut to crack.

What exactly makes Signal so difficult to crack? Let us first look at how one can gain access to users’ communications occurring in other instant messengers.

Interception: the MITM attack

The first method is interception. One can attempt to intercept conversations in transit. This is very difficult in practice, as everyone is touting point-to-point encryption. While technically the traffic can be intercepted, decrypting it will require a malicious app installed on the end-user device (such as the infamous NSO Group spyware). Without direct government intervention or proposed encryption backdoors, one can hardly ever intercept messaging with a MITM attack. It is very important to understand that even if your iPhone is secure, the other party’s device running the iOS, Android or desktop app (which is much easier to break) might be compromised. If the other party is compromised, all your communications with that party will be compromised as well.

Signal implements special protection measures against MITM attacks, making certificate spoofing useless and complicating malware-based attacks. (more…)