Posts Tagged ‘iPhone’

What can possibly go wrong with that iPhone? I’ll have a look (oh, it’s locked!), then switch it off, eject the SIM card and pass it on to the expert. Well, you’ve just made three of the five most common mistakes, making subsequent unlock and extraction attempts significantly more difficult. Learn about the most common mistakes and their consequences.

Power off

The first and probably the most important step (or at least one of them) is data preservation: making sure that the device content does not change, that the device will not discharge, and that it will not be remotely locked or wiped, etc. We gave an introduction to the process in our The Art of iPhone Acquisition article, but do you know what many forensic “experts” (sorry for the quotes) do first, instead of turning airplane mode on or placing the device into a Faraday bag?

They turn it off.

Granted, a powered-off device won’t make an accidental connection or self-discharge rapidly. However, if the device is powered off, you’re making the device switch from the forensic-friendly AFU* mode into the locked-down BFU* mode. As a result, several things happen.

  • The encryption keys are wiped from the device RAM (no instant AFU extraction possible)
  • Passcode recovery attacks fall back to BFU speeds (much slower than AFU attacks)
  • Biometric authentication becomes impossible
  • Lockdown records become useless; logical acquisition is impossible
  • BFU extraction yields an extremely limited set of data

AFU: After First Unlock; the condition in which the device has been unlocked with a passcode at least once after being powered on or rebooted.

BFU: Before First Unlock; the condition in which the device has been rebooted or powered on and has never been unlocked since.

Ejecting SIM card

What’s the next most common mistake in mobile forensics? It’s removing the SIM card, usually just to make sure that the device does not make an accidental connection to a mobile network. I would not say it is fatal, but here is what happens, at least when the device is running iOS 11, 12 or 13:

  • The phone locks immediately
  • Biometric unlock is disabled (until the device is unlocked with the passcode)
  • USB restricted mode is activated

More on biometric authentication: Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12; on USB restricted mode: USB Restricted Mode Inside Out (updates: iOS 12 Enhances USB Restricted Mode and USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two).

I believe no further explanation is needed. In short, you may completely lose an opportunity to unlock or further analyze the device.

“Don’t hold it that way”

Steve Jobs was never wrong. If you hold a modern iPhone equipped with Face ID, you’re likely to waste one or more of the attempts you could otherwise use to unlock the device by pointing it towards the suspect. Why? This YouTube clip shows what happened during the iPhone X announcement.

As to the iPhones with Touch ID, make sure to never touch the fingerprint sensor. Otherwise you’ll just lose one of the five biometric unlock attempts.

Resetting backup password

In most cases (unless the device can be jailbroken or is vulnerable to the checkm8 exploit), an iTunes backup is the main source of data. iPhone backups, however, are really special (see The Most Unusual Things about iPhone Backups for details).

If the backup is password-protected, it could be a problem. Starting with iOS 10.1, brute-force password recovery is virtually impossible (though we can try, and have the software for that). However, as you know, iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password.

The problem is that all passwords in the Apple ecosystem are connected to each other (Four and a Half Apple Passwords). And if you reset the backup password (as was done recently by FTI Consulting when investigating the hack of Jeff Bezos’ phone, see the report), then the iPhone passcode is also reset. And that has bad, really bad consequences. First, you are going to lose the saved Wi-Fi passwords, Apple Pay transaction history, downloaded Exchange mail and some other data. Second (and this is critical), you lose all the things you could do with the passcode. Like what things? See iOS 11 Horror Story: the Rise and Fall of iOS Security and Protecting Your Data and Apple Account If They Know Your iPhone Passcode. This includes (but is not limited to) access to end-to-end encrypted data in iCloud, including the iCloud keychain, synced messages, Health data etc.

iOS logical acquisition

In fact, logical acquisition is not as simple as it sounds. Just create an iTunes-style backup and that’s it, right? Not quite. Several things can go wrong.

Creating a backup with iTunes. This is acceptable in general; all forensic packages create exactly the same backups as iTunes. In fact, backups are made by the service running on the iPhone itself, and not by desktop software. However, if you forget to disable iTunes sync in advance (before connecting the iPhone to the computer), the content on the device may change.

Making a passwordless backup. A backup without a password is easier to analyze, right? Yes, it is, but the devil is in the details. Backups without a password contain less data than password-protected backups. You will not get the keychain, Health data, Safari browsing history and call logs (at least).

Missing something. Well, actually a lot. Proper logical acquisition is not limited to backups. In fact, backups are just the beginning. You can also obtain media files (and not just the files but also their metadata, sometimes even for deleted files), app shared data (including but not limited to media players, office packages and even some password managers), and crash and diagnostic logs (the ultimate source of data that can really help build the timeline). All of that regardless of whether or not the user has a backup password. This, by the way, can also be done for Apple Watch and Apple TV devices, thanks to Elcomsoft iOS Forensic Toolkit.

Conclusion

I just listed the most common mistakes made by law enforcement and forensic experts. We’ve seen many more of those, albeit less frequently. Strictly following the correct workflow, documenting your every step, ensuring that your steps are repeatable and results verifiable, cross-matching the results and proper reporting are essential. Just using a “tool” is not nearly enough, even if it’s the best tool on the market. The environment is always changing, and you either keep up or fall behind. Taking a training course is one of the better ways to keep up with the ever-changing mobile forensic and computer forensic environment.

Challenges in Computer and Mobile Forensics: What to Expect in 2020

The past two years introduced a number of challenges forensic experts have never faced before. In 2018, Apple made it more difficult for the police to safely transport a seized iPhone to the lab by locking the USB port with USB restricted mode, making data preservation a challenge. The release of the A12 platform, also in 2018, made it difficult to unlock iOS devices protected with an unknown password, while this year’s release of iOS 13 rendered unlock boxes useless on iPhones based on the two most recent platforms.

On desktop and especially laptop computers, the widespread use of SSD drives made it impossible to access deleted data due to TRIM and garbage collection mechanisms. The users’ vastly increased reliance on cloud services and the mass migration off the forensically transparent SMS platform towards end-to-end encrypted messaging apps made communications more difficult to intercept and analyze.

The sheer amounts of data are greater than ever, making users rely more on external (attached) storage compared to internal hard drives. Many attached storage devices use secure encryption, some of them without even prompting the user. Extracting data from such devices becomes a challenge, while analyzing the huge amounts of information now requires significantly more time and effort.

The number of online accounts used by an average consumer grows steadily year over year. While password reuse and the use of cloud services to store and synchronize passwords make experts’ jobs easier, the spread of secure, encrypted password management services is turning into a new challenge.

Knowing everyday challenges in desktop and mobile forensics, we can now peek into the future.

Just like the previous generation of OLED-equipped iPhones, the iPhone 11 Pro and Pro Max both employ OLED panels that are prone to flickering that is particularly visible to those with sensitive eyes. The flickering is caused by PWM (Pulse Width Modulation), a technology used by OLED manufacturers to control display brightness. While both panels feature higher peak brightness compared to the OLED panel Apple used in the previous generations of iPhones, they are still prone to the same flickering at brightness levels lower than 50%. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users.

Google has equipped its new-generation Pixel 4 and Pixel 4 XL devices with innovative OLED panels offering smooth 90 Hz refresh rates. While these OLED panels look great on paper, they have two major issues. First, the 90 Hz refresh rate is only enabled by Google at brightness levels of 75% or higher. Second, the displays flicker at brightness levels below 75%.

In this article, we’ll describe methods to get rid of OLED flickering on the last generations of Apple and Google smartphones without rooting or jailbreaking.

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate from the main screen lock passcode you use to unlock your device. If you configure Screen Time restrictions to match your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On the flip side, there is no official way to recover the Screen Time password if you ever forget it, other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need them.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer.

We all know how much important data is stored in modern smartphones, making them an excellent source of evidence. However, data preservation and acquisition are not as easy as they sound. There is no silver bullet or “fire and forget” solution to solve cases or extract evidence on your behalf. In this article, which is loosely based on our three-day training program, we will describe the proper steps in the proper order to retain and extract as much data from the iPhone as theoretically possible.

The new generation of jailbreaks has arrived for iPhones and iPads running iOS 12. Rootless jailbreaks offer experts the same low-level access to the file system as classic jailbreaks – but without their drawbacks. We’ve been closely watching the development of rootless jailbreaks, and developed full physical acquisition support (including keychain decryption) for Apple devices running iOS 12.0 through 12.1.2. Learn how to install a rootless jailbreak and how to perform physical extraction with Elcomsoft iOS Forensic Toolkit.

Jailbreaking and File System Extraction

We’ve published numerous articles on iOS jailbreaks and their connection to physical acquisition. Elcomsoft iOS Forensic Toolkit relies on public jailbreaks to gain access to the device’s file system, circumvent iOS security measures and access device secrets allowing us to decrypt the entire content of the keychain including keychain items protected with the highest protection class.

The two recent jailbreaks, unc0ver and Electra, have finally enabled file system extraction for Apple devices running iOS 11.4 and 11.4.1. At this time, all versions of iOS 11 can be jailbroken regardless of hardware. Let’s talk about the forensic consequences of today’s release: keychain and file system extraction.

The release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defeat passcode cracking tools such as those developed by Cellebrite and Grayshift. As a reminder, iOS 11.4.1 automatically switches off data connectivity of the Lightning port one hour after the device was last unlocked, or one hour after the device has been disconnected from a USB accessory or computer. In addition, users can manually disable the USB port by following the S.O.S. mode routine.

iOS 12 takes USB restrictions one step further. According to the new iOS Security guide published by Apple after the release of iOS 12, USB connections are disabled immediately after the device locks if more than three days have passed since the last USB connection, or if the device is in a state when it requires a passcode.

“In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device will disallow new USB connections immediately after it locks. This is to increase protection for users that don’t often make use of such connections. USB connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.”

Source: Apple iOS Security, September 2018

With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.

Apple Pay serves as a digital wallet, digitizing the user’s payment cards and completely replacing traditional swipe-and-sign and chip-and-PIN transactions at compatible terminals. However, unlike traditional wallets, Apple Pay also keeps detailed information about the user’s point of sale transactions. Due to the sheer amount of highly sensitive information processed by the system, Apple Pay is among the most securely protected vaults in compatible devices. In this article we’ll show you where and how this information is stored in the file system, how to extract it from the iPhone and how to analyse the data.

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.

We tested the Electra jailbreak and can confirm that iOS Forensic Toolkit 4.0 is fully compatible. File system imaging and keychain extraction work; no OpenSSH installation required as Electra includes an SSH client listening on port 22.

Why Jailbreak?

For the general consumer, a jailbreak is an open security vulnerability asking for trouble. Apple warns users against jailbreaking their devices, and there is much truth in their words.

Forensic experts use jailbreaks for very different reasons compared to enthusiast users. A wide-open security vulnerability is exactly what they want in order to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking allows extracting the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits.

In addition to sandboxed app data (which includes conversation histories and downloaded mail), experts can also extract and decrypt the keychain, a system-wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class ThisDeviceOnly (this is how).

The New Electra Jailbreak

Jailbreaking iOS versions past 11.1.2 (for which a Google-discovered vulnerability was published along with a proof-of-concept tool) was particularly challenging but not impossible. At this time, a team of jailbreakers discovered not one but two different vulnerabilities, releasing two versions of Electra jailbreak. Why the two versions?