Posts Tagged ‘jailbreak’

We recently introduced a new acquisition method for iPhone and iPad devices. The fast, simple and safe extraction agent requires no jailbreak, and delivers the full file system image and the keychain. The latest release of Elcomsoft iOS Forensic Toolkit expanded this method to iOS 13 and filled the gaps in some versions of iOS 12 that were missing support (such as iOS 12.3 and 12.4.1). Finally, we now officially support the latest generation of iPhone devices including the iPhone 11, iPhone 11 and iPhone 11 Pro. The new compatibility matrix becomes significantly more diverse with this release, so bear with us to learn which iOS devices can be extracted without a jailbreak.

Compatibility

The extraction agent is supported on the following models and iOS versions:

  • iPhone 6s to iPhone X, iPad 5th and 6th gen, iPad Pro 1st and 2nd gen: iOS/iPadOS 11.0 – 13.3
  • iPhone Xr, Xs, Xs Max, iPad Mini 5, iPad Air 3rd gen, iPad Pro 3rd gen, iPod Touch 7th gen: iOS/iPadOS 12.0 – 13.3
  • iPhone 11, 11 Pro, 11 Pro Max: iOS 13.0 – 13.3

For some older models, compatibility remains unchanged. The following models are supported if running iOS 11-12.2 and iOS 12.4:

  • iPhone 5s, 6, 6 Plus
  • iPad Mini 2 and 3
  • iPad Air (1st gen)

There are two ‘iffy’ models: the iPad Mini 4 and iPad Air 2. While the agent-based extraction method will sure work on these models running iOS 11 through 12.2, we have not tested them with iOS 12.3, 12.4.1 or any version of iOS 13.

Requirements

Make sure that your device model and OS version are compatible, and register an Apple Developer account (here is why). Of course, you will need the latest version of iOS Forensic Toolkit, too. The software is really simple to use, but we still recommend to attend our trainings.

General advantages

The main advantage of this method is its wide compatibility with multiple iPhone and iPad models. In the future, we may add support for older iOS versions (to avoid all the troubles with jailbreaking, see below), and of course will do our best to add compatibility with newer versions (iOS 13.3.1 and up).

Next, the extraction agent is safe and reliable. Nothing wrong may happen; the worst is just a reboot of the device, or our method may simply not work on your device. See the Trobleshooting section below for some tips; sometimes it takes several tries (though usually it works from the first try).

Forensically sound? It depends on what you mean by that. Here is a good definition:

Digital evidence is said to be forensically sound if it was collected, analyzed, handled and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident.

(another good source: When is Digital Evidence Forensically Sound?)

For 64-bit iPhones (starting with the iPhone 5s), there is NO method of data acquisition that does not make ANY changes to the system, despite what other vendors say. Some traces are always left, like records in some system logs.

Next, the extraction speed. Instead of re-using ssh, we transfer the data directly over the USB. This method is more reliable and significantly faster; on modern iPhone models, the speed is about 2.5 GB/min.

Finally, the simplicity. No, it is still far from the proverbial “one button” solution, which simply does not exist in the area. Still, we did our best to make acquisition as simple and straightforward as possible, and we are still improving it. Just follow the software manual carefully, and make sure you read the articles published in our blog.

Last but not least. The agent extracts not only the full file system but also the complete keychain. While you can also extract the keychain from iTunes-style-backups, it won’t be complete as a lot of records cannot be decrypted. Use Elcomsoft Phone Breaker to view all the keychain records:

Advantages over jailbreaking

One can also perform full file system acquisition even for latest iPhone models with iOS 13 through jailbreaking. But there are some things you should know.

Jailbreaking is not completely safe. It may brick the device or put it into a boot loop, and it also makes multiple changes to the device file system, even with the rootless jailbreak.

Are there any disadvantages of agent-based extraction? Not a single one, at least for iOS 11.0 to 13.3. Except checkra1n (see below).

One more thing. With iOS 13, some files and folders have improved security attributes and are not accessible by tar over ssh. There is no such problem with agent-based acquisition.

We even made our method compatible with intermediate beta versions of iOS (in the 11-13.3 range) where jailbreaks do not work at all.

Advantages over checkm8 extraction

checkm8-based acquisition is pretty nice, but the devil is in the detail.

First, checkm8 is compatible with a limited number of devices and iOS versions: iPhone 5s to iPhone X, and iOS from 12.3. So forget about the iPhone Xr, Xs, 11 and 11 Pro (as well as many iPads); they are not vulnerable to this exploit. Also, despite the fact that the exploit is hardware-based, the checkra1n jailbreak (and all current checkm8-based acquisition processes) are NOT compatible with iOS 12.2 and below.

Second, the checkra1n jailbreak is not 100% reliable. There are so many compatible devices it does not work on, and the same about direct checkm8 implementation. If there is an error, you’re stuck with it; moreover, you can even ‘brick’ the device with it (it really happened to couple of our test devices). How about the speed? Amazingly low, thanks to ssh and some other things. Some extractions cannot complete in a week, we have no idea why.

The only two real advantages of checkra1n/checkm8 are: they do not require an Apple Developer account, and they allow BFU (Before First Unlock) extractions for devices with an unknown passcode. Also, checkra1n supports iOS 13.3.1 (the latest version at the time of writing this article, though 13.4 is expected very soon). You can use still checkra1n with our iOS Forensic Toolkit to get partial file system and keychain extraction of locked and even desiabled devices.

Usage & troubleshooting

Make sure you have read the iOS Forensic Toolkit manual first, as well as the following two articles:

We described all the steps at iPhone Acquisition Without a Jailbreak (iOS 11 and 12):

  • Put the device into airplane mode (this is mandatory!) and connect it to the computer with EIFT. Make sure that Wi-Fi and Bluetooth are disabled from iOS settings (and not from from the Control Centre)
  • Establish trust relationship (otherwise you will get the “ERROR: Could not connect to lockdownd, error code -2” message in the EIFT)
  • Install the extraction agent though EIFT. You will need to enter Apple ID and app-specific password of the developer’s account, followed by the TeamID; please note that signing the agent requires an internet connection on your computer (but NOT on the iOS device, which should remain offline at all times).
  • Once the agent is installed, it is recommended to disable all Internet connections on the computer you perform the acquisition on.
  • Tun the Agent on the device and leave it running in the foreground.
  • Acquire the keychain and capture the file system; during keychain acquisition, you will have to enter the passcode on the device (sometimes twice), or unlock using Touch ID or Face ID (for devices with Face ID, you will first receive the prompt whether you allow Agent to use it for keychain access)
  • Uninstall the agent.

If something goes wrong when you run the extraction agent on the device (e.g. “Can’t connect to device on specified port” message in EIFT), you may need to reboot the device; make sure to wait for at least one minute after rebooting before starting an agent.


Quick tip: if you do not want to enter Apple ID, password and Team ID when installing the Agent on every new device, you can set them up right in the EIFT script (Windows: Toolkit.cmd, lines 20-22; macOS: macosx/Toolkit.sh, lines 42-44):

AGENT_ID=john.doe@gmail.com
AGENT_PASSWORD=abcd-efgh-ijkl-mnop
AGENT_TEAMID=XXXXXXXXXX

Where AGENT_ID is the Apple ID enrolled into Apple Developer Program; AGENT_PASSWORD is app-specific password you should generate on your account, and AGENT_TEAMID is the Team ID (you can easily find it by logging in to Apple’s Developer Center, under Membership Information in Account | Membership).

In our recent article iPhone Acquisition Without a Jailbreak I mentioned that agent-based extraction requires the use of an Apple ID that has been registered in Apple’s Developer Program. Participation is not free and comes with a number of limitations. Why do you need to become a “developer”, what are the limitations, and is there a workaround? Read along to find out.

Sideloading IPA Packages onto iOS Devices

Elcomsoft iOS Forensic Toolkit now supporting agent-based extraction without a jailbreak also brings a new requirement. Agent-based extraction is a newer, forensically sound alternative to traditional acquisition methods requiring a jailbreak. Based on direct access to the file system, agent-based extraction does not require jailbreaking the device. Using agent-based extraction, you can can image the full file system and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.

The new acquisition method utilizes an extraction agent, which in turn is an app we’ve developed for the iOS platform. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering performance that is as close to forensically sound extraction as at all possible (only a few log entries are left behind after the agent is removed).

Interestingly, most jailbreaks (with the exception of checkra1n, which uses a bootrom exploit) also require a developer account in order to be installed. Before you begin using agent-based extraction (or install a jailbreak), you must have your Apple ID enrolled in Apple’s Developer Program. This is required in order to sideload the agent onto the iOS device being acquired. You can enroll at developer.apple.com/programs/enroll/; the process is fast and easy if you do it as a private person.

Why this requirement? Before I go into technical details, let me briefly explain what happens when you command iOS Forensic Toolkit to install an agent.

The extraction agent is deployed on iOS devices in the form of an IPA package. An IPA (iOS App Store Package) file is an iOS application archive file which stores an iOS app. Technically speaking, an IPA file is a ZIP archive that contains a binary for the ARM architecture that can be installed on an iOS device.

Each IPA file must be signed before you can install it onto an iOS device. While any Android phone can install any APK signed with a valid certificate, Apple makes sideloading apps significantly more difficult. An IPA package can be signed in one of the following ways.

Signed with a regular Apple ID

The digital signature is tied to each iOS device. An IPA signed with a certain Apple ID for a certain device can only be installed on that particular device; it cannot be distributed. If an IPA package was signed with a regular Apple ID, iOS will need to validate the digital signature by connecting to an Apple server, which means that the device you’re pushing the app to must go online in order to install the IPA. For the purposes of mobile forensics, we don’t want the device to go online to mitigate the risks of receiving a remote lock, remote erase or Find My commands, as well as syncing the device with the iCloud (many 3rd party applications may also sync, of course, as well as the system itself).

Signed with an Enterprise account

Apple enables companies distribute in-house apps to their employees bypassing Apple checks for compliance with App Store policies. These apps can be signed with a so-called enterprise certificate. Enterprise certificates must be also validated by the iOS device; the device must go online and connect to Apple servers in order to validate the certificate. These certificates are meant to be used by each company to distribute apps among its own employees. If a company attempts using their enterprise certificate to sign apps and distribute them globally, Apple revokes their certificate. However, unless revoked, enterprise certificates do not limit the number of devices that can install a signed IPA package. For this reason, leaked enterprise certificates are frequently used by third-party app stores and Web stores such as ignition.fun to sideload IPA packages.

Signed with a Developer account

Developer accounts are unique in that verification occurs on Apple servers and not on the iOS device. In order to use a developer certificate to sign an IPA package, developers must first register the iOS device (iPhone, iPad etc.) in their Apple Developer Account by adding it to the Developer Profile. Once this is done, one can sign the IPA package with their developer certificate and sideload the IPA onto the iOS device. Importantly, the iOS device will not need to go online in order to validate the certificate as its UUID is already provisioned. For this reason, developer certificates are (and have always been) the most forensically sound method of pushing jailbreaks (and now the extraction agent) onto iOS devices.

What Has Changed

For years, Cydia Impactor and similar tools have been able to sideload packages onto iOS devices using disposable Apple ID’s. Apple imposed several limitations to discourage users from treating sideloading as a replacement for Apple’s own App Store. Sideloaded apps signed with a non-developer Apple ID would expire after a mere 7 days, requiring to re-sideload and re-sign the app. Since iOS 10, one could not have more than 3 sideloaded apps on the device, and you couldn’t use the same Apple ID to sideload more than 10 apps per week. There were also other limitations in place, but at very least users could temporarily install apps that were not approved by Apple.

Something had changed in November, 2019.

About two weeks ago, Apple made a change to their provisioning service to require a different authentication scheme for “free” Apple accounts (they return an error that mentions upgrading to “Xcode 7.3”); this broke Cydia Impactor for users without a paid Apple Developer account.

https://twitter.com/saurik/status/1196888477830221824

Elcomsoft iOS Forensic Toolkit uses a similar IPA sideloading mechanism, meaning that, for the time being, the users are forced to use a paid Apple Developer account to sideload the extraction agent IPA.

We are currently working on a solution allowing our users to sideload the extraction agent using disposable (free) Apple accounts for Mac users. Windows users will likely have to wait longer.

Developer Account Limitations

Apple would not be Apple if it didn’t have some roadblocks in place.

The first roadblock has to do with two-factor authentication. An Apple ID enrolled in Apple’s Developer Program must have two-factor authentication enabled. Elcomsoft iOS Forensic Toolkit requires a login and password. As a result, you’ll have to take an extra step in setting up an Application-specific password in your Apple account. You’ll have to use that app-specific password instead of your regular Apple ID password when installing the extraction agent in iOS Forensic Toolkit.

The second limitation is about the number of devices that can be enrolled. As an Apple developer, you can only add up to 100 devices of each kind (e.g. 100 iPhones, 100 iPads etc.) per year. The number of available registration slots will only reset once a year even if you delete the device afterwards.

It is also worth noting that once you add a new device to your Developer Profile, the provisioning profile that is used to sign the extraction agent will list all previously registered device ID’s (UDID) unless you manually remove them from the Developer Profile prior to extraction (which, again, won’t reset the limit). The good news is that you won’t have to manually add the device to the developer profile if you use Elcomsoft iOS Forensic Toolkit; all you need is just command it to install an agent, and type in your developer Apple ID and that application-specific password we’ve talked about earlier.

Enrolling your Apple ID into the Developer Program can be especially tricky for corporate developers. For this reason, we recommend registering as a private person for $99 a year.

Workarounds

There are multiple apps and services positioning themselves as “App Store alternatives”. AltServer, AppStore.io, AppEven, ignition.fun, Tutuapp, Pandahelper, App Valley, Desde tu iPhone, Tweakbox and numerous other “alternative app stores” utilize a mix of paid and stolen developer accounts and leaked enterprise certificates to sign and sideload apps onto the iPhone. Some of these stores are known to overwhelmingly modify the content of the devices they sideload apps to, so neither of them can be recommended for the purpose of mobile forensics.

A Word On checkra1n & checkm8

This is slightly outside the scope of this article, but you may ask why you even need that acquisition method if there are such things as checkm8 exploit and checkra1n jailbreak that do not require a developer account to install unlike most other jailbreaks.

First, the compatibility. We have about fifty test devices (iPhones and iPads) in our lab, and most of them are checkm8-compatible, at least theoretically. If checkra1n installs, then we can make full file system acquisition and keychain extraction without an agent, minor issues with iOS 13 aside (iOS Device Acquisition with checkra1n Jailbreak). This jailbreak makes it possible to perform a limited BFU (“before first unlock”) extraction for devices with an unknown passcode, even if they are disabled or locked. But checkra1n is only compatible with iOS 12.3 and up. And of course, the hardware support is limited to the iPhone 5s through 8/8 Plus/iPhone X, so forget about iPhone Xr, Xs and 11 extraction.

Second, the reliability and speed. Not just the checkra1n itself, but even some implementations of checkm8-based extraction leave much to be desired. checkra1n fails to install on many devices for no obvious reason. In our experience, as many as 30% of devices may be problematic. The situation is even worse for direct implementations of checkm8 based extraction. Just one example; I will not name the vendor for ethical reasons:

We are currently doing our office’s first Checkm8 extraction on an iPhone 8 plus 64GB w/13.3. It’s been running two days now and the estimated time to completion keeps going up, from 8 days yesterday to now 15 days today. At first things looked pretty normal but the estimated time just keeps going up. Any ideas on what could be the problem? Another odd thing is it says 8GB of 88 GB extracted, which of course makes no sense being a 64GB device.

And one of the responses:

I also encountered a lot of iPhone devices that extracted “full file system” with no success, lasting for weeks.

Finally, the “forensically sound” issue. There is no agreement among the forensic vendor about the meaning of this term. Moreover, speaking of the iPhone extraction, it is not possible to prove that the device content has not been modified during the extraction, regardless of the method you use (whether it’s good old logical acquisition, checkm8 or agent-based extraction). All extraction methods leave some traces, making some changes to the device data.

Is agent-based solution we have implemented a silver bullet? Of course not. It also has limited compatibility with device models and iOS versions (we are working hard on that, an Elcomsoft iOS Forensic Toolkit update is coming with support for iOS 13.0-13.3 on all devices), and it also has some reliability issues. The acquisition speed is always higher; we’ve been able to get up to 40 MB/s. There are many hardware/iOS combinations that only the agent works for. You just need the Developer Account, that’s it.

Conclusion

The $99 a year for Developer Account is a great, cost-efficient investment because it’s the only type of accounts offering safe, forensic-friendly extraction. Developer accounts are the only type of accounts whose provisioning profiles do not require the device being acquired connecting to Apple servers. The entire sideloading and extraction process can be performed safely while the device is in the Airplane mode.

The popular unc0ver jailbreak has been updated to v4, and this is quite a big deal. The newest update advertises support for the latest A12 and A13 devices running iOS 13 through 13.3. The current version of iOS is 13.3.1. None of the older versions (including iOS 13.3) are signed, but still there are a lot of A12/A12X/A13 devices floating around. Until now, file system and keychain extraction was a big problem. The newest unc0ver jailbreak makes it possible.

The new build is based on an exploit that is quite reliable by itself. However, jailbreaking is more than just a single exploit; a lot of things (that are outside the scope of this article) have to be done. So the new version of a jailbreak is not a silver bullet, and may still fail on many devices; we have tested a few and received mixed results. Still, if the given device can be jailbroken with unc0ver, it means that we can pull all the data from it, down to the last bit.

ICYMI: iPhones and iPads based on A12/A12X/A13 SoC are not vulnerable to checkm8 exploit, and there is no room for BFU acquisition (if the passcode is not known). That means that jailbreaking them using iOS (not bootrom) exploits is the only way to get all the data, at least for now.

Installing the jailbreak

The jailbreak (curren version: 4.0.2) is available as an IPA file (iOS/iPadOS package). There are several methods of installing it, but they usually require signing the IPA using a third-party certificate, which is not very safe and requires approving the certificate on the device, which in turn means that you have allow the device make an Internet connection. This in turn means that the device can be remotely locked or wiped (and even if Find My is disabled, it may sync and modify the data. The only workaround is to set up the network so that that it can only access the Apple’s servers that take care of certificate approval, but this is not not as easy as it sounds.

The better and safer way is to sign the jailbreak IPA with a developer’s certificate using Cydia Impactor. You will need a developer’s account to do that. If you have one, create an Application-specific password first as Cydia Impactor does not natively support 2FA.

Once the IPA is installed, just run it and press [Jailbreak]. That simple.

Well, not quite. First, you have to press [Settings] in the top-right corner and enable the following options:

  • Re(Install) OpenSSH
  • SSH Only
  • Read-Only RootFS

What is it all about? Install OpenSSH (which is not installed by default); do not install Cydia (not only you won’t need it for the purpose of file system extraction, but removing Cydia after you’re done is a separate headache); do not remount the system partition, making the jailbreak rootless, safer, and with a minimum impact. I would not say “forensically sound”. But very close to that.

Note that the new build of unc0ver is not very reliable yet. If it fails, here is what the jailbreak developers recommend:

To everyone having reliability issues. You must follow those conditions carefully to have the best success:
– reboot
– airplane mode
– lock device
– wait 30 seconds (don’t do anything)
– jailbreak

A better exploitation method is required to avoid this. We’ll try our best.

Data acquisition

iOS Forensic Toolkit is all you need. First, do not miss some basic usage tips:

Ready to go? Extract the keychain and the file system first. Just note that with the keychain extraction, you may get error/warning messages like the following:

[+] memory_size: 3962028032
[-] no offsets for iPad8,1 17C54
[e] error reading kernel @0x0
[-] no kernel_call addresses for iPad8,1 17C54 [e] error reading kernel @0x0 Injecting to trust cache...
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
[e] error writing kernel @0x0

Just ignore them for now, we will take care on them later; they don’t seem to affect the keychain acquisition.

As for the file system, please note that if you forget to set the appropriate unc0ver options and install OpenSSH later from Cydia, acquisition will probably fail. The OpenSSH client installed alongside with the jailbreak works fine.

Anything else? Almost everything matters. Including whether you connect the iPhone directly or through a USB hub; the type of the cable (USB-A or USB-C to Lightning); and even the brand of the cable (original or not). Do not ask us why, ask Apple. To our experience, you get the best results when using an original Apple USB-A to Lightning cable connected directly (with no hubs); also, it works better on Macs. Yes, even that matters.

Data analysis

For “quick and dirty” analysis, use Elcomsoft Phone Viewer to browse the data acquired by iOS Forensic Toolkit. Do not underestimate this little tool; it does not parse all the data categories, but you will be surprised by the amount of data it can extract from media files (including deleted ones), locations, Apple Pay, Wallet etc. All the most-critical evidence is there.

Need more, including system databases, building the complete Timeline, defining social links between device contacts and extractions in Social Graph, getting comprehensive data analysis with facial recognition and image categorization, advanced data search and detailed reports? Get Oxygen Forensic Detective.

Did you extract the keychain? That’s a gold mine. Not just all the passwords and tokens (for dozens web sites, social networks, mail accounts and more), but also the encryption keys that will allow you to decrypt WhatsApp and Signal conversations. Use Elcomsoft Phone Breaker to browse it in a very convenient way (well, three ways); there you will be also able to export passwords to a wordlist, allowing you to break other files, documents and systems almost instantly.

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

Are you excited about the new checkm8 exploit? If you haven’t heard of this major development in the world of iOS jailbreaks, I would recommend to read the Technical analysis of the checkm8 exploit aricle, as well as Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer. The good news is that a jailbreak based on this exploit is already available, look at the checkra1n web site.

The jailbreak based on checkm8 supports iPhone devices based on Apple’s 64-bit platform ranging from the iPhone 5s all the way up to the iPhone 8 and iPhone X. Unlike previous jailbreaks, this one supports most iOS versions, up to and including iOS 13.2.2 at the time of  this writing. Support for future versions of iOS is also possible due to the nature of this exploit. Most iPads are also supported. Currently, there is no support for the Apple Watch, though theoretically it is possible for Series 1, 2 and 3. The Apple TV series 4 and 4K are supported by the exploit, and a jailbreak for series 4 is already available.

What does that mean for the forensic crowd? Most importantly, the jailbreak can be installed even on locked devices, as it works through DFU mode. That does not mean that you will be able to break the passcode. While you can extract some data from a locked device / unknown passcode, it won’t be much. From the other side, the jailbreak allows to dump the complete image of the file system if the passcode is known. This works for all devices from the iPhone 5s to X, many iPads, and Apple TV 4.

In this article, we will briefly describe how to install the jailbreak on Apple TV and what you can expect out of it.

(more…)

When you perform Apple iCloud acquisition, it almost does not matter what platform to use, Windows or macOS (I say almost, because some differences still apply, as macOS has better/native iCloud support). Logical acquisition can be done on any platform as well. But when doing full file system acquisition of jailbroken devices using Elcomsoft iOS Forensic Toolkit, we strongly recommend using macOS. If you are strongly tied to Windows, however, there are some things you should know.

(more…)

The iOS 12.4 jailbreak is out, and so is Elcomsoft iOS Forensic Toolkit. Using the two together, one can image the file system and decrypt the keychain of iPhone and iPad devices running most versions of iOS (except iOS 12.3 and and the latest 12.4.1, but 12.4 is still signed right now).

There is more to this jailbreak situation than meets the eye. There is not one but two different jailbreaks: unc0ver and Chimera. Both jailbreak tools come in several versions; the differences between their versions are severe. There is also a tool that can access the file system (but not the keychain) on some iOS devices without a jailbreak. Finally, we’ve been able to jailbreak the Apple TV running affected versions of tvOS.

In this article I’ll explain the differences between the two jailbreaks and their versions, provide information about the tool one can use to access the file system without jailbreaking, and provide instructions on how to safely jailbreak in offline mode.

(more…)

This post continues the series of articles about Apple companion devices. If you haven’t seen them, you may want to read Apple TV and Apple Watch Forensics 01: Acquisition first. If you are into Apple Watch forensics, have a look at Apple Watch Forensics 02: Analysis as well. Today we’ll have a look at what’s inside of the Apple TV.

A recent market analysis shows that Apple has sold more than 13 million Apple TV devices worldwide since 2016. Since 2007, Apple manufactured 6 different Apple TV models. Like any other Apple device, the model can be easily identified by checking the label on the bottom of the device.

 

The first-generation Apple TV (model A1218) contains a regular hard drive that can be extracted and imaged with a traditional approach. The operating system is a modified version of Mac OS X 10.4 (Tiger). A detailed explanation on how to approach this kind of devices was introduced at DEFCON 2009 by Kevin Estis and Randy Robbins (the presentation is available here while the video is available here).

The Apple TV from second (model A1378) to fourth (A1625) generations have an internal NAND storage varying from 8 GB (A1378 – A1427 – A1469) to 32 or 64 GB (A1625). These models also feature a USB port connection (micro USB or USB-C). The availability of a USB port allows connecting the device to a PC/Mac. Forensic experts can use the port for data extraction. Apple removed USB connectivity in the latest, fifth generation Apple TV (Apple TV 4K, model A1842), making it more difficult to connect and extract data.

(more…)

By this time, seemingly everyone has published an article or two about Apple re-introducing the vulnerability that was patched in the previous version of iOS. The vulnerability was made into a known exploit, which in turn was used to jailbreak iOS 12.2 (and most previous versions). We’ll look at it from the point of view of a forensic expert.

(more…)

What can and what cannot be done with an iOS device using Touch ID/Face ID authentication as opposed to knowing the passcode? The differences are huge. For the sake of simplicity, we’ll only cover iOS 12 and 13. If you just want a quick summary, scroll down to the end of the article for a table.

BFU and AFU

Let’s get it out of the way: everything that’s listed below applies exclusively to AFU (After First Unlock) devices. You cannot use biometrics to unlock an iOS device that’s been restarted or powered on; such devices are in the state known as BFU (Before First Unlock).

BFU, Before First Unlock: The iOS device was restarted or powered off; you powered it on but cannot unlock it because it’s protected with an unknown passcode.

AFU, After First Unlock: The iOS device was unlocked (with a passcode) at least once after it’s been last rebooted or powered on.

Screen Lock: Unlocking the Device

Touch ID or Face ID can be only used to unlock AFU devices. In order to unlock a BFU device, you’ll have to use the passcode. Even if you manage to bypass the lock screen (via an exploit), you won’t be able to access most device data as it will be encrypted. The decryption key is generated when the user first unlocks the device; the key is based on the passcode.

(more…)