Posts Tagged ‘jailbreak’

The number of iOS 14 users is on the raise, and we will see it running on most Apple devices pretty soon. Apple had already stopped signing the last version of iOS 13 on all but legacy hardware. Soon, we will only see it running on the iPhone 5s and iPhone 6 which didn’t get the update, and on a small fraction of newer devices. If you are working in the forensic field, what do you need to do to make yourself ready for iOS 14? Our software may help.

The iOS backup system is truly unrivalled. The highly comprehensive, versatile and secure backups can be created with Apple iTunes. For the user, local backups are a convenient and easy way to transfer data to a new device or restore an existing one after a factory reset. For forensic experts, iOS backups are an equally convenient, versatile and easy way to obtain a copy of the user’s data without attempting to break into the device. In malicious hands, the backup becomes a dangerous weapon. Logins and passwords from the Keychain allow hackers accessing the user’s social accounts, messages, and financial information. A backup password can be set to protect local backups, but it can be removed just as easily shall the hacker have access to the physical iPhone and know its passcode. In this article, we’ll discuss how the Screen Time password can be used to further strengthen the protection of local backups.

How can you obtain the highest amount of data from an iPhone, iPad, Apple TV or Apple Watch? This is not as simple as it may seem. Multiple overlapping extraction methods exist, and some of them are limited to specific versions of the OS. Let’s go through them and summarize their availability and benefits.

Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 in the wild, forensic labs still process devices running the older version of the OS. In this update, we’ve brought support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for the Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.

Is jailbreaking an Apple TV worth it? If you are working in the forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.

Extracting the fullest amount of information from the iPhone, which includes a file system image and decrypted keychain records, often requires installing a jailbreak. Even though forensically sound acquisition methods that work without jailbreaking do exist, they may not be available depending on the tools you use. A particular combination of iOS hardware and software may also render those tools ineffective, requiring a fallback to jailbreak. Today, the two most popular and most reliable jailbreaks are checkra1n and unc0ver. How do they fare against each other, and when would you want to use each?

Elcomsoft iOS Forensic Toolkit 6.0 is out, adding direct, forensically sound extraction for Apple devices running some of the latest versions of iOS including iOS 13.3.1, 13.4 and 13.4.1. Supported devices include the entire iPhone 6s, 7, 8, X, Xr/Xs, 11, and 11 Pro (including Plus and Max versions) range, the iPhone SE, and corresponding iPad models. Let’s review the changes and talk about the new acquisition method in general.

Users of iOS Forensic Toolkit who are using jailbreak-based acquisition sometimes have issues connecting to the device. More often than not, the issues are related to SSH. The SSH server may be missing or not installed with a jailbreak (which is particularly common for iOS 9 and 10 devices). A less common issue is a non-default root password. Learn how to identify these issues and how to deal with them.

We recently introduced a new acquisition method for iPhone and iPad devices. The fast, simple and safe extraction agent requires no jailbreak, and delivers the full file system image and the keychain. The latest release of Elcomsoft iOS Forensic Toolkit expanded this method to iOS 13 and filled the gaps in some versions of iOS 12 that were missing support (such as iOS 12.3 and 12.4.1). Finally, we now officially support the latest generation of iPhone devices including the iPhone 11, iPhone 11 and iPhone 11 Pro. The new compatibility matrix becomes significantly more diverse with this release, so bear with us to learn which iOS devices can be extracted without a jailbreak.

In our recent article iPhone Acquisition Without a Jailbreak I mentioned that agent-based extraction requires the use of an Apple ID that has been registered in Apple’s Developer Program. Participation is not free and comes with a number of limitations. Why do you need to become a “developer”, what are the limitations, and is there a workaround? Read along to find out.