Posts Tagged ‘keychain’

We recently introduced a new acquisition method for iPhone and iPad devices. The fast, simple and safe extraction agent requires no jailbreak, and delivers the full file system image and the keychain. The latest release of Elcomsoft iOS Forensic Toolkit expanded this method to iOS 13 and filled the gaps in some versions of iOS 12 that were missing support (such as iOS 12.3 and 12.4.1). Finally, we now officially support the latest generation of iPhone devices including the iPhone 11, iPhone 11 and iPhone 11 Pro. The new compatibility matrix becomes significantly more diverse with this release, so bear with us to learn which iOS devices can be extracted without a jailbreak.

Compatibility

The extraction agent is supported on the following models and iOS versions:

  • iPhone 6s to iPhone X, iPad 5th and 6th gen, iPad Pro 1st and 2nd gen: iOS/iPadOS 11.0 – 13.3
  • iPhone Xr, Xs, Xs Max, iPad Mini 5, iPad Air 3rd gen, iPad Pro 3rd gen, iPod Touch 7th gen: iOS/iPadOS 12.0 – 13.3
  • iPhone 11, 11 Pro, 11 Pro Max: iOS 13.0 – 13.3

For some older models, compatibility remains unchanged. The following models are supported if running iOS 11-12.2 and iOS 12.4:

  • iPhone 5s, 6, 6 Plus
  • iPad Mini 2 and 3
  • iPad Air (1st gen)

There are two ‘iffy’ models: the iPad Mini 4 and iPad Air 2. While the agent-based extraction method will sure work on these models running iOS 11 through 12.2, we have not tested them with iOS 12.3, 12.4.1 or any version of iOS 13.

Requirements

Make sure that your device model and OS version are compatible, and register an Apple Developer account (here is why). Of course, you will need the latest version of iOS Forensic Toolkit, too. The software is really simple to use, but we still recommend to attend our trainings.

General advantages

The main advantage of this method is its wide compatibility with multiple iPhone and iPad models. In the future, we may add support for older iOS versions (to avoid all the troubles with jailbreaking, see below), and of course will do our best to add compatibility with newer versions (iOS 13.3.1 and up).

Next, the extraction agent is safe and reliable. Nothing wrong may happen; the worst is just a reboot of the device, or our method may simply not work on your device. See the Trobleshooting section below for some tips; sometimes it takes several tries (though usually it works from the first try).

Forensically sound? It depends on what you mean by that. Here is a good definition:

Digital evidence is said to be forensically sound if it was collected, analyzed, handled and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident.

(another good source: When is Digital Evidence Forensically Sound?)

For 64-bit iPhones (starting with the iPhone 5s), there is NO method of data acquisition that does not make ANY changes to the system, despite what other vendors say. Some traces are always left, like records in some system logs.

Next, the extraction speed. Instead of re-using ssh, we transfer the data directly over the USB. This method is more reliable and significantly faster; on modern iPhone models, the speed is about 2.5 GB/min.

Finally, the simplicity. No, it is still far from the proverbial “one button” solution, which simply does not exist in the area. Still, we did our best to make acquisition as simple and straightforward as possible, and we are still improving it. Just follow the software manual carefully, and make sure you read the articles published in our blog.

Last but not least. The agent extracts not only the full file system but also the complete keychain. While you can also extract the keychain from iTunes-style-backups, it won’t be complete as a lot of records cannot be decrypted. Use Elcomsoft Phone Breaker to view all the keychain records:

Advantages over jailbreaking

One can also perform full file system acquisition even for latest iPhone models with iOS 13 through jailbreaking. But there are some things you should know.

Jailbreaking is not completely safe. It may brick the device or put it into a boot loop, and it also makes multiple changes to the device file system, even with the rootless jailbreak.

Are there any disadvantages of agent-based extraction? Not a single one, at least for iOS 11.0 to 13.3. Except checkra1n (see below).

One more thing. With iOS 13, some files and folders have improved security attributes and are not accessible by tar over ssh. There is no such problem with agent-based acquisition.

We even made our method compatible with intermediate beta versions of iOS (in the 11-13.3 range) where jailbreaks do not work at all.

Advantages over checkm8 extraction

checkm8-based acquisition is pretty nice, but the devil is in the detail.

First, checkm8 is compatible with a limited number of devices and iOS versions: iPhone 5s to iPhone X, and iOS from 12.3. So forget about the iPhone Xr, Xs, 11 and 11 Pro (as well as many iPads); they are not vulnerable to this exploit. Also, despite the fact that the exploit is hardware-based, the checkra1n jailbreak (and all current checkm8-based acquisition processes) are NOT compatible with iOS 12.2 and below.

Second, the checkra1n jailbreak is not 100% reliable. There are so many compatible devices it does not work on, and the same about direct checkm8 implementation. If there is an error, you’re stuck with it; moreover, you can even ‘brick’ the device with it (it really happened to couple of our test devices). How about the speed? Amazingly low, thanks to ssh and some other things. Some extractions cannot complete in a week, we have no idea why.

The only two real advantages of checkra1n/checkm8 are: they do not require an Apple Developer account, and they allow BFU (Before First Unlock) extractions for devices with an unknown passcode. Also, checkra1n supports iOS 13.3.1 (the latest version at the time of writing this article, though 13.4 is expected very soon). You can use still checkra1n with our iOS Forensic Toolkit to get partial file system and keychain extraction of locked and even desiabled devices.

Usage & troubleshooting

Make sure you have read the iOS Forensic Toolkit manual first, as well as the following two articles:

We described all the steps at iPhone Acquisition Without a Jailbreak (iOS 11 and 12):

  • Put the device into airplane mode (this is mandatory!) and connect it to the computer with EIFT. Make sure that Wi-Fi and Bluetooth are disabled from iOS settings (and not from from the Control Centre)
  • Establish trust relationship (otherwise you will get the “ERROR: Could not connect to lockdownd, error code -2” message in the EIFT)
  • Install the extraction agent though EIFT. You will need to enter Apple ID and app-specific password of the developer’s account, followed by the TeamID; please note that signing the agent requires an internet connection on your computer (but NOT on the iOS device, which should remain offline at all times).
  • Once the agent is installed, it is recommended to disable all Internet connections on the computer you perform the acquisition on.
  • Tun the Agent on the device and leave it running in the foreground.
  • Acquire the keychain and capture the file system; during keychain acquisition, you will have to enter the passcode on the device (sometimes twice), or unlock using Touch ID or Face ID (for devices with Face ID, you will first receive the prompt whether you allow Agent to use it for keychain access)
  • Uninstall the agent.

If something goes wrong when you run the extraction agent on the device (e.g. “Can’t connect to device on specified port” message in EIFT), you may need to reboot the device; make sure to wait for at least one minute after rebooting before starting an agent.


Quick tip: if you do not want to enter Apple ID, password and Team ID when installing the Agent on every new device, you can set them up right in the EIFT script (Windows: Toolkit.cmd, lines 20-22; macOS: macosx/Toolkit.sh, lines 42-44):

AGENT_ID=john.doe@gmail.com
AGENT_PASSWORD=abcd-efgh-ijkl-mnop
AGENT_TEAMID=XXXXXXXXXX

Where AGENT_ID is the Apple ID enrolled into Apple Developer Program; AGENT_PASSWORD is app-specific password you should generate on your account, and AGENT_TEAMID is the Team ID (you can easily find it by logging in to Apple’s Developer Center, under Membership Information in Account | Membership).

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

The cloud becomes an ever more important (sometimes exclusive) source of the evidence whether you perform desktop or cloud forensics. Even if you are not in forensics, cloud access may help you access deleted or otherwise inaccessible data.

Similar to smartphones or password-protected desktops, cloud access is a privilege that is supposed to be only available to the rightful account owner. You would need a login and password and possibly the second factor. These aren’t always available to forensic experts. In fact, it won’t be easy to access everything stored in the cloud if you have all the right credentials.

Apple iCloud is one of the most advanced cloud solutions on the market, with lots of services available. These include comprehensive device backups, synchronization services across the entire Apple ecosystem including the Apple TV and Apple Watch devices, file storage, password management, home IoT devices, Health data and more. And it is pretty secure.

Let’s review all the possibilities of accessing Apple iCloud data with or without a password.

(more…)

If you are familiar with breaking passwords, you already know that different tools and file formats require a very different amount of efforts to break. Breaking a password protecting a RAR archive can take ten times as long as breaking a password to a ZIP archive with the same content, while breaking a Word document saved in Office 2016 can take ten times as long as breaking an Office 2010 document. With solutions for over 300 file formats and encryption algorithms, we still find iTunes backups amazing, and their passwords to be very different from the rest of the crop in some interesting ways. In this article we tried to gather everything we know about iTunes backup passwords to help you break (or reset) their passwords in the most efficient way.

(more…)

Jailbreaking is used by the forensic community to access the file system of iOS devices, perform physical extraction and decrypt device secrets. Jailbreaking the device is one of the most straightforward ways to gain low-level access to many types of evidence not available with any other extraction methods.

On the negative side, jailbreaking is a process that carries risks and other implications. Depending on various factors such as the jailbreak tool, installation method and the ability to understand and follow the procedure will affect the risks and consequences of installing a jailbreak. In this article we’ll talk about the risks and consequences of using various jailbreak tools and installation methods.

(more…)

There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.

A couple of quotes first, coming from the company who now partners with GrayShift to bundle their mobile forensic software (one of the best on the market, I would say) with GrayKey. They do support GrayKey-extracted data as well, and here is what they say:

“From the first iPhone extraction from GrayKey we were blown away with the amount of data they recovered”

“we’re seeing data we haven’t seen in years”

Actually, this is not exactly the case. Speaking of full file system acquisition, it’s been us who were the first on the market some 3 years ago, see Physical Acquisition for 64-bit Devices, iOS 9 Support.

Since then, we’ve been actively developing and updating iOS Forensic Toolkit, adding support for newer versions of iOS. We published a number of articles in our blog describing the benefits of file system extraction and what you can get: location data, cached mail, app-specific data, CPU and network usage data and much more.

Yes, we use the different approach, that requires jailbreaking (more on that later).

(more…)

In Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives such as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected. This includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are mostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This includes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant messengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.

If one can access information saved in the keychain, one can then gain the keys to everything managed by the device owner from their online accounts to banking data, online shopping, social life and much more.

Apple offers comprehensive documentation for developers on keychain services, and provides additional information in iOS Security Guide.

In this article we assembled information about all existing methods for accessing and decrypting the keychain secrets.

(more…)

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

(more…)

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

(more…)

Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts extracting, decrypting and viewing information stored in Apple’s protected storage. There are so many ifs and buts such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.

What is iCloud Keychain

iCloud Keychain is Apple’s best protected vault. Since iCloud Keychain keeps the user’s most sensitive information, it’s protected in every way possible. By breaking in to the user’s iCloud Keychain, an intruder could immediately take control over the user’s online and social network accounts, profiles and identities, access their chats and conversations, and even obtain copies of personal identity numbers and credit card data. All that information is securely safeguarded.

Why It Can Be Important

Forensic access to iOS keychain is difficult due to several layers of encryption. Due to encryption, direct physical access to a locally stored keychain is normally impossible; the only possible acquisition options are through a local password-protected backup or iCloud Keychain. (more…)