ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Posts Tagged ‘Lockdown’

Accessing Lockdown Files on macOS

Thursday, July 12th, 2018

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down to the Earth explanation of a lockdown records is it’s simply a file stored on the user’s computer. More technically, lockdown files keep cryptographic keys that are used to allow iOS devices communicate with computers they are paired to. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records help the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it’s connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored at /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you’ll need to manually grant access rights to this folder. This is how.

(more…)

iOS Forensic Toolkit 4.0 with Physical Keychain Extraction

Wednesday, June 20th, 2018

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

(more…)

iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

Thursday, January 25th, 2018

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

Despite that, pairing records have been immensely handy for mobile forensic specialists as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records had never expired. One could use a year-old lockdown file to access the content of an iPhone without a trouble.

Good things seem to end. In iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.

To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.

If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.

Pairing in iOS

In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must be first established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

(more…)

The iPhone is Locked-Down: Dealing with Cold Boot Situations

Thursday, November 9th, 2017

Even today, seizing and storing portable electronic devices is still troublesome. The possibility of remote wipe routinely makes police officers shut down smartphones being seized in an attempt to preserve evidence. While this strategy used to work just a few short years ago, this strategy is counter-productive today with full-disk encryption. In all versions of iOS since iOS 8, this encryption is based on the user’s passcode. Once the iPhone is powered off, the encryption key is lost, and the only way to decrypt the phone’s content is unlocking the device with the user’s original passcode. Or is it?

The Locked iPhone

The use of Faraday bags is still sporadic, and the risk of losing evidence through a remote wipe command is well-known. Even today, many smartphones are delivered to the lab in a powered-off state. Investigating an iPhone after it has been powered off is the most difficult and, unfortunately, the most common situation for a forensic professional. Once the iOS device is powered on after being shut down, or if it simply reboots, the data partition remains encrypted until the moment the user unlocks the device with their passcode. Since encryption keys are based on the passcode, most information remains encrypted until first unlock. Most of it, but not all. (more…)

Acquisition of a Locked iPhone with a Lockdown Record

Monday, November 28th, 2016

The previous article was about the theory. In this part we’ll go directly to practice. If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to searching user’s computers for a lockdown record.

(more…)

Forensic Implications of iOS Lockdown (Pairing) Records

Friday, November 25th, 2016

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up. (more…)