ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Posts Tagged ‘logical acquisition’

Accessing Lockdown Files on macOS

Thursday, July 12th, 2018

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down to the Earth explanation of a lockdown records is it’s simply a file stored on the user’s computer. More technically, lockdown files keep cryptographic keys that are used to allow iOS devices communicate with computers they are paired to. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records help the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it’s connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored at /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you’ll need to manually grant access rights to this folder. This is how.

(more…)

Breaking Deeper Into iPhone Secrets

Wednesday, June 20th, 2018

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

(more…)

Protecting Your Data and Apple Account If They Know Your iPhone Passcode

Tuesday, June 12th, 2018

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.

This time around we’ll be playing devil’s advocate. We’ll tell you how to defend your data and your Apple account if they have your iPhone and know your passcode.

iOS Devices Are Secure

We praised the iOS security model on multiple occasions. Speaking of the current pack of iOS versions (including iOS 11.4 release, 11.4.1 public beta and 12.0 first developer beta), we have full-disk encryption with decryption keys derived from the user’s passcode and protected by Secure Enclave. Thanks to the iOS keychain, we enjoy the additional layer of protection for our passwords and other sensitive information. If you protected your iPhone with a 6-digit passcode (which you really should, and which is the default since at least iOS 10), most of your information is securely encrypted until you first unlock your iPhone after it completes the boot sequence. Even if they take the memory chip off, they won’t get anything meaningful due to the encryption. (more…)

Demystifying Android Physical Acquisition

Tuesday, May 29th, 2018

Numerous vendors advertise many types of solutions for extracting evidence from Android devices. The companies claim to support tens of thousands of models, creating the impression that most (if not all) Android devices can be successfully acquired using one method or another.

On the other side of this coin is encryption. Each Google-certified Android device released with Android 6.0 or later must be fully encrypted by the time the user completes the initial setup. There is no user-accessible option to decrypt the device or to otherwise skip the encryption. While this Google’s policy initially caused concerns among the users and OEM’s, today the strategy paid out with the majority of Android handsets being already encrypted.

So how do the suppliers of forensic software overcome encryption, and can they actually extract anything from an encrypted Android smartphone locked with an unknown passcode? We did our own research. Bear with us to find out!

Many thanks to Oleg Davydov from Oxygen Forensics for his invaluable help and advise.

(more…)

iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics

Tuesday, May 8th, 2018

UPDATE June 2, 2018: USB Restricted Mode did not make it into iOS 11.4. However, in iOS 11.4.1 Beta USB Restricted Mode Has Arrived

A new iOS update is about to roll out in the next few weeks or even days. Reading Apple documentation and researching developer betas, we discovered a major new security feature that is about to be released with iOS 11.4. The update will disable the Lightning port after 7 days since the device has been last unlocked. What is the meaning of this security measure, what reasons are behind, and what can be done about it? Let’s have a closer look.

USB Restricted Mode in iOS 11.4

In the iOS 11.4 Beta, Apple introduced a new called USB Restricted Mode. In fact, the feature made its first appearance in the iOS 11.3 Beta, but was later removed from the final release. This is how it works:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The functionality of USB Restricted Mode is actually very simple. Once the iPhone or iPad is updated to the latest version of iOS supporting the feature, the device will disable the USB data connection over the Lightning port one week after the device has been last unlocked. (more…)

Demystifying Advanced Logical Acquisition

Tuesday, April 3rd, 2018

We were attending the DFRWS EU forum in beautiful Florence, and held a workshop on iOS forensics. During the workshop, an attendee tweeted a photo of the first slide of our workshop, and the first response was from… one of our competitors. He said “Looking forward to the “Accessing a locked device” slide”. You can follow our conversation on Twitter, it is worth reading.

No, we cannot break the iPhone passcode. Still, sometimes we can get the data out of a locked device. The most important point is: we never keep our methods secret. We always provide full disclosure about what we do, how our software works, what the limitations are, and what exactly you can expect if you use this and that tool. Speaking of Apple iCloud, we even reveal technical information about Apple’s network and authentication protocols, data storage formats and encryption. If we cannot do something, we steer our customers to other companies (including competitors) who could help. Such companies include Oxygen Forensics (the provider of one of the best mobile forensic products) and Passware (the developer of excellent password cracking tools and our direct competitor).

Let’s start with “Logical acquisition”. We posted about it more than once, but it never hurts to go over it again. By “Logical acquisition”, vendors usually mean nothing more than making an iTunes-style backup of the phone, full stop.

Then, there is that “advanced logical” advertised by some forensic companies. There’s that “method 2” acquisition technique and things with similarly cryptic names. What is that all about?

I am not the one to tell you how other software works (not because I don’t know, but because I don’t feel it would be ethical), but I’ll share information on how we do it with our software: the methods we use, the limitations, and the expected outcome.

(more…)

Get iOS Shared Files without a Jailbreak

Tuesday, February 20th, 2018

iOS is a locked down mobile operating system that does not allow its apps to directly access files in the file system. Unlike every other major mobile OS, iOS does not have a “shared” area in the file system to allow apps keep and share files with other apps. Yet, individual iOS apps are allowed to let the user access their files by using the file sharing mechanism.

While uploading or downloading shared files from an Android or Windows 10 smartphone occurs over a standard MTP connection established over a standard USB cable, you’ll need several hundred megabytes worth of proprietary Apple software (and a proprietary Lightning cable) to transfer files between iOS apps and the computer. But do you really?

While there’s nothing we can do about a Lightning cable, we can at least get rid of iTunes middleware for extracting files exposed by iOS apps. We’ll show you how this works with iOS Forensic Toolkit 3.0.

(more…)

Meet iOS 11.3: Apple to Make It Harder for Law Enforcement to Extract iPhone Data

Thursday, January 25th, 2018

Forget battery issues. Yes, Apple issued an apology for slowing down the iPhone and promised to add better battery management in future versions of iOS, but that’s not the point in iOS 11.3. Neither are ARKit improvements or AirPlay 2 support. There is something much more important, and it is gong to affect everyone.

Apple iOS is (and always was) the most secure mobile OS. FBI forensic expert called Apple “evil genius” because of that. Full disk encryption (since iOS 4), very reliable factory reset protection, Secure Enclave, convenient two-factor authentication are just a few things to mention. Starting with iOS 8, Apple itself cannot break into the locked iPhone. While in theory they are technically capable of creating (and signing, as they hold the keys) a special firmware image to boot the device, its encryption is not based on a hardware-specific key alone (as was the case for iOS 7 and older, and still the case for most Androids). Instead, the encryption key is also based on the user’s passcode, which is now 6 digits by default. Cracking of the passcode is not possible at all, thanks to Secure Enclave. Still, in come cases, Apple may help law enforcement personnel, and they at least provide some trainings to FBI and local police.

(more…)

How to Extract Media Files from iOS Devices

Tuesday, January 9th, 2018

Media files (Camera Roll, pictures and videos, books etc.) are an important part of the content of mobile devices. The ability to quickly extract media files can be essential for an investigation, especially with geotags (location data) saved in EXIF metadata. Pulling pictures and videos from an Android smartphone can be easier than obtaining the rest of the data. At the same time, media extraction from iOS devices, while not impossible, is not the easiest nor the most obvious process. Let’s have a look at tools and techniques you can use to extract media files from unlocked and locked iOS devices.

Ways to Extract Media Files

There is more than one way you could use to extract media files. (more…)

iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password

Thursday, November 9th, 2017

Since early days of iOS, iTunes-style system backups could be protected with a password. The password was always the property of the device; if the backup was protected with a password, it would come out encrypted. It didn’t matter whether one made a backup with iTunes, iOS Forensic Toolkit or other forensic software during the course of logical acquisition; if a backup password was enabled, all you’d get would be a stream of encrypted data.

Password protection of iOS system backups was always a hallmark of iOS data protection. We praised Apple for making it tougher for unauthorized persons to pair an iPhone to the computer in iOS 11. Today we discovered something that works in reverse, making it possible for anyone who can unlock an iPhone to simply reset the backup password. Is this so big of a deal? Prior to this discovery, forensic specialists would have to use high-end hardware to try recovering the original backup password at a rate of just several passwords per second, meaning that even the simplest password would require years to break. Today, it just takes a few taps to get rid of that password completely. If you know the passcode, logical acquisition now becomes a trivial and guaranteed endeavor.

(more…)