Slide transcript (2016)
1
iOS Acquisition Methods Compared: extracting data via physical, logical, or cloud acquisition
Vladimir Katalov, ElcomSoft Co.Ltd.
2
• Contacts
• Call logs and text messages
• Emails and chats
• Account passwords
• Web, application and Wi-Fi passwords
• Documents, settings and databases
• Web browsing and history
• Pictures and videos
• Geolocation history, routes and places
• 3rd party app data
• Cached internet data
• System and application logs
• Social network activities
What’s Inside? How To Extract It?
3
Preserving evidence
Seizing and storing the device
Common mistakes and their consequences
Vectors of attack
Cloud and Over-the-Air Acquisition
Offline Backups
Physical Acquisition
Common mistakes and consequences
iOS Forensics
4
Some acquisition methods common on other platforms are not available for iOS
JTAG: there is no test access port
Chip-off: full-disk encryption makes offline attacks completely useless
Bypassing screen lock: encryption key derived from passcode
iOS Forensics Acquisition Methods That Don’t Work
5
If it’s on, don’t switch it off
Some data is available even if device is locked
If switched off, no Wi-Fi connection until unlocked with passcode
If switched off, unlocking with fingerprint reader not possible (must enter passcode)
If unlocked, don’t let it lock: Settings – General – Auto-Lock – Never
Much easier acquisition
Will be able to produce offline backup
iOS Forensics Seizing and Preserving Evidence
6
Use Faraday bag; Connect to a charger
Isolates from wireless networks
Otherwise, remote wipe easily possible
What can happen:
▫ BBC News: Cambridgeshire, Derbyshire, Nottingham, and Durham police "don't know how people wiped them." (9 Oct 2014)
▫ Darvel Walker, Morristown, wiped his iPhone remotely; charged with tampering with evidence (7 Apr 2015)
Seizing and Preserving Evidence
iOS Forensics
7
• 64-bit Apple devices equipped with fingerprint reader: iPhone 5S to 7, iPad Mini 3/4, iPad Air 2, iPad Pro
• Touch ID expires in 48 hours, or if passcode not used for 6 days AND not unlocked with Touch ID for 8 hours
• Unavailable after cold boot (device must be unlocked with passcode at least once to use Touch ID)
• You only have 3 attempts. When checking device lock status, DO NOT PRESS THE HOME BUTTON (or you lose one of the 3 attempts); use the Power button instead
• Touch ID cannot be used to jailbreak the device
• Touch ID can be used to:
• establish trust with a desktop
• make local backup
• force cloud backup
iOS Forensics Touch ID
8
Logical Acquisition (Backups)
Backup can be encrypted with unknown password
Recovery timeframe unpredictable, result not guaranteed
Physical Acquisition
On recent devices, must unlock/know the passcode
Jailbreak required, multiple issues arise
Apple won’t help breaking into devices running iOS 8 and newer
▫ Pairing records survive until first reboot
Over-the-Air (Cloud) Extraction
Apple ID/password or binary authentication token
Can be obtained from Apple with court order
iOS Forensics Vectors of Attack
9
Depends on what you have and what you know
Case-by-case basis
One or more methods may be available
Each method has pros and cons
No straightforward solution
iOS Forensics Choosing Acquisition Method
10
The ability to unlock the device is crucial for many acquisition approaches
Knowing the passcode is enormous help
Full-disk encryption tied to the passcode
Bypassing is pointless. Passcode must be known
Passcode recovery boxes
Some claim to bypass “Erase data after 10 failed passcode attempts”
Claimed recovery time: 17 hours to fully enumerate 4-digit passcodes
Reality: about 10% success rate; sometimes, devices are erased after 10 failed attempts contrary to manufacturer’s claims
iOS Forensics Passcode Lock
11
Request cloud backups from Apple
Need to follow Legal Process Guidelines
Long response time
Not convenient data format
Fresh backup may not be available
▫ San Bernardino case: last backup several months old
First Things First
iOS Forensics
12
Is the device locked?
Was it unlocked at least once after boot?
• Is fingerprint unlock available?
Do you know the passcode?
Is it jailbroken?
• Can it be jailbroken?
What version of iOS is it running?
iOS Forensics What Is Available?
Do you have access to synced desktop?
• Lockdown records available?
Local backups available?
• Password-protected or not?
iCloud for Windows installed?
• Mac OS X Lion v10.7.5 has iCloud
iCloud authentication token available?
Do you know Apple ID & password?
13
If device is unlocked or can be unlocked, several acquisition options are available
Option 1: produce local backup with iTunes or iOS Forensic Toolkit
Option 2: attempt jailbreak, perform physical acquisition
Option 3: force cloud backup (via Settings – iCloud – Backups)
iOS Forensics Device Is Unlocked
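The checklist above and the three options for an unlocked device, encoded as a small triage function. This is an added example and not ElcomSoft's code or tooling; the field names, the jailbreak version ranges (TaiG 8.1.3–8.4, Pangu 9.0–9.3.3, nothing for 9.3.4+ and iOS 10) and the order in which options are listed come from the slides as they stood in 2016 and are assumptions beyond that date.

```python
# Added example: acquisition triage encoded from the talk's checklist
# ("What Is Available?" and "Device Is Unlocked"). Not ElcomSoft code.
# Version ranges are the ones the slides give for 2016 (TaiG 8.1.3-8.4,
# Pangu 9.0-9.3.3, nothing for 9.3.4+ and iOS 10): assumptions frozen there.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JAILBREAKS = (((8, 1, 3), (8, 4, 0), "TaiG"), ((9, 0, 0), (9, 3, 3), "Pangu"))


def parse_version(text: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in text.split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]


def jailbreak_tool(version: str) -> Optional[str]:
    v = parse_version(version)
    for lo, hi, name in JAILBREAKS:
        if lo <= v <= hi:
            return name
    return None


@dataclass
class DeviceState:
    ios_version: str
    locked: bool = True
    unlocked_since_boot: bool = False    # passcode entered at least once after boot
    passcode_known: bool = False
    passcode_empty: bool = False
    touch_id_usable: bool = False        # within the 48 h / 8 h windows, attempts left
    jailbroken: bool = False
    is_64bit: bool = True
    legacy_bootrom: bool = False         # iPhone 4 / iPad 1 / iPod touch 4 and older
    fresh_lockdown_record: bool = False  # pairing record, device not rebooted since
    backup_password_known: bool = True
    apple_id_password_known: bool = False
    two_factor_enabled: bool = False
    second_factor_available: bool = False
    icloud_token_available: bool = False
    known_wifi_in_reach: bool = False


def can_unlock(s: DeviceState) -> bool:
    return (not s.locked) or s.passcode_known or s.passcode_empty or s.touch_id_usable


def triage(s: DeviceState) -> Dict[str, Tuple[bool, List[str]]]:
    """Map each acquisition option to (feasible, notes), in the order to try them."""
    out: Dict[str, Tuple[bool, List[str]]] = {}

    # 1. Cloud download needs no device. A token sidesteps 2FA; a password may not.
    if s.icloud_token_available:
        out["cloud download"] = (True, ["token: no password, no 2FA"])
    elif s.apple_id_password_known:
        blocked = s.two_factor_enabled and not s.second_factor_available
        out["cloud download"] = (not blocked, ["2FA: need the second factor"] if blocked
                                 else ["password known: run cloud acquisition first"])
    else:
        out["cloud download"] = (False, ["no password or token; do NOT reset the Apple ID password"])

    # 2. Logical (backup): unlockable device, or a pairing record that is still valid.
    logical = can_unlock(s) or (s.fresh_lockdown_record and s.unlocked_since_boot)
    notes = [] if logical else ["locked and no usable pairing record"]
    if logical and not s.backup_password_known:
        notes.append("backup password unknown: recovery has no guaranteed timeframe")
    out["logical (backup)"] = (logical, notes)

    # 3. Physical: bootrom-era devices always; others need a jailbreak, which needs
    #    a known or empty passcode, and 64-bit devices keep the keychain sealed.
    if s.legacy_bootrom:
        out["physical"] = (True, ["bootrom exploit: passcode not required, 4-digit passcode recoverable"])
    else:
        tool = jailbreak_tool(s.ios_version)
        passcode_ok = s.passcode_known or s.passcode_empty
        feasible = passcode_ok and (s.jailbroken or tool is not None)
        if s.jailbroken and not s.is_64bit:
            feasible = True                  # 32-bit + jailbreak: passcode brute-forced on device
        notes = []
        if not s.jailbroken:
            notes.append(f"jailbreak with {tool}; remove passcode, disable Find My iPhone" if tool
                         else f"no jailbreak for iOS {s.ios_version}")
        if not passcode_ok:
            notes.append("passcode unknown")
        if s.is_64bit:
            notes.append("64-bit: keychain stays encrypted (Secure Enclave)")
        out["physical"] = (feasible, notes)

    # 4. Force a fresh iCloud backup, then fetch it with whatever credentials exist.
    if can_unlock(s):
        out["force cloud backup"] = (True, ["Settings > iCloud > Backup > Back Up Now"])
    elif s.unlocked_since_boot and s.known_wifi_in_reach:
        out["force cloud backup"] = (True, ["known Wi-Fi, charger, screen locked, leave overnight"])
    else:
        out["force cloud backup"] = (False, ["cold boot or no known Wi-Fi: device will not join a network"])

    if not any(ok for ok, _ in out.values()):
        out["request backup from Apple"] = (True, ["Legal Process Guidelines; slow, may be stale"])
    return out
```

The function deliberately refuses nothing on its own authority: a cold-booted, passcode-locked 64-bit device with no credentials ends up with every option marked infeasible and only the Apple request left, which is exactly the situation the earlier slides describe.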
14
Acquisition steps:
Make the device produce a backup or
Access information stored in existing backup
Limitations:
Device must be unlocked (with passcode, Touch ID, iTunes or lockdown file)
May produce encrypted backup
Must break password (no guaranteed timeframe, no guarantee of success)
Limited amount of information
iOS Forensics Make a Local Backup
15
Connect to iTunes
Unlock (with passcode or via iTunes)
Check if Encrypt iPhone backup is activated
If not set, select that option and specify your own backup password (otherwise, keychain items are encrypted with a hardware key and cannot be decrypted)
Choose This Computer, then Backup Now
iOS Forensics Making the Phone Produce a Backup
16
• iTunes uses pairing records to identify a trusted desktop
• A trusted desktop can be used to produce a local backup
• No need to unlock the iPhone, but it must be unlocked at least once after being powered on
Windows: %ProgramData%\Apple\Lockdown
Mac OS X: /var/db/lockdown
* Since iOS 8, lockdown files expire after iOS device reboots
iOS Forensics Lockdown Records
iOS 4 through 7, iOS 8.0 through 8.2
Access to file_relay, afc, house_arrest
Can extract almost everything, even if backup password is specified
iOS 8.3 and newer
Backup only, settings apply (e.g. password protection)
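What a pairing record actually contains, as an added example that is not part of the talk or of ElcomSoft's tools: a small inspector for the per-UDID plist files in the directories listed above. The key names it reads (HostID, SystemBUID, WiFiMACAddress, HostCertificate, EscrowBag) are the ones iTunes and libimobiledevice write into these records; the two records it inspects are constructed in a temporary directory. Note the caveat the slide makes: since iOS 8 the file itself cannot tell you whether the device has rebooted since pairing, so the file being present is not the same as the record being usable.

```python
# Added example: read the pairing (lockdown) records a trusted desktop keeps,
# one plist per device UDID in the directories the slide lists. Not ElcomSoft
# code; the records it inspects are constructed in a temp directory.
# Key names (HostID, SystemBUID, WiFiMACAddress, HostCertificate, EscrowBag)
# are those iTunes and libimobiledevice write to these files.
import os
import platform
import plistlib
import tempfile
import uuid
from datetime import datetime, timezone


def default_lockdown_dir() -> str:
    if platform.system() == "Windows":
        base = os.environ.get("ProgramData", r"C:\ProgramData")
        return os.path.join(base, "Apple", "Lockdown")
    return "/var/db/lockdown"          # macOS (and libimobiledevice on Linux)


def inspect_record(path: str) -> dict:
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)        # handles XML and binary plists
    return {
        "udid": os.path.splitext(os.path.basename(path))[0],
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_host_cert": "HostCertificate" in rec,
        # EscrowBag holds the escrow keybag that lets this host work with the
        # device while it is locked (after its first unlock since boot).
        "has_escrow_bag": "EscrowBag" in rec,
        "last_written": datetime.fromtimestamp(os.path.getmtime(path), timezone.utc),
    }


def inspect_lockdown_dir(directory: str) -> list:
    results = []
    for name in sorted(os.listdir(directory)):
        # SystemConfiguration.plist is the host's own BUID, not a device pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        results.append(inspect_record(os.path.join(directory, name)))
    return results


def write_sample_records(directory: str) -> str:
    """Constructed sample data, not from a real device."""
    udid = "0123456789abcdef0123456789abcdef01234567"   # 40-hex UDID (assumed)
    record = {
        "HostID": str(uuid.uuid4()).upper(),
        "SystemBUID": str(uuid.uuid4()).upper(),
        "WiFiMACAddress": "a4:5e:60:00:00:01",
        "HostCertificate": b"placeholder, not a real PEM certificate",
        "EscrowBag": os.urandom(64),
    }
    with open(os.path.join(directory, udid + ".plist"), "wb") as fh:
        plistlib.dump(record, fh)
    with open(os.path.join(directory, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": record["SystemBUID"]}, fh)
    return udid


def demo() -> tuple:
    """Write the constructed records to a temp dir and inspect them."""
    directory = tempfile.mkdtemp(prefix="lockdown-")
    udid = write_sample_records(directory)
    return udid, inspect_lockdown_dir(directory)


if __name__ == "__main__":
    target = default_lockdown_dir()
    records = inspect_lockdown_dir(target) if os.path.isdir(target) else demo()[1]
    for r in records:
        print(r["udid"], r["host_id"], "escrow" if r["has_escrow_bag"] else "no escrow")
```

Whether a record still authenticates is only known to the device; with libimobiledevice the check is `idevicepair validate`, which fails after a reboot on iOS 8 and later.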
17
The lockdown record has expired
You cannot use an expired lockdown record to authenticate an iPhone
Try unlocking via other means
“Cold boot” situation
Unlock the device at least once after booting so that it can accept iTunes pairing records
The Encrypt iPhone backup option is activated and you don’t know the password
Password cannot be changed without specifying the old password
Make the phone produce a backup nevertheless. Attempt recovering backup password with Elcomsoft Phone Breaker
iOS Forensics What If…?
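The backup procedure from the “Making the Phone Produce a Backup” slide and the “What If…?” cases above, as an added example that swaps in libimobiledevice's idevicepair / ideviceinfo / idevicebackup2 for iTunes (the talk itself uses iTunes; this is not ElcomSoft's code). The device facts (paired, unlocked once since boot, backup encryption on, password known) are passed in rather than queried, so the resulting command plan can be checked without a device attached; run_plan() executes it when one is. The default examiner password and the UDID are placeholders.

```python
# Added example (not from the talk, which uses iTunes): the same procedure with
# libimobiledevice's idevicepair / ideviceinfo / idevicebackup2. Device facts
# are parameters so the plan can be checked offline; run_plan() runs it.
import subprocess
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in text.split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]


def pairing_record_services(ios_version: str) -> List[str]:
    """Per the slide: file_relay/afc/house_arrest up to iOS 8.2, backup only from 8.3."""
    if parse_version(ios_version) < (8, 3, 0):
        return ["file_relay", "afc", "house_arrest", "backup"]
    return ["backup"]


def backup_plan(udid: str, out_dir: str, *, unlocked_since_boot: bool, paired: bool,
                encryption_on: bool, backup_password: Optional[str]
                ) -> Tuple[List[List[str]], List[str]]:
    """argv for each step plus warnings; raises when the talk says the case cannot be worked."""
    if not unlocked_since_boot:
        raise RuntimeError("cold boot: the device must be unlocked with its passcode once "
                           "before it accepts a pairing record")
    warnings: List[str] = []
    plan: List[List[str]] = [["idevicepair", "-u", udid, "validate"]]
    if not paired:
        # Needs an unlocked device and 'Trust This Computer' confirmed on screen.
        plan.append(["idevicepair", "-u", udid, "pair"])
    plan.append(["ideviceinfo", "-u", udid, "-k", "ProductVersion"])
    if not encryption_on:
        # Turn encryption on with a password of our own so keychain items come out
        # protected by that password rather than the device hardware key.
        # (The device may ask for its passcode when this setting changes.)
        plan.append(["idevicebackup2", "-u", udid, "encryption", "on",
                     backup_password or "examiner-chosen-password"])   # placeholder default
    elif backup_password is None:
        # Unknown password: 'changepw' and 'encryption off' both need the old one,
        # so produce the backup anyway and recover the password afterwards.
        warnings.append("backup password unknown: back up anyway, then recover the password")
    plan.append(["idevicebackup2", "-u", udid, "backup", "--full", out_dir])
    return plan, warnings


def run_plan(plan: List[List[str]]) -> List[int]:
    """Execute the steps in order, stopping at the first failure; returns exit codes."""
    codes: List[int] = []
    for argv in plan:
        codes.append(subprocess.run(argv, check=False).returncode)
        if codes[-1] != 0:
            break
    return codes


if __name__ == "__main__":
    steps, warns = backup_plan("0123456789abcdef0123456789abcdef01234567",  # placeholder UDID
                               "/cases/001/backup", unlocked_since_boot=True,
                               paired=False, encryption_on=False,
                               backup_password="Examiner!2016")
    for argv in steps:
        print(" ".join(argv))
    print("pairing record on iOS 9.3.3 grants:", pairing_record_services("9.3.3"))
```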
18
• If backup password is specified (in iTunes):
• All encryption is performed inside the device (iPhone, iPad)
• iTunes pulls encrypted data stream
• No way to intercept plain data since there is none
• If you don’t know the password: no way to reset or remove it
* Can still access device info including Serial Number, iOS version etc.
iOS Forensics iTunes Backup Password
No unencrypted data leaves the phone*
19
• Unknown backup password MUST be recovered
• Recommended: use GPU acceleration
• iOS 9: 2,400 combinations per second with CPU; 150,000 with GTX 1080
• iOS 10 (prior to 10.1 beta): 6 million combinations per second with CPU
• iOS 10 uses a single SHA-256 hash instead of 10,000 iterations of PBKDF2 (SHA-1)
• Long and complex passwords are impossible to break
• Password might exist in OS X keychain
• Passwords are often re-used
iOS Forensics Breaking iTunes Backup Password
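The iteration-count point above, as an added example that is not ElcomSoft's code: the same short password is brute-forced against two verifiers, PBKDF2-HMAC-SHA1 with 10,000 iterations standing for the iOS 4–9 scheme and a single SHA-256 standing for the iOS 10.0 shortcut, and the per-guess rate of each is measured. The salt and the “verifier = derived key” layout are constructed for the demo; a real backup keybag wraps class keys with the derived key rather than storing a bare hash, so only the cost ratio carries over, not the file format.

```python
# Added example (not ElcomSoft code): the cost of a backup-password guess under
# the two verifiers the slide contrasts. PBKDF2-HMAC-SHA1 x10,000 stands for the
# iOS 4-9 scheme; a single SHA-256 of the password for the iOS 10.0 shortcut.
# SALT and the "verifier == derived key" layout are constructed for the demo.
import hashlib
import itertools
import string
import time
from typing import Callable, Iterable, Optional, Tuple

SALT = bytes.fromhex("00112233445566778899aabbccddeeff00112233")   # constructed
ITERATIONS = 10_000


def kdf_pbkdf2_sha1(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), SALT, ITERATIONS, dklen=32)


def kdf_single_sha256(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def candidates(alphabet: str, length: int) -> Iterable[str]:
    for tup in itertools.product(alphabet, repeat=length):
        yield "".join(tup)


def brute_force(verifier: bytes, kdf: Callable[[str], bytes],
                alphabet: str = string.digits, length: int = 4) -> Tuple[Optional[str], int]:
    """Exhaust the keyspace; return (password, guesses) or (None, guesses)."""
    tried = 0
    for cand in candidates(alphabet, length):
        tried += 1
        if kdf(cand) == verifier:
            return cand, tried
    return None, tried


def guesses_per_second(kdf: Callable[[str], bytes], seconds: float = 0.5) -> float:
    """Single-core rate for this KDF; a GPU changes the constant, not the ratio."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        kdf("%06d" % n)
        n += 1
    return n / (time.perf_counter() - start)


def hours_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    return alphabet_size ** length / rate / 3600.0


if __name__ == "__main__":
    for name, kdf in (("PBKDF2-SHA1 x10000", kdf_pbkdf2_sha1),
                      ("single SHA-256", kdf_single_sha256)):
        rate = guesses_per_second(kdf)
        pin, guesses = brute_force(kdf("0042"), kdf)
        print(f"{name:20s} {rate:12,.0f} guesses/s; 4-digit PIN after {guesses} guesses; "
              f"8 lowercase letters: {hours_to_exhaust(26, 8, rate):,.0f} h")
```

Plugging the slide's own CPU figures into hours_to_exhaust: 8 lowercase letters take about 24,000 hours at 2,400 guesses/s but under 10 hours at 6 million, which is the whole difference between “impossible to break” and “done by morning”.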
20
Decrypt backup (using the password you specified or recovered)
Explore decrypted backup using forensic software (some affordable or even free solutions exist)
Decrypt the keychain
Try to find Apple ID password or token, get access to cloud backup and FileVault recovery key
Extract passwords to other accounts (such as Google and Microsoft; get BitLocker recovery key)
Get access to mail to be able to reset other passwords
Extract authentication tokens (social networks, messengers etc)
iOS Forensics What’s Next?
21
On newer devices, jailbreak is required (no known bootrom exploits)
Passcode must be known or recovered
On 64-bit devices (iPhone 5S and up), passcode must be removed in device settings
No jailbreak for iOS 9.3.4+ and iOS 10
A lot more information than with logical or cloud acquisition
iOS Forensics Option 2: Physical Acquisition
22
You know the passcode
Or no passcode at all
Or device is already unlocked
Device is or can be jailbroken
Very few iOS users jailbreak their devices
You’ll have to do it
Jailbreaking can be tricky, not always possible
Requires passcode and Apple ID password
Find My Phone must be disabled
iOS Forensics Physical Acquisition: prerequisites
Benefits
Acquires complete, bit-precise device images
Unallocated space is extracted but cannot be decrypted
Decrypts all keychain items
Guaranteed (short) timeframe
Passcode not required for older devices or if jailbreak is installed
Simple 4-digit passcodes recovered in 10-40 minutes (for older or jailbroken devices)
23
32-bit and 64-bit devices
iPhone 4, iPad 1, iPod Touch 1-4 and all older devices: with or without jailbreak
iPhone 4S/5/5C, iPad 2-4, iPad Mini 1: only if already jailbroken or if jailbreak can be installed (known or empty passcode)
iPhone 5S/6/6S/7/Plus, iPad Air, Air 2, iPad Mini 2+, iPad Pro: only if already jailbroken or if jailbreak can be installed (known or empty passcode). Passcode must be known and must be removed in device settings prior to acquisition. Keychain cannot be decrypted (thanks to Secure Enclave)
No jailbreak for iOS 10 at this time
iOS Forensics Physical Acquisition: Hardware
24
Use TaiG (8.1.3-8.4) or Pangu (9.0-9.3.3) jailbreak
www.taig.com or www.pangu.io
http://en.pangu.io/help.html for iOS 9.3.3
Backup via iTunes
Remove passcode
Settings > Passcode > Enter your passcode > Turn Passcode Off > Enter your passcode
Disable Find My Phone
Settings > iCloud > Find My iPhone > Click to turn off
(optional) Switch to airplane mode
Start jailbreak
No jailbreak for newer iOS versions
iOS Forensics Jailbreak: How To
25
Jailbreak has many forensic implications
Dangerous, no guaranteed outcome
May brick device, destroy evidence
Not forensically sound, introduces artifacts
Process must be carefully documented
Chinese version of Pangu jailbreak for iOS 9.3.3 suspected to steal Apple ID and password
http://en.pangu.io/help.html offers a safe jailbreak that will expire in 7 days (unless Apple Developer account is used)
Each Apple Developer account can be used to sign IPA files to jailbreak a limited number of devices
Single-use Apple ID to jailbreak iOS 9.3.3 a good idea
iOS Forensics Jailbreak: Issues
26
Cloud backups are produced when:
Device connected to a known Wi-Fi network (matching SSID and password)
Connected to a charger
Screen locked
If device is unlocked or can be unlocked:
Fresh iCloud backup can be forced
Settings – iCloud – Storage & Backup – Back Up Now
iOS Forensics Option 3: Producing Cloud Backup
Use when:
Unknown iTunes backup password is set
Breaking backup password would take considerable time, need evidence immediately
Physical acquisition not available
64-bit hardware, unknown passcode
No jailbreak for this version of iOS
27
Try other methods first if passcode known or unlock possible
Bring to the proximity of a known Wi-Fi network (SSID and password must match)
Connect to a charger
Leave “overnight”
If iCloud backups are enabled, the phone should produce a fresh cloud backup
The device must be unlocked with passcode at least once after booting. Otherwise, Wi-Fi passwords remain encrypted, and the device will not attempt to connect to any Wi-Fi network.
iOS Forensics Forcing a Cloud Backup on a Locked iPhone
28
If you know the password to user’s Apple ID, perform cloud acquisition first
If you don’t, DO NOT RESET APPLE ID PASSWORD EVEN IF YOU CAN - otherwise, you won’t be able to make the phone produce a fresh cloud backup without unlocking it first
What can happen
San Bernardino case: password reset, iCloud backup impossible even with Apple cooperation
iOS Forensics Apple ID Password
29
What can go wrong:
Two-factor authentication may be an issue
Access to secondary authentication factor is required (unless using authentication token)
Cloud backup may not exist
It can be very old
iOS Forensics You Know Apple ID Password …or you do not
If iCloud for Windows is installed, binary authentication token may exist
What can go wrong: in iOS 8.x, iCloud authentication tokens expire quickly
30
The iCloud authentication token has expired
Expired tokens cannot be used to download cloud backups
The Apple ID password has been changed
All existing authentication tokens are immediately invalidated
Must enter the correct password and overcome 2FA
To force the creation of a new cloud backup, unlock the device and enter the new Apple ID password
iOS Forensics What If…?
31
Backups
Photos (iCloud Photo Library, Photo Streams)
▫ including deleted?
Internet activities: Bookmarks, Open tabs, Reading list, Browsing history
Contacts, Notes, Calendars, Wallet (including boarding passes), Maps (searches and bookmarks), Books, HomeKit data, News subscriptions, Weather
iCloud Keychain (very hard to decrypt, mandatory 2FA)
iOS Forensics iCloud Data Sync
32
• Account information
• iCloud storage information
• Contact information (billing/shipping address, emails, credit cards (last 4 digits)
• Connected devices
• Customer service records
• iTunes (purchase/download transactions and connections, update/re-download connections, Match connections, gift cards)
• Retail and online store transactions
• Email content and mail logs
• Family sharing
• iMessage and FaceTime metadata
• Devices locations
iOS Forensics iCloud Data (more)
33
Protects access to backup data, files on iCloud Drive and synced account data
Verification code sent to trusted device(s)
Overcoming 2FA is easy, if the second authentication factor is available
Alternatives:
▫ Recovery key (older two-step verification only)
▫ Authentication token extracted from user’s desktop
Two-step authentication only required once
▫ Authentication token can be saved for future access without login, password or 2FA
iOS Forensics Roadblock: Two-Factor Authentication
34
iOS Forensics What you should know about Apple iCloud
• The data is stored on 3rd party services (Microsoft, Amazon, Google)
• The data is encrypted, but encryption keys are stored along with the data
• For non-US accounts, the keys are stored in the US (source: Apple)
• No user-definable password or encryption; keys are managed by Apple
• Only the keychain is further encrypted and has mandatory 2FA
• Two-step verification and two-factor authentication are available, but not default
• No notification on iCloud user access (except if 2FA is enabled)
• Workaround for 2FA-protected accounts: using authentication tokens
• Apple stores more data than it says
• No API to access most of the data (private protocols)
35
iOS Forensics Acquisition methods pros and cons

Logical
  Pros: easiest; can get the keychain; works for all device models; works for all iOS versions
  Cons: device may be passcode-locked; backup may be password-protected
  Workarounds: use pairing (lockdown) records to perform the backup; use GPU acceleration to break the backup password

Physical
  Pros: can get as much info as possible (including location data and 3rd party app data)
  Cons: limited device and iOS version support; passcode is required; jailbreaking might be required
  Workarounds: passcode recovery devices; NAND mirroring (32-bit only)

iCloud
  Pros: three last backups available; no device required; can get iCloud synced data from all devices
  Cons: Apple ID and password required; account may be protected with 2SV or 2FA; account backups are not always available
  Workarounds: extract iCloud password from Mac keychain; use authentication tokens; Apple may help
36
iOS Forensics Google/Android to the rescue? No :(
• Google stores much more data than Apple
• Contacts, Calendars, Notes
• All internet activities
• Passwords saved in Chrome
• Location data
• Device and application activities
• Different approach: syncing
• Data is not encrypted
• No way to disable syncing some data
• No way to delete most of the data
37
iTunes
Open-source tools
▫ iLoot (https://github.com/hackappcom/iloot)
▫ InflatableDonkey (https://github.com/horrorho/InflatableDonkey)
▫ libimobiledevice (http://www.libimobiledevice.org)
▫ iMobileDevice (http://quamotion.mobi/iMobileDevice)
Commercial software
▫ Cellebrite, ElcomSoft, BlackBag etc.
iOS Forensics Tools to use
38
Vladimir Katalov, ElcomSoft Co. Ltd.
https://www.elcomsoft.com http://blog.elcomsoft.com
Facebook: ElcomSoft Twitter: @elcomsoft
iOS Acquisition Methods Compared: extracting data via physical, logical, or cloud acquisition