
Page 1: iOS Acquisition Methods Compared (2016)

iOS Acquisition Methods Compared: extracting data via physical, logical, or cloud acquisition

Vladimir Katalov, ElcomSoft Co.Ltd.

Page 2: What’s Inside? How To Extract It?

• Contacts
• Call logs and text messages
• Emails and chats
• Account passwords
• Web, application and Wi-Fi passwords
• Documents, settings and databases
• Web browsing and history
• Pictures and videos
• Geolocation history, routes and places
• 3rd party app data
• Cached internet data
• System and application logs
• Social network activities

Page 3: iOS Forensics (agenda)

Preserving evidence
▫ Seizing and storing the device
▫ Common mistakes and their consequences

Vectors of attack
▫ Cloud and Over-the-Air Acquisition
▫ Offline Backups
▫ Physical Acquisition
▫ Common mistakes and consequences

Page 4: Acquisition Methods That Don’t Work

Some acquisition methods common on other platforms are not available for iOS:
▫ JTAG: there is no test access port
▫ Chip-off: full-disk encryption makes offline attacks completely useless
▫ Bypassing screen lock: encryption key derived from passcode

Page 5: Seizing and Preserving Evidence

If it’s on, don’t switch it off
▫ Some data is available even if device is locked
▫ If switched off, no Wi-Fi connection until unlocked with passcode
▫ If switched off, unlocking with fingerprint reader not possible (must enter passcode)

If unlocked, don’t let it lock (Settings – General – Auto Lock – Never)
▫ Much easier acquisition
▫ Will be able to produce offline backup

Page 6: Seizing and Preserving Evidence (continued)

Use Faraday bag; connect to a charger
▫ Isolates from wireless networks
▫ Otherwise, remote wipe easily possible

What can happen:
▫ BBC News: Cambridgeshire, Derbyshire, Nottingham, and Durham police "don't know how people wiped them." (9.Oct.14)
▫ Darvel Walker, Morristown wiped his iPhone remotely, charged with tampering with evidence (7.Apr.15)

Page 7: Touch ID

• 64-bit Apple devices equipped with fingerprint reader: iPhone 5S to 7, iPad Mini 3/4, iPad Air 2, iPad Pro
• Touch ID expires in 48 hours, or if passcode not used for 6 days AND not unlocked with Touch ID for 8 hours
• Unavailable after cold boot (device must be unlocked with passcode at least once to use Touch ID)
• You only have 3 attempts (when checking device lock status, DO NOT PUSH THE HOME BUTTON, or you lose one of the 3 attempts; use the Power button instead)
• Touch ID cannot be used to jailbreak the device
• Touch ID can be used to:
  ▫ establish trust with a desktop
  ▫ make local backup
  ▫ force cloud backup

Page 8: Vectors of Attack

Logical Acquisition (Backups)
▫ Backup can be encrypted with unknown password
▫ Recovery timeframe unpredictable, result not guaranteed

Physical Acquisition
▫ On recent devices, must unlock/know the passcode
▫ Jailbreak required, multiple issues arise
▫ Apple won’t help breaking into devices running iOS 8 and newer
▫ Pairing records survive until first reboot

Over-the-Air (Cloud) Extraction
▫ Apple ID/password or binary authentication token
▫ Can be obtained from Apple with court order

Page 9: Choosing Acquisition Method

Depends on what you have and what you know
▫ Case-by-case basis
▫ One or more methods may be available
▫ Each method has pros and cons
▫ No straightforward solution

Page 10: Passcode Lock

The ability to unlock the device is crucial for many acquisition approaches
▫ Knowing the passcode is enormous help
▫ Full-disk encryption tied to the passcode
▫ Bypassing is pointless; passcode must be known

Passcode recovery boxes
▫ Some claim to bypass “Erase data after 10 failed passcode attempts”
▫ Claimed recovery time: 17 hours to fully enumerate 4-digit passcodes
▫ Reality: about 10% success rate; sometimes, devices are erased after 10 failed attempts contrary to manufacturer’s claims

Page 11: First Things First

Request cloud backups from Apple
▫ Need to follow Legal Process Guidelines
▫ Long response time
▫ Not convenient data format
▫ Fresh backup may not be available
▫ San Bernardino case: last backup several months old

Page 12: What Is Available?

Is the device locked?
Was it unlocked at least once after boot?
▫ Is fingerprint unlock available?

Do you know the passcode?

Is it jailbroken?
▫ Can it be jailbroken?

What version of iOS is it running?

Do you have access to synced desktop?
▫ Lockdown records available?

Local backups available?
▫ Password-protected or not?

iCloud for Windows installed?
▫ Mac OS X Lion v10.7.5 has iCloud

iCloud authentication token available?

Do you know Apple ID & password?

Page 13: Device Is Unlocked

If device is unlocked or can be unlocked, several acquisition options are available:
▫ Option 1: produce local backup with iTunes or iOS Forensic Toolkit
▫ Option 2: attempt jailbreak, perform physical acquisition
▫ Option 3: force cloud backup (via Settings – iCloud – Backups)

Page 14: Make a Local Backup

Acquisition steps:
▫ Make the device produce a backup, or
▫ Access information stored in existing backup

Limitations:
▫ Device must be unlocked (with passcode, Touch ID, iTunes or lockdown file)
▫ May produce encrypted backup; must break password (no guaranteed timeframe, no guarantee of success)
▫ Limited amount of information

Page 15: Making the Phone Produce a Backup

▫ Connect to iTunes
▫ Unlock (with passcode or via iTunes)
▫ Check if Encrypt iPhone backup is activated
▫ If not set, select that option and specify your own backup password (otherwise, keychain items will be encrypted with a hardware key and cannot be decrypted)
▫ Choose This Computer, then Backup Now

Page 16: Lockdown Records

• iTunes uses pairing records to identify a trusted desktop
• A trusted desktop can be used to produce a local backup
• No need to unlock the iPhone, but it must be unlocked at least once after being powered on

Windows: %ProgramData%\Apple\Lockdown
Mac OS X: /var/db/lockdown

* Since iOS 8, lockdown files expire after iOS device reboots

iOS 4 through 7, iOS 8.0 through 8.2
▫ Access to file_relay, afc, house_arrest
▫ Can extract almost everything, even if backup password is specified

iOS 8.3 and newer
▫ Backup only, settings apply (e.g. password protection)
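An added example, not from the slides: inventory the pairing records in a lockdown directory and report, per device UDID (the file name), which host paired it and whether the record carries an EscrowBag, the part that lets a trusted desktop talk to a locked device. The record layout (HostID, SystemBUID, WiFiMACAddress, certificates, EscrowBag) is assumed from how iTunes and libimobiledevice write pairing records; the sample record is constructed inline with placeholder values.

```python
import os
import plistlib
from datetime import datetime, timezone

# Default pairing-record locations named on the slide.
LOCKDOWN_DIRS = {
    "windows": os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                            "Apple", "Lockdown"),
    "macos": "/var/db/lockdown",
}

# Keys iTunes writes into a pairing record (assumed layout, see lead-in).
PAIRING_KEYS = ("HostID", "SystemBUID", "WiFiMACAddress", "HostCertificate",
                "HostPrivateKey", "RootCertificate", "RootPrivateKey",
                "DeviceCertificate", "EscrowBag")


def make_record(fields):
    """Serialize a dict as a plist, the on-disk form of a pairing record."""
    return plistlib.dumps(fields)


def summarize_record(udid, data):
    """Reduce one pairing record to the fields an examiner cares about.

    The EscrowBag is what lets a trusted host talk to a device that is
    currently locked (once it has been unlocked since boot); without it the
    record only works while the device is unlocked. Whether the device has
    rebooted since pairing (which invalidates the record on iOS 8+) cannot be
    read from the file.
    """
    rec = plistlib.loads(data)
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "usable_while_locked": "EscrowBag" in rec,
        "missing_keys": [k for k in PAIRING_KEYS if k not in rec],
    }


def inventory(directory):
    """Summarize every <UDID>.plist in a lockdown directory, newest first.

    SystemConfiguration.plist holds the host's own SystemBUID, not a pairing.
    """
    results = []
    for name in os.listdir(directory):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            summary = summarize_record(name[: -len(".plist")], fh.read())
        mtime = os.path.getmtime(path)
        summary["modified"] = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        results.append(summary)
    return sorted(results, key=lambda s: s["modified"], reverse=True)


# Constructed sample record with placeholder values (not a real device).
SAMPLE_RECORD = make_record({
    "HostID": "A1B2C3D4-0000-4000-8000-000000000001",
    "SystemBUID": "F0E1D2C3-0000-4000-8000-000000000002",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "HostCertificate": b"placeholder-pem",
    "HostPrivateKey": b"placeholder-pem",
    "RootCertificate": b"placeholder-pem",
    "RootPrivateKey": b"placeholder-pem",
    "DeviceCertificate": b"placeholder-pem",
    "EscrowBag": b"placeholder-keybag",
})


def demo():
    return summarize_record("0000000000000000000000000000000000000000", SAMPLE_RECORD)


if __name__ == "__main__":
    for field, value in demo().items():
        print("%-20s %s" % (field, value))
```

Run inventory(LOCKDOWN_DIRS["macos"]) or the Windows path on a seized desktop to list every device that trusts it.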

Page 17: What If…?

The lockdown record has expired
▫ You cannot use an expired lockdown record to authenticate an iPhone
▫ Try unlocking via other means

“Cold boot” situation
▫ Unlock the device at least once after booting so that it can accept iTunes pairing records

The Encrypt iPhone backup option is activated and you don’t know the password
▫ Password cannot be changed without specifying the old password
▫ Make the phone produce a backup nevertheless; attempt recovering backup password with Elcomsoft Phone Breaker

Page 18: iTunes Backup Password

No unencrypted data leaves the phone*

• If backup password is specified (in iTunes):
  ▫ All encryption is performed inside the device (iPhone, iPad)
  ▫ iTunes pulls encrypted data stream
  ▫ No way to intercept plain data since there is none
• If you don’t know the password: no way to reset or remove it

* Can still access device info including Serial Number, iOS version etc.

Page 19: Breaking iTunes Backup Password

• Unknown backup password MUST be recovered
• Recommended: use GPU acceleration
  ▫ iOS 9: 2400 combinations per second with CPU; 150,000 with GTX 1080
  ▫ iOS 10 (prior to 10.1 beta): 6 million combinations per second with CPU, since iOS 10 uses a single SHA-256 hash instead of 10,000 iterations of PBKDF2 (SHA-1)
• Long and complex passwords are impossible to break
• Password might exist in OS X keychain
• Passwords are often re-used
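An added example, not from the slides: parse the BackupKeyBag blob kept in an encrypted backup’s Manifest.plist for its PBKDF2 salt and iteration count, then measure how much cheaper one password guess becomes when the 10,000-iteration PBKDF2-SHA1 of iOS 9 is replaced by the single SHA-256 the slide attributes to iOS 10.0. The TLV layout follows the keybag format documented by open-source backup tooling; the keybag bytes are constructed here, and since the slide does not say what the iOS 10.0 check hashes, the function hashes the password alone purely to show the work factor.

```python
import hashlib
import struct
import time


def parse_keybag(blob):
    """Split a keybag into its (tag, value) entries.

    Each entry is a 4-byte ASCII tag, a 4-byte big-endian length and the value.
    The header carries VERS, TYPE, UUID, HMCK, WRAP, SALT and ITER; every
    wrapped class key that follows repeats UUID, CLAS, WRAP, KTYP and WPKY.
    """
    entries, off = [], 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack(">I", blob[off + 4:off + 8])
        value = blob[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated keybag at tag %s" % tag)
        entries.append((tag, value))
        off += 8 + length
    return entries


def kdf_params(blob):
    """Return (salt, iterations) from the keybag header."""
    header = dict(parse_keybag(blob)[:7])
    return header["SALT"], struct.unpack(">I", header["ITER"])[0]


def ios9_derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA1 as used by iOS 4-9 backups to derive the unwrap key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def ios10_check_hash(password):
    """Single SHA-256 standing in for the iOS 10.0 check (input assumed, see lead-in)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def rate(fn, *args, seconds=0.2):
    """Calls per second of fn(*args), measured for roughly `seconds`."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        fn(*args)
        n += 1
    return n / (time.perf_counter() - t0)


def compare_work_factor(blob, password="correct horse"):
    """Per-guess cost of both schemes and how many times cheaper the iOS 10.0 one is."""
    salt, iterations = kdf_params(blob)
    slow = rate(ios9_derive, password, salt, iterations)
    fast = rate(ios10_check_hash, password)
    return {"iterations": iterations, "pbkdf2_per_s": slow,
            "sha256_per_s": fast, "speedup": fast / slow}


def build_sample_keybag(salt=b"\x5a" * 20, iterations=10000):
    """Constructed keybag with one dummy class key; not from a real backup."""
    def tlv(tag, value):
        return tag.encode("ascii") + struct.pack(">I", len(value)) + value

    def u32(n):
        return struct.pack(">I", n)

    return (tlv("VERS", u32(3)) + tlv("TYPE", u32(1)) + tlv("UUID", b"\x00" * 16)
            + tlv("HMCK", b"\x00" * 40) + tlv("WRAP", u32(1)) + tlv("SALT", salt)
            + tlv("ITER", u32(iterations))
            + tlv("UUID", b"\x01" * 16) + tlv("CLAS", u32(1)) + tlv("WRAP", u32(3))
            + tlv("KTYP", u32(0)) + tlv("WPKY", b"\x02" * 40))


if __name__ == "__main__":
    print(compare_work_factor(build_sample_keybag()))
```

On a real backup, feed the BackupKeyBag data from Manifest.plist to kdf_params to confirm the iteration count the backup actually used.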

Page 20: What’s Next?

Decrypt backup (using the password you specified or recovered)
▫ Explore decrypted backup using forensic software (some affordable or even free solutions exist)

Decrypt the keychain
▫ Try to find Apple ID password or token, get access to cloud backup and FileVault recovery key
▫ Extract passwords to other accounts (such as Google and Microsoft; get BitLocker recovery key)
▫ Get access to mail to be able to reset other passwords
▫ Extract authentication tokens (social networks, messengers etc)

Page 21: Option 2: Physical Acquisition

On newer devices, jailbreak is required (no known bootrom exploits)
▫ Passcode must be known or recovered
▫ On 64-bit devices (iPhone 5S and up), passcode must be removed in device settings
▫ No jailbreak for iOS 9.3.4+ and iOS 10

A lot more information than with logical or cloud acquisition

Page 22: Physical Acquisition: prerequisites and benefits

Prerequisites
▫ You know the passcode, or no passcode at all, or device is already unlocked
▫ Device is or can be jailbroken
▫ Very few iOS users jailbreak their devices; you’ll have to do it
▫ Jailbreaking can be tricky, not always possible
▫ Requires passcode and Apple ID password
▫ Find My Phone must be disabled

Benefits
▫ Acquires complete, bit-precise device images
▫ Unallocated space is extracted but cannot be decrypted
▫ Decrypts all keychain items
▫ Guaranteed (short) timeframe
▫ Passcode not required for older devices or if jailbreak is installed
▫ Simple 4-digit passcodes recovered in 10-40 minutes (for older or jailbroken devices)

Page 23: Physical Acquisition: Hardware

32-bit and 64-bit devices
▫ iPhone 4, iPad 1, iPod Touch 1-4 and all older devices: with or without jailbreak
▫ iPhone 4S/5/5C, iPad 2-4, iPad Mini 1: only if already jailbroken or if jailbreak can be installed (known or empty passcode)
▫ iPhone 5S/6/6S/7/Plus, iPad Air, Air 2, iPad Mini 2+, iPad Pro: only if already jailbroken or if jailbreak can be installed (known or empty passcode). Passcode must be known and must be removed in device settings prior to acquisition. Keychain cannot be decrypted (thanks to Secure Enclave)

No jailbreak for iOS 10 at this time

Page 24: Jailbreak: How To

Use TaiG (8.1.3-8.4) or Pangu (9.0-9.3.3) jailbreak
▫ www.taig.com or www.pangu.io
▫ http://en.pangu.io/help.html for iOS 9.3.3

Backup via iTunes

Remove passcode
▫ Settings > Passcode > Enter your passcode > Turn Passcode Off > Enter your passcode

Disable Find My Phone
▫ Settings > iCloud > Find My iPhone > Click to turn off

(optional) Switch to airplane mode

Start jailbreak

No jailbreak for newer iOS versions

Page 25: Jailbreak: Issues

Jailbreak has many forensic implications
▫ Dangerous, no guaranteed outcome
▫ May brick device, destroy evidence
▫ Not forensically sound, introduces artifacts
▫ Process must be carefully documented

Chinese version of Pangu jailbreak for iOS 9.3.3 suspected to steal Apple ID and password
▫ http://en.pangu.io/help.html offers a safe jailbreak that will expire in 7 days (unless Apple Developer account is used)
▫ Each Apple Developer account can be used to sign IPA files to jailbreak a limited number of devices
▫ Single-use Apple ID to jailbreak iOS 9.3.3 is a good idea

Page 26: Option 3: Producing Cloud Backup

Cloud backups are produced when:
▫ Device connected to a known Wi-Fi network (matching SSID and password)
▫ Connected to a charger
▫ Screen locked

If device is unlocked or can be unlocked:
▫ Fresh iCloud backup can be forced
▫ Settings – iCloud – Storage & Backup – Back Up Now

Use when:
▫ Unknown iTunes backup password is set
▫ Breaking backup password would take considerable time, need evidence immediately
▫ Physical acquisition not available
▫ 64-bit hardware, unknown passcode
▫ No jailbreak for this version of iOS

Page 27: Forcing a Cloud Backup on a Locked iPhone

Try other methods first if passcode known or unlock possible

▫ Bring to the proximity of a known Wi-Fi network (SSID and password must match)
▫ Connect to a charger
▫ Leave “overnight”
▫ If iCloud backups are enabled, the phone should produce a fresh cloud backup

The device must be unlocked with passcode at least once after booting. Otherwise, Wi-Fi passwords remain encrypted, and the device will not attempt to connect to any Wi-Fi network.

Page 28: Apple ID Password

If you know the password to user’s Apple ID, perform cloud acquisition first

If you don’t, DO NOT RESET APPLE ID PASSWORD EVEN IF YOU CAN; otherwise, you won’t be able to make the phone produce a fresh cloud backup without unlocking it first

What can happen:
▫ San Bernardino case: password reset, iCloud backup impossible even with Apple cooperation

Page 29: You Know Apple ID Password… or you do not

You know Apple ID password. What can go wrong:
▫ Two-factor authentication may be an issue
▫ Access to secondary authentication factor is required (unless using authentication token)
▫ Cloud backup may not exist
▫ It can be very old

…or you do not
▫ If iCloud for Windows is installed, binary authentication token may exist
▫ What can go wrong: in iOS 8.x, iCloud authentication tokens expire quickly

Page 30: What If…?

The iCloud authentication token has expired
▫ Expired tokens cannot be used to download cloud backups

The Apple ID password has been changed
▫ All existing authentication tokens are immediately invalidated
▫ Must enter the correct password and overcome 2FA
▫ To force the creation of a new cloud backup, unlock the device and enter the new Apple ID password

Page 31: iCloud Data Sync

Backups

Photos (iCloud Photo Library, Photo Streams)
▫ including deleted?

Internet activities: Bookmarks, Open tabs, Reading list, Browsing history

Contacts, Notes, Calendars, Wallet (including boarding passes), Maps (searches and bookmarks), Books, HomeKit data, News subscriptions, Weather

iCloud Keychain (very hard to decrypt, mandatory 2FA)

Page 32: iCloud Data (more)

• Account information
• iCloud storage information
• Contact information (billing/shipping address, emails, credit cards (last 4 digits))
• Connected devices
• Customer service records
• iTunes (purchase/download transactions and connections, update/re-download connections, Match connections, gift cards)
• Retail and online store transactions
• Email content and mail logs
• Family sharing
• iMessage and FaceTime metadata
• Devices locations

Page 33: Roadblock: Two-Factor Authentication

Protects access to backup data, files on iCloud Drive and synced account data
▫ Verification code sent to trusted device(s)

Overcoming 2FA is easy, if the second authentication factor is available

Alternatives:
▫ Recovery key (older two-step verification only)
▫ Authentication token extracted from user’s desktop

Two-step authentication only required once
▫ Authentication token can be saved for future access without login, password or 2FA

Page 34: What you should know about Apple iCloud

• The data is stored on 3rd party services (Microsoft, Amazon, Google)
• The data is encrypted, but encryption keys are stored along with the data
• For non-US accounts, the keys are stored in the US (source: Apple)
• No user-definable password or encryption, keys are managed by Apple
• Only keychain is further encrypted and has mandatory 2FA
• Two-step verification and two-factor authentication are available, but not default
• No notification on iCloud user access (except if 2FA is enabled)
• Workaround for 2FA-protected accounts: using authentication tokens
• Apple stores more days than they say
• No API to access most of the data (private protocols)

Page 35: Acquisition methods pros and cons

Logical
▫ Pros: easiest; can get the keychain; works for all device models; works for all iOS versions
▫ Cons: device may be passcode-locked; backup may be password-protected
▫ Workarounds: using pairing (lockdown) records to perform backup; using GPU acceleration to break backup password

Physical
▫ Pros: can get as much info as possible (including location data and 3rd party app data)
▫ Cons: limited device and iOS version support; passcode is required; jailbreaking might be required
▫ Workarounds: passcode recovery devices; NAND mirroring (32-bit only)

iCloud
▫ Pros: three last backups available; no device required; can get iCloud synced data from all devices
▫ Cons: Apple ID and password required; account may be protected with 2SV or 2FA; account backups are not always available
▫ Workarounds: extracting iCloud password from Mac keychain; using authentication tokens; Apple may help

Page 36: Google/Android to the rescue? No :(

• Google stores much more data than Apple
  ▫ Contacts, Calendars, Notes
  ▫ All internet activities
  ▫ Passwords saved in Chrome
  ▫ Location data
  ▫ Device and application activities
• Different approach: syncing
• Data is not encrypted
• No way to disable syncing some data
• No way to delete most of the data

Page 37: Tools to use

iTunes

Open-source tools
▫ iLoot (https://github.com/hackappcom/iloot)
▫ InflatableDonkey (https://github.com/horrorho/InflatableDonkey)
▫ libimobiledevice (http://www.libimobiledevice.org)
▫ iMobileDevice (http://quamotion.mobi/iMobileDevice)

Commercial software
▫ Cellebrite, ElcomSoft, BlackBag etc.

Page 38: Closing

Vladimir Katalov, ElcomSoft Co. Ltd.
https://www.elcomsoft.com
http://blog.elcomsoft.com
Facebook: ElcomSoft
Twitter: @elcomsoft

iOS Acquisition Methods Compared: extracting data via physical, logical, or cloud acquisition