Practical Mobile Forensics. Extracting evidence from a seized iPhone: systematic approach, tools and challenges


Extracting evidence from a seized iPhone: systematic approach, tools and challenges
ElcomSoft Ltd.
www.elcomsoft.com
Oleg Afonin, ElcomSoft

What's Inside?
- Call logs and text messages
- Emails and chats
- Account passwords
- Web and application passwords
- Wi-Fi passwords
- Documents, settings and databases
- Web browsing history
- Pictures and videos
- Geolocation history, routes and places
How To Extract It?

In This Presentation
- Preserving evidence
- Seizing and storing the device
- Common mistakes and their consequences
- Vectors of attack
- Cloud and Over-the-Air Acquisition
- Offline Backups
- Physical Acquisition
- Common mistakes and consequences

Mobile Forensics: iOS Forensics
- Full-disk encryption
- Invasive extraction methods are useless
- Bypassing passcode is useless
- Multi-layer protection
- Keychain only available with some methods
- Acquisition approach depends on what you have and what you know

Acquisition Methods That Don't Work
Some acquisition methods common on other platforms are not available for iOS
- JTAG: there is no test access port
- Chip-off: full-disk encryption makes offline attacks completely useless
- Bypassing screen lock: encryption key derived from passcode

Seizing and Preserving Evidence
- If it's on, don't switch it off
- Some data is available even if device is unlocked
- If switched off, no Wi-Fi connection until unlocked with passcode
- If switched off, unlocking with fingerprint reader not possible (must enter passcode)

Seizing and Preserving Evidence
- If unlocked, don't let it lock
- Settings > General > Auto-Lock > Never
- Much easier acquisition
- Will be able to produce offline backup

Seizing and Preserving Evidence
- Use Faraday bag; connect to a charger
- Isolates from wireless networks
- Otherwise, remote wipe easily possible
What can happen:
- BBC News: Cambridgeshire, Derbyshire, Nottingham, and Durham police "don't know how people wiped them." (9.Oct.14)
- Darvel Walker, Morristown wiped his iPhone remotely, charged with tampering with evidence (7.Apr.15)

Vectors of Attack
- Over-the-Air (Cloud) Extraction
  - Apple ID/password or binary authentication token
  - Can be obtained from Apple with court order
- Physical Acquisition
  - On recent devices, must unlock/know the passcode
  - Jailbreak required, may not be available for latest iOS
  - Apple won't help breaking into devices running iOS 8 and newer
- Logical Acquisition (Backups)
  - Backup can be encrypted with unknown password
  - Recovery timeframe unpredictable, result not guaranteed

Choosing Acquisition Method
- Depends on what you have and what you know
- Case-by-case basis
- One or more methods may be available
- Each method has pros and cons
- No straightforward solution

Passcode Lock
- The ability to unlock the device is crucial for many acquisition approaches
- Knowing the passcode is an enormous help
- Full-disk encryption tied to the passcode
- Bypassing is pointless. Passcode must be known.

Passcode Lock
- Device is jailbroken
- Use Elcomsoft iOS Forensic Toolkit to recover the passcode (32-bit devices only)
- "Erase data after 10 unsuccessful attempts" option successfully bypassed
- 30 minutes to recover 4-digit passcode
- Several days to recover 6-digit passcode
- Alphanumerical passcodes don't have a defined recovery timeframe

Passcode Recovery Boxes
- Device is NOT jailbroken
- Many passcode recovery boxes advertised
- Some claim to bypass "Erase data after 10 failed passcode attempts"
- Claimed recovery time: 17 hours to fully enumerate 4-digit passcodes
- Reality: about 10% success rate
- Sometimes, devices are erased after 10 failed attempts contrary to manufacturer's claims

First Things First
- Request cloud backups from Apple
- May be sporadic
- Fresh backup may not be available
- San Bernardino case: last backup several months old

Forcing a Cloud Backup
- Make the phone produce a fresh cloud backup
- Try other methods first if passcode known or unlock possible
- Bring to the proximity of a known Wi-Fi network
  - SSID and password must match
- Connect to a charger
- Leave overnight
- If iCloud backups are enabled, the phone should produce a fresh cloud backup
- Request from Apple

Potential Issues
- Device susceptible to remote wipe command (that's why try other methods first)
- Won't connect to Wi-Fi if device was turned off and never unlocked afterwards (at least once)
- iCloud backups may not be enabled
- If the phone can be unlocked, try other methods first (iTunes backup, physical acquisition)

Device Acquisition
- Full-disk encryption
- Invasive extraction methods are useless
- Bypassing passcode is useless
- Multi-layer protection
- Keychain only available with some methods
- Acquisition approach depends on what you have and what you know
- Apple declines government information requests for devices running iOS 8 and 9, citing technical limitations. Handing over the device to Apple will no longer result in receiving its full image. https://www.apple.com/privacy/government-information-requests/

Acquisition Methods Compared

| | Physical acquisition | Logical acquisition | Cloud forensics |
|---|---|---|---|
| Approximate timeframe | 35-50 minutes (depending on device model) | Instant (unprotected backups); Unknown (password protected) | 0-4 hours (depending on connection speed and data volume) |
| Keychain recovery | Yes | No (unprotected backups); Yes (password protected) | No |
| Access to deleted files | No | No | No |
| Access to deleted SQLite records | Yes | Yes | Yes |
| Possible issues | Jailbreak required and passcode must be known for last generation devices | Long, complex passwords may prevent the recovery | Two factor authentication; Notification email |

Device Acquisition Methods
- PHYSICAL (32-bit and 64-bit)
- LOGICAL (via iTunes backups)
- Over the Air (iCloud)

What Is Available?
- Is the device locked?
- Was it unlocked at least once after boot?
- Is fingerprint unlock available?
- Do you know the passcode?
- Is it jailbroken?
- What version of iOS is it running?
- Can it be jailbroken?

What Is Available?
- Do you have access to synced PC?
- Lockdown records available?
- Local backups available?
- Password-protected or not?
- iCloud for Windows installed?
- Mac OS X Lion v10.7.5 has iCloud
- iCloud authentication token available?
- Do you know Apple ID password?

Device Is Unlocked
If device is unlocked or can be unlocked, several acquisition options are available
- Option 1: produce local backup with iTunes
- Option 2: attempt jailbreak, perform physical acquisition
- Option 3: enable cloud backups, connect to known Wi-Fi network, charge, leave overnight

Option 1: Make a Local Backup
- We'll try producing an offline backup
- If done properly, most data is saved

Make a Local Backup
Acquisition steps:
- Make the device produce a backup, or
- Access information stored in existing backup
Limitations:
- Device must be unlocked (with passcode or via iTunes)
- May produce encrypted backup
  - Must break password (no guaranteed timeframe, no guarantee of success)
- Limited amount of information

Making the Phone Produce a Backup
- Connect to iTunes
- Unlock (with passcode or via iTunes)
- Check if "Encrypt iPhone backup" is activated
- If not set, select that option and specify your own backup password (otherwise, keychain items will be encrypted with a hardware key and cannot be decrypted)
- Choose "This Computer", then "Backup Now"

iTunes Backup Password
If backup password is specified (in iTunes):
- No unencrypted data leaves the phone
- All encryption is performed inside the device (iPhone, iPad)
- iTunes pulls encrypted data stream
- No way to intercept plain data since there is none
If you don't know the password:
- No way to reset or remove it

Breaking iTunes Backup Password
- Unknown backup password MUST be recovered
- Elcomsoft Phone Breaker supports GPU acceleration
- 1500 combinations per second with CPU alone
- Up to 67000 combinations per second with one gaming video card
- 45 times faster than using a CPU alone
- Use multiple video cards for greater acceleration

Breaking iTunes Backup Password
- Select backup
- Configure attacks
- Run the tool

What's Next?
- Decrypt backup with Elcomsoft Phone Breaker (using the password you specified or recovered)
- Explore decrypted backup with Elcomsoft Phone Viewer

What If?
The "Encrypt iPhone backup" option is activated and you don't know the password
- Password cannot be changed without specifying the old password
- Make the phone produce a backup nevertheless. Attempt recovering backup password with Elcomsoft Phone Breaker
- Attempt physical acquisition

Option 2: Physical Acquisition
- On newer devices, jailbreak is required
- Passcode must be known or recovered
- On 64-bit devices (iPhone 5S and up), passcode must be removed in device settings

iPhone 5C: Physical Acquisition
Prerequisites:
- You know the passcode
- Or no passcode at all
- Or device is already unlocked
- Device is or can be jailbroken
- Very few iOS users jailbreak their devices
- You'll have to do it
- Jailbreaking can be tricky, not always possible
- Jailbreaking requires passcode and Apple ID password
- Find My Phone must be disabled in order to jailbreak

Mobile Forensics Physical Acquisition: The Ifs and Buts
Devices: iPhone 3G, iPod Touch 1/2, iPhone 3GS, iPod Touch 3rd gen, iPad 1, iPhone 4, iPod Touch 4th gen, iPod Touch 5th gen, iPad 2+, iPad Mini, iPhone 4S/5/5C, iPhone 5S, 6, 6S, 6/6S Plus, iPod Touch 6th gen, iPad Air, Air 2, iPad Mini 2, 3 and 4
iOS versions: iOS 1..3, iOS 4.x, iOS 3, iOS 4/5, iOS 4 through 9.x, iOS 7 through 9.x
Rows: Physical imaging; Logical imaging; Passcode recovery (instant, instant); Keychain decryption; Disk decryption (*) (instant, instant, instant)
- 64-bit devices: support via 64-bit acquisition process; passcode is known AND device is jailbroken (iOS up to 9.x)
- 32-bit devices: passcode is known OR device is jailbroken (iOS 5 through 9.x)

Mobile Forensics Physical Acquisition: Benefits
- Acquires complete, bit-precise device images
- Unallocated space is extracted but cannot be decrypted on recent versions of iOS
- Decrypts keychain items, extracts device keys
- Guaranteed timeframe: 20 to 50 minutes for 32 GB models
- Passcode not required for older devices or if jailbreak is installed
- Simple 4-digit passcodes recovered in 10-40 minutes (for older or jailbroken devices)

Mobile Forensics Physical Acquisition: Unique Benefits
- Cached (downloaded) mail: regardless of the type of an email account
- Geolocation data
  - Comprehensive information incl. frequent locations and geo data requested by all Apple and third-party apps and system services
- System logs and crash logs
- Cached application data
- Keychain
  - Passwords to Web sites, apps and accounts, financial information, and any data saved by third-party apps
- Extended keychain acquisition
  - Accessing a cached copy of the iCloud keychain may be possible, enabling instant iCloud access and opening access to other devices with the same Apple ID

Mobile Forensics Physical Acquisition: Hardware
32-bit and 64-bit devices
- iPhone 4, iPad 1, iPod Touch 1-4 and all older devices: with or without jailbreak
- iPhone 4S/5/5C, iPad 2-4, iPad Mini 1: only if already jailbroken or if jailbreak can be installed (known or empty passcode)
- iPhone 5S/6/6SC/Plus, iPad Air, Air 2, iPad Mini 2+: only if already jailbroken or if jailbreak can be installed (known or empty passcode). Passcode must be known and must be removed in device settings prior to acquisition.

Jailbreak: How To
- Use TaiG (8.1.3-8.4) or Pangu (9.0-9.0.2) jailbreak
  - www.taig.com or www.pangu.io
- Backup via iTunes
- Remove passcode
  - Settings > Passcode > Enter your passcode > Turn Passcode Off > Enter your passcode
- Disable Find My Phone
  - Settings > iCloud > Find My iPhone > Click to turn off
- (optional) Switch to airplane mode
- Start jailbreak

iPhone 5C: Physical Acquisition
Acquisition steps via Elcomsoft iOS Forensic Toolkit
- Connect device to PC
- Run Elcomsoft iOS Forensic Toolkit and follow the instructions
- Produces full decrypted image of the device in 25-50 minutes

iPhone 5C: Physical Acquisition
Acquisition steps via Elcomsoft iOS Forensic Toolkit
- Option 4: GET KEYS
- Option 5: DECRYPT KEYCHAIN
- 32-bit devices (iPhone 5C):
  - Option 6: IMAGE DISK
  - Option 7: DECRYPT DISK
- 64-bit devices (iPhone 5S and newer):
  - Option 8: TAR FILES

What If
Imaging a 64-bit device
- Must remove passcode from device settings prior to acquisition
  - Settings > Passcode > Enter your passcode > Turn Passcode Off > Enter your passcode
- Use option 8: TAR FILES
- This engages a new 64-bit acquisition process

What If
Already jailbroken, passcode unknown, 32-bit hardware (iPhone 5C and older)
- Use option 3: GET PASSCODE
- 30 minutes for 4-digit passcode
- Several days for 6-digit passcode
- Undefined timeframe for alphanumerical passcodes

What If
Already jailbroken, passcode unknown, 64-bit hardware
- Physical acquisition unavailable
- Secure Enclave enforces 5-second delay for passcode attempts
- iPhone 5S, 6/Plus, 6S/Plus and newer

What If
"Erase data after 10 attempts" may be active
- This option is enforced in software (iOS)
- Successfully bypassed on jailbroken devices

Option 3: Producing Cloud Backup
Cloud backups are produced when:
- Device connected to a known Wi-Fi network (matching SSID and password)
- Connected to a charger
- Screen locked

Forcing Cloud Backup
If device is unlocked or can be unlocked:
- Fresh iCloud backup can be forced
- Settings > iCloud > Storage & Backup > Back Up Now
Use when:
- Unknown iTunes backup password is set
  - Breaking backup password would take considerable time, need evidence immediately
- Physical acquisition not available
  - 64-bit hardware, unknown passcode
  - No jailbreak for this version of iOS

Apple ID Password
- If you know the password to user's Apple ID, perform cloud acquisition first
- If you don't, DO NOT RESET APPLE ID PASSWORD EVEN IF YOU CAN
- Otherwise, you won't be able to make the phone produce a fresh cloud backup without unlocking it first
What can happen:
- San Bernardino case: password reset, iCloud backup impossible even with Apple cooperation

Not That Easy
- "Auto Join" Wi-Fi network is enabled in device settings
- Device unlocked at least once after booting *
  - Device was discovered powered on, and
  - It was kept powered on in a Faraday bag
- Wi-Fi enabled on the device
* The device must be unlocked with passcode at least once after booting. Otherwise, Wi-Fi passwords remain encrypted, and the device will not attempt to connect to any Wi-Fi network.

Can Be Dangerous
- Allowing device to connect makes it susceptible to remote erase
- Use as last resort
- Apple can block remote erase requests

You Know Apple ID Password
- Use Elcomsoft Phone Breaker to download cloud backup
What can go wrong:
- Two-factor authentication may be an issue
  - Access to secondary authentication factor is required (unless using authentication token)
- Cloud backup may not exist
- It can be very old

PC with iCloud for Windows
- If iCloud for Windows is installed, binary authentication token may exist
- Use Elcomsoft Phone Breaker to locate and extract the token
- Use Elcomsoft Phone Breaker to download cloud backup using the authentication token
What can go wrong:
- In iOS 8.x, iCloud authentication tokens expire quickly
- In iOS 9.x, iCloud Drive is used, tokens do not expire

Over-the-Air Acquisition
You have:
- Apple ID and password, or
- PC synced with iCloud (binary authentication token)
Acquisition steps:
- Use Apple ID and password to download the backup
- Extract binary authentication tokens, use to download backup

Download Cloud Backup
- Launch Elcomsoft Phone Breaker
- Tools > Apple > Download backup from iCloud
- On the "Download backup from iCloud" page, define authentication type as Password or Token
- Sign in
- Download

Authentication Tokens
Extracting from disk image or volume
- Launch Elcomsoft Phone Breaker
- Tools > Extract authentication token
- Follow the prompts
Extracting from live system
- Launch ATEX.EXE from Command Prompt
- Authentication token will be saved, path displayed

Limitations of Cloud Backups
- NO downloaded mail
- NO application cache
- LIMITED app data
- LIMITED amount of geolocation data
- Keychain data: no Wi-Fi passwords, no email passwords etc.

What's Next?
- Explore downloaded backup with Elcomsoft Phone Viewer
- Open in third-party forensic tool

There Is a Synced Computer
- iCloud for Windows (iCloud Control Panel in OS X) may have a cloud authentication token
- May be able to use tokens to access cloud backups
- Bypass two-factor authentication
- iOS 8.x: iCloud; tokens have limited lifespan
- iOS 9.x: iCloud Drive; tokens do not expire
- Extract and use authentication tokens with Elcomsoft Phone Breaker

There Is a Synced Computer
- iTunes may have pairing records (lockdown records)
- May be used to produce a local backup if device locked with unknown passcode
- Lockdown records expire quickly
- Backup may be encrypted
- Windows: %ProgramData%\Apple\Lockdown
- OS X: /var/db/lockdown

Lockdown Records
- iTunes uses pairing records to identify a trusted PC
- A trusted PC can be used to produce a local backup
- No need to unlock the iPhone, but
- It must be unlocked at least once after being powered on
- Backup may be encrypted

Using Lockdown Records
- Extract (single file)
- Allows backing up a locked device
- Device must be unlocked at least once after cold boot
- iOS 4 through 7, iOS 8.0 through 8.2
  - Access to file_relay, afc, house_arrest
  - Can extract almost everything, even if backup password is specified
- iOS 8.3 and newer
  - Backup only, settings apply (e.g. password protection)

What If?
- The lockdown record has expired
  - You cannot use an expired lockdown record to authenticate an iPhone
  - Try unlocking via other means
- Cold boot situation
  - Unlock the device at least once after booting so that it can accept iTunes pairing records
- The "Encrypt iPhone backup" option is activated and you don't know the password
  - Password cannot be changed without specifying the old password
  - Make the phone produce a backup nevertheless. Attempt recovering backup password with Elcomsoft Phone Breaker
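The "What Is Available?" questions about a synced computer (local backups present, password-protected or not, lockdown records present) can be answered from a read-only copy of that computer before the device is touched. The following Python example is added here and is not part of the original presentation or of any Elcomsoft tool; the plist key names it reads (IsEncrypted, WasPasscodeSet, Lockdown, HostID, EscrowBag) do not appear on the slides, and the sample data is constructed.

```python
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def load_plist(path):
    """Parse an XML or binary plist; return None if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # a damaged evidence file must not stop the triage
        return None


def triage_backups(backup_root):
    """Summarise each iTunes backup folder (one per device) under backup_root."""
    rows = []
    for folder in sorted(Path(backup_root).iterdir()):
        manifest = load_plist(folder / "Manifest.plist")
        if not isinstance(manifest, dict):
            continue
        lockdown = manifest.get("Lockdown")
        if not isinstance(lockdown, dict):
            lockdown = {}
        rows.append({
            "folder": folder.name,
            "device_name": lockdown.get("DeviceName"),
            "ios_version": lockdown.get("ProductVersion"),
            # An encrypted backup needs the backup password before analysis.
            "encrypted": bool(manifest.get("IsEncrypted", False)),
            "passcode_was_set": manifest.get("WasPasscodeSet"),
            "backup_date": manifest.get("Date"),
        })
    return rows


def triage_lockdown(lockdown_dir, now=None):
    """List pairing records (<UDID>.plist) with their age for the examiner."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for path in sorted(Path(lockdown_dir).glob("*.plist")):
        record = load_plist(path)
        # SystemConfiguration.plist describes the host, not a paired device.
        if not isinstance(record, dict) or "HostID" not in record:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        rows.append({
            "udid": path.stem,
            "has_escrow_bag": "EscrowBag" in record,
            "last_modified": mtime,
            "age_days": (now - mtime).days,  # records expire; age guides priority
        })
    return rows


def build_constructed_sample(root):
    """Create constructed (fake) backup and lockdown folders for the demo."""
    udid = "0" * 40  # constructed placeholder UDID
    backup = Path(root) / "Backup" / udid
    backup.mkdir(parents=True)
    with open(backup / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": True, "WasPasscodeSet": True,
                       "Date": datetime(2016, 1, 1),
                       "Lockdown": {"DeviceName": "Sample iPhone",
                                    "ProductVersion": "9.0"}}, fh)
    lockdown = Path(root) / "Lockdown"
    lockdown.mkdir()
    with open(lockdown / (udid + ".plist"), "wb") as fh:
        plistlib.dump({"HostID": "CONSTRUCTED-HOST-ID", "EscrowBag": b"\x00" * 4}, fh)
    with open(lockdown / "SystemConfiguration.plist", "wb") as fh:
        plistlib.dump({"SystemBUID": "CONSTRUCTED-BUID"}, fh)
    return Path(root) / "Backup", lockdown


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backups, lockdown = build_constructed_sample(tmp)
        for row in triage_backups(backups) + triage_lockdown(lockdown):
            print(row)
```

On a real case, point `triage_lockdown` at a copy of the lockdown folder named on the slide (%ProgramData%\Apple\Lockdown or /var/db/lockdown) taken from a write-blocked image, so file timestamps are not altered.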

What If?
- The iCloud authentication token has expired
  - Expired tokens cannot be used to download cloud backups
- The Apple ID password has been changed
  - All existing authentication tokens are immediately invalidated
  - Must enter the correct password and overcome 2FA
  - To force the creation of a new cloud backup, unlock the device and enter the new Apple ID password

Touch ID
- 64-bit Apple devices equipped with fingerprint reader
  - iPhone 5S+, iPad mini 3+, Air 2, Pro
- Convenient, utilized by most users
- Touch ID expires in 48 hours
- Unavailable after cold boot
  - Device must be unlocked with passcode at least once to use Touch ID
- Can use Touch ID to unlock the device
  - Within 48 hours of last use
  - Not after cold boot

New in iOS 9.3
If Settings > iCloud > Safari is enabled, it syncs:
- Bookmarks
- Open tabs
- Reading list
- Browsing history
Acquisition: work in progress

Roadblock: Two-Step Authentication
- Protects access to backup data, keychain
- Verification code sent to trusted device
- If enabled, 2FA is enforced for iCloud backups - but not files sideloaded to iCloud Drive
- Overcoming 2FA is easy - if the second authentication factor is available
- Alternatives:
  - Recovery key
  - Authentication token extracted from user's PC

Roadblock: Two-Step Authentication
- Access to one of the following is required at acquisition:
  - Access to trusted device
  - Recovery Key
- Two-step authentication only required once:
  - Authentication token can be saved for future access without login, password or 2FA

What's Next?
- View with Elcomsoft Phone Viewer
- Analyze with forensic suite of your choice
  - Cellebrite
  - EnCase
  - Oxygen Forensic Toolkit

Tools Mentioned in This Presentation
- Elcomsoft iOS Forensic Toolkit: physical acquisition of 32-bit iOS hardware
- Elcomsoft Phone Breaker: acquisition via offline and cloud backups; breaking backup passwords
- Elcomsoft Phone Viewer: viewing extracted disk images, downloaded or decrypted backups
- Elcomsoft Mobile Forensic Bundle: contains all of the above tools in PC and Mac versions at a 30% discount

A practical guide to recovering evidence from a seized iPhone
(c) ElcomSoft 2016
Oleg Afonin, ElcomSoft Co. Ltd.
http://www.elcomsoft.com
http://blog.crackpassword.com
Facebook: ElcomSoft
Twitter: @elcomsoft