iOS Forensics

Post on 15-Jan-2015


DESCRIPTION

iOS forensics approach

Transcript

iPhone Forensics

Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant

% of iOS versions used now

[Chart: share of iOS versions in use, August 2011; state at 12.04.2012; series: New Users, Total]

Forensics mean: ANALYZE

• Steps to recover user activities

• Fully accountable: every step of the investigation is logged and recorded

Tools we use

• AccessData FTK
• Guidance EnCase
• redsn0w_mac
• tcprelay.py
• keychain_tool.py
• dump_data_partition.sh
• emf_decrypter.py

iOS version to encryption

• iOS 3.x - passcode is not needed to decrypt filesystem or any of keychain items; moreover, the passcode can be recovered instantly

• iOS 4 - you can still decrypt the filesystem image without the passcode; however, some of the files will remain encrypted (Mail.app databases and some others) and so will most of the device keychain items. Recovering the passcode with a brute-force attack takes about half an hour for simple 4-digit ones

• iOS 5 – we are blind (yet)

Forensics: Backup vs Physical

• We are able to recover all information from backup files made with iTunes but

Physical iOS forensics

• Physical iOS forensics offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, SMS and mail files.

Steps involved in iPhone forensics:

1. Creating & loading a forensic toolkit onto the device without damaging the evidence

2. Establishing communication between the device and the computer

3. Bypassing the iPhone passcode restrictions

4. Reading the encrypted file system

5. Recovering the deleted files

What is the difference between logical and physical acquisition?

• Logical acquisition creates a copy of the file system, saving all folder/file structure. Some files, however, are 'locked' and so cannot be copied.

• Physical acquisition creates a bit-by-bit image of the partition, including unallocated space.
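To make the logical/physical distinction concrete, the following added example (not from the original slides) builds a tiny constructed partition image with a made-up fixed-block layout, not a real iOS filesystem. A logical acquisition copies only the files the directory still lists; the physical image also contains the unallocated blocks, where a deleted file's data survives and can be found by header carving. The SHA-256 record models the "every step is logged and recorded" requirement: any later copy can be checked against the acquired image.

```python
"""Logical vs physical acquisition on a constructed toy image.

Added example; not from the original slides. The 'filesystem' is a made-up
fixed-block layout (constructed for illustration), not HFS+ or any real format.
"""
import hashlib
import struct

BLOCK = 64                 # bytes per block (constructed layout)
N_BLOCKS = 16
DIR_BLOCK = 0              # block 0 holds the directory table
ENTRY = struct.Struct("<16sHH")   # 16-byte name, 2-byte start block, 2-byte length
MAGIC = b"PNG\x89"         # constructed file header used for carving


def build_image():
    """Build a toy partition: directory in block 0, file data in later blocks.
    One file is 'deleted': its entry is dropped from the directory, its data stays."""
    img = bytearray(BLOCK * N_BLOCKS)
    files = {"notes.txt": (1, b"meeting at 10"),
             "photo.png": (2, MAGIC + b"...pixels...")}
    deleted = {"secret.png": (5, MAGIC + b"deleted pixels")}
    for blk, data in list(files.values()) + list(deleted.values()):
        img[blk * BLOCK: blk * BLOCK + len(data)] = data
    entries = b"".join(ENTRY.pack(n.encode(), b, len(d)) for n, (b, d) in files.items())
    img[0:len(entries)] = entries          # the deleted file is not listed
    return bytes(img)


def read_directory(img):
    """Parse the directory table: the logical view, only what is still listed."""
    out = {}
    for off in range(0, BLOCK, ENTRY.size):
        name, blk, length = ENTRY.unpack_from(img, off)
        if length == 0:                    # zeroed slot: end of directory
            break
        out[name.rstrip(b"\0").decode()] = (blk, length)
    return out


def logical_acquisition(img):
    """Copy each listed file; unallocated space is never read."""
    return {n: img[b * BLOCK: b * BLOCK + l] for n, (b, l) in read_directory(img).items()}


def allocated_blocks(img):
    return {DIR_BLOCK} | {b for b, _ in read_directory(img).values()}


def carve_unallocated(img):
    """Physical view: scan blocks the directory does not reference for MAGIC headers."""
    hits = []
    used = allocated_blocks(img)
    for blk in range(N_BLOCKS):
        if blk in used:
            continue
        chunk = img[blk * BLOCK:(blk + 1) * BLOCK]
        if chunk.startswith(MAGIC):
            hits.append((blk, chunk.rstrip(b"\0")))
    return hits


def acquisition_record(img, label):
    """Hash the image so every later step can be verified against the original."""
    return {"label": label, "size": len(img), "sha256": hashlib.sha256(img).hexdigest()}


if __name__ == "__main__":
    image = build_image()
    print(acquisition_record(image, "physical image of constructed partition"))
    print("logical copy sees:", sorted(logical_acquisition(image)))
    print("carved from unallocated:", carve_unallocated(image))
```

The logical copy returns notes.txt and photo.png only; carving the unallocated blocks of the same image recovers the deleted secret.png data, which is the point of preferring a bit-by-bit image when deleted content matters.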

Chain Of Trust – Normal Mode

BootRom → Low Level BootLoader → iBoot → Kernel → User Applications

Chain Of Trust – DFU Mode

BootRom → iBSS → iBEC → Kernel → RAM DISK

Breaking Chain Of Trust

BootRom (limera1n) → iBSS (Patch) → iBEC (Patch) → Kernel (Patch) → Custom RAM DiSK

Forensics

• Creating & loading a forensic toolkit onto the device without damaging the evidence

• Establishing communication between the device and the computer

• Bypassing the iPhone passcode restrictions

• Reading the encrypted file system

• Recovering the deleted files

Devices versions

• iPhone 3G
• iPhone 3GS
• iPhone 4 (GSM)
• iPhone 4 (CDMA)
• iPod Touch 3rd gen
• iPod Touch 4th gen
• iPad

Bypassing the iPhone Passcode Restrictions

Passcode complexity    Brute-force time
4 digits               18 minutes
4 alphanumeric         51 hours
5 alphanumeric         8 years
8 alphanumeric         13,000 years

Simple 4-digit iOS 4 and iOS 5 passcodes recovered in 20-40 minutes

Keychains

The keychain is an SQLite database which stores sensitive data on your device. The keychain is encrypted with a hardware key. The keychain also restricts which applications can access the stored data: each application on your device has a unique application-identifier (also called an entitlement), and the keychain service restricts which data an application can access based on this identifier.
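Because the keychain is an SQLite database, a first forensic triage can be done with plain SQL without touching the encrypted item data. The following added example (not from the original slides) builds an in-memory database whose table and column names (genp, inet, agrp, svce, srvr, acct, pdmn, data) follow the keychain-2.db layout as described by the iphone-dataprotection project's keychain_tool.py, and whose rows are constructed. It groups items by access group (the per-application restriction described above) and by protection class, and counts how many items have class keys bound to the passcode; the data column is treated as opaque bytes and no decryption is attempted.

```python
"""Triage of a keychain-2.db-style SQLite database by access group and protection class.

Added example, not part of the original slides. Schema names follow the
keychain-2.db layout as documented by iphone-dataprotection's keychain_tool.py
(an assumption about that project's documentation); all rows are constructed.
"""
import sqlite3
from collections import Counter

# pdmn (protection domain) codes -> accessibility class, per keychain_tool.py
PROTECTION_CLASS = {
    "ak": "WhenUnlocked", "ck": "AfterFirstUnlock", "dk": "Always",
    "aku": "WhenUnlockedThisDeviceOnly", "cku": "AfterFirstUnlockThisDeviceOnly",
    "dku": "AlwaysThisDeviceOnly",
}
# Class keys for these domains are wrapped with the passcode-derived key;
# dk/dku depend on the device (hardware) key only.
PASSCODE_BOUND = {"ak", "ck", "aku", "cku"}

# (table, column holding the item's label) - fixed constants, never user input
TABLES = (("genp", "svce"), ("inet", "srvr"))


def build_sample_db():
    """Constructed keychain-like database with a handful of opaque 'encrypted' items."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE genp (agrp TEXT, svce TEXT, acct TEXT, pdmn TEXT, data BLOB);
        CREATE TABLE inet (agrp TEXT, srvr TEXT, acct TEXT, pdmn TEXT, data BLOB);
    """)
    con.executemany("INSERT INTO genp(agrp, svce, acct, pdmn, data) VALUES (?,?,?,?,?)", [
        ("apple", "AirPort", "HomeWiFi", "dk", b"\x00opaque"),
        ("com.example.app", "token", "user1", "ak", b"\x00opaque"),
        ("com.example.app", "token", "user2", "ak", b"\x00opaque"),
    ])
    con.executemany("INSERT INTO inet(agrp, srvr, acct, pdmn, data) VALUES (?,?,?,?,?)", [
        ("com.apple.mail", "imap.example.net", "alice", "ck", b"\x00opaque"),
        ("com.example.vpn", "vpn.example.net", "alice", "dku", b"\x00opaque"),
    ])
    return con


def inventory(con):
    """List every item with its access group and protection class; 'data' is never read."""
    rows = []
    for table, label_col in TABLES:
        query = f"SELECT agrp, {label_col}, acct, pdmn FROM {table}"   # names from TABLES only
        for agrp, label, acct, pdmn in con.execute(query):
            rows.append({
                "table": table, "agrp": agrp, "label": label, "acct": acct,
                "class": PROTECTION_CLASS.get(pdmn, f"unknown({pdmn})"),
                "passcode_bound": pdmn in PASSCODE_BOUND,
            })
    return rows


def summarize(rows):
    """Counts per access group and per protection class, plus passcode-bound total."""
    return {
        "total": len(rows),
        "by_agrp": dict(Counter(r["agrp"] for r in rows)),
        "by_class": dict(Counter(r["class"] for r in rows)),
        "passcode_bound": sum(r["passcode_bound"] for r in rows),
    }


if __name__ == "__main__":
    items = inventory(build_sample_db())
    for r in items:
        print(f"{r['table']:<5} {r['agrp']:<18} {r['label']:<18} {r['acct']:<9} {r['class']}")
    print(summarize(items))
```

The summary tells an examiner, before any decryption, which access groups hold items and how many items are only recoverable with the passcode, which is the same distinction the slide on iOS 4 makes when it says most keychain items stay encrypted without it.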

Regulatory

• NIST 800-68 Guide to Integrating Forensic Techniques into Incident Response

• NIST 800-72 Guidelines on PDA Forensics

What about iPad2

• Unfortunately, the iPad 2 bootrom isn't vulnerable to any public exploits, so we cannot do anything with it, sorry. The only way to perform forensic analysis of an iPad 2 is to work with the iTunes backup; if the backup is password-protected and/or you want to decrypt the keychain, our Elcomsoft Phone Password Breaker will help.

References

• "iPhone data protection in depth" by Jean-Baptiste Bédrune, Jean Sigwald: http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf

• iPhone data protection tools: http://code.google.com/p/iphone-dataprotection/

• "Handling iOS encryption in forensic investigation" by Jochem van Kerkwijk

• "iPhone Forensics" by Jonathan Zdziarski

• iPhone forensics white paper – viaforensics

• Keychain dumper

• 25C3: Hacking the iPhone

• The iPhone wiki
