Apple Strikes Back: The iPhone Cracking Challenge

We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of protection designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts' efforts to extract evidence. Yet several solutions are known to counter Apple's security measures, even on iOS 11 and even on last-generation devices.

Today we will discuss the main challenges of iOS forensics, look at some of the most interesting solutions available to law enforcement, and share our experience gaining access to some of the most securely protected evidence stored on Apple iOS devices. Today's iPhone is one of the most secure mobile devices. This level of security comes not only from an exemplary implementation of full-disk encryption, but also from a set of purpose-designed measures that protect the device against a wide range of exploitation techniques.

Of course, these two challenges are just the tip of the iceberg. We omitted the legal part, and we did not even mention the very important steps of seizing the device and preserving evidence on its way to the lab; nor did we touch the analysis and reporting stages. Instead, we will be discussing the real technical challenges. A number of solutions exist that allow accessing evidence on a locked iPhone without actually unlocking the device, through the use of lockdown records; see iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices and How Can I Break Into a Locked iOS 10 iPhone?

At the risk of repeating myself: obtaining a lockdown record (a small file from the user's computer) may help experts extract information from an iPhone locked with an unknown passcode. At least this is the case for timely acquisition (within the 7-day window) of devices that were properly seized and transported to the lab. Back to lockdown records: the "expiration" issue is in fact very confusing.

On a side note, this becomes harder and harder to test. In our lab we currently have over fifty iOS devices, from the original iPhone to the iPhone X, running iOS versions from 3 to 11.4 beta, with and without jailbreaks, as well as dozens of lockdown records created at different times. In fact, the logic behind the lockdown service's operation is not 100% clear yet.
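Before testing expiry on a particular device, it helps to inventory the lockdown records on the seized computer and see which ones fall inside the 7-day window. The script below is an added example written for this article, not Elcomsoft's or Apple's code. It assumes the libimobiledevice-style layout: one <UDID>.plist per paired device in /var/db/lockdown (macOS) or %ProgramData%\Apple\Lockdown (Windows), carrying HostID, SystemBUID, WiFiMACAddress, the Host/Device/Root certificates, the Host/Root private keys and an EscrowBag. The file's modification time is used as a proxy for the last trust refresh, which is only an approximation of the device-side timer discussed above. All UDIDs, GUIDs and blobs in the sample records are constructed for the demo.

```python
"""Triage host-side lockdown (pairing) records from a seized computer.

Added example, not code from the article's author. Assumed layout:
  macOS:   /var/db/lockdown/<UDID>.plist
  Windows: %ProgramData%\\Apple\\Lockdown\\<UDID>.plist
SystemConfiguration.plist in the same directory is not a pairing record.
"""
import os
import plistlib
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

SEVEN_DAYS = 7 * 24 * 3600
NOW = 1_700_000_000.0  # fixed reference time so the demo is deterministic


@dataclass
class LockdownRecord:
    udid: str
    host_id: str
    system_buid: str
    wifi_mac: Optional[str]
    has_escrow_bag: bool
    age_seconds: float

    @property
    def within_7_day_window(self) -> bool:
        """True if the record is young enough to be worth trying first."""
        return self.age_seconds <= SEVEN_DAYS


def parse_lockdown_record(path: str, now: Optional[float] = None) -> LockdownRecord:
    """Parse one <UDID>.plist record; raises KeyError if mandatory keys are missing."""
    now = time.time() if now is None else now
    with open(path, "rb") as f:
        data = plistlib.load(f)  # plistlib detects XML vs. binary plist itself
    udid = os.path.splitext(os.path.basename(path))[0]
    return LockdownRecord(
        udid=udid,
        host_id=data["HostID"],
        system_buid=data["SystemBUID"],
        wifi_mac=data.get("WiFiMACAddress"),
        has_escrow_bag="EscrowBag" in data,
        age_seconds=now - os.path.getmtime(path),
    )


def triage_lockdown_dir(directory: str, now: Optional[float] = None) -> List[LockdownRecord]:
    """Return every usable pairing record in the directory, freshest first."""
    records = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        try:
            records.append(parse_lockdown_record(os.path.join(directory, name), now))
        except (KeyError, plistlib.InvalidFileException) as exc:
            print(f"skipping {name}: {exc!r}")  # partial or damaged record
    return sorted(records, key=lambda r: r.age_seconds)


def build_sample_dir(now: float = NOW) -> str:
    """Write constructed sample records (fake UDIDs, IDs and blobs) to a temp dir."""
    directory = tempfile.mkdtemp(prefix="lockdown_demo_")
    fake_pem = b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
    # (udid, record age in seconds, whether an EscrowBag is present) - all constructed
    samples = [
        ("00008020-000A1B2C3D4E5F60", 2 * 24 * 3600, True),
        ("0123456789abcdef0123456789abcdef01234567", 20 * 24 * 3600, False),
    ]
    for udid, age, escrow in samples:
        record = {
            "HostID": "6E1F4C3A-0000-4000-8000-000000000001",
            "SystemBUID": "9B2D1E5F-0000-4000-8000-000000000002",
            "WiFiMACAddress": "02:00:00:00:00:01",
            "HostCertificate": fake_pem,
            "DeviceCertificate": fake_pem,
            "RootCertificate": fake_pem,
            "HostPrivateKey": b"fake-host-key",
            "RootPrivateKey": b"fake-root-key",
        }
        if escrow:
            record["EscrowBag"] = bytes(range(16))
        path = os.path.join(directory, udid + ".plist")
        with open(path, "wb") as f:
            plistlib.dump(record, f, fmt=plistlib.FMT_BINARY)
        os.utime(path, (now - age, now - age))  # back-date the record
    # A partial record without HostID exercises the skip path.
    with open(os.path.join(directory, "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef.plist"), "wb") as f:
        plistlib.dump({"SystemBUID": "9B2D1E5F-0000-4000-8000-000000000002"}, f)
    with open(os.path.join(directory, "SystemConfiguration.plist"), "wb") as f:
        plistlib.dump({"SystemBUID": "9B2D1E5F-0000-4000-8000-000000000002"}, f)
    return directory


def demo(now: float = NOW) -> List[LockdownRecord]:
    """Build the constructed sample directory, triage it and print a summary."""
    records = triage_lockdown_dir(build_sample_dir(now), now)
    for r in records:
        flag = "TRY FIRST" if r.within_7_day_window else "stale"
        print(f"{r.udid}  age={r.age_seconds / 86400:.0f}d  escrow={r.has_escrow_bag}  {flag}")
    return records


if __name__ == "__main__":
    demo()
```

Point `triage_lockdown_dir` at the real lockdown directory on the examined computer to get the same listing; records older than a week are not useless (as the experiment below shows), but the fresh ones are the ones to try first.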

We experimented with iOS 11.4 beta 2 and beta 3 and found that lockdown records may in fact remain valid for much longer than officially stated:

1. Boot and unlock the iPhone; connect it to the computer; establish a trusted relationship by confirming the "Trust this computer?" prompt.
2. Disconnect the iPhone from the computer. Leave the phone alone for 7 days.
4. Wait 7 more days (14 days in total after the last unlock). Disconnect the iPhone from the computer, unlock it with the passcode, connect it back to the computer and use the same lockdown file.

Result: no "Trust this computer?" prompt appeared; the lockdown file remained valid and usable even after 14 days. Device information: AVAILABLE. List of installed apps: AVAILABLE. AFC, shared files and backup services: AVAILABLE.

If the passcode is not known or cannot be cracked, is it possible to unlock the device using Touch ID or Face ID? The answer is iffy, and with every iOS update it becomes even iffier. Starting with iOS 11, you can no longer use biometric unlock to establish a trust relationship.

The passcode is now required to confirm the "Trust this computer?" prompt; see New Security Measures in iOS 11 and Their Forensic Implications. Invoking Emergency SOS mode likewise disables biometric unlock (Face ID included) until the passcode is entered. I think it would be a great idea (for the users, not for forensics) to disable data transfers via the Lightning/USB port after invoking Emergency SOS mode as well. The passcode is the hallmark of iOS security.

While previous versions of iOS had multiple layers of protection to safeguard user data even if the passcode was compromised, iOS 11 shifted the entire security model heavily towards the passcode. As we demonstrated, the passcode is the key to successful device extraction. Breaking the passcode can be essential for accessing a locked device when no valid lockdown record is available. Several providers offer assistance to law enforcement in breaking iPhone passcodes; Cellebrite is the best known, offering unlock services to select law enforcement agencies.
