That’s it. There is one million possible 6-digits codes; multiply that by 80 (ms), and you will get less about 22 hours. The actual passcode cracking is in fact significantly slower, about just one passcode per second. And even this is not always the case. Some GrayKey users are saying the device may switch into a “slow brute-force mode” under certain circumstances (e.g. after trying some unspecified number of combinations). To summarize, neither Cellebrite nor GrayShift will disclose the speed of their passcode cracking process, as well as other conditions and limitations.
They do not make claims that breaking the 6-digit passcode is guaranteed, and they mention that a dictionary must be used in order to attempt the recovery or an alphanumerical passcode. Most of the articles just refer to some “unnamed sources”, while other articles just rephrase what was already said.
Suppose you have successfully unlocked the iPhone by recovering its passcode. First and foremost, it is essential to make a full local backup of the device. While logical acquisition is great, it may not contain the data you need. Specifically, a local backup does not contain downloaded email messages. In addition, many instant messaging apps disallow backups, so you may not get access to certain IM conversations. If you require access to every sandboxed app data, you will need to copy the entire file system of the device.
Unsurprisingly, this will not be possible without root (superuser) access. For the general user, root access is usually only possible through a jailbreak. Jailbreaks exploit a series of CVE vulnerabilities in order to bypass kernel protection and allow installing unsigned apps. Tools such as Elcomsoft iOS Forensic Toolkit rely on existing jailbreaks to image the file system. However, it is technically possible to image the file system without jailbreaking. Instead, a known CVE vulnerability can be exploited to allow TAR imaging code to execute on the device without installing a whole bunch of unnecessary stuff (e.g. the Cydia store).
Can you extract anything from an iPhone without the passcode (but being able to boot it), A very limited set of information is still extractable, including the call log, some system logs and file system metadata (the complete file and folder structure including file sizes). The rest of the data is impossible to extract because of full disk encryption.
This is exactly what Apple claimed in their Privacy Policy when iOS 8 was released. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8,” (Tim Cook via CNet). Apparently, such extraction was possible in iOS 7 and earlier; these, however, are beyond the scope of this article. So how is the file system image “better” than a local iTunes-style backup,
In fact, a file system image contains a different, much more extensive set of data compared to a backup. In fact there is much more - quite a lot of very useful artefacts can be discovered. Of course, an iTunes backup is also a great source of data, but with TAR, you get… well, almost everything except the keychain. Is it possible to perform “true” physical acquisition for iOS devices, and create a DMG image of the device storage,
You can forget about it since Apple started using 64-bit processors and Secure Enclave (iPhone 5S to iPhone X). You are now limited to the TAR archive, which, in fact, has almost everything you need. Unallocated space cannot be decrypted anyway. So what will GreyKey do once the passcode is recovered, They either exploit some CVE vulnerabilities to gain root privileges or operate right from the custom firmware, and save a TAR file containing the image (or, rather, a copy) of the file system. What will ElcomSoft do,
We won’t break the passcode, yet we can still use a lockdown record to extract some information from a locked iPhone. But what if you do know the passcode, or what if there is no passcode at all, If this is the case, we (Elcomsoft iOS Forensic Toolkit) will make a TAR image of the file system; the very same TAR image as one can obtain with GreyKey. However, our tool requires you to manually jailbreak the iPhone before the extraction. That was really funny.
0 Comments