ACQUISITION AND ANALYSIS OF IOS DEVICES
Mattia Epifani
SANS Munich, 1 April 2014

FORENSIC ACQUISITION... BEFORE STARTING
When we are dealing with the forensic acquisition of an iOS device we have to answer three questions before starting the operation:
1. What is the model?
2. What is the iOS version installed?
3. Is the device locked with a passcode?
   1. Simple passcode?
   2. Complex passcode?

IDENTIFY THE MODEL
The model number is located on the back of the device.

IDENTIFY THE MODEL AND THE OPERATING SYSTEM
Boot your PC with the Santoku Live CD: https://santoku-linux.com/
Tool: ideviceinfo (libimobiledevice.org), open source.
Use: ideviceinfo -s
It also works if the device is locked with a passcode.

IPHONE MODEL CHART
Device name | Model number | Internal name | Identifier | Year | Capacity (GB)
iPhone 5S (CDMA) | A1457, A1518, A1528, A1530 | N53AP | iPhone6,2 | 2013 | 16, 32
iPhone 5S (GSM) | A1433, A1533 | N51AP | iPhone6,1 | 2013 | 16, 32, 64
iPhone 5C (CDMA) | A1507, A1516, A1526, A1529 | N49AP | iPhone5,4 | 2013 | 16, 32
iPhone 5C (GSM) | A1456, A1532 | N48AP | iPhone5,3 | 2013 | 16, 32
iPhone 5 rev.2 | A1429, A1442 | N42AP | iPhone5,2 | 2012 | 16, 32, 64
iPhone 5 | A1428 | N41AP | iPhone5,1 | 2012 | 16, 32, 64
iPhone 4S (China) | A1431 | N94AP | iPhone4,1 | 2011 | 8, 16, 32, 64
iPhone 4S | A1387 | N94AP | iPhone4,1 | 2011 | 8, 16, 32, 64
iPhone 4 (CDMA) | A1349 | N92AP | iPhone3,2 | 2011 | 8, 16, 32
iPhone 4 (GSM) | A1332 | N90AP | iPhone3,1 | 2010 | 8, 16, 32
iPhone 3GS (China) | A1325 | N88AP | iPhone2,1 | 2009 | 8, 16, 32
iPhone 3GS | A1303 | N88AP | iPhone2,1 | 2009 | 8, 16, 32
iPhone 3G (China) | A1324 | N82AP | iPhone1,2 | 2009 | 8, 16
iPhone 3G | A1241 | N82AP | iPhone1,2 | 2008 | 8, 16
iPhone 2G | A1203 | M68AP | iPhone1,1 | 2007 | 4, 8, 16
Source: iossupportmatrix.com

IS THE DEVICE LOCKED?
Digits only, length = 4: simple passcode
Digits only, length > 4: simple passcode
Contains non-digits, any length: complex passcode

PHYSICAL VS BACKUP ACQUISITION
Physical acquisition: bit-by-bit image of the device.
Backup acquisition: extracts (part of) the file system.
What is NOT available in a backup?
Email
Geolocation database (Consolidated.db)
Apps' "Cache" folder (e.g. files opened in Dropbox)
Executables

PHYSICAL ACQUISITION (IPHONE 3G, IPHONE 3GS, IPHONE 4, IPAD)
It is always possible to perform a physical acquisition, even if the device is protected with a strong passcode!
We can access all the contents if:
1. the device is not locked, or
2. the device is locked with a passcode that can be cracked within a "reasonable time".
If it is not possible to crack the device passcode you cannot access email and third-party applications, but you can recover the address book, SMS, pictures, videos, browsing history and so on.

HOW LONG DOES IT TAKE TO CRACK? (IPHONE 4)
(screenshot slide)

IPHONE 4 – PHYSICAL ACQUISITION
(screenshot slides)

PHYSICAL ACQUISITION (IPHONE 4S, 5, 5C AND IPAD 2, 3, 4, MINI)
If the device is not passcode protected we can jailbreak it (up to iOS 7.0.6 at the moment) and then use Elcomsoft iOS Forensic Toolkit.
If the device is passcode protected it must already be jailbroken; then we can use the same tool.
If the device is passcode protected and not jailbroken: no way at the moment!
BE CAREFUL: JAILBREAKING IS AN INVASIVE OPTION!

JAILBREAK – THE IPHONE WIKI
EVASION 7
PHYSICAL ACQUISITION – IOS FORENSIC TOOLKIT
(screenshot slides)

LOGICAL AND BACKUP ACQUISITION
Always possible with any device that is not passcode protected.
We can use:
Forensic tools: Oxygen Forensics, UFED Cellebrite, AccessData MPE+, XRY, MobilEdit, etc.
iTunes + backup parser/analyzer:
iPhone Backup Analyzer 2 (open source)
iBackupBot (commercial)
iPhone Backup Extractor (commercial)
iDevice browsing tools: iFunBox, DiskAid, iExplorer

IPHONE BACKUP ANALYZER
Decode and explore an iPhone backup: SMS / iMessage, call logs, address book, notes, network, Safari history, Safari bookmarks, Safari state, Skype, WhatsApp, Viber, thumbnails, known WiFi networks.
Built-in viewers: XML plist viewer, binary plist viewer, SQLite browser, hex viewer, text viewer, image and EXIF viewer.

IPHONE BACKUP ANALYZER – MAIN WINDOW
IPHONE BACKUP ANALYZER – SQLITE AND PLIST
IPHONE BACKUP ANALYZER – CALLS AND MESSAGES
IPHONE BACKUP ANALYZER – WHATSAPP AND SKYPE
IFUNBOX
(screenshot slides)

LOGICAL ACQUISITION AND BACKUP
What can we do if we have an iPhone 4S/5/5S/5C or iPad 2/3/4/Mini that is passcode protected and not jailbroken?
We need to answer another question: do we have access to any computer (PC/Mac) the device was synced with?
If not... we cannot perform any kind of acquisition! (But there is still a way... we will see later.)
If yes...
1. Is there an unencrypted backup available on the PC? We can analyze it!
2. Is there a password-protected backup available on the PC? We can try to crack it!
3. Are the lockdown certificates available? We can access the device!!!

PASSWORD PROTECTED BACKUP
(screenshot slide)

LOCKDOWN CERTIFICATES
Stored in:
Windows 7/8: C:\ProgramData\Apple\Lockdown
Windows Vista: C:\Users\[username]\AppData\Roaming\Apple Computer\Lockdown
Windows XP: C:\Documents and Settings\[username]\Application Data\Apple Computer\Lockdown
Mac OS X: /private/var/db/lockdown
One certificate for every device synced with the computer.
Certificate name: [Device UDID].plist
Recall: we can always retrieve the device UDID (by using ideviceinfo).
We can take the certificate and copy it onto another machine: we will then have access to the device!
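The triage the slides walk through (model, iOS version, passcode, and then which acquisition route is open) as an added Python example; it is not code from the deck, from libimobiledevice or from any of the tools named. It assumes a constructed `ideviceinfo -s` transcript (the key names are the ones the real tool prints, the values including the UDID are made up) and encodes the slides' rules as stated in April 2014: physical acquisition is possible regardless of passcode only on iPhone 4 and earlier and the first iPad, a jailbreak is available only up to iOS 7.0.6, and a locked, non-jailbroken iPhone 4S or later depends on what the synced computer holds. The option tags (`physical`, `jailbreak-then-eift`, ...) are this example's own naming.

```python
import re

# Constructed `ideviceinfo -s` output: real key names, made-up values
# (the UDID does not belong to a real device).
SAMPLE_IDEVICEINFO = """\
DeviceClass: iPhone
DeviceName: seized-phone
ProductType: iPhone4,1
ProductVersion: 7.1
UniqueDeviceID: a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
"""

# Identifier -> (device name, internal name, year), from the slides' model
# chart. China variants share the base model's identifier and internal name.
MODEL_CHART = {
    "iPhone6,2": ("iPhone 5S (CDMA)", "N53AP", 2013),
    "iPhone6,1": ("iPhone 5S (GSM)", "N51AP", 2013),
    "iPhone5,4": ("iPhone 5C (CDMA)", "N49AP", 2013),
    "iPhone5,3": ("iPhone 5C (GSM)", "N48AP", 2013),
    "iPhone5,2": ("iPhone 5 rev.2", "N42AP", 2012),
    "iPhone5,1": ("iPhone 5", "N41AP", 2012),
    "iPhone4,1": ("iPhone 4S", "N94AP", 2011),
    "iPhone3,2": ("iPhone 4 (CDMA)", "N92AP", 2011),
    "iPhone3,1": ("iPhone 4 (GSM)", "N90AP", 2010),
    "iPhone2,1": ("iPhone 3GS", "N88AP", 2009),
    "iPhone1,2": ("iPhone 3G", "N82AP", 2008),
    "iPhone1,1": ("iPhone 2G", "M68AP", 2007),
}

def parse_ideviceinfo(text):
    """Turn `key: value` lines into a dict, skipping blank or malformed lines."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info

def physical_regardless_of_passcode(identifier):
    """Slide rule: iPhone 3G/3GS/4 (iPhone1,x..iPhone3,x) and the first iPad can be
    imaged even when locked; iPhone 4S+/iPad 2+ cannot. None = not covered by the deck."""
    m = re.fullmatch(r"(iPhone|iPad)(\d+),\d+", identifier)
    if not m:
        return None
    family, gen = m.group(1), int(m.group(2))
    return gen <= 3 if family == "iPhone" else gen <= 1

def classify_passcode(passcode):
    """Slide rule: digits only = simple (10**length candidates), anything else = complex."""
    return ("simple", 10 ** len(passcode)) if passcode.isdigit() else ("complex", None)

def jailbreakable(ios_version):
    """Slide statement (April 2014): a public jailbreak exists up to iOS 7.0.6."""
    try:
        return tuple(int(x) for x in ios_version.split(".")) <= (7, 0, 6)
    except (AttributeError, ValueError):
        return False

def acquisition_plan(identifier, locked, jailbroken, ios_version=None, synced_computer=None):
    """Ordered options per the slides. synced_computer is None when no synced PC/Mac
    is available, else a dict of booleans: lockdown_record, plain_backup, encrypted_backup."""
    physical = physical_regardless_of_passcode(identifier)
    if physical is None:
        return ["unknown-model"]
    if physical:  # iPhone 4 and earlier, first iPad: always imageable
        return ["physical"] + (["crack-passcode-for-email-and-third-party-apps"] if locked else [])
    if not locked:  # 4S and later, unlocked
        first = ["eift-on-existing-jailbreak"] if jailbroken else (
            ["jailbreak-then-eift"] if jailbreakable(ios_version) else [])
        return first + ["logical-or-backup"]
    if jailbroken:  # 4S and later, locked but already jailbroken
        return ["eift-on-existing-jailbreak"]
    sc = synced_computer or {}  # 4S and later, locked, not jailbroken
    plan = [step for flag, step in (("lockdown_record", "copy-lockdown-record-then-backup"),
                                    ("plain_backup", "analyze-existing-backup"),
                                    ("encrypted_backup", "crack-backup-password"))
            if sc.get(flag)]
    return plan or ["icloud-or-apple-legal-request"]

def triage(text, locked, jailbroken, synced_computer=None):
    """Answer the deck's three questions from an ideviceinfo transcript and pick a plan."""
    info = parse_ideviceinfo(text)
    ident = info.get("ProductType", "")
    name, internal, year = MODEL_CHART.get(ident, ("unknown", "?", None))
    return {"identifier": ident, "model": name, "internal_name": internal, "year": year,
            "ios_version": info.get("ProductVersion"), "udid": info.get("UniqueDeviceID"),
            "plan": acquisition_plan(ident, locked, jailbroken,
                                     info.get("ProductVersion"), synced_computer)}

if __name__ == "__main__":
    print(triage(SAMPLE_IDEVICEINFO, locked=True, jailbroken=False,
                 synced_computer={"lockdown_record": True}))
```

Running it on the sample transcript (an iPhone 4S on iOS 7.1, locked, not jailbroken) reproduces the deck's live-demo situation: no jailbreak route, so everything depends on the lockdown record or backups found on the seized laptop, and with neither the only remaining options are iCloud or a request to Apple.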
STORED PASSWORD RECOVERY
Using iTunes we can make a backup of an iOS device.
In order to perform the backup it is essential to find out whether:
the phone is not protected by a lock code, or
we know the lock code, or
we can obtain the synchronization certificates for the device from a trusted computer.
The keychain file stores WiFi, e-mail and third-party application passwords.
If the backup is not encrypted, the keychain file is encrypted using a key hard-coded into the device.
If the backup is password protected, the keychain file is encrypted using the user-chosen password.
(screenshot slide)

LIVE DEMO – SCENARIO
An iPhone 4S was seized from Mattia Epifani, a very dangerous WiFi wardriver.
The iPhone is locked with a 4-digit passcode and it is not jailbroken (iOS 7.1).
A laptop was also seized in Mattia's flat.
We are searching for:
the WiFi network the iPhone was connected to
the WiFi password stored on the device
the personal email password
SMS, WhatsApp, etc.
Steps:
1. Search for a lockdown certificate on the laptop.
2. Perform an unencrypted backup to access SMS, call log, WhatsApp and the WiFi network.
3. Perform an encrypted backup to access the WiFi and personal passwords stored on the device.

ICLOUD
Researchers at the Russian software company Elcomsoft have analyzed the communication protocol between iDevices and Apple iCloud.
They were able to emulate the correct commands to retrieve the contents of a user's iCloud storage.
http://cansecwest.com/slides/2013/Cracking%20and%20Analyzing%20Apple%20iCloud.ppt
http://www.elcomsoft.com/PR/recon_2013.pdf
The download operations are completely transparent to the device owner, so an attacker can monitor user activities every time a new backup is created online.
(screenshot slides)

THE LAST OPPORTUNITY...
Ask Apple's legal team directly for help.
Very difficult to obtain, but successfully used recently in a famous murder case.

IOS SECURITY IN 7 STEPS
1. If you have an iPhone 4 or earlier... change it immediately.
2. If you have an iPhone 4S or later, be sure to authorize your computer only if it is really necessary (e.g. to perform a backup).
3. Do not authorize any other computer that is not yours.
4. Periodically (my suggestion: every time you authorize) remove the lockdown certificates from your computer/laptop.
5. Be sure to choose a very strong password for your local backup.
6. Do not use iCloud.
7. Do not jailbreak.
8. Burn Apple headquarters in Cupertino (just joking!)

OPEN SOURCE/FREE TOOLS FOR MOBILE FORENSICS
GENERAL TOOLS / IOS
Oxygen Forensics Standard: http://www.oxygen-forensic.com/en/download/freeware
iPhone Backup Analyzer: http://www.ipbackupanalyzer.com/
Santoku Linux: https://santoku-linux.com/
DEFT Linux: http://www.deftlinux.net/it/
libimobiledevice: http://www.libimobiledevice.org/
MobiSec: http://sourceforge.net/projects/mobisec/
iPhone Data Protection Tools: http://code.google.com/p/iphone-dataprotection/
WhatsApp Xtract: http://blog.digital-forensics.it
iPhone Analyzer: http://sourceforge.net/projects/iphoneanalyzer/
SkypeExtractor: http://www.skypextractor.com/
iFunBox: http://www.i-funbox.com/
DiskAid: http://www.digidna.net/diskaid
iExplorer: http://www.macroplant.com/iexplorer/
ANDROID
AFLogical: https://viaforensics.com/resources/tools/android-forensics-tool/
SAFT: http://www.signalsec.com/saft/
Android Data Extractor Lite: https://github.com/mspreitz/ADEL
Andriller: http://android.saz.lt/
BLACKBERRY
MagicBerry: http://download.cnet.com/MagicBerry/3000-10743_4-10962130.html
Rubus: http://www.cclgroupltd.com/product/rubus-ipd-deconstructor/

LINKS
The iPhone Wiki: http://theiphonewiki.com
iOS Support Matrix: http://iossupportmatrix.com/
Cellebrite UFED Touch: http://www.cellebrite.com/mobile-forensics/capabilities/ios-forensics
Elcomsoft iOS Forensic Toolkit: http://www.elcomsoft.it/eift.html
Elcomsoft Phone Password Breaker: http://www.elcomsoft.it/eppb.html
iPhone Backup Analyzer: http://www.ipbackupanalyzer.com/
iPhone Backup Unlocker: http://www.windowspasswordsrecovery.com/product/iphone-backup-unlocker.htm
iFunBox: http://www.i-funbox.com/

Q&A?
Mattia Epifani
Digital Forensics Analyst and Mobile Device Security Analyst
Owner @ REALITY NET – System Solutions
GCFA, GMOB, CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
Mail: mattia.epifani@realitynet.it
Twitter: @mattiaep
LinkedIn: http://www.linkedin.com/in/mattiaepifani
Blog: http://mattiaep.blogspot.com
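For the LOCKDOWN CERTIFICATES, STORED PASSWORD RECOVERY and LIVE DEMO slides above, an added Python example (not the deck's code, nor iTunes' or iPhone Backup Analyzer's) that checks what a synced computer holds for one device: it looks for the pairing record named `<UDID>.plist` in the per-OS folders listed on the slides, reads the `Manifest.plist` of an iTunes backup to see whether that backup is password protected (its `IsEncrypted` key) and which device it belongs to (its `Lockdown` dictionary), and locates the artifacts the slides mention by the backup's file-naming rule, SHA-1 of `domain-path`. The UDID, the temporary folders standing in for the real lockdown and backup folders, and the pairing-record values are constructed; `HostID`, `SystemBUID`, `IsEncrypted` and `Lockdown` are real key names.

```python
import hashlib
import os
import plistlib
import tempfile

UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"  # constructed, not a real device

# Pairing-record ("lockdown certificate") folders from the slides, by host OS.
# The slides' [username] becomes "~", expanded with os.path.expanduser.
LOCKDOWN_DIRS = {
    "Windows 7/8": r"C:\ProgramData\Apple\Lockdown",
    "Windows Vista": r"~\AppData\Roaming\Apple Computer\Lockdown",
    "Windows XP": r"~\Application Data\Apple Computer\Lockdown",
    "Mac OS X": "/private/var/db/lockdown",
}

# Artifacts named on the slides as (domain, path inside the backup). iTunes
# stores each file under SHA-1("<domain>-<path>") in the backup folder
# (flat layout up to iOS 9; iOS 10+ adds a two-hex-character subfolder).
ARTIFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "call_log": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "address_book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "keychain": ("KeychainDomain", "keychain-backup.plist"),
}

def find_lockdown_record(udid, lockdown_dir):
    """Return the path of <UDID>.plist in lockdown_dir, or None if absent."""
    if len(udid) != 40 or any(c not in "0123456789abcdef" for c in udid):
        raise ValueError("UDID must be 40 lowercase hex characters")
    path = os.path.join(os.path.expanduser(lockdown_dir), udid + ".plist")
    return path if os.path.isfile(path) else None

def backup_filename(domain, relpath):
    """Name under which iTunes stores a backed-up file inside the backup folder."""
    return hashlib.sha1(f"{domain}-{relpath}".encode()).hexdigest()

def inspect_backup(backup_dir):
    """Read Manifest.plist and report what the slides say is recoverable from it."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as f:
        manifest = plistlib.load(f)
    encrypted = bool(manifest.get("IsEncrypted", False))
    lockdown = manifest.get("Lockdown", {})
    present = {name: os.path.isfile(os.path.join(backup_dir, backup_filename(d, p)))
               for name, (d, p) in ARTIFACTS.items()}
    return {
        "udid": lockdown.get("UniqueDeviceID"),
        "ios_version": lockdown.get("ProductVersion"),
        "encrypted": encrypted,
        "artifacts_present": present,
        # Unencrypted backup: the keychain is protected by a device-bound key, so
        # the stored passwords cannot be read from the backup. Password-protected
        # backup: it is protected by the backup password, so they can be recovered
        # once that password is known (or cracked).
        "stored_passwords_recoverable": encrypted and present["keychain"],
        "next_step": "crack or enter the backup password" if encrypted else "parse directly",
    }

def make_backup(folder, encrypted):
    """Write a constructed backup skeleton: Manifest.plist plus empty artifact files."""
    manifest = {"IsEncrypted": encrypted,
                "Lockdown": {"UniqueDeviceID": UDID, "ProductVersion": "7.1"}}
    with open(os.path.join(folder, "Manifest.plist"), "wb") as f:
        plistlib.dump(manifest, f)
    for domain, relpath in ARTIFACTS.values():
        open(os.path.join(folder, backup_filename(domain, relpath)), "wb").close()

def demo():
    """Run the checks against constructed folders and return the findings."""
    with tempfile.TemporaryDirectory() as lockdown, \
         tempfile.TemporaryDirectory() as plain, \
         tempfile.TemporaryDirectory() as enc:
        # Constructed pairing record: the key names are real, the values are dummies.
        with open(os.path.join(lockdown, UDID + ".plist"), "wb") as f:
            plistlib.dump({"HostID": "CONSTRUCTED-HOST-ID", "SystemBUID": "CONSTRUCTED-BUID"}, f)
        make_backup(plain, encrypted=False)
        make_backup(enc, encrypted=True)
        return {
            "pairing_record": find_lockdown_record(UDID, lockdown) is not None,
            "unencrypted": inspect_backup(plain),
            "encrypted": inspect_backup(enc),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`stored_passwords_recoverable` mirrors the slides' point: in an unencrypted backup the keychain is tied to the device key and is useless off the device, while in an encrypted backup it is protected by the backup password, which is why the demo's second step makes an unencrypted backup for SMS, calls and WhatsApp and its third step makes an encrypted one for the WiFi and e-mail passwords. For the real folders, pass `LOCKDOWN_DIRS["Mac OS X"]` (or the Windows entry) instead of the temporary directory.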