iOS Forensics

iOS forensics approach

  • iOS 1.0: Alpine (1.0.0 – 1.0.2: Heavenly); iOS 1.1: Little Bear (1.1.1: Snowbird, 1.1.2: Oktoberfest); iOS 2.0: Big Bear; iOS 2.1: Sugarbowl; iOS 2.2: Timberline; iOS 3.0: Kirkwood; iOS 3.1: Northstar; iOS 3.2: Wildcat (iPad only); iOS 4.0: Apex; iOS 4.1: Baker; iOS 4.2: Jasper (iOS 4.2.5 – 4.2.10: Phoenix); iOS 4.3: Durango; iOS 5.0: Telluride; iOS 5.1: Hoodoo
  • iOS users – paying ones more than those who are broke – are generally updating very quickly, even within the iterations over the current generation of operating system. Paying customers are more likely to update their iOS version: 94% use 4.x. Non-paying customers lag a little more behind: 13% still on 3.x.
  • http://www.marco.org/2011/08/13/instapaper-ios-device-and-version-stats-update
    "The iPad 2 has sold incredibly well, with its numbers now almost identical to the iPad 1's among my customers. It wouldn't surprise me if 40 million iPads have sold already. iPad usage has grown from 47% to 56% of my customers. Adoption of iOS 4.3 has jumped from 65% to 82%. Adoption of iOS 4.0 has risen from 98.1% to 98.4%. I expect this to increase significantly in the next few months as a lot of iPhone 3G owners upgrade to the next iPhone."
  • http://www.14oranges.com/2012/03/ios-version-statistics-march-21st-2012/
    "As you can see, 5.1 is increasing. Note we had a bit of a spike with 4.3 users but likely due to our small sample pool."
  • But even without the passcode there is another option: if you have physical access to the computer the device has been synced with, you can get the special "escrow" keys from there, and the passcode will not be needed, i.e. the Toolkit will be able to perform the full decryption (incl. keychain and Mail.app files).
Transcript of "iOS Forensics"

1. iPhone Forensics
Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant

2. % of iOS versions used now
August 2011

3. State at: 12.04.2012
New Users: Total:

4. Forensics means: ANALYZE
• Steps to recover user activities
• Fully accountable: every step of the investigation is logged and recorded

5. Tools we use
• AccessData FTK
• Guidance EnCase
• redsn0w_mac
• tcprelay.py
• keychain_tool.py
• dump_data_partition.sh
• emf_decrypter.py

6. iOS version to encryption
• iOS 3.x - the passcode is not needed to decrypt the filesystem or any of the keychain items; moreover, the passcode can be recovered instantly
• iOS 4 - you can still decrypt the filesystem image without the passcode; however, some of the files will remain encrypted (Mail.app databases and some others) and so will most of the device keychain items. Recovering a simple (4-digit) passcode with a brute-force attack takes about half an hour
• iOS 5 – we are blind (yet)

7. Forensics: Backup vs Physical
• We are able to recover all information from backup files made with iTunes, but

8. Physical iOS forensics
• Physical iOS forensics offers access to much more information compared to what's available in those backups, including access to passwords and usernames, email messages, SMS and mail files.

9. Steps involved in iPhone forensics:
1. Creating and loading the forensic toolkit onto the device without damaging the evidence
2. Establishing communication between the device and the computer
3. Bypassing the iPhone passcode restrictions
4. Reading the encrypted file system
5. Recovering the deleted files

10. Difference between logical and physical acquisition?
• Logical acquisition creates a copy of the file system, saving the whole folder/file structure. Some files, however, are 'locked' and so cannot be copied.
• Physical acquisition creates a bit-by-bit image of the partition, including unallocated space.

11. Chain Of Trust – Normal Mode
BootRom → Low Level BootLoader → iBoot → Kernel → User Applications

12. Chain Of Trust – DFU Mode
BootRom → iBSS → iBEC → Kernel → RAM Disk

13. Breaking Chain Of Trust
BootRom (limera1n) → iBSS (Patch) → iBEC (Patch) → Kernel (Patch) → Custom RAM Disk

14. Forensics
• Creating and loading the forensic toolkit onto the device without damaging the evidence
• Establishing communication between the device and the computer
• Bypassing the iPhone passcode restrictions
• Reading the encrypted file system
• Recovering the deleted files

15. Device versions
• iPhone 3G
• iPhone 3GS
• iPhone 4 (GSM)
• iPhone 4 (CDMA)
• iPod Touch 3rd gen
• iPod Touch 4th gen
• iPad

16. Bypassing the iPhone Passcode Restrictions
Passcode complexity    Brute-force time
4 digits               18 minutes
4 alphanumeric         51 hours
5 alphanumeric         8 years
8 alphanumeric         13,000 years
Simple 4-digit iOS 4 and iOS 5 passcodes are recovered in 20-40 minutes

17. Keychains
The keychain is a SQLite database which stores sensitive data on your device. The keychain is encrypted with a hardware key. The keychain also restricts which applications can access the stored data: each application on your device has a unique application-identifier (also called entitlements), and the keychain service restricts which data an application can access based on this identifier.

18. Tools
• Oxygen Forensic Suite 2010 PRO
• Micro Systemation XRY
• iPhone Analyzer
• Cellebrite UFED
• Cellebrite UFED Physical

19. Regulatory
• NIST 800-68 Guide to Integrating Forensic Techniques into Incident Response
• NIST 800-72 Guidelines on PDA Forensics

20. What about iPad 2
• Unfortunately, the iPad 2 bootrom isn't vulnerable to any public exploits, so we cannot do anything with it, sorry. The only way to perform forensic analysis of the iPad 2 is to work with the iTunes backup; if the backup is password-protected and/or you want to decrypt the keychain, our Elcomsoft Phone Password Breaker will help.

21. References
• iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald, http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
• iPhone data protection tools, http://code.google.com/p/iphone-dataprotection/
• 'Handling iOS encryption in forensic investigation' by Jochem van Kerkwijk
• iPhone Forensics by Jonathan Zdziarski
• iPhone forensics white paper – viaForensics
• Keychain dumper
• 25C3: Hacking the iPhone
• The iPhone wiki