iOS and BlackBerry Forensics

  1. iOS and BlackBerry Forensics. Andrey Belenko, Elcomsoft Co. Ltd.
  2. Agenda
     • Basics
     • iOS Forensics
       – iOS Security before iOS 4
       – iOS 4 Data Protection
       – iOS 5 Data Protection Changes
     • BlackBerry Forensics
     • Summary
  3. Forensics 101: Acquisition ➜ Analysis ➜ Reporting
     Goals:
     1. Assuming physical access to the device, extract as much information as practical.
     2. Leave as few traces/artifacts as practical.
  5. iOS: Why Even Bother?
     • Almost 5 years on the market
     • 250+ million iOS devices sold worldwide
     • 6 iPhones, 4 iPods, 2 iPads
     • "Smart devices": they carry a lot of sensitive data
     • Corporate deployments are increasing
     There was, is, and will be a real need for iPhone forensics.
  6. iPhone Forensics 101
     • Acquisition: need to get data off the device
     • Passcode: prevents unauthorized access to the device; bypassing the passcode is usually enough
     • Keychain: central storage for sensitive data (passwords, keys); encrypted
     • Storage (disk) encryption
  8. Acquisition Options
     • Logical: iPhone backup
       – Device must be unlocked
       – Device may produce an encrypted backup
       – Limited amount of information
     • Read files directly (AFC)
       – Device must be unlocked
       – Limited access (non-jailbroken devices)
     • Physical: filesystem acquisition
       – Boot-time exploit to run unsigned code
       – Device lock state isn't relevant
       – Can get all information from the device
  9. What is Jailbreak?
     • Jailbreak: circumventing iOS security in order to run custom code
     • Boot-level or application-level
     • Tethered or untethered
 10. Types of Jailbreaks
     • App-level JB gets kernel code execution by exploiting apps
       – e.g. JailbreakMe
       – Can be fixed by new firmware
     • Boot-level JB loads a custom kernel by breaking the chain of trust
       – e.g. limera1n
       – Can't be fixed by a firmware update if it exploits a vulnerability in the BootROM
 11. Jailbreak and Forensics
     • Tethered JB
       – Host connection is required to boot into the jailbroken state
       – Exploit(s) are sent by the host
       – May leave minimal traces on the device
     • Untethered JB
       – Device is modified so that it can boot into the jailbroken state by itself
       – Leaves permanent traces
 14. Unlocking the Device
     • Passcode
     • iTunes pairing
       – If iTunes has seen the device before, it can unlock it (the pairing record on that computer acts as a key to the device)
       – iOS 4: always
       – iOS 5: only if the passcode has been entered on the device after power-on
       – Don't switch off an iOS 5 device after seizure if there is a chance that you'll get the PC/Mac it is paired with
 16. iOS < 4.0 Passcode
     • Lockscreen (i.e. UI) is the only protection
     • Passcode is stored in the keychain
       – The passcode itself, not its hash
     • Can be recovered or removed instantly
       – Remove the record from the keychain
       – And/or remove the setting telling the UI to ask for the passcode
 17. iOS 4/5 Passcode
     • Passcode is used to compute an encryption key
       – Computation is tied to a hardware key (the UID key)
       – The same passcode yields different passcode keys on different devices!
     • Passcode key is required to unlock some of the content protection keys
       – Most files don't require the passcode for decryption
       – Most keychain items do require the passcode for decryption
 18. iOS 4/5 Passcode
     • Passcode-to-key transformation is slow
     • Offline brute force is currently not possible: it requires extracting the hardware key
     • On-device brute force is slow: 2 passcodes/s on iPhone 3G, 7 passcodes/s on iPad
     • We have a hint on passcode complexity
 22. iOS 4/5 Passcode: the complexity hint
     • 0: digits only, length = 4 (simple passcode)
     • 1: digits only, length != 4
     • 2: contains non-digits, any length
     Can at least identify weak passcodes: a type-0 passcode has only 10,000 candidates, so an on-device search exhausts it in about 83 minutes at 2 passcodes/s (iPhone 3G) or under 25 minutes at 7 passcodes/s (iPad).
 24. iOS < 4.0 Keychain
     • SQLite3 DB, only passwords are encrypted
     • All items are encrypted with the device key (Key 0x835) and a random IV
     • The key can be extracted (computed) for offline use
     • All past and future keychain items from the device can be decrypted using that key
     Item layout (byte offsets): 0..16 IV | 16.. Data || SHA-1(Data), AES-CBC encrypted with Key 0x835 under that IV
 25. iOS 4 Keychain
     • SQLite3 DB, only passwords are encrypted
     • Random key for each item, AES-CBC
     • Item key is protected (wrapped) with the corresponding protection class master key
     • Some keychain items are included in the iTunes backup
     • In an encrypted iTunes backup, keychain items are encrypted using the backup password
     Item layout (byte offsets): 0..4 version (0) | 4..8 Class | 8..48 Wrapped Item Key | 48.. Encrypted Item
 26. iOS 5 Keychain
     • Based on iOS 4 encryption
     • All attributes are now encrypted (not only the password)
     • AES-GCM is used instead of AES-CBC: enables integrity verification
     Item layout (byte offsets): 0..4 version (2) | 4..8 Class | 8..12 Wrapped Key Length | 12.. Wrapped Key | then Encrypted Data (+ Integrity Tag)
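Worked example, added here and not part of the deck or of Elcomsoft's or Apple's code: a Go program that parses the two item layouts of slides 25 and 26, unwraps the per-item key with the protection-class master key, and decrypts the body with AES-CBC for version 0 and AES-GCM for version 2. It exists to show the integrity difference the iOS 5 slide calls out: a flipped byte in a version-2 body fails the GCM tag check, while the same flip in a version-0 body decrypts silently to wrong data. Assumptions not stated on the slides: header words are little-endian, the item key is wrapped with RFC 3394 AES key wrap, the CBC body uses a zero IV with PKCS#7 padding, and the GCM body uses a fixed all-zero 12-byte nonce (the real nonce handling is not covered here). BuildItem produces constructed sample blobs for the demonstration; it is not a device artifact. Go is used because its standard library has AES, CBC and GCM built in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed details (not on the slides): zero IV + PKCS#7 padding for the v0
// AES-CBC body, fixed all-zero 12-byte nonce for the v2 AES-GCM body.
var zeroIV, gcmNonce = make([]byte, aes.BlockSize), make([]byte, 12)

// rfc3394 wraps (wrap=true) or unwraps (wrap=false) key data under kek using
// RFC 3394 AES key wrap. Unwrap verifies the A6A6A6A6A6A6A6A6 check value,
// so a wrong class key is already caught here.
func rfc3394(kek, in []byte, wrap bool) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil || len(in) < 16 || len(in)%8 != 0 {
		return nil, errors.New("bad KEK or key-data length")
	}
	a, r := bytes.Repeat([]byte{0xA6}, 8), append([]byte(nil), in...)
	if !wrap {
		a, r = r[:8], r[8:]
	}
	n, buf := len(r)/8, make([]byte, 16)
	for step := 0; step < 6*n; step++ {
		t := step + 1 // wrap runs t = 1..6n upwards, unwrap runs it downwards
		if !wrap {
			t = 6*n - step
		}
		i := (t-1)%n + 1
		copy(buf[:8], a)
		copy(buf[8:], r[8*(i-1):8*i])
		if wrap {
			blk.Encrypt(buf, buf)
		}
		for k := 0; k < 8; k++ {
			buf[k] ^= byte(uint64(t) >> uint(56-8*k))
		}
		if !wrap {
			blk.Decrypt(buf, buf)
		}
		copy(a, buf[:8])
		copy(r[8*(i-1):8*i], buf[8:])
	}
	if wrap {
		return append(a, r...), nil
	}
	if !bytes.Equal(a, bytes.Repeat([]byte{0xA6}, 8)) {
		return nil, errors.New("key unwrap check failed: wrong class key?")
	}
	return r, nil
}

// DecryptItem parses a version-0 (iOS 4) or version-2 (iOS 5) keychain item
// blob and decrypts it with the master key of its protection class.
func DecryptItem(blob, classKey []byte) (class uint32, pt []byte, err error) {
	if len(blob) < 48 {
		return 0, nil, errors.New("blob too short")
	}
	ver, class := binary.LittleEndian.Uint32(blob[0:4]), binary.LittleEndian.Uint32(blob[4:8])
	wrapped, body := blob[8:48], blob[48:] // v0: 0 | Class | Wrapped Item Key (8..48) | AES-CBC item
	if ver == 2 { // v2: 2 | Class | Wrapped Key Length | Wrapped Key (12..) | AES-GCM data + tag
		wl := int(binary.LittleEndian.Uint32(blob[8:12]))
		if wl < 24 || wl > len(blob)-12 {
			return 0, nil, errors.New("bad wrapped key length")
		}
		wrapped, body = blob[12:12+wl], blob[12+wl:]
	} else if ver != 0 {
		return 0, nil, fmt.Errorf("unsupported item version %d", ver)
	}
	itemKey, err := rfc3394(classKey, wrapped, false)
	if err != nil {
		return 0, nil, err
	}
	blk, err := aes.NewCipher(itemKey)
	if err != nil {
		return 0, nil, err
	}
	if ver == 2 { // GCM: a wrong key or a modified ciphertext byte fails the tag check
		gcm, _ := cipher.NewGCM(blk)
		pt, err = gcm.Open(nil, gcmNonce, body, nil)
		return class, pt, err
	}
	if len(body) == 0 || len(body)%aes.BlockSize != 0 {
		return 0, nil, errors.New("bad CBC body length")
	}
	pt = make([]byte, len(body)) // CBC: no tag, so a corrupted body decrypts "successfully"
	cipher.NewCBCDecrypter(blk, zeroIV).CryptBlocks(pt, body)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return class, pt[:len(pt)-pad], nil
	}
	return 0, nil, errors.New("bad PKCS#7 padding")
}

// BuildItem makes a constructed sample blob in layout ver (0 or 2); it exists
// only to feed DecryptItem with test data and is not a device artifact.
func BuildItem(ver, class uint32, classKey, itemKey, pt []byte) ([]byte, error) {
	wrapped, err := rfc3394(classKey, itemKey, true)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(itemKey)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 12)
	binary.LittleEndian.PutUint32(hdr[0:], ver)
	binary.LittleEndian.PutUint32(hdr[4:], class)
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(wrapped)))
	if ver == 2 {
		gcm, _ := cipher.NewGCM(blk)
		return append(append(hdr, wrapped...), gcm.Seal(nil, gcmNonce, pt, nil)...), nil
	}
	if ver != 0 || len(wrapped) != 40 {
		return nil, errors.New("v0 layout needs version 0 and a 32-byte item key")
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, zeroIV).CryptBlocks(ct, padded)
	return append(append(hdr[:8:8], wrapped...), ct...), nil
}
```

For both layouts a wrong class key is rejected at the key-unwrap check value; what GCM adds in version 2 is protection of the item data itself, which CBC in version 0 cannot give (flipping one ciphertext byte of a version-0 item still yields a "valid" decryption). Feed DecryptItem a class key from a keybag dump and an item blob from the keychain database to run the parser on real input.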
 28. iOS < 4.0 Disk Encryption
     • No encryption
 29. iOS 4 Disk Encryption
     • Only the User partition is encrypted
     • Available protection classes:
       – NSProtectionNone (can be decrypted without the passcode)
       – NSProtectionComplete (can't be decrypted without the passcode)
     • Filesystem metadata is encrypted transparently
     • Files are encrypted using a per-file random key
       – Reliable recovery of deleted files is not currently possible: the per-file key is lost together with the file
 30. iOS 5 Disk Encryption
     • New partition scheme: "LwVM" (Lightweight Volume Manager)
     • Any partition can be encrypted
     • New protection classes
       – NSFileProtectionCompleteUntilFirstUserAuthentication
       – NSFileProtectionCompleteUnlessOpen
     • IV for file encryption is computed differently
 31. iOS Forensics
     • Acquiring a disk image is not enough for iOS 4+
       – Content protection keys must also be extracted from the device during acquisition
     • Passcode or escrow keybag is needed for a complete set of content protection keys
     • In the real world it might be a good idea to extract the source data and compute the protection keys offline
 32. iOS Forensics: key hierarchy (the slide's diagram, rendered as an outline)
     • Must be done on the device: everything derived from the UID key
       – UID Key → Key 0x89B, Key 0x835
       – UID Key + Passcode → KDF → Passcode Key
     • Sufficient for offline key reconstruction once extracted: Key 0x89B, Key 0x835, Passcode Key
     • Effaceable Storage
       – 'EMF!' / 'LwVM' → decrypt with Key 0x89B → FS Key
       – 'Dkey' → decrypt with Key 0x835 → Class D Key (#4)
       – 'BAG1' → decrypt systembag.kb → System Keybag (locked)
     • System Keybag (locked) → unlock with Passcode Key → System Keybag (unlocked): Class A Key (#1), Class B Key (#2), Class C Key (#3), Class D Key (#4), Class Key #5 … Class Key #11
     • Passcode: required to decrypt files/keychain
 33. Useful Tools
     • Logical: iPhone backup
       – iTunes (acquire)
       – Oxygen Forensics Suite, iBackupBot (view)
       – Elcomsoft Phone Password Breaker (recover password, view backup keychain, decrypt backup)
     • Read files directly (AFC)
       – iExplorer
     • Physical: filesystem acquisition
       – Elcomsoft iOS Forensic Toolkit, AccessData MPE+, Cellebrite UFED, XRY, etc.
       – iphone-dataprotection (at Google Code)
 34. iOS Forensic Toolkit: support matrix (device columns as on the slide)
     Devices: iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPod Touch 1, iPod Touch 2, iPod Touch 3, iPod Touch 4, iPad 1, iPad 2
     iOS version: 3.1.3 | 4.2.1 | 3.1.3 | 5.1.1 | 5.1.1 | 5.0, 5.0.1 (JB)
     Physical acquisition: + | + | + | + | +
     Passcode recovery: instant | + | instant | + | +
     Keychain decryption: + | + | + | + | +
     Disk decryption: not encrypted | + | +
 35. Conclusions
     • iPhone physical analysis is possible
     • Physical acquisition requires a boot-time exploit
     • Passcode is usually not a problem
       – Due to the technology before iOS 4
       – Due to the human factor with iOS 4/5
     • Both proprietary and open-source tools for iOS 4/5 acquisition are available
 36. iCloud Backups
     • It is now possible to download iOS backups from iCloud
     • Backups in iCloud are NOT encrypted with the backup password
       – Even if backup encryption is ON
     • Apple ID and password are required
       – Can be found on PC/Mac/iOS devices
 38. BlackBerry Forensics 101
     • Acquisition: need to get data off the device
     • Device password: prevents unauthorized access to the device
     • File encryption: e.g. *.rem files on the SD card
 39. Acquisition Options
     • Logical: BlackBerry backup
       – Must know the device password
       – Backup encryption is NOT enforced
       – Limited amount of information
     • Physical
       – Must know the device password
       – Can get all information from the device
     • Chip-off
       – Doesn't need the device password
       – Destructive process
 41. Device Password
     • No reliable way to recover it
     • Can be recovered in one special case:
       – Files on the SD card are encrypted, and
       – Encryption is set to "Security password" or "Device password"
     • Can be recovered for "Device password & Device Key" if a device dump is available
 43. File Encryption
     • Encryption options:
       – Device Key
       – Device Password
       – Device Password & Device Key
     • Device Key is per-card and stored in NVRAM
     • Some files are encrypted using a different key (?)
       – e.g. WhatsApp database on the SD card
       – Not clear why; maybe an implementation of PersistentStore
 44. File Decryption
     • Files can be decrypted provided:
       – Device dump (for the Device Key option)
       – Device password (for the Device Password option)
       – Both (for the Device Password & Device Key option)
     • 'PersistentStore' files (e.g. WhatsApp database) can be decrypted provided a device dump
       – A tool for this is available free of charge for law enforcement
 45. Useful Tools
     • Logical: BlackBerry backup
       – BlackBerry Desktop Manager (acquire)
       – Elcomsoft BlackBerry Backup Explorer (view)
       – Elcomsoft Phone Password Breaker (recover backup password, decrypt backup; recover BlackBerry Password Keeper and Wallet passwords)
     • Physical
       – Cellebrite
     • Other
       – Elcomsoft Phone Password Breaker (recover device password, decrypt SD card files)
 46. Thank You!
     a.belenko@elcomsoft.com
     http://ru.linkedin.com/in/belenko
     @andreybelenko
