iOS Forensics


iOS forensics approach

Published in: Technology, News & Politics

  • iOS codenames: iOS 1.0: Alpine (1.0.0 – 1.0.2: Heavenly); iOS 1.1: Little Bear (1.1.1: Snowbird, 1.1.2: Oktoberfest); iOS 2.0: Big Bear; iOS 2.1: Sugarbowl; iOS 2.2: Timberline; iOS 3.0: Kirkwood; iOS 3.1: Northstar; iOS 3.2: Wildcat (iPad only); iOS 4.0: Apex; iOS 4.1: Baker; iOS 4.2: Jasper (iOS 4.2.5 – 4.2.10: Phoenix); iOS 4.3: Durango; iOS 5.0: Telluride; iOS 5.1: Hoodoo
  • iOS users – paying ones more than those who are broke – are generally updating very quickly, even within the iterations over the current generation of operating system. Paying customers are more likely to update their iOS version: 94% use 4.x. Non-paying customers lag a little more behind: 13% are still on 3.x.
  • iPad 2 has sold incredibly well, with its numbers now almost identical to the iPad 1’s among my customers. It wouldn’t surprise me if 40 million iPads have sold already. iPad usage has grown from 47% to 56% of my customers. Adoption of iOS 4.3 has jumped from 65% to 82%. Adoption of iOS 4.0 has risen from 98.1% to 98.4%. I expect this to increase significantly in the next few months as a lot of iPhone 3G owners upgrade to the next iPhone.
  • As you can see, 5.1 is increasing. Note we had a bit of a spike with 4.3 users, but likely due to our small sample pool.
  • But even without the passcode there is another option: if you have physical access to the computer the device has been synced with, you can get the special "escrow" keys from there, and the passcode will not be needed, i.e. the Toolkit will be able to perform the full decryption (incl. keychain and files).

    1. iPhone Forensics
       Nazar Tymoshyk, Ph.D., R&D Manager/Security Consultant
    2. % of iOS versions used now (August 2011)
    3. State at: 12.04.2012. New Users / Total
    4. Forensics means: ANALYZE
       • Steps to recover user activities
       • Full accountability: every step of the investigation is logged and recorded
    5. Tools we use
       • AccessData FTK
       • Guidance EnCase
       • redsn0w_mac
    6. iOS version vs. encryption
       • iOS 3.x - the passcode is not needed to decrypt the filesystem or any of the keychain items; moreover, the passcode can be recovered instantly
       • iOS 4 - you can still decrypt the filesystem image without the passcode; however, some of the files will remain encrypted (databases and some others) and so will most of the device keychain items. Recovering the passcode with a brute-force attack takes about half an hour for simple (4-digit) ones
       • iOS 5 – we are blind (yet)
    7. Forensics: Backup vs Physical
       • We are able to recover all information from backup files made with iTunes, but
    8. Physical iOS forensics
       • Physical iOS forensics offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, SMS and mail files.
    9. Steps involved in iPhone forensics:
       1. Creating and loading the forensic toolkit onto the device without damaging the evidence
       2. Establishing communication between the device and the computer
       3. Bypassing the iPhone passcode restrictions
       4. Reading the encrypted file system
       5. Recovering the deleted files
    10. What is the difference between logical and physical acquisition?
       • Logical acquisition creates a copy of the file system, saving the whole folder/file structure. Some files, however, are 'locked' and so cannot be copied.
       • Physical acquisition creates a bit-by-bit image of the partition, including unallocated space.
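Slides 8 to 10 contrast a logical copy, which follows the file table and so misses locked and deleted files, with a physical bit-for-bit image that also contains unallocated space. The Python example below is added here and is not part of the original deck: it builds a constructed toy partition image in which one database has been deleted, and shows that walking the file table (logical acquisition) misses it while carving the raw image by file signature (physical analysis) recovers it. The table layout, file names and file contents are all assumptions made for the example.

```python
"""Toy partition image showing why a physical (bit-for-bit) image recovers data
a logical copy misses. Layout is constructed for this example (not a real iOS
format): bytes 0..511 are an allocation table of 16 slots (20-byte NUL-padded
name, u32 offset, u32 length, 4 spare); data blocks follow. A deleted file has
its slot zeroed while its bytes stay on disk."""
import re
import struct

ENTRY = struct.Struct("<20sII4x")          # one allocation-table slot
TABLE_SIZE = 512
SIGNATURES = {b"SQLite format 3\x00": "sqlite", b"\xff\xd8\xff": "jpeg"}

def build_image():
    """4 KiB image with two live files and one deleted SQLite database."""
    img = bytearray(4096)
    files = [  # (name, live?, constructed content)
        (b"notes.db", True, b"SQLite format 3\x00" + b"N" * 200),
        (b"sms.db", False, b"SQLite format 3\x00" + b"S" * 300),  # deleted
        (b"photo.jpg", True, b"\xff\xd8\xff\xe0" + b"J" * 150),
    ]
    offset, slot = 1024, 0
    for name, live, content in files:
        img[offset:offset + len(content)] = content
        if live:  # a deleted file keeps its data but loses its table slot
            ENTRY.pack_into(img, slot * ENTRY.size, name, offset, len(content))
            slot += 1
        offset += 512  # one 512-byte block per file
    return bytes(img)

def table_entries(img):
    """Yield (name, offset, length) for every allocated slot."""
    for slot in range(TABLE_SIZE // ENTRY.size):
        name, off, length = ENTRY.unpack_from(img, slot * ENTRY.size)
        if length:
            yield name.rstrip(b"\x00").decode(), off, length

def logical_acquisition(img):
    """Logical copy / iTunes-style backup: follows the table, live files only."""
    return {name: img[off:off + n] for name, off, n in table_entries(img)}

def carve(img):
    """Physical analysis: scan every byte for known headers, table ignored."""
    return sorted((m.start(), kind) for magic, kind in SIGNATURES.items()
                  for m in re.finditer(re.escape(magic), img))

def unallocated_hits(img):
    """Carved headers outside every live file: deleted data a backup lacks."""
    live = [(off, off + n) for _, off, n in table_entries(img)]
    return [h for h in carve(img) if not any(a <= h[0] < b for a, b in live)]
```

On the constructed image, logical_acquisition returns only notes.db and photo.jpg, while unallocated_hits reports the SQLite header of the deleted sms.db at offset 1536.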
    11. Chain Of Trust – Normal Mode: BootRom → Low Level BootLoader → iBoot → Kernel → User Applications
    12. Chain Of Trust – DFU Mode: BootRom → iBSS → iBEC → Kernel → RAM DISK
    13. Breaking Chain Of Trust: BootRom (limera1n) → iBSS (patched) → iBEC (patched) → Kernel (patched) → Custom RAM DiSK
    14. Forensics
       • Creating and loading the forensic toolkit onto the device without damaging the evidence
       • Establishing communication between the device and the computer
       • Bypassing the iPhone passcode restrictions
       • Reading the encrypted file system
       • Recovering the deleted files
    15. Device versions
       • iPhone 3G
       • iPhone 3GS
       • iPhone 4 (GSM)
       • iPhone 4 (CDMA)
       • iPod Touch 3rd gen
       • iPod Touch 4th gen
       • iPad
    16. Bypassing the iPhone Passcode Restrictions
       Passcode complexity | Bruteforce time
       4 digits            | 18 minutes
       4 alphanumeric      | 51 hours
       5 alphanumeric      | 8 years
       8 alphanumeric      | 13,000 years
       Simple 4-digit iOS 4 and iOS 5 passcodes are recovered in 20-40 minutes
    17. Keychains
       The keychain is an SQLite database which stores sensitive data on your device. The keychain is encrypted with a hardware key. The keychain also restricts which applications can access the stored data: each application on your device has a unique application-identifier (also called an entitlement), and the keychain service restricts which data an application can access based on this identifier.
    18. Tools
       • Oxygen Forensic Suite 2010 PRO
       • Micro Systemation XRY
       • iPhone Analyzer
       • Cellebrite UFED
       • Cellebrite UFED Physical
    19. Regulatory
       • NIST 800-68 Guide to Integrating Forensic Techniques into Incident Response
       • NIST 800-72 Guidelines on PDA Forensics
    20. What about iPad 2
       • Unfortunately, the iPad 2 bootrom isn't vulnerable to any public exploits, so we cannot do anything with it, sorry. The only way to perform forensic analysis of an iPad 2 is to work with the iTunes backup; if the backup is password-protected and/or you want to decrypt the keychain, our Elcomsoft Phone Password Breaker will help.
    21. References
       • iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald (hitbamsterdam-iphonedataprotection.pdf)
       • iPhone data protection tools
       • ‘Handling iOS encryption in forensic investigation’ by Jochem van Kerkwijk
       • iPhone Forensics by Jonathan Zdziarski
       • iPhone forensics white paper – viaforensics
       • Keychain dumper
       • 25C3: Hacking the iPhone
       • The iPhone wiki