7. Forensics means: ANALYZE
• Steps to recover user activities
• Fully accountable: every step of the
investigation is logged and recorded
9. Tools we use
• AccessData FTK
• Guidance EnCase
• redsn0w_mac
• tcprelay.py
• keychain_tool.py
• dump_data_partition.sh
• emf_decrypter.py
10. iOS version vs. encryption
• iOS 3.x - the passcode is not needed to decrypt the
filesystem or any of the keychain items; moreover,
the passcode can be recovered instantly
• iOS 4 - you can still decrypt the filesystem image
without the passcode; however, some of the files
will remain encrypted (Mail.app databases and
some others) and so will most of the device
keychain items. Recovering a simple (4-digit)
passcode with a brute-force attack takes just
about half an hour
• iOS 5 – we are blind (yet)
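As an added illustration, not code from the presentation or from the iphone-dataprotection tools listed on slide 9, a constructed Python model of the key hierarchy behind the iOS 4 behaviour above: classes wrapped only by the hardware UID key decrypt on-device without the passcode, while passcode-protected classes (the Mail.app databases and most keychain items) stay encrypted until the right passcode is supplied. The UID key, salt and HMAC-based wrap are stand-ins, not the real AES primitives.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy model of the iOS 4 Data Protection key hierarchy behind the
# slide above. Real devices use AES-256 and RFC 3394 key wrap with the passcode
# key tangled through the hardware AES engine; this stand-in uses only HMAC and
# SHA-256 from the standard library so it runs anywhere. Protection classes:
# A = passcode-protected (e.g. Mail.app databases), D = NSFileProtectionNone.

UID_KEY = hashlib.sha256(b"constructed-device-uid").digest()  # hardware key (assumption)
SALT = b"constructed-keybag-salt"                              # assumption


def passcode_key(passcode: str) -> bytes:
    """PBKDF2 over the passcode, then mixed with the UID key (model of the on-device step)."""
    derived = hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, 10_000)
    return hmac.new(UID_KEY, derived, hashlib.sha256).digest()


def wrap(kek: bytes, key: bytes) -> bytes:
    """Stand-in for AES key wrap: tag || (key XOR keystream derived from the KEK)."""
    stream = hashlib.sha256(kek + b"wrap").digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    return hmac.new(kek, ct, hashlib.sha256).digest() + ct


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the class key, or None when the KEK is wrong (the key stays encrypted)."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(kek + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def build_keybag(passcode: str) -> dict:
    """Class A is wrapped with the passcode key; class D with the UID key alone."""
    class_a, class_d = secrets.token_bytes(32), secrets.token_bytes(32)
    return {"A": wrap(passcode_key(passcode), class_a), "D": wrap(UID_KEY, class_d)}


def decryptable_classes(keybag: dict, passcode: Optional[str]) -> set:
    """Classes an examiner holding the device (hence UID_KEY) can unwrap."""
    kek_a = passcode_key(passcode if passcode is not None else "")
    got = set()
    if unwrap(UID_KEY, keybag["D"]) is not None:
        got.add("D")
    if unwrap(kek_a, keybag["A"]) is not None:
        got.add("A")
    return got
```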
11. Forensics: Backup vs Physical
• We are able to recover all information from
backup files made with iTunes but
12. Physical iOS forensics
• Physical iOS forensics offers access to much
more information compared to what’s
available in those backups, including access to
passwords and usernames, email messages,
SMS and mail files.
13. Steps involved in iPhone forensics:
1. Creating & loading the forensic toolkit onto the
device without damaging the evidence
2. Establishing communication between the
device and the computer
3. Bypassing the iPhone passcode restrictions
4. Reading the encrypted file system
5. Recovering the deleted files
14. Difference between logical and
physical acquisition?
• Logical acquisition creates a copy of the file
system, saving all folder/file structure. Some
files, however, are 'locked' and so cannot be
copied.
• Physical acquisition creates a bit-by-bit image
of the partition, including unallocated space.
15. Chain Of Trust – Normal Mode
BootRom → Low Level BootLoader → iBoot → Kernel → User Applications
16. Chain Of Trust – DFU Mode
BootRom → iBSS → iBEC → Kernel → RAM DISK
17. Breaking Chain Of Trust
BootRom (limera1n) → iBSS (Patch) → iBEC (Patch) → Kernel (Patch) → Custom RAM DiSK
18. Forensics
• Creating & Loading forensic toolkit on to the
device without damaging the evidence
• Establishing a communication between the
device and the computer
• Bypassing the iPhone passcode restrictions
• Reading the encrypted file system
• Recovering the deleted files
20. Bypassing the iPhone Passcode Restrictions
Passcode complexity | Bruteforce time
4 digits | 18 minutes
4 alphanumeric | 51 hours
5 alphanumeric | 8 years
8 alphanumeric | 13,000 years
Simple 4-digit iOS 4 and iOS 5 passcodes recovered in 20-40 minutes
21. Keychains
The keychain is an SQLite database which stores
sensitive data on your device.
The keychain is encrypted with the hardware key.
The keychain also restricts which applications can
access the stored data. Each application on your
device has a unique application-identifier (also
called an entitlement). The keychain service
restricts which data an application can access
based on this identifier.
23. Regulatory
• NIST 800-68 Guide to Integrating Forensic
Techniques into Incident Response
• NIST 800-72 Guidelines on PDA Forensics
24. What about iPad 2
• Unfortunately, the iPad 2 bootrom isn't vulnerable
to any public exploits, so we cannot do
anything with it, sorry. The only way to
perform forensic analysis of the iPad 2 is to work
with the iTunes backup; if the backup is
password-protected and/or you want to decrypt the
keychain, our Elcomsoft Phone Password
Breaker will help.
25. References
• iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald
http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
• iPhone data protection tools
http://code.google.com/p/iphone-dataprotection/
• ‘Handling iOS encryption in forensic investigation’ by Jochem van Kerkwijk
• iPhone Forensics by Jonathan Zdziarski
• iPhone forensics white paper – viaforensics
• Keychain dumper
• 25C3: Hacking the iPhone
• The iPhone wiki
iOS users – paying ones more than those who are broke – are generally updating very quickly, even within the iterations over the current generation of operating system. Paying customers are more likely to update their iOS version: 94% use 4.x. Non-paying customers lag a little more behind: 13% still on 3.x.
http://www.marco.org/2011/08/13/instapaper-ios-device-and-version-stats-update
The iPad 2 has sold incredibly well, with its numbers now almost identical to the iPad 1’s among my customers. It wouldn’t surprise me if 40 million iPads have sold already. iPad usage has grown from 47% to 56% of my customers. Adoption of iOS 4.3 has jumped from 65% to 82%. Adoption of iOS 4.0 has risen from 98.1% to 98.4%. I expect this to increase significantly in the next few months as a lot of iPhone 3G owners upgrade to the next iPhone.
http://www.14oranges.com/2012/03/ios-version-statistics-march-21st-2012/
As you can see, 5.1 is increasing. Note we had a bit of a spike with 4.3 users but likely due to our small sample pool.
But even without the passcode there is another option: if you have physical access to the computer the device has been synced with, you can get the special "escrow" keys from there, and the passcode will not be needed, i.e. the Toolkit will be able to perform the full decryption (incl. keychain and Mail.app files).