iOS Forensics: where are we now and what are we missing?

In the last years several things have changed in the world of iOS forensics, both in terms of acquisition and in terms of analysis. The objective of this presentation is to provide an overview of the state of the art in terms of acquisition techniques and of overcoming the device's protection mechanisms, in particular the access code chosen by the user. In addition, the presentation aims to highlight what information we are missing by using the techniques and tools available on the market, and what alternative paths we can use to overcome this problem.

  1. iOS Forensics: where are we now and what are we missing? SANS DFIR Prague, 3rd October 2017. © 2017 Mattia Epifani | All Rights Reserved
  2. Overview on iOS Forensics
     • iOS acquisition challenges
     • Search and seizure of iOS devices
     • Acquisition techniques
     • Alternative options
  3. Why iOS Forensics? September 2017 – Mobile OS (source: Statcounter.com)
  4. Why iOS Forensics? September 2017 – Tablet OS (source: Statcounter.com)
  5. iOS Acquisition Challenges
     • iOS devices use full disk encryption
     • Other protection layers (e.g. per-file keys, backup password)
     • JTAG ports are not available
     • Chip-off techniques are not useful because of full disk encryption
     • But some experimental techniques have just come out!
  6. iOS Forensics RULES!
     • Turned off device: LEAVE IT OFF!
     • Turned on device (locked or unlocked): DON'T TURN IT OFF, AND THINK!
  7. PRESERVATION – Turned ON and LOCKED
     1. Activate Airplane mode
     2. Connect to a power source (e.g. external battery)
     3. Verify the model
     4. Verify the iOS version
  8. PRESERVATION – Activate Airplane Mode on a locked device
  9. IDENTIFICATION – Identify the model (I)
  10. IDENTIFICATION – Identify the model (II) and the iOS version
     • libimobiledevice (Linux/Mac): http://www.libimobiledevice.org/
     • iMobileDevice (Windows): http://quamotion.mobi/iMobileDevice/
     • ideviceinfo -s
     • They also work on locked devices!
  11. IDENTIFICATION – Identify the model (II) and the iOS version
  12. IDENTIFICATION – iPhone Model Chart

     | Device name | Model number | Internal name | Identifier | Year | Capacity (GB) |
     |---|---|---|---|---|---|
     | iPhone 7 Plus | A1784 | D111AP | iPhone9,4 | 2016 | 32, 128, 256 |
     | iPhone 7 Plus (China/Japan) | A1661 – A1785 – A1786 | D11AP | iPhone9,2 | 2016 | 32, 128, 256 |
     | iPhone 7 | A1778 | D101AP | iPhone9,3 | 2016 | 32, 128, 256 |
     | iPhone 7 (China) | A1660 – A1779 – A1780 | D10AP | iPhone9,1 | 2016 | 32, 128, 256 |
     | iPhone SE | A1662 – A1723 – A1724 | N69AP | iPhone8,4 | 2016 | 16, 32, 64, 128 |
     | iPhone 6s Plus | A1634 – A1687 – A1699 – A1690 | N66AP | iPhone8,2 | 2015 | 16, 64, 128 |
     | iPhone 6s | A1633 – A1688 – A1700 – A1691 | N71AP | iPhone8,1 | 2015 | 16, 64, 128 |
     | iPhone 6 Plus | A1522 – A1524 – A1593 | N56AP | iPhone7,1 | 2014 | 16, 64, 128 |
     | iPhone 6 | A1549 – A1586 | N61AP | iPhone7,2 | 2014 | 16, 64, 128 |
     | iPhone 5S (CDMA) | A1457 – A1518 – A1528 – A1530 | N53AP | iPhone6,2 | 2013 | 16, 32 |
     | iPhone 5S (GSM) | A1433 – A1533 | N51AP | iPhone6,1 | 2013 | 16, 32, 64 |
     | iPhone 5C (CDMA) | A1507 – A1516 – A1526 – A1529 | N49AP | iPhone5,4 | 2013 | 16, 32 |
     | iPhone 5C (GSM) | A1456 – A1532 | N48AP | iPhone5,3 | 2013 | 16, 32 |
     | iPhone 5 rev.2 | A1429 – A1442 | N42AP | iPhone5,2 | 2012 | 16, 32, 64 |
     | iPhone 5 | A1428 | N41AP | iPhone5,1 | 2012 | 16, 32, 64 |
     | iPhone 4s (China) | A1431 | N94AP | iPhone4,1 | 2011 | 8, 16, 32, 64 |
     | iPhone 4S | A1387 | | | 2011 | 8, 16, 32, 64 |
     | iPhone 4 – CDMA | A1349 | N92AP | iPhone3,2 | 2011 | 8, 16, 32 |
     | iPhone 4 – GSM | A1332 | N90AP | iPhone3,1 | 2010 | 8, 16, 32 |
     | iPhone 3GS (China) | A1325 | N88AP | iPhone2,1 | 2009 | 8, 16, 32 |
     | iPhone 3GS | A1303 | | | 2009 | 8, 16, 32 |
     | iPhone 3G (China) | A1324 | N82AP | iPhone1,2 | 2009 | 8, 16 |
     | iPhone 3G | A1241 | | | 2008 | 8, 16 |
     | iPhone 2G | A1203 | M68AP | iPhone1,1 | 2007 | 4, 8, 16 |
  13. PRESERVATION – Turned ON and UNLOCKED
     1. Prevent the phone locking!
        I. Don't press the power button!
        II. Disable Auto-Lock!
     2. Verify if a lock code is set!
     3. Activate Airplane mode
     4. Acquire the data as soon as possible, keeping the phone unlocked!
     OR connect to a computer to "pair" the iPhone
     OR
     1. Connect to a power source (e.g. external battery)
     2. Identify the model
     3. Identify the iOS version
  14. PRESERVATION – PREVENT LOCK STATE! (Disable Auto-Lock)
  15. PRESERVATION – Activate Airplane Mode on an unlocked device
  16. ACQUISITION – Acquisition techniques
     • File system acquisition:
       • iTunes backup – can be password protected!
       • Apple File Relay – Zdziarski, 2014; up to iOS 7
       • Apple File Conduit – the result depends on the iOS version
       • iCloud – already stored data, or forced
       • Full file system – possible only on jailbroken devices
     • Physical acquisition:
       • Available up to iPhone 4
       • Possible on jailbroken devices
  17. ACQUISITION – iPhone 4 and below
     • Physical acquisition is always possible
     • With a simple passcode all data will be decrypted
     • With a complex passcode you will in any case get native application data (e.g. address book, SMS, notes, video, images, etc.)
  18. ACQUISITION – Turned ON and unlocked / Turned OFF and without passcode
     • Some kind of file system acquisition is always possible
     • The data obtained strongly depends on the iOS version
     • General approach:
       • Connect the phone to a computer with iTunes or a mobile forensics tool installed
       • "Pair" the phone with the computer
       • Acquire the data with the various possible techniques/protocols
  19. ACQUISITION – Turned ON and unlocked / Turned OFF and without passcode
     • Possible problems:
       • Backup password
       • Managed devices → connection to a PC inhibited
       • iOS 11 (!!!)
  20. iOS 11 – Lockdown generation
     • Establishing trust ("pairing") with a PC now requires the passcode!
     • https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/
  21. ACQUISITION – Turned ON and LOCKED
     • Search for a lockdown certificate on a synced computer
     • Unlock through fingerprint
     • Try to force an iCloud backup
     • Specific iOS version vulnerability for bypassing the passcode
  22. ACQUISITION – Lockdown certificate
     • Stored in:
       • C:\ProgramData\Apple\Lockdown (Windows 7/8/10)
       • /private/var/db/lockdown (Mac OS X)
     • Certificate file name → Device_UDID.plist
     • The certificate can be extracted from the computer and used on another one with some forensic tools or directly with iTunes
     • A lockdown certificate stored on a computer is valid for 30 days
     • A lockdown certificate can be used within 48 hours since the user last unlocked the device with the passcode
  23. ACQUISITION – Fingerprint Unlock
     • To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation:
       • After restarting your device
       • When more than 48 hours have elapsed from the last time you unlocked your device
       • To enter the Touch ID & Passcode setting
     • https://support.apple.com/en-us/HT204587
  24. iOS 11 – SOS Mode
     • Apple has added a new emergency feature designed to give users an intuitive way to call emergency services by simply pressing the Power button five times in rapid succession
     • This SOS mode not only allows quickly calling an emergency number, but also disables Touch ID
     • https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/
  25. ACQUISITION – Force iCloud backup
     • Be careful when using this option and try other methods first!
       • Possible overwriting of an already existing backup
       • Risk of remote wiping
     • Follow this approach:
       • Bring the device close to a known Wi-Fi network
       • Connect to a power source
       • Wait a few hours
       • Request the data from Apple or download it
         • Legal authorization
         • Credentials or a token are needed
  26. ACQUISITION – Specific iOS version vulnerability
     • A comprehensive and continuously updated list is maintained at: http://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html
     • Latest available for iOS 10.3: CVE-2017-2397
     • "An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Accounts" component. It allows physically proximate attackers to discover an Apple ID by reading an iCloud authentication prompt on the lock screen."
  27. ACQUISITION – Turned OFF and LOCKED
     • Try to use a lockdown certificate
       • It works well on iOS 7 (AFR and AFC)
       • It can still get some data on iOS 8 (AFC)
       • Not useful on iOS 9/10/11
     • Some specific unlocking tools
       • They work on iOS 7 and iOS 8
       • UFED User Lock Code Recovery Tool
       • IP-BOX
       • MFC Dongle
       • Xpin Clip
  28. ACQUISITION – Turned OFF and LOCKED (iPhone 7)
  29. ACQUISITION – Turned OFF and LOCKED (iPhone 7)
  30. ACQUISITION – CAIS (Cellebrite Advanced Investigative Services): https://www.cellebrite.com/en/services/unlock-services/
  31. Alternative options
     • Local backup stored on the user's computer
     • Other data stored on the user's computer
     • iCloud acquisition
     • Experimental techniques (chip-off)
  32. Backup stored on the user's computer
  33. Encrypted backup
  34. iOS backup password cracking on Mac OS X
  35. Dumpkeychain
  36. Dumpkeychain
  37. Other data stored on the user's computer
     • Windows:
       • C:\ProgramData\Apple Computer\iTunes\iPodDevices.xml → connected iOS devices
       • C:\Users\[username]\AppData\Roaming\Apple Computer\
         • MobileSync\Backup → device backups
         • Logs → various device logs
         • MediaStream → PhotoStream information
         • iTunes → iTunes preferences and Apple account information
     • Mac OS X: https://www.mac4n6.com/resources/ – Sarah Edwards, "Ubiquity Forensics – Your iCloud and You"
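The lockdown-record rules on slide 22 and the backup artefacts on slides 32–37 lend themselves to a first-pass triage of a synced computer. The following Python is an added example, not code from the presentation; it assumes that pairing records are `<UDID>.plist` files whose file modification time approximates the record's age, and that a backup's `Manifest.plist` carries an `IsEncrypted` flag and a `Lockdown` dictionary with `ProductType` and `ProductVersion`. All sample files are constructed inline.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timedelta

LOCKDOWN_VALIDITY_DAYS = 30  # slide 22: a lockdown record on the PC is valid for 30 days
MODEL_BY_IDENTIFIER = {"iPhone9,4": "iPhone 7 Plus", "iPhone9,3": "iPhone 7",
                       "iPhone8,4": "iPhone SE", "iPhone7,2": "iPhone 6"}  # subset of slide 12


def triage_lockdown_dir(lockdown_dir, now):
    """One record per <UDID>.plist: age in days (assumption: taken from the file mtime)
    and whether it is still inside the 30-day window. SystemConfiguration.plist is skipped."""
    records = []
    for name in sorted(os.listdir(lockdown_dir)):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        mtime = os.path.getmtime(os.path.join(lockdown_dir, name))
        age_days = (now - datetime.fromtimestamp(mtime)).days
        records.append({"udid": name[:-6], "age_days": age_days,
                        "usable": age_days <= LOCKDOWN_VALIDITY_DAYS})
    return records


def backup_summary(manifest_path):
    """Manifest.plist of a MobileSync backup: IsEncrypted flag plus identity from its Lockdown dict."""
    with open(manifest_path, "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    identifier = lockdown.get("ProductType", "unknown")
    return {"encrypted": bool(manifest.get("IsEncrypted", False)), "identifier": identifier,
            "model": MODEL_BY_IDENTIFIER.get(identifier, "not in chart"),
            "ios_version": lockdown.get("ProductVersion", "unknown")}


def build_sample_workstation(now=None):
    """Constructed sample data: one fresh and one stale pairing record, one encrypted backup manifest."""
    now = now or datetime.now()
    root = tempfile.mkdtemp()
    lockdown_dir = os.path.join(root, "Lockdown")
    os.mkdir(lockdown_dir)
    for udid, days_old in (("CONSTRUCTED-UDID-FRESH", 2), ("CONSTRUCTED-UDID-STALE", 45)):
        path = os.path.join(lockdown_dir, udid + ".plist")
        with open(path, "wb") as fh:
            plistlib.dump({"HostID": "constructed-host-id"}, fh)  # placeholder record body
        stamp = (now - timedelta(days=days_old)).timestamp()
        os.utime(path, (stamp, stamp))  # backdate the record to simulate its age
    manifest = os.path.join(root, "Manifest.plist")
    with open(manifest, "wb") as fh:
        plistlib.dump({"IsEncrypted": True, "Lockdown": {"ProductType": "iPhone9,3",
                                                         "ProductVersion": "10.3.3"}}, fh)
    return lockdown_dir, manifest, now
```

Point `triage_lockdown_dir` at the real Lockdown directory and `backup_summary` at each `MobileSync\Backup\<UDID>\Manifest.plist` to see which pairing records are still within the 30-day window and which backups will need the backup password before parsing.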
  38. iPodDevices.xml
  39. MobileMeAccounts.plist
  40. Logs folder
  41. Logs folder
     • Installed applications list and usage
       • Various logs like PowerLog, Security, OnDemand
     • iTunes username
       • itunesstored.2.log file
     • File names of e-mail attachments
       • MobileMail logs
     • List of Wi-Fi networks and history of latest connections
       • Wi-Fi logs
  42. OnDemand log
  43. itunesstored.2.log
  44. MobileMail log
  45. Wi-Fi log
  46. iCloud Acquisition
     • You need:
       • User credentials, OR
       • A token extracted from a computer (Windows/Mac) – only if iCloud Control Panel is installed!
     • You can obtain:
       • iCloud device backup
       • iCloud calendars
       • iCloud contacts
       • Photo Streams
       • Email
       • Specific application data
  47. ACQUISITION – iCloud Acquisition
  48. ACQUISITION – iCloud Acquisition
  49. ACQUISITION – iCloud Acquisition
  50. ACQUISITION – iCloud Acquisition
  51. ACQUISITION – iCloud Acquisition
  52. ACQUISITION – iCloud Acquisition
  53. ACQUISITION – iCloud Acquisition
  54. Apple support – https://images.apple.com/legal/privacy/law-enforcement-guidelines-outside-us.pdf
     • You can request:
       • Subscriber information
       • Mail logs
       • Email content
       • Other iCloud content
       • iOS device backups
       • iCloud Photo Library
       • iCloud Drive
       • Contacts
       • Calendar
       • Bookmarks
       • Safari browsing history
       • Find My iPhone
       • Game Center
       • iOS device activation
       • Sign-on logs
       • My Apple ID and iForgot logs
       • FaceTime logs
  55. Chip Off (Experimental)
     • Recently published research by Sergei Skorobogatov: "The bumpy road towards iPhone 5C NAND mirroring"
       • http://www.cl.cam.ac.uk/~sps32/5c_proj.html
       • https://arxiv.org/pdf/1609.04327v1.pdf
       • https://www.youtube.com/watch?v=tM66GWrwbsY
  56. iOS Forensics Tools
     • Forensic tools: Cellebrite Physical Analyzer, Magnet IEF/AXIOM/Acquire, Oxygen Forensic, Elcomsoft Phone Breaker, Elcomsoft Phone Viewer, Elcomsoft iOS Forensic Toolkit, XRY, MPE+, Paraben Device Seizure, X-Ways/FTK/EnCase
     • Other tools: iTunes, libimobiledevice, iMobileDevice, iBackupBot, iPhone Backup Extractor, iFunBox, iTools, iExplorer, PlistEditor, SQLite Database Browser
  57. Learning iOS Forensics – Second Edition: https://www.packtpub.com/networking-and-servers/learning-ios-forensics-second-edition
  58. SANS FOR585 – Advanced Smartphone Forensics: https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
  59. SANS FOR585 – Advanced Smartphone Forensics: https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
  60. Q&A – Mattia Epifani
     • CEO @ REALITY NET – System Solutions
     • Digital Forensics Analyst
     • Mobile Device Security Specialist
     • Member of Clusit, DFA, IISFA, ONIF, Tech&Law
     • GCFA, GCFE, GASF, GREM, GNFA, GMOB, GCWN
     • CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
     • mattia.epifani@realitynet.it – @mattiaep
     • http://www.linkedin.com/in/mattiaepifani
     • http://www.realitynet.it
     • http://blog.digital-forensics.it
