The state of the art in iOS Forensics

  1. 1. The state of the art in iOS Forensics – BELKADAY, 16 MARCH 2021 – MATTIA EPIFANI
  2. 2. WHO AM I • I live and work in Italy • Master’s Degree in IT in 2002 @ UNIGE • Founder and CEO @ REALITY NET • Digital Forensics Analyst • Contract professor in Digital Forensics @ UNIGE • SANS Institute Certified Instructor FOR585/FOR500 • Researcher at IGSG – CNR (Italian National Council of Research)
  3. 3. MOST POPULAR IPHONES 2020 SOURCE: DEVICEATLAS.COM
  4. 4. Mobile iOS VERSION (iPhone) SOURCE: STATCOUNTER.COM – FEBRUARY 2021
  5. 5. Tablet iOS Version (iPad) SOURCE: STATCOUNTER.COM – FEBRUARY 2021
  6. 6. iOS Forensics: RULES!
      • Turned on device (locked or unlocked): DON’T TURN IT OFF AND THINK!
      • Turned off device: LEAVE IT OFF!
  7. 7. 4 Scenarios 1. Turned on and unlocked 2. Turned on and locked 3. Turned off with passcode 4. Turned off without passcode
  8. 8. PRESERVATION – Disable network connections
  9. 9. PRESERVATION – Disable Auto-Lock
  10. 10. PRESERVATION – Verify if a lock code is set
  11. 11. PRESERVATION – Verify device type and iOS version
  12. 12. ACQUISITION – Pairing Establishing Trust (“pairing”) with a PC requires the passcode!
  13. 13. What if you don’t know the passcode? 1. Take pictures! 2. Search for a lockdown certificate 3. AirDrop?
  14. 14. ACQUISITION – Take Pictures! I’m not joking ☺ Just take as many pictures of the screen as possible by browsing through the various applications!
  15. 15. ACQUISITION – Search for a lockdown certificate
      • Lockdown file name → Device_UDID.plist
      • Stored in:
        • C:\ProgramData\Apple\Lockdown (Win 7/8/10)
        • /private/var/db/lockdown (Mac OS X)
      • The certificate can be extracted from the computer and (under certain conditions) can be used on another computer with some forensic tools or directly with iTunes
      • The lockdown certificate can be expired…
      • The lockdown certificate can’t be used:
        • on a freshly restarted device
        • once some hours have passed since the last time the user unlocked the device with the passcode
  16. 16. ACQUISITION – Lockdown certificate
  17. 17. ACQUISITION – iTunes Backup with certificate
  18. 18. ACQUISITION – iTunes Backup with certificate
  19. 19. ACQUISITION – iTunes Backup with certificate
  20. 20. ACQUISITION – iTunes Backup with certificate
  21. 21. ACQUISITION – iTunes Backup with certificate
  22. 22. ACQUISITION – iTunes Backup with certificate
  23. 23. ACQUISITION – AirDrop?
  24. 24. TURNED ON AND UNLOCKED
      1. Prevent the device from locking! Don’t press the power button and DON’T TURN OFF the device!
      2. Disable network connections
      3. Disable “Auto-lock”
      4. Verify if a passcode is set
         1. If no passcode is set, turn off the device
         2. If a passcode is set, don’t turn off the device!
            1. Take pictures of the screen by browsing through the various applications
            2. Identify the device UDID, check whether a lockdown certificate is available on a synced PC or Mac, and acquire the device as soon as possible
            3. If applicable, consider using AirDrop, connecting the phone to a Wi-Fi network without Internet access
  25. 25. 4 Scenarios 1. Turned on and unlocked 2. Turned on and locked 3. Turned off with passcode 4. Turned off without passcode
  26. 26. TURNED ON AND LOCKED
  27. 27. PRESERVATION – Disable network connections
  28. 28. PRESERVATION – Verify Lock/FaceID/TouchID
  29. 29. ACQUISITION – USB Restricted Mode
  30. 30. ACQUISITION – Lockdown certificate
  31. 31. ACQUISITION – iTunes Backup with certificate
  32. 32. ACQUISITION – Identify device type and OS Version
  33. 33. TURNED ON AND LOCKED
      1. Disable network connections
         1. Don’t remove the SIM Card!
      2. Verify passcode type / FaceID / TouchID
      3. Can you unlock with FaceID / TouchID?
      4. Is USB Restricted Mode active?
      5. Can you find a valid lockdown certificate?
      6. Keep it powered on and AFU?
  34. 34. 4 Scenarios 1. Turned on and unlocked 2. Turned on and locked 3. Turned off with passcode 4. Turned off without passcode
  35. 35. PRESERVATION – Remove the SIM Card
  36. 36. IDENTIFICATION – Identify the device type
      1. Device IMEI
         1. In the SIM tray (iPhone 6s and above)
         2. On the back of the device (up to iPhone 6)
      2. Device Model
         1. In the SIM tray (iPhone 8 and above)
         2. On the back of the device (up to iPhone 7)
  37. 37. CHECKM8
      • Checkm8 is a bootrom exploit discovered and publicly released by the Twitter user “axi0mX” on 27th September 2019
      • iPhone 4s to iPhone X are vulnerable
  38. 38. ACQUISITION – Checkm8 BFU
  39. 39. ACQUISITION – Checkm8 BFU
  40. 40. ACQUISITION – Checkm8 BFU
  41. 41. ACQUISITION – Checkm8 BFU
  42. 42. ACQUISITION – Checkm8 BFU
  43. 43. ACQUISITION – Checkm8 BFU
  44. 44. ACQUISITION – Checkm8 BFU
  45. 45. ACQUISITION – Checkm8 BFU
  46. 46. ACQUISITION – Checkm8 BFU
  47. 47. ACQUISITION – Checkm8 BFU
  48. 48. ACQUISITION – Checkm8 BFU
  49. 49. ACQUISITION – Checkm8 BFU
  50. 50. ACQUISITION – Checkm8 BFU
  51. 51. Passcode Cracking
      • GrayKey (Grayshift)
      • Cellebrite CAS/Premium
      • Elcomsoft iOS Forensic Toolkit (only iPhone 4/5/5c)
  52. 52. TURNED OFF WITH PASSCODE 1. Can you obtain a BFU acquisition? 2. Can you crack the passcode?
  53. 53. 4 Scenarios 1. Turned on and unlocked 2. Turned on and locked 3. Turned off with passcode 4. Turned off without passcode
  54. 54. Acquisition Techniques
      • iPhone 5s/6/6+/6s/6s+/7/7+/8/8+/X: Checkm8-based Full File System
      • iPhone XR/XS/XS Max/11/11 Pro/11 Pro Max/SE (2020)/12/12 Mini/12 Pro/12 Pro Max: iTunes Backup, Apple File Conduit (AFC), Crash Logs and Sysdiagnose, Agent Based Acquisition, Jailbreak
  55. 55. ACQUISITION – AFC
  56. 56. ACQUISITION – AFC
  57. 57. ACQUISITION – AFC
  58. 58. ACQUISITION – Crash Logs
  59. 59. ACQUISITION – Crash Logs
  60. 60. ACQUISITION – Crash Logs
  61. 61. Using Apple “Bug Reporting” for Forensic Purposes https://www.for585.com/sysdiagnose https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
  62. 62. ACQUISITION – Agent backup
  63. 63. ACQUISITION – Agent backup
  64. 64. ACQUISITION – Agent backup
  65. 65. ACQUISITION – Agent backup
  66. 66. ACQUISITION – Agent backup
  67. 67. ACQUISITION – Agent backup
  68. 68. ACQUISITION – unc0ver Jailbreak
  69. 69. ACQUISITION – unc0ver Jailbreak
  70. 70. ACQUISITION – Jailbroken Device
  71. 71. ACQUISITION – Jailbroken Device
  72. 72. ACQUISITION – Jailbroken Device
  73. 73. ACQUISITION – Jailbroken Device
  74. 74. ACQUISITION – Jailbroken Device
  75. 75. ACQUISITION – Jailbroken Device
  76. 76. ACQUISITION – Jailbroken Device
  77. 77. TURNED OFF WITHOUT PASSCODE
      1. Is the device checkm8-compatible?
      2. If Yes, obtain a full file system with checkm8
      3. If No:
         1. Obtain an iTunes backup [check encryption]
         2. Obtain an AFC acquisition
         3. (Optionally) Generate a sysdiagnose
         4. Extract CrashLogs (and sysdiagnose)
         5. Is the device compatible with a full file system agent-based extraction?
         6. Is the device compatible with a jailbreak?
  78. 78. WHERE TO GO WHEN YOU ARE LOCKED OUT?
      • Local backup stored on the user’s computer
        • Windows
          • \Users\<username>\AppData\Roaming\MobileSync\Backup
          • \Users\<username>\Apple\MobileSync\Backup
        • Mac
          • /Users/[USERNAME]/Library/Application Support/MobileSync/Backup
      • Other data stored on the user’s computer
        • Crash Logs
        • C:\ProgramData\Apple Computer\iTunes\iPodDevices.xml
      • iCloud
      • Synced devices (Apple Watch / Apple TV)
      • Apple Support (Only LE)
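Added example, not part of the deck: a small Python triage script that ties slide 15 (the lockdown pairing record `<UDID>.plist`) to slide 78 (local backups on a synced computer). Given the lockdown folder and a backup folder (pass the directories listed on the slides), it reports whether a pairing record exists for the UDID of interest, how old it is, whether expected keys are present, and whether each local backup is encrypted, which is the "[check encryption]" step of slide 77. The `LOCKDOWN_DIRS` paths are the ones from slide 15; the plist keys it checks (`HostID`, `HostCertificate`, `DeviceCertificate`, `EscrowBag` in a pairing record, `IsEncrypted` in a backup's `Manifest.plist`) are assumptions about the usual file layouts rather than anything the slides state, and the tree built by `build_demo_tree` is constructed sample data, not a real device.

```python
"""Triage a synced computer for an iOS pairing record and local backups."""
import json
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Lockdown (pairing record) folders as listed on slide 15.
LOCKDOWN_DIRS = {
    "windows": r"C:\ProgramData\Apple\Lockdown",
    "macos": "/private/var/db/lockdown",
}

# Keys usually found in a pairing record (assumption, not stated on the slides).
PAIRING_KEYS = ("HostID", "HostCertificate", "DeviceCertificate", "EscrowBag")

# Constructed sample values for the demo tree; not a real device.
DEMO_UDID = "DEMO-UDID-0000"
DEMO_MTIME = 1_600_000_000  # fixed epoch so the demo's age is deterministic


def inspect_lockdown_record(lockdown_dir, udid, now=None):
    """Describe <lockdown_dir>/<UDID>.plist, or return None if it is absent.

    The age is only a rough indicator: the slides note that a record stops
    working after a restart and once some hours have passed since the last
    passcode unlock, which the file's mtime cannot tell you directly.
    """
    path = Path(lockdown_dir) / f"{udid}.plist"
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        record = plistlib.load(fh)
    now = time.time() if now is None else now
    return {
        "path": str(path),
        "age_hours": round((now - path.stat().st_mtime) / 3600, 1),
        "missing_keys": [k for k in PAIRING_KEYS if k not in record],
    }


def list_backups(backup_dir):
    """One entry per backup folder; folders are named after the device UDID.

    Manifest.plist carries the IsEncrypted flag (assumed layout).
    """
    base = Path(backup_dir)
    results = []
    if not base.is_dir():
        return results
    for folder in sorted(p for p in base.iterdir() if p.is_dir()):
        manifest = folder / "Manifest.plist"
        entry = {"udid": folder.name, "has_manifest": manifest.is_file(), "encrypted": None}
        if entry["has_manifest"]:
            with manifest.open("rb") as fh:
                entry["encrypted"] = bool(plistlib.load(fh).get("IsEncrypted", False))
        results.append(entry)
    return results


def triage(lockdown_dir, backup_dir, udid, now=None):
    """Combine both checks into one report for the device UDID of interest."""
    backups = list_backups(backup_dir)
    return {
        "lockdown": inspect_lockdown_record(lockdown_dir, udid, now),
        "backups": backups,
        "backup_for_udid": any(b["udid"] == udid for b in backups),
    }


def build_demo_tree(root):
    """Create a constructed sample tree under root (NOT real device data)."""
    lockdown = Path(root) / "Lockdown"
    backups = Path(root) / "Backup"
    lockdown.mkdir(parents=True)
    (backups / DEMO_UDID).mkdir(parents=True)
    record = lockdown / f"{DEMO_UDID}.plist"
    with record.open("wb") as fh:  # deliberately lacks EscrowBag
        plistlib.dump({"HostID": "demo-host-id", "HostCertificate": b"placeholder",
                       "DeviceCertificate": b"placeholder"}, fh)
    os.utime(record, (DEMO_MTIME, DEMO_MTIME))
    with (backups / DEMO_UDID / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": True}, fh)
    return str(lockdown), str(backups)


def run_demo():
    """Build the demo tree in a temp dir and triage it three hours after pairing."""
    with tempfile.TemporaryDirectory() as tmp:
        lockdown, backups = build_demo_tree(tmp)
        return triage(lockdown, backups, DEMO_UDID, now=DEMO_MTIME + 3 * 3600)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real examination you would call `triage()` with the lockdown directory from `LOCKDOWN_DIRS` and the backup directory from slide 78; the demo uses a temporary tree so the script runs offline. A record reported as present still has to be tried against the device, since neither file age nor key presence proves it will be accepted.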
  79. 79. ACQUISITION – iCloud
  80. 80. Data analysis 1. iOS configuration and logs 2. Native applications 3. Third party applications
  81. 81. SANS FOR585 Smartphone Poster https://digital-forensics.sans.org/media/DFIR_FOR585_Digital_Poster.pdf
  82. 82. System Files
  83. 83. System Files
  84. 84. System Files
  85. 85. Data analysis 1. iOS configuration and logs 2. Native applications 3. Third party applications
  86. 86. Native Applications
  87. 87. Native Applications
  88. 88. Data analysis 1. iOS configuration and logs 2. Native applications 3. Third party applications
  89. 89. Third Party Applications https://www.sans.org/security-resources/posters/dfir/ios-third-party-apps-forensics-reference-guide-poster-300
  90. 90. Third Party Applications
  91. 91. Third Party Applications
  92. 92. Third Party Applications https://www.sans.org/webcasts/ios-third-party-apps-analysis-reference-guide-poster-117244
  93. 93. CONTACTS Mattia Epifani mattia.epifani@realitynet.it @mattiaep
