The state of the art in iOS Forensics

The state of the art in
iOS Forensics
BELKADAY, 16 MARCH 2021
MATTIA EPIFANI

WHO AM I
• I live and work in Italy
• Master’s Degree in IT in 2002 @ UNIGE
• Founder and CEO @ REALITY NET
• Digital Forensics Analyst
• Contract professor in Digital Forensics @ UNIGE
• SANS Institute Certified Instructor FOR585/FOR500
• Researcher at IGSG – CNR (Italian National Council of
Research)

MOST POPULAR IPHONES 2020
SOURCE: DEVICEATLAS.COM

Mobile iOS VERSION (iPhone)
SOURCE: STATCOUNTER.COM – FEBRUARY 2021

Tablet iOS Version (iPad)
SOURCE: STATCOUNTER.COM – FEBRUARY 2021

iOS Forensics: RULES!
Turned on device
(locked or unlocked)
DON’T TURN IT OFF AND THINK!
Turned off device
LEAVE IT OFF!

4 Scenarios
1. Turned on and unlocked
2. Turned on and locked
3. Turned off with passcode
4. Turned off without passcode

PRESERVATION – Disable network connections

PRESERVATION – Disable Auto-Lock

PRESERVATION – Verify if a lock code is set

PRESERVATION – Verify device type and iOS version

ACQUISITION – Pairing
Establishing
Trust (“pairing”)
with a PC
requires the
passcode!

What if you don’t know the passcode?
1. Take pictures!
2. Search for a lockdown certificate
3. AirDrop?

ACQUISITION – Take Pictures!
I’m not joking ☺
Just take as much pictures of the
screen as possible by browsing
through the various applications!

ACQUISITION – Search for a lockdown
certificate
 Lockdown file name → Device_UDID.plist
 Stored in:
 C:Program DataAppleLockdown Win 7/8/10
 /private/var/db/lockdown Mac OS X
 The certificate can be extracted from the computer and (under certain conditions)
can be used in another computer with some forensic tools or directly with iTunes
 Lockdown certificate can be expired…
 Lockdown certificate can’t be used
 on freshly restarted device
 within some hours since last time user unlocked with the passcode

ACQUISITION – Lockdown certificate

ACQUISITION – iTunes Backup with certificate

TURNED ON AND UNLOCKED
1. Prevent the device locking!
Don’t press power button e DON’T TURN OFF the
device!
2. Disable network connections
3. Disable “Auto-lock”
4. Verify if a passcode is set
1. If no passcode is set, turn off the device
2. If a passcode is set, don’t turn off the device!
1. Take pictures of the screen by browsing through the various applications
2. Identify the Device UDID and search if a lockdown certificate is available on a
synced PC or Mac and acquire the device as soon as possible
3. Eventually consider using AirDrop, by connecting the phone to a Wi-Fi without Internet
connection

PRESERVATION – Verify Lock/FaceID/TouchID

ACQUISITION – USB Restricted Mode

ACQUISITION – Identify device type and
OS Version

TURNED ON AND LOCKED
1. Disable network connections
1. Don’t remove the SIM Card!
2. Verify passcode type / FaceID / TouchID
3. Can you unlock with FaceID / TouchID?
4. Is USB Restricted Mode active?
5. Can you find a valid lockdown certificate?
6. Keep it powered on and AFU?

PRESERVATION – Remove the SIM Card

IDENTIFICATION – Identify the device type
1. Device IMEI
1. In the SIM Tray (iPhone 6s and above)
2. On the back of the device (up to iPhone 6)
2. Device Model
1. In the SIM Tray (iPhone 8 and above)
2. On the back of the device (up to iPhone 7)

CHECKM8
 Checkm8 is a bootrom
exploit discovered and
publicly released by
the Twitter user
“axi0mX” on 27th
September 2019
 iPhone 4s to iPhone X
are vulnerable

Passcode Cracking
 Graykey Grayshift
 Cellebrite CAS/Premium
 Elcomsoft iOS Forensic Toolkit
(only iPhone 4/5/5c)

TURNED OFF WITH PASSCODE
1. Can you obtain a BFU acquisition?
2. Can you crack the passcode?

• Checkm8-based Full File System
iPhone 5s/6/6+/6s/6s+/7/7+/8/8+/X
• iTunes Backup
• Apple File Conduit (AFC)
• Crash Logs and Sysdiagnose
• Agent Based Acquisition
• Jailbreak
iPhone XR/XS/XS Max/11/11 Pro/11 Pro Max
SE(2020)/12/12 Mini/12 Pro /12 Pro Max
Acquisition Techniques

Using Apple “Bug Reporting” for Forensic Purposes
https://www.for585.com/sysdiagnose
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts

ACQUISITION – unc0ver Jailbreak

ACQUISITION – Jailbroken Device

TURNED OFF WITHOUT PASSCODE
1. Is the device checkm8-compatible?
2. If Yes, obtain a full file system with checkm8
3. If No
1. Obtain an iTunes backup [check encryption]
2. Obtain an AFC acquisition
3. (Eventually) Generate a sysdiagnose
4. Extract CrashLogs (and sysdiagnose)
5. Is the device compatible for a full file system
agent based extraction?
6. Is the device compatible with a jailbreak?

WHERE TO GO WHEN YOU ARE
LOCKED OUT?
• Local backup stored on user’s computer
• Windows
• Users<username>AppDataRoamingMobileSyncBackup
• Users<username>AppleMobileSyncBackup
• Mac
• /Users/[USERNAME]/Library/Application Support/MobileSync/Backup
• Other data stored on user’s computer
• Crash Logs
• C:ProgramDataAppleComputeriTunesiPodDevices.xml
• iCloud
• Synced devices (Apple Watch / Apple TV)
• Apple Support (Only LE)

Data analysis
1. iOS configuration and logs
2. Native applications
3. Third party applications

SANS FOR585 Smartphone Poster
https://digital-forensics.sans.org/media/DFIR_FOR585_Digital_Poster.pdf

Third Party Applications
https://www.sans.org/security-resources/posters/dfir/ios-third-party-apps-forensics-reference-guide-poster-300

Third Party Applications
https://www.sans.org/webcasts/ios-third-party-apps-analysis-reference-guide-poster-117244

CONTACTS
Mattia Epifani
mattia.epifani@realitynet.it
@mattiaep

The state of the art in iOS Forensics

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The state of the art in iOS Forensics

Similar to The state of the art in iOS Forensics (20)

More from Reality Net System Solutions

More from Reality Net System Solutions (10)

Recently uploaded

Recently uploaded (20)

The state of the art in iOS Forensics