iOS forensics

Description: iOS forensics approach

Transcript:
iPhone Forensics
Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant
[Chart: % of iOS versions in use, August 2011, state at 12.04.2012; series "New Users" and "Total"]
Forensics means: ANALYZE
• Steps to recover user activities
• Fully accountable: every step of the investigation is logged and recorded
Tools we use
• AccessData FTK
• Guidance EnCase
• redsn0w_mac
• tcprelay.py
• keychain_tool.py
• dump_data_partition.sh
• emf_decrypter.py
iOS version to encryption
• iOS 3.x - the passcode is not needed to decrypt the filesystem or any of the keychain items; moreover, the passcode can be recovered instantly
• iOS 4 - you can still decrypt the filesystem image without the passcode; however, some of the files will remain encrypted (Mail.app databases and some others) and so will most of the device keychain items. Recovering the passcode with a brute-force attack takes only about half an hour for simple (4-digit) passcodes
• iOS 5 – we are blind (yet)
Forensics: Backup vs Physical
• We are able to recover all information from backup files made with iTunes but
Physical iOS forensics
• Physical iOS forensics offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, SMS and mail files.
Steps involved in iPhone forensics:
1. Creating & loading the forensic toolkit onto the device without damaging the evidence
2. Establishing communication between the device and the computer
3. Bypassing the iPhone passcode restrictions
4. Reading the encrypted file system
5. Recovering the deleted files
Difference between logical and physical acquisition?
• Logical acquisition creates a copy of the file system, saving all folder/file structure. Some files, however, are 'locked' and so cannot be copied.
• Physical acquisition creates a bit-by-bit image of the partition, including unallocated space.
Chain Of Trust – Normal Mode
[Diagram: BootRom → Low Level BootLoader → iBoot → Kernel → User Applications]
Chain Of Trust – DFU Mode
[Diagram: BootRom → iBSS → iBEC → Kernel → RAM Disk]
Breaking Chain Of Trust
[Diagram: BootRom (limera1n) → iBSS (patch) → iBEC (patch) → Kernel (patch) → Custom RAM Disk]
Forensics
• Creating & loading the forensic toolkit onto the device without damaging the evidence
• Establishing communication between the device and the computer
• Bypassing the iPhone passcode restrictions
• Reading the encrypted file system
• Recovering the deleted files
Devices versions
• iPhone 3G
• iPhone 3GS
• iPhone 4 (GSM)
• iPhone 4 (CDMA)
• iPod Touch 3rd gen
• iPod Touch 4th gen
• iPad
Bypassing the iPhone Passcode Restrictions
Passcode complexity    Bruteforce time
4 digits               18 minutes
4 alphanumeric         51 hours
5 alphanumeric         8 years
8 alphanumeric         13,000 years
Simple 4-digit iOS 4 and iOS 5 passcodes recovered in 20-40 minutes
Keychains
The keychain is a SQLite database which stores sensitive data on your device. The keychain is encrypted with a hardware key. The keychain also restricts which applications can access the stored data: each application on your device has a unique application identifier (also called an entitlement), and the keychain service restricts which data an application can access based on this identifier.
Tools
• Oxygen Forensic Suite 2010 PRO
• Micro Systemation XRY
• iPhone Analyzer
• Cellebrite UFED
• Cellebrite UFED Physical
Regulatory
• NIST 800-68 Guide to Integrating Forensic Techniques into Incident Response
• NIST 800-72 Guidelines on PDA Forensics
What about iPad2
• Unfortunately, the iPad 2 bootrom isn't vulnerable to any public exploits, so we cannot do anything with it, sorry. The only way to perform forensic analysis of an iPad 2 is to work with the iTunes backup; if the backup is password-protected and/or you want to decrypt the keychain, our Elcomsoft Phone Password Breaker will help.
References
• iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald, http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
• iPhone data protection tools: http://code.google.com/p/iphone-dataprotection/
• ‘Handling iOS encryption in forensic investigation’ by Jochem van Kerkwijk
• iPhone Forensics by Jonathan Zdziarski
• iPhone forensics white paper – viaforensics
• Keychain dumper
• 25C3: Hacking the iPhone
• The iPhone wiki