State of iPhone and iPad forensics (physical & logical)

16 Posts
7 Users
0 Likes
1,382 Views
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Hello,

I wanted to get a complete summary of the current state of forensics that can be done with i-Devices. From what I read in this forum and other blogs/articles/research, we have the following:

- Physical and logical extraction possible on devices up to iPhone 4 and iPad 1 running firmware up to iOS 5.

- Logical acquisition possible on iPhone 4GS, 5 and iPad 2,3 running up to iOS 6.

- Physical extraction currently not possible with iPhone 4GS, iPhone 5, iPad 2, and iPad 3 (regardless of iOS version).

- PIN Code lock bypass not possible on iPhone 4GS, iPhone 5, iPad 2 and iPad 3.

Am I correct in my summary or has there been any advancements that I might have missed?

Thanks guys!

-Alistair

 
Posted : 17/07/2013 4:51 pm
(@cvanaernam)
Posts: 10
Active Member
 

- Physical and logical extraction possible on devices up to iPhone 4 and iPad 1 running firmware up to iOS 5.

Physical Analyzer from Cellebrite supports physical and file system extractions up to iPhone 4 and iPad 1 running firmware up to iOS 6.1.3. Not sure about the rest of the mobile device products out there.

 
Posted : 17/07/2013 6:19 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

Elcomsoft claims, and I have not verified this, that they can perform a physical acquisition on an iPhone 4S and 5 and iPad 2+. The device has to be jailbroken either by the examiner or already jailbroken by the user. The PIN cannot be bypassed.

Can anyone verify this? I do not own Elcomsoft iOS Forensic Toolkit. I'd rather not jailbreak a phone, but if it's a choice between not jailbreaking and getting nothing and jailbreaking, I guess I'll jailbreak it.

 
Posted : 18/07/2013 1:56 am
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Hey Bulldawg,

It's possible to jailbreak an iPhone without knowing the passcode, right? Is entering DFU mode enough?

 
Posted : 18/07/2013 5:08 am
(@horking)
Posts: 10
Active Member
 

Doesn't jailbreaking clean up all user data on the iPhone 4S/5?

 
Posted : 18/07/2013 11:08 am
(@coligulus)
Posts: 165
Estimable Member
 

I have not looked at the most recent version of the toolkit but have been doing some jailbreak testing over the last couple of weeks. To confirm, it is possible to jailbreak a PIN locked device running 6.1.3 without access to the passcode and from my testing it does not appear to do anything with the data on the device. In the interest of clarity my test device only had 1 contact on it prior to jailbreaking and the contact remained afterwards.

The big problem IMO with the message from Elcomsoft, and anybody else that offers this on the newer devices, is that while it may be possible to jailbreak the device without losing data (or the device may be jailbroken already), if the device does not have SSH installed from Cydia then it will not be possible to connect to the device and get any data out. They do mention this in the FAQ, but of course it's not part of the marketing message.

So, if the device is locked, you can jailbreak it, but without getting past the PIN screen you cannot install OpenSSH from Cydia, thus you cannot connect to it.

If the device is already jailbroken and OpenSSH installed, you still need the owner to not have had the sense to change the root password, because if they did, even with SSH installed you do not have the correct credentials to authenticate.

One thing I haven't tried on this front is installing a "custom bundle" into the jailbreak payload which includes OpenSSH; however, I think there are a number of dependencies that are required and as such this may not be as easy as it sounds, or indeed possible at all.

Edit: Thinking about this further, one shouldn't overlook the ability to get a physical acquisition from these devices which are not PIN locked, or where the PIN has been provided. As I'm sure all know, the volume of data present in a backup is limited, and a physical acquisition and the ability to decode from any device is not to be sniffed at. Though, this may a) involve jailbreaking the device and thus changing the state and b) connecting it to a network to download OpenSSH from Cydia once compromised. There is clearly an inherent risk with both of these steps.

Hopefully that information is useful and perhaps prompts some additional discussion/research on the topic.

Colin

 
Posted : 18/07/2013 4:25 pm
(@coligulus)
Posts: 165
Estimable Member
 

I just did a quick test to see if an already jailbroken device could be accessed using iExplorer on a PC which had not previously "met" the iDevice. The answer was a resounding no. Again, it would seem that even if jailbroken, if the PC does not have the necessary escrow keybags, you cannot access the device prior to inputting the PIN.

 
Posted : 18/07/2013 4:48 pm
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Great reply Coligulus, that was my thought too.

As far as I know, no method exists for brute forcing the PIN on iOS 6.1.3; is that correct?
The method proposed by iphone-dataprotection (http://code.google.com/p/iphone-dataprotection/) can crack a 4-digit PIN on iOS versions up to 5.x. However, it seems that brute forcing the PIN on iOS versions 6.x is not possible as of yet.

I also like the proposed method by Coligulus of jailbreaking with a custom package (jailbreak bundled with OpenSSH and other utilities). This could indeed enable law enforcement to connect to the i-Device without having to bypass the PIN lock.

So can we safely say that, at the moment, an iPhone 4 and above running iOS 6.x with a PIN lock (which is unknown to the forensics investigator) is pretty much unbreakable? It seems that this would void most forensic results on recovered iPhones, since Apple tends to push iOS upgrades and most people agree to install them as soon as they sync with iTunes.

Cheers.

 
Posted : 18/07/2013 6:07 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

No, an iPhone 4 with a PIN can still be imaged. It is the iPhone 4S and iPhone 5 that will cause problems with a PIN lock. That's my understanding, anyway. I don't currently have an iPhone 4 I can play with.

 
Posted : 18/07/2013 7:06 pm
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Sorry, I meant iPhone 4S and up. I have an iPhone 4 and I was able to image it successfully.

 
Posted : 18/07/2013 7:18 pm