Unlocked iPhone 6s ...
 
Notifications
Clear all

Unlocked iPhone 6s data extraction blocked

19 Posts
8 Users
0 Likes
1,837 Views
(@meroslave)
Posts: 10
Active Member
Topic starter
 
I have an unlocked iPhone 6s v. 10.3.3 and i'm trying to extract the data using Oxygen-forensic Analyst version but unfortunately it asks for pass code to complete the data extraction process (backup method). The same happens when I create a backup using i Tunes and try to examine it.
so the questions are
1- Any definition about the problem, is it a pass code protection for the data or is it a sort of data encryption?
2- I think Oxygen-forensic Analyst is not capable to bypass this obstacle, am I right or not? so, any suggestion for other software can fix it? (I'm about to download MAGNET trial)

PS The phone had a pass code and I already turned it off using the correct pass code with no troubles.

 
Posted : 14/11/2017 8:15 pm
(@meroslave)
Posts: 10
Active Member
Topic starter
 
 
Posted : 14/11/2017 8:18 pm
(@mcman)
Posts: 189
Estimable Member
 

This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

Jamie

 
Posted : 14/11/2017 9:13 pm
(@lcherne)
Posts: 9
Active Member
 

Try researching the iTunes backup password - is this something you can ask the user for?

Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

 
Posted : 14/11/2017 9:16 pm
(@meroslave)
Posts: 10
Active Member
Topic starter
 

This is the iTunes backup password, not the phone passcode (2 different things). If the user has ever set a backup password, it will create an encrypted backup with that password. Apple is starting to force that by default on the latest versions so that all backups are encrypted.

You can also force an encrypted backup by setting your own password as well if one wasn't previously set. The pros of getting an encrypted backup is that you'll get the keychain and more data as a result. If no password has been set, you can get an unencrypted backup but with less data.

So if you know the iTunes backup password put it in there and it will decrypt the data for you, if not, you might just get an encrypted backup and you would have to crack the password if you don't know it.

Jamie

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

 
Posted : 14/11/2017 9:43 pm
(@meroslave)
Posts: 10
Active Member
Topic starter
 

Try researching the iTunes backup password - is this something you can ask the user for?

Oxygen's documentation says it can assist with password recovery for a preexisting backup (for example if there is a backup that was previously made on a computer) but you're out of luck obtaining a backup.

To obtain a backup, you'll need to have the iTunes backup password or reset it using iOS 11. Check out Cindy Murphy's recent blog post at the Gillware blog for details and disclaimers upgrading to iOS 11.

The user denied that he made a backup password and he only gives the phone pass code.

 
Posted : 14/11/2017 10:05 pm
(@mcman)
Posts: 189
Estimable Member
 

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

For iOS, all you're getting is a iTunes backup no matter what tool you use. Oxygen, Cellebrite, XRY, Magnet ACQUIRE/AXIOM, all will only give you an iTunes backup for anything running iOS 8.3 or newer. With older versions of iOS you could get file relay data but Apple shut that door with iOS 8.3. You can't get physical extraction on anything iPhone 4S or newer due to encryption.

If you use Cellebrite's paid unlocking service (CAIS), they can unlock and dump an iPhone 6(s) running iOS 10 I believe but you're going to be paying a decent chunk of money for the ability to unlock that one single phone. Depends if the case is worth it for you I guess but there are no tools out there magically cracking the latest iOS beyond an iTunes backup, which in your case, is encrypted (the user may or may not know this password, I've come across many who had no idea, best bet, ask them for their iTunes or Apple ID password, it's often the same).

You can also try cracking it as stated by others. If you have a backup on a PC you can use the keychain to unlock. If not, try giving Passware/Elcomsoft (paid), or hashcat (free) a go at cracking the backup.

The iOS struggle is real, see Apple/FBI/San Bernardino.

Jamie

 
Posted : 15/11/2017 1:53 pm
(@meroslave)
Posts: 10
Active Member
Topic starter
 

Nice, according to your answer, forget about the backup at all, which is password protected and let's extract the data by logical /physical method which is password free. But the both methods are not available at Oxygen forensic analyst (with iOS).
Any alternatives?

For iOS, all you're getting is a iTunes backup no matter what tool you use. Oxygen, Cellebrite, XRY, Magnet ACQUIRE/AXIOM, all will only give you an iTunes backup for anything running iOS 8.3 or newer. With older versions of iOS you could get file relay data but Apple shut that door with iOS 8.3. You can't get physical extraction on anything iPhone 4S or newer due to encryption.

If you use Cellebrite's paid unlocking service (CAIS), they can unlock and dump an iPhone 6(s) running iOS 10 I believe but you're going to be paying a decent chunk of money for the ability to unlock that one single phone. Depends if the case is worth it for you I guess but there are no tools out there magically cracking the latest iOS beyond an iTunes backup, which in your case, is encrypted (the user may or may not know this password, I've come across many who had no idea, best bet, ask them for their iTunes or Apple ID password, it's often the same).

You can also try cracking it as stated by others. If you have a backup on a PC you can use the keychain to unlock. If not, try giving Passware/Elcomsoft (paid), or hashcat (free) a go at cracking the backup.

The iOS struggle is real, see Apple/FBI/San Bernardino.

Jamie

Anyway, it was a value reply mcman, really so thanks for you.

 
Posted : 15/11/2017 3:56 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Only Oxygen Forensic Detective has an ability to find the password to the encrypted iTunes backup. The built-in Passware module does it with latest algorithms including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks are brute-force, dictionary, Xieve, etc.
This functionality is not included in Oxygen Forensic Analyst version.

 
Posted : 15/11/2017 4:15 pm
(@meroslave)
Posts: 10
Active Member
Topic starter
 

Only Oxygen Forensic Detective has an ability to find the password to the encrypted iTunes backup. The built-in Passware module does it with latest algorithms including distributed processing and GPU acceleration with ATI and NVIDIA boards. The available attacks are brute-force, dictionary, Xieve, etc.
This functionality is not included in Oxygen Forensic Analyst version.

If it's sure 100% the detective version with pasware included able to bypass the password, definitely I will upgrade my analyst. But if not, what is the percentage to success?

 
Posted : 15/11/2017 5:26 pm
Page 1 / 2
Share: