WJN Cybersecurity Company

Category: Uncategorized

  • iOS 17.3 Developer Preview: Stolen Device Protection

    iOS 17.3 Developer Preview: Stolen Device Protection

    The first developer beta of iOS 17.3 includes Stolen Device Protection, a major new security feature designed to protect the user’s sensitive information stored in the device and in iCloud account if their iPhone is stolen and the thief gets access to the phone’s passcode. This optional feature could represent a significant change in how Apple looks at security, where currently the passcode is king. At this time, no detailed documentation is available; developers are getting a prompt to test the feature when installing the new beta.

    One key to rule them all

    It started back in 2017 with the release of iOS 11, which made it possible to reset an unknown iTunes backup password on-device by keying in the user’s passcode. This feature made logical acquisition trivial if one had access to the original screen lock passcode; the backup password no longer mattered. Apple continued adding unrelated things that could be changed, reset, or altered by simply keying in a valid passcode on a trusted device, making the passcode the infamous “one key to rule them all”. In 2019, we did a breakdown of what can be achieved with Face ID or Touch ID and what requires a passcode. Let’s go over it since we haven’t spotted any significant changes since then:

    Action                                   | Touch ID/Face ID   | Passcode
    -----------------------------------------|--------------------|---------------------------------
    Reset/change iCloud password             | No                 | Yes
    Change device passcode                   | No                 | Yes
    Unlock BFU device                        | No                 | Yes
    Unlock AFU device                        | Yes                | Yes
    AFU devices only:                        |                    |
    Pair with new computer                   | No                 | Yes
    Connect to trusted computer              | Yes                | Yes
    Make a local backup                      | Only on trusted PC | Yes
    Access media files                       | Yes (on device)    | Yes
    View saved passwords                     | Yes (on device)    | Yes (on device)
    Reset iTunes backup password             | No                 | Yes (if no Screen Time password)
    Disable iCloud lock                      | No                 | Yes
    Use Apple Pay                            | Yes                | Yes
    Use saved payment methods in Safari      | Yes                | Yes
    File system image (physical acquisition) | Yes                | Yes
    Keychain (physical acquisition)          | No                 | Yes
    iCloud Keychain, Health, Messages        | No                 | Yes
    Bypass USB restricted mode               | Yes                | Yes

    As you can see, if someone has the device itself and its passcode, that person can do practically anything to the user’s device and its data, and even take over the user’s Apple ID by changing the original iCloud/Apple ID password.

    What could happen if someone stole an iPhone and knows its passcode?

    “The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’”, say WSJ’s Joanna Stern and Nicole Nguyen in A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life – WSJ. In that article, authors report on how thieves can steal iPhones and take over the owners’ Apple accounts, data, and money by using the passcode.

    A different case was reported in Apple Community: Stolen iPhone – Thieves demanded passcode. The incident involved the theft of a person’s iPhone at gunpoint, where the thieves demanded and subsequently changed the iPhone passcode, added their Face ID, and altered the Apple ID password in front of the victim. Additionally, the Find My feature was disabled, leaving the victim locked out of accessing iCloud and granting the thieves access to sensitive information stored in the keychain and various apps. In response to the situation, the victim has initiated the Apple ID Recovery process but faces a waiting period of at least 21 hours until the next update. During that period, the thieves have full control over the victim’s Apple ID account complete with all information stored in it.

    There are literally hundreds of similar cases reported every year worldwide. The point is: having one key to rule them all is an extremely unwise security practice.

    It seems that Apple finally made their move to rectify this situation by lowering the ‘weight’ of the passcode in favor of biometric authentication. The early developer beta of iOS 17.3 introduced Stolen Device Protection, a new optional security layer that requires Face ID or Touch ID authentication for certain critical actions while disabling passcode fallback on these activities if biometric authentication fails. Biometric identification is required to access stored passwords, apply for an Apple Card, disable Lost Mode, erase device data, use payment methods saved in Safari, and more.

    For even tighter security, certain actions, such as changing the Apple ID password associated with the iPhone or disabling Stolen Device Protection, impose a security delay post-biometric authentication. This delay mandates re-authentication after one hour unless the activity occurs in a familiar location like home or work, where this delay won’t apply. We believe Apple is using the system’s Frequent Locations to enable this feature.

    Stolen Device Protection is opt-in and can be accessed in the Settings app under Face ID & Passcode – Stolen Device Protection. While the early beta of iOS 17.3 displays a prominent message prompting users to test the new feature, we don’t know if such a prompt will remain in the official release.

    What exactly does Stolen Device Protection do?

    At this time, Stolen Device Protection is being tested. The final release of iOS 17.3 may or may not include some of the features available in the current beta. No official documentation is available.

    Quoting MacRumors, the following actions will require Face ID or Touch ID authentication when the feature is turned on:

    • Viewing/using passwords or passkeys saved in iCloud Keychain
    • Applying for a new Apple Card
    • Viewing an Apple Card virtual card
    • Turning off Lost Mode
    • Erasing all content and settings
    • Taking certain Apple Cash and Savings actions in Wallet
    • Using payment methods saved in Safari
    • Using your iPhone to set up a new device

    Actions that will require Face ID or Touch ID authentication and have a one-hour security delay when the feature is turned on:

    • Changing your Apple ID password
    • Updating select Apple ID account security settings, including adding or removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
    • Changing your iPhone passcode
    • Adding or removing Face ID or Touch ID
    • Turning off Find My
    • Turning off Stolen Device Protection

    (Source: iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone – MacRumors)

    Will Stolen Device Protection have forensic consequences?

    Short answer: possibly, but we don’t know. Once we have installed and tested the final release of iOS 17.3, we will publish an update.

    Long answer: in its current state, Stolen Device Protection requires biometric authentication (with no passcode fallback) to perform “Reset all settings”, which removes the original screen lock passcode. That same command, however, also removes the iTunes backup password, making logical acquisition difficult or even impossible if the user has a reasonably complex backup password.

    By Oleg Afonin at 2023-12-20 13:11:41 Source ElcomSoft blog:
    iOS 17.3 Developer Preview: Stolen Device Protection

  • iOS Forensic Toolkit: Exploring the Linux Edition

    iOS Forensic Toolkit: Exploring the Linux Edition

    The latest update of iOS Forensic Toolkit brought an all-new Linux edition, opening up a world of possibilities in mobile device analysis. The highly anticipated Linux edition preserves and expands the features previously available to macOS and Windows users. Forensic professionals can now perform advanced logical and low-level extractions with the aid of a custom extraction agent and extract information using the bootloader-level exploit, making forensic analysis more accessible on Linux platforms.

    But why is the Linux edition such a big deal? For starters, it can run on a large number of existing Linux computers powered by some of the most popular Linux distros, making it more accessible to a broader range of experts. It eliminates the need for expensive Apple hardware, potentially saving costs and making forensic analysis more affordable. Plus, the toolkit being available on Linux means it can run on computers that are more affordable compared to Apple Macs, ensuring accessibility without compromising on functionality. What makes this edition stand out compared to the Windows version of the tool is its support for forensically sound bootloader-level extraction, a feature previously exclusive to macOS.

    Elcomsoft on GitHub

    As a provider of mobile forensic tools, we at Elcomsoft strongly believe in giving back to the community. Our iOS Forensic Toolkit (EIFT) is a highly complex and powerful mobile acquisition tool, consisting of almost eighty sub-projects, many of which are open source. While we have benefited from the contributions of the community, we also believe in contributing back to the open source community by publishing our changes to those projects as required by their permissive license.

    As a company, we are wholly dedicated to providing a solution that complies with licensing regulations, meeting all pertinent legal requirements. In addition to fulfilling our legal obligations, we want to point out the other benefits to open sourcing some of our projects. Collaboration with the open source community can result in faster updates, improved features, and greater security. By sharing our efforts, we can help each other to build better tools, rather than reinventing the wheel. We welcome everyone to check out our GitHub account containing the relevant open-source projects:

    Supported Linux distros

    The tool has been tested on multiple Linux distributions, officially supporting the current Debian, Ubuntu, Kali Linux, and Mint distros, ensuring seamless operation for forensic professionals using different Linux setups.

    Edition comparison

    In a bid to bridge feature gaps between editions, the Linux edition inherits many features previously exclusive to the Mac edition, yet certain differences still remain. The Windows edition of iOS Forensic Toolkit supports logical and agent-based extraction methods, but lacks support for bootloader-based extractions, which are only available for macOS and Linux platforms. The ability to sign the extraction agent using a regular, non-developer Apple ID remains an exclusive feature of the Mac edition. Please refer to the following chart to learn more about the differences between editions. Finally, bootloader-level extraction of iOS 16 devices remains a macOS exclusive feature for the time being.

    Installing the Linux edition

    The installation process of the Linux edition differs slightly from installing either Mac or Windows versions of the tool. Start by unpacking the archive to a folder of your choice (the installation folder) using the password provided in the registration email. Once this is done, cd to the installation folder and run the following command to download and install dependencies:

    sudo apt install ./com.elcomsoft.eift-dependency.deb

    Obviously, you’ll need Internet connectivity to download the required dependencies.

    Command-line interface

    iOS Forensic Toolkit for Linux uses the same command-line interface first introduced in macOS and Windows editions, sharing commands and switches across platforms. Leveraging the command line provides complete control throughout the extraction workflow, allowing experts to stay in control if any step of the process requires additional attention.

    One more thing

    Last but not least, this update brings a significant improvement in precise iOS version identification during bootloader-level extraction. Formerly, the toolkit attempted to guesstimate the installed iOS version based on the version of iBoot, which sometimes resulted in multiple download links in cases where we could not pinpoint the exact version of iOS. The new approach achieves a nearly 100% accurate identification of the iOS version, eliminating any ambiguity in the extraction process.

    Finally, we’ve added advanced logical extraction support for devices running iOS 17.

    By Oleg Afonin at 2023-11-30 11:59:17 Source ElcomSoft blog:
    iOS Forensic Toolkit: Exploring the Linux Edition

  • Forensic Insights into Apple Watch Data Extraction

    Forensic Insights into Apple Watch Data Extraction

    The latest update to the iOS Forensic Toolkit has expanded data extraction support for older models of Apple Watch, introducing low-level extraction capabilities for Apple Watch Series 0, Series 1, and Series 2. In a landscape where new devices are released on a yearly schedule, we stand committed to a balanced approach. While it’s easy for many to dismiss older devices, we recognize their significance as they frequently reappear in the labs of forensic experts. It is important to emphasize that, unlike many, we cater to the needs of experts who have to deal with legacy devices. This enhancement enables macOS and Linux users to delve deeper into these watches, retrieving crucial information such as passwords and complete file systems.

    The role of wearable devices in mobile forensics

    Wearable devices such as Fitbit, Apple Watch, and countless models of watches and fitness trackers made by various manufacturers are becoming key players in criminal investigations. Information extracted from wearable devices provides valuable insight that aids both prosecution and defense. These devices have been pivotal in several cases, where Fitbit steps did not match the accused’s version of events, and Apple Watch activity data established critical timelines in murder investigations. Prosecutors have utilized health and location data from the suspect’s Apple Watch to support charges and disprove an alibi, showcasing their significance in legal proceedings. For mobile forensic specialists, understanding the importance and potential of this data, along with its technical limitations, is crucial in providing accurate insights and support in investigations and court proceedings.

    Information available in Apple Watch

    The Apple Watch is a highly sophisticated companion device built with a powerful SoC and equipped with sizable amounts of storage. The wearable is powered by watchOS, an operating system derived from iOS. Being such a powerful device, it is no wonder that the Watch can store a lot of valuable data. The low-level extraction allows accessing the entire set of data available in the Apple Watch. The extracted data includes an image of the file system and a copy of the keychain, which contains the user’s passwords. Analyzing the file system helps gain access, among other things, to the following types of data:

    • Comprehensive health and activity data
    • Comprehensive location history
    • Keychain
    • System events: network usage, app activity, watch unlocks, contact access, Bluetooth events etc.
    • Messages: SMS and iMessage
    • Contacts
    • Wallet (tickets, boarding passes, discount cards etc.)

    Apple Watch extraction methods

    There are two extraction methods available for Apple Watch devices: low-level extraction based on a bootloader exploit, and logical extraction.

    Bootloader-level extraction is based on the checkm8 exploit, which is available for four generations of Apple Watch up to and including Apple Watch Series 3. checkm8 extraction makes it possible to obtain the full file system image and extract a copy of the keychain. Unlike IoT devices such as the HomePod or Apple TV, the Watch can be protected with a passcode, which is one requirement for synchronizing the keychain from the paired iPhone. More on that in checkm8 Extraction of Apple Watch Series 3.

    Low-level extraction via a bootloader exploit can only be used on old models of Apple Watch devices, supporting Apple Watch S0, S1, S2, and S3. For newer models of Apple Watch low-level extraction is unavailable; logical extraction must be used instead. The Apple Watch does not have a backup service (watch backups are created and stored on the paired iPhone), so only a limited amount of data can be extracted, including some system and diagnostic logs and some media files.

    Both logical and low-level extraction methods require connecting the Watch to the computer, which is generally done with the help of an adapter (Apple Watch Forensics: The Adapters and Apple Watch Forensics: More on Adapters). The latest models of Apple Watch starting with Series 7 no longer come with the hidden diagnostic port, which makes it difficult or even impossible for anyone but Apple to connect these devices to a computer. This in turn means that logical extraction is only supported for Apple Watch Series 4, Series 5, Series 6, and Apple Watch SE (1st generation) devices.

    In the table below, Apple Watch models compatible with low-level extraction (checkm8) are marked with green, while models listed in red only support logical extraction. Unlisted models are not supported at all (e.g. Apple Watch Series 7, Series 8, Ultra).

    Extracting and analyzing Apple Watch data

    The newly added models, which include Apple Watch S0, S1, and S2, utilize the same checkm8-based extraction mechanism we introduced earlier for the Apple Watch 3. Detailed instructions are provided in the following articles:

    For analyzing the extracted content, please refer to the following articles:

    When it comes to very old devices such as the original Apple Watch (Series 0), one has to be patient. The S0 takes a good five minutes to boot the ramdisk, and it is very picky about adapters and cables. You must have a rock solid connection to apply the exploit, and even placing the watch into DFU may take several tries (and each attempt will be painfully slow). We strongly recommend using Recovery first, and then DFU.

    Here’s how to place the Watch into DFU:

    • Run EIFT in wait mode (-w)
    • Connect the Watch to a PC using an adapter (pairing not required)
    • Press and hold both buttons
    • Wait until the screen goes black, then wait for exactly 2 seconds
    • Keep holding the digital crown, release the other button
    • EIFT will automatically detect the connected device in DFU mode

    Additional information

    We collected several links on the matter of wearables forensics. We strongly recommend checking out at least the first article linked.

    By Oleg Afonin at 2023-11-30 11:58:21 Source ElcomSoft blog:
    Forensic Insights into Apple Watch Data Extraction

  • Using and Troubleshooting the checkm8 Exploit

    Using and Troubleshooting the checkm8 Exploit

    The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today’s article we’ll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we’ll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8.

    Understanding Bootloader Vulnerabilities

    Bootloader vulnerabilities exist in several generations of Apple devices. checkm8, the most famous bootloader exploit, is available for chips that range from the Apple A5 found in the iPhone 4s and several iPad models to the A11 Bionic powering the iPhone 8, 8 Plus, and iPhone X; older devices such as the iPhone 4 have other bootloader vulnerabilities that can be exploited to similar effect. checkm8 plays a significant role in iOS forensics, enabling forensically sound extraction for a wide range of Apple hardware including several generations of iPhones, iPads, Apple Watch, Apple TV, and even HomePod devices.

    In mobile forensics, checkm8 allows for low-level access to the device’s file system, making it a valuable tool for security professionals and researchers. While the exploit itself does not alter any data on the device’s system or user partitions, its various implementations, including the checkra1n jailbreak, are not as forensically sound as the underlying exploit. Here at ElcomSoft we developed a checkm8-based extraction process that is both repeatable and verifiable.

    checkm8 Compatibility

    The checkm8 exploit is available for a wide range of hardware platforms. Being a bootloader-level exploit, checkm8 was initially believed to be fully OS-agnostic. While the exploit itself can indeed be applied to a vulnerable device regardless of the OS version, newer versions of iOS largely mitigate its forensic effect, blocking access to the file system on certain combinations of hardware and software. In particular, iPhone 8, 8 Plus, and iPhone X devices running iOS 16 utilize SEP hardening measures that make it impossible to access the file system even after successfully applying the exploit if the device had a passcode enabled at any time after setup. The same devices running iOS 14 and 15 require passcode removal prior to extraction; the same measures may be required when extracting iPads based on the same chip.

    checkm8 compatibility matrix (green cells indicate 32-bit devices, blue cells indicate 64-bit devices):

    Using checkm8 for Data Extraction

    The pure checkm8 exploit alone is not enough to extract the file system. We built a comprehensive solution based on the checkm8 exploit that extracts a copy of the file system from affected devices in a safe, forensically sound manner. For this to work, you’ll need a copy of Elcomsoft iOS Forensic Toolkit 8 and a macOS computer (Intel or Apple Silicon). Please note that the Windows edition of iOS Forensic Toolkit does not support checkm8, while the upcoming Linux version will include support for checkm8 extraction.

    The complete step-by-step instructions for checkm8 extraction are available in the following articles:

    Using checkm8 requires placing the device into DFU. We wrote several articles on the subject:

    checkm8 Troubleshooting

    Using checkm8 for device extractions may present challenges without obvious solutions. In this chapter, we will talk about the problems and solutions.

    After checkm8 extraction, device always reboots into Recovery

    This is expected behavior caused by the autoboot flag set by iOS Forensic Toolkit during the initial stage of applying the exploit. When the device boots into iOS, it alters the data on the user partition, causing a checksum mismatch on repeat extractions. The iOS boot sequence may start, for example, if one makes a timing mistake when placing the device into DFU. For this reason, iOS Forensic Toolkit automatically alters the boot behavior of iOS devices by flipping the autoboot flag, making the device boot into Recovery instead of iOS. When you have finished processing the device and are ready to return it, connect the device to the computer with iOS Forensic Toolkit installed and execute the following command (the device must be in Recovery):

    ./EIFT_cmd tools autobootTrue

    After this command, the device will automatically reboot into iOS.

    Q: Does flipping the autoboot flag break forensically sound extractions?

    A: No. The flag is stored in the device’s NVRAM and not on the data or system partition, so flipping the flag will not alter the checksum.

    Detailed explanation: Forensically Sound checkm8 Extraction: Repeatable, Verifiable and Safe.

    Important: iOS Forensic Toolkit automatically flips the autoboot flag only after successfully applying the checkm8 exploit, which happens in DFU mode. To prevent the device accidentally rebooting into iOS while you attempt to place it in DFU, we strongly recommend placing the device into Recovery first, then manually flipping the flag as follows:

    ./EIFT_cmd tools autobootFalse

    Error attempting checkm8 extraction on a 32-bit device

    When: unlockdata fails on a 32-bit device.

    Cause: This is expected behavior.

    Solution: For 32-bit devices without Secure Enclave we developed a unique process known as “perfect acquisition”, which, instead of a copy of the file system, makes and decrypts an image of the data partition. This in turn requires a different command sequence compared to the standard checkm8 extraction process.

    Detailed explanation and extraction steps: Perfect Acquisition Part 4: The Practical Part

    Screen lock passcode reset: when and why

    Sometimes you may receive an error early during the boot stage. The error may look as follows (the values for code, line, and commit may vary):

    [ERROR] EIFT: failed with exception:
    [exception]:
    what=Failed to open connection to device
    code=11993119
    line=183
    file=../../../ra1nsn0w/iOSDevice.cpp
    commit count=191
    commit sha  =1d674084639c73f1397535ee8aec50b35f1760d6

    If this happens, it may mean that you need to remove the screen lock passcode from the device, then repeat the extraction. This is caused by SEP hardening measures developed by Apple in an attempt to mitigate the checkm8 exploit.

    When: The device is an A11 Bionic device running iOS 14 or 15 (always required), or a 64-bit device running iOS 16 (only if error occurs).

    Solution: Boot the device into iOS; unlock with passcode (passcode must be known); open Settings; on devices with Face ID: Tap Face ID & Passcode; on devices with a Home button: Tap Touch ID & Passcode; then tap Turn Passcode Off.

    Troubleshooting: Mind the autoboot flag (see above), which must be manually set to ‘true’ if a checkm8 extraction was previously attempted.

    Forensic consequences: Passcode reset causes loss of certain types of data (e.g. downloaded Exchange mail, Apple Pay transactions and more) and removes the trusted device status (if accessing Apple ID/iCloud from that device afterwards).

    Cannot place device into DFU

    There can be several issues preventing the device from entering DFU mode.

    Insufficient charge. This is a common cause for devices with depleted batteries. The issue with this situation is that if you start charging, the device will automatically boot into iOS when the battery reaches a certain level. The only way to prevent this behavior is placing the device into Recovery first, which can be done at any charge level.

    Broken or rattling physical buttons. DFU requires following a sequence of button presses with precise timings. If a button is faulty or ‘rattles’, this condition cannot be satisfied. Solution: use DFU for Devices with Broken Buttons instead (warning: requires disassembly). For A11 devices (iPhone 8/8 Plus/X), you may use a Raspberry Pi Pico instead, which does not require disassembly: Automating DFU Mode with Raspberry Pi Pico.

    Incorrect timings, human mistake. We strongly recommend practicing DFU mode beforehand with a known good device of the same model.

    General considerations

    DFU mode requires some skill. If you have trouble entering DFU mode or exploiting the vulnerability, first try again. Then try changing the cable (preferably use the original Apple part) and/or connecting the device to a different USB port. Do not use USB-C to Lightning cables; if needed, use a USB-C hub or adapter with a regular USB-A to Lightning cable. If this does not help, use another computer (if available). Finally, try entering DFU mode using a different method.

    Mismatched or undetermined firmware version

    When: More than one link or no link to Apple firmware is displayed, or the device reboots or fails to unlock the data partition when using the firmware image or link.

    Cause: Our implementation of checkm8 requires a copy of Apple original firmware, which will be patched on-the-fly and uploaded into the device’s volatile memory. For this to work, the patched firmware version must match the version of the firmware already installed on the device. In many cases, iOS Forensic Toolkit is able to correctly identify the firmware installed on the device, and displays a single download link (you can either download the entire image or pass the link as an argument to EIFT, in which case only the required parts of the image will be downloaded).

    However, the detection works based on the iBoot version. There are multiple iOS releases utilizing the same iBoot, which results in several potential matches and multiple firmware download links. While using a slightly different firmware may work, sometimes the device may either reboot (make sure the autoboot flag is set to avoid booting into iOS) or fail to unlock the data partition.

    Solution: If this happens, you will have to either:

    1. Identify the correct version of the OS installed on the device by using Diagnostic mode (which is safer and more forensically sound than booting iOS for the same purpose), or
    2. Try all firmware links listed by iOS Forensic Toolkit starting from the newest build. This is safe; worst case scenario is device reboot (once again, make sure the autoboot flag is set to avoid booting into iOS).

    Sometimes the correct version cannot be determined (e.g. for firmware builds newer than iOS Forensic Toolkit). In this case, you will have to manually locate the download link at ipsw.me.

    If the device is running a beta version of iOS, please contact our customer support. Links to beta firmware images are generally not published by Apple.

    For Apple TV (often), Apple Watch (always), HomePod (always) and, on rare occasions, even for iPhone/iPad devices there may be no full .ipsw images available. A zipped OTA update may be available instead. OTA firmware links or downloaded .zip files are supported by iOS Forensic Toolkit; there is no need to unpack or rename such files.

    ‘Snapshot’ warning appears in the output

    When: In certain cases, you may see the following output:

    Mounts:
    [RW] (hfs) /dev/md0 -> /
    [RW] (devfs) devfs -> /dev
    APFS Volumes:
    /dev/disk0s1s1 (Whitetail14A403.D10D101OS) [NONE]
    Snapshot: com.apple.os.update-151D1F6F36C3D125B3424A627391C16BCF5FCDA55D4BAE35C3BE3D65720F574C23EE3363F263A1A37DBF741A65C4CC73
    Snapshot: com.apple.os.update-MSUPrepareUpdate
    /dev/disk0s1s2 (Data) [NONE]
    /dev/disk0s1s3 (Baseband Data) [NONE]

    Cause: When you see the “Snapshot” warning in the output log, it usually means your device is in one of two states:

    1. Update downloaded, not installed: Your device has downloaded a software update, but it hasn’t been installed yet.
    2. Modified system partition: The device’s system partition has been tampered with; it may have a jailbreak, malware, or spyware.
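    To make the two diagnostic outputs in this guide quicker to triage (the [exception] block shown under “Screen lock passcode reset” and the mount listing with Snapshot lines above), here is an added Python example, not part of the original article or of iOS Forensic Toolkit. It parses both formats from constructed samples copied from the guide (the wrapped Snapshot line joined back into one line) and maps what it finds to the next steps the guide recommends.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the EIFT error block quoted in the troubleshooting
# guide; the guide notes that code, line and commit values vary per build.
SAMPLE_ERROR_LOG = """\
[ERROR] EIFT: failed with exception:
[exception]:
what=Failed to open connection to device
code=11993119
line=183
file=../../../ra1nsn0w/iOSDevice.cpp
commit count=191
commit sha  =1d674084639c73f1397535ee8aec50b35f1760d6
"""

# Constructed sample of the mount/volume listing that carries Snapshot lines.
SAMPLE_MOUNT_LOG = """\
Mounts:
[RW] (hfs) /dev/md0 -> /
[RW] (devfs) devfs -> /dev
APFS Volumes:
/dev/disk0s1s1 (Whitetail14A403.D10D101OS) [NONE]
Snapshot: com.apple.os.update-151D1F6F36C3D125B3424A627391C16BCF5FCDA55D4BAE35C3BE3D65720F574C23EE3363F263A1A37DBF741A65C4CC73
Snapshot: com.apple.os.update-MSUPrepareUpdate
/dev/disk0s1s2 (Data) [NONE]
/dev/disk0s1s3 (Baseband Data) [NONE]
"""

# Next steps, taken from the guide's own Solution sections.
RECOMMENDATIONS: Dict[str, str] = {
    "SEP_HARDENING_SUSPECTED": (
        "Remove the screen lock passcode (it must be known), set the autoboot "
        "flag back to true if needed, then repeat the extraction."
    ),
    "SNAPSHOT_PRESENT": (
        "Delete a pending update via Settings > General > iPhone Storage, or "
        "contact support if the system partition may have been modified."
    ),
}


@dataclass
class EiftException:
    what: str
    code: Optional[int]
    line: Optional[int]
    file: str
    commit_sha: str


def _as_int(value: Optional[str]) -> Optional[int]:
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def parse_exception(log: str) -> Optional[EiftException]:
    """Parse the key=value lines that follow '[exception]:'; None if absent."""
    if "[exception]:" not in log:
        return None
    fields: Dict[str, str] = {}
    for raw in log.splitlines():
        # Skip the bracketed header lines; everything else is key=value.
        if raw.startswith("[") or "=" not in raw:
            continue
        key, _, value = raw.partition("=")
        fields[key.strip()] = value.strip()   # "commit sha  =" -> "commit sha"
    return EiftException(
        what=fields.get("what", ""),
        code=_as_int(fields.get("code")),
        line=_as_int(fields.get("line")),
        file=fields.get("file", ""),
        commit_sha=fields.get("commit sha", ""),
    )


SNAPSHOT_RE = re.compile(r"^Snapshot:\s*(\S+)", re.MULTILINE)
VOLUME_RE = re.compile(r"^(/dev/\S+)\s+\(([^)]*)\)", re.MULTILINE)


def find_snapshots(log: str) -> List[str]:
    """Return the snapshot names listed under 'APFS Volumes:'."""
    return SNAPSHOT_RE.findall(log)


def find_volumes(log: str) -> List[Tuple[str, str]]:
    """Return (device node, volume label) pairs from the APFS listing."""
    return VOLUME_RE.findall(log)


def triage(log: str) -> List[str]:
    """Map the conditions described in the guide to finding codes."""
    findings: List[str] = []
    exc = parse_exception(log)
    if exc and "Failed to open connection to device" in exc.what:
        findings.append("SEP_HARDENING_SUSPECTED")
    if find_snapshots(log):
        findings.append("SNAPSHOT_PRESENT")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ERROR_LOG, SAMPLE_MOUNT_LOG):
        for code in triage(sample):
            print(f"{code}: {RECOMMENDATIONS[code]}")
```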

    Solution 1: If the device has a downloaded update, you can manually delete it from the device Settings app.

    Steps:

    1. Open your device’s settings by launching the “Settings” app.
    2. Select “General.”
    3. Tap on “iPhone Storage.”
    4. In the list of apps, find “iOS update” and tap on it.
    5. Choose “Delete Update” and confirm.

    If you can’t find any updates and still see “Snapshot,” contact our customer team.

    There is a way to deal with the “Snapshot” warning without deleting the update, but it is somewhat risky. If required, reach out to our support team for assistance.

    Important: Be cautious when allowing the device boot into iOS, as it can lead to potential risks.

    Solution 2: If the device has a modified system partition, please contact our support team.

    Corrupted file system, APFS ‘copy-on-write’ issues

    When: Some files have abnormally large sizes.

    Cause: File system corruption or the consequences of the APFS copy-on-write scheme may result in abnormally large file sizes for some files. When using the EIFT extraction agent, the issue is detected and fixed automatically. However, this approach is not applicable to checkm8 extractions.

    Solution: There is currently no universal solution.

    Workaround: If you encounter this issue, you might need to access the device via SSH (iOS Forensic Toolkit does support SSH) or perform a selective extraction, manually downloading unaffected files or manually deleting corrupted ones. However, before doing so, we strongly recommend contacting our technical support for assistance.

    Future work: We are currently working on a unified extraction agent that will handle file system extractions. This aims to standardize the handling of file system issues while bringing partial data extraction and metadata extraction tools to checkm8 extractions.
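The following script is an added example, not part of the ElcomSoft post and not the detection logic built into the extraction agent. It implements one practical way to locate the files the post describes before deciding what to pull selectively: walk a locally mounted copy of the data partition and flag regular files whose logical size vastly exceeds the storage actually allocated to them (the symptom that copy-on-write or corruption produces). The 64 MiB minimum size and the 4:1 ratio threshold are this example's assumptions; tune them to the device.

```python
import os
import stat
from typing import List, Tuple

# Assumed thresholds (not from the post): ignore small files, and call a file
# abnormal when its logical size is more than max_ratio times what is allocated.
DEFAULT_MIN_SIZE = 64 * 1024 * 1024   # 64 MiB
DEFAULT_MAX_RATIO = 4.0


def allocated_bytes(st: os.stat_result) -> int:
    """Bytes really backed by storage. st_blocks is in 512-byte units on
    BSD-derived stat (macOS/iOS) and on Linux; absent on Windows."""
    blocks = getattr(st, "st_blocks", None)
    if blocks is None:
        return st.st_size
    return blocks * 512


def is_abnormal(st: os.stat_result, min_size: int, max_ratio: float) -> bool:
    """Heuristic: a regular file above min_size whose logical size is far
    larger than its allocation is a candidate for the copy-on-write issue."""
    if not stat.S_ISREG(st.st_mode) or st.st_size < min_size:
        return False
    alloc = allocated_bytes(st)
    if alloc == 0:
        return True                      # huge logical size, nothing allocated
    return st.st_size / alloc > max_ratio


def find_abnormal_files(root: str,
                        min_size: int = DEFAULT_MIN_SIZE,
                        max_ratio: float = DEFAULT_MAX_RATIO) -> List[Tuple[str, int, int]]:
    """Walk root (without following symlinks) and return
    (path, logical_size, allocated_size) for every file that trips the heuristic."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never dereference symlinks
            except OSError:
                continue                     # unreadable or vanished: keep walking
            if is_abnormal(st, min_size, max_ratio):
                hits.append((path, st.st_size, allocated_bytes(st)))
    return hits


def write_exclude_list(hits: List[Tuple[str, int, int]], out_path: str, root: str) -> int:
    """Write the flagged paths relative to root, one per line, so they can be
    skipped or pulled individually during a selective extraction."""
    with open(out_path, "w") as fh:
        for path, _logical, _alloc in hits:
            fh.write(os.path.relpath(path, root) + "\n")
    return len(hits)


if __name__ == "__main__":
    import sys
    top = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, logical, alloc in find_abnormal_files(top):
        print(f"{logical:>15} logical / {alloc:>12} allocated  {path}")
```

Run it against the mounted data partition (or a partial extraction) and feed the resulting list into a selective extraction; anything flagged should be examined by hand rather than blindly deleted.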

    Conclusion

This troubleshooting guide provides step-by-step instructions for addressing the various issues that occur during checkm8 extractions. Whether you’re dealing with pending updates or file system issues, our aim is to help you resolve these issues effectively and efficiently. If you encounter any issues not covered in this guide, please feel free to contact our customer support team for expert assistance.

    By Oleg Afonin at 2023-10-31 14:51:25 Source ElcomSoft blog:
    Using and Troubleshooting the checkm8 Exploit

  • iOS Forensic Toolkit 8 Lands on Windows

    iOS Forensic Toolkit 8 Lands on Windows

We have exciting news: iOS Forensic Toolkit 8 is now available for Windows users in the all-new Windows edition. The new build maintains and extends the functionality of EIFT 7, which is now approaching the end of its life cycle. In addition, we’ve made the Toolkit portable, eliminating the need for installation. Learn what’s new in the eighth version of the Toolkit!

    Windows Edition

We released iOS Forensic Toolkit 8 almost exactly one year ago. At the time, the eighth version of the Toolkit was exclusive to macOS, while Windows users were served by EIFT 7, which was maintained and updated alongside the newer and greater EIFT 8. Today, we are making iOS Forensic Toolkit 8 available to Windows users and finally discontinuing iOS Forensic Toolkit 7, which has now reached its end-of-life.

    The Windows edition of iOS Forensic Toolkit 8 offers the familiar feature set carried over from EIFT 7, which includes advanced logical and low-level extraction with the help of the custom extraction agent. Forensically sound bootloader-level extraction is still exclusive to the macOS edition though.

    Limitations of the Windows Edition

    Compared to macOS, the Windows edition has the following limitations:

    1. No checkm8 support (yet). Bootloader-level extraction remains exclusive to macOS for the time being.
    2. Signing the extraction agent requires an Apple ID enrolled in Apple Developer Program. macOS users can use developer and ordinary Apple IDs.

    Going Portable

    We changed the way iOS Forensic Toolkit is installed and used. On a Windows system, EIFT 8 will no longer require installation. Just download the all-new portable package, unpack the archive with the password provided in your registration email, and start using the Toolkit right away!

    Selective Folder Access During Low-Level Extraction

    The updated low-level extraction agent now allows experts to pull individual folders or just the file system metadata such as file names, sizes, and timestamps. We’ve made a few other changes to the extraction agent, which are listed below.

    The new function is implemented via a couple of extra commands: extract and metadata. The -o switch specifies path to the output folder, while the optional -p switch points to the source file or folder in the iOS file system to be extracted. If no -p switch is present, the tool will extract everything starting with “/private/var/” (the root of the data partition).

    Command-line Interface

While EIFT 7 was built around a console-driven menu, iOS Forensic Toolkit 8.41 brings an advanced user experience built around the command line. Why did we transition from the menu to a command-line interface? The main reason was the significantly increased number of functions supported by the new build, linked to the growing list of supported extraction methods, device models, and iOS versions. On the one hand, this new functionality introduced exciting possibilities; on the other hand, it led to increased complexity in use. For instance, when using checkm8 extraction, one or more additional commands may be required to unlock the data partition or to mitigate various issues, which could not be hidden behind a single menu item. As a result, we arrived at the current solution: a command-line interface that provides full control over each step of the process.

    The transition to a command-line interface offers users a level of granular control that could not be achieved before. This granular control over the extraction process is crucial given the diverse range of iOS devices and system versions. With the CLI, forensic experts can respond to unexpected hiccups or device-specific requirements during the extraction process. Ultimately, the shift from a menu-based system to a command-line interface reflects our commitment to providing forensic professionals with the tools they need to catch up with the increasing diversity of the iOS ecosystem.

This is how the new UI looks:

    Creating a backup (note the temporary password ‘123’):

    Sideloading the extraction agent:

    Pulling the file system, keychain, and file system metadata through agent-based extraction:

    New Commands

    While Windows users will be introduced to CLI with this new build, macOS users have been using the new UI for about a year. The new build introduces several new commands for extraction agent, and modifies the function of the output switch.

    Previously, the extraction agent supported two commands: tar and keychain, complemented with the -o switch specifying the output file name, e.g.:

EIFT_cmd agent keychain -o passwords.xml

EIFT_cmd agent tar -o data.tar

    While you could specify the full path, e.g. “-o /Users/ElcomSoft/Desktop/data/data.tar”, that syntax is now deprecated. Instead, the mandatory -o switch must be used to specify output path (and not a file name as it used to be in the previous build). Starting with this release, file names will be assigned automatically. You’ll have to use the -o switch when pulling the file system image, extracting the keychain, or accessing individual files, folders, or file system metadata.

    Examples

    Extract file system metadata from the Media folder:

    EIFT_cmd agent metadata -p /private/var/mobile/Media/ -o /Users/ElcomSoft/Desktop/metadata/

    Extract the complete Media folder:

    EIFT_cmd agent extract -p /private/var/mobile/Media/ -o /Users/ElcomSoft/Desktop/data/

    Extract full file system image of the user partition:

    EIFT_cmd agent extract -o /Users/ElcomSoft/Desktop/data/

    Extract a single file Photo.jpg from the media album:

    EIFT_cmd agent extract -p /private/var/mobile/Media/DCIM/Photo.jpg -o /Users/ElcomSoft/Desktop/data/

    Going Multiplatform

    The release of the Windows edition marks a significant step towards true multiplatform compatibility. We are actively working on a Linux edition, with an official announcement expected soon. Stay tuned!

    By Oleg Afonin at 2023-10-05 12:00:14 Source ElcomSoft blog:
    iOS Forensic Toolkit 8 Lands on Windows

  • iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent

    iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent

    In this tutorial, we will address common issues faced by users of the iOS Forensic Toolkit when installing and using the low-level extraction agent for accessing the file system and keychain on iOS devices. This troubleshooting guide is based on the valuable feedback and data received by our technical support team.

    What kind of troubles are we shooting?

    In this guide, we won’t dive into the inner workings of the extraction agent, which leverages known vulnerabilities to elevate privileges in Apple iOS. Instead, we’ll focus on what to do when you encounter a difficulty installing or using the extraction agent.

    Common mistakes

    First, let us cover the two most common mistakes our users regularly make when using the extraction agent.

    1. Attempting to Sideload the Agent Without a Firewall: If you try to install and run the extraction agent without using a firewall (software-based or the one using our Raspberry Pi or Orange Pi solution), you may expose the device to the risk of remote lock or wipe.
      • Solution: Follow the installation instructions provided in the user’s manual. Understand how to configure and use a firewall to install the extraction agent without putting the data at risk.
      • Alternative: Use an old Apple Developer account registered before 6 July 2021. In this case, you will not have to verify the signing certificate on the device.
2. Extracting Only the File System Image Without the Keychain: Imaging the file system without also extracting the keychain is a common mistake.
      • Solution: Always perform keychain extraction before imaging the file system. We recommend going after the keychain in the first place, which is nearly instant, followed by file system extraction, which may take a while.

    Preparing the Device

    Before you start sideloading and using the extraction agent, make sure to perform all of the following checks.

    Compatibility check: iOS version

    The extraction agent supports a wide range of iOS releases. Before you begin, get the exact version of iOS installed on the device, and check it against the iOS Forensic Toolkit compatibility list. Make sure that the version of iOS Forensic Toolkit you are using supports the version of iOS installed on the device.

    Important: We are continually working on expanding the list of supported iOS versions for the extraction agent. You may find that your installed version of iOS Forensic Toolkit does not support a given iOS build, while a newer version does. If this is the case, you will need to update iOS Forensic Toolkit to the latest version.

    Date and time on the target device

    When launching the extraction agent, iOS checks if its digital signature is valid. If the device has been deeply discharged, its time and date settings may be way off, which will cause the verification to fail.

    Solution: Set the correct date and time in the device’s settings. You may need to reinstall the extraction agent.

    Check device pairing

    Ensure that the target device is correctly paired to the computer. To do that, run the following two commands:

    EIFT_cmd normal unpair
    
    EIFT_cmd normal pair

    Disable Internet sharing after signing the extraction agent

    Do not forget to disable internet sharing after signing the agent app.

    If you forget to disable internet sharing from your computer after signing the agent on the target device, there’s a risk of data loss due to receiving a command for remote locking or remote device wipe during operation.

    Do not use VPN or proxy when signing the extraction agent

Signing the extraction agent may fail if the computer has an active VPN or proxy connection. Disable VPNs and proxies when signing the extraction agent.

    Use USB Type-C to Lightning cable

    While checkm8 extraction usually requires a USB-A to Lightning cable, agent-based extraction works better with a certified USB Type-C to Lightning cable. We found that using Type-C to Lightning cables delivers extractions that are both faster and more reliable.

    Errors Installing and Using EIFT

    In this section, we’ll cover the common problems that may arise during the installation and usage of the extraction agent and iOS Forensic Toolkit.

    “Insufficient Permissions” or “Not Found” errors

If you receive the “Insufficient Permissions” error when running iOS Forensic Toolkit or the firewall script, this can mean that the tool has not been correctly installed on the computer. These problems can be broken down into the following cases.

    The xattr command was not run correctly

    To fix this issue, follow these steps:

    • Open Terminal.
• Navigate to the folder containing iOS Forensic Toolkit.
• Execute the following command (mind the dot at the end of the command, which refers to the current folder):
  • sudo xattr -d com.apple.quarantine .
• Note that the command as written clears the quarantine attribute from the folder itself; if the error persists, add the -r switch so that the attribute is also removed recursively from the files inside the folder.

    iOS Forensic Toolkit folder is located on the desktop

    Solution: Move EIFT to a different location, such as the local Applications folder.

    Shell does not have full disk access permissions

    You must grant full access permissions to the OS shell.

    • Go to System Preferences -> Security & Privacy -> Full Disk Access
    • Click on the padlock icon to allow changes
    • Click the ‘+’ button
    • Press ‘cmd + Shift + .’ to display hidden files
• Select /bin/sh as the path

    Misconfigured Internet sharing for USB devices

    Typically, the problem arises from selecting the wrong internet source. Sometimes, more than one iPhone/iPad connection may appear in the list.

    Solution: You need to manually identify the correct connection, often through trial and error, using a designated test device.

    The firewall is running, tested OK, but sideloading does not work on the target device

    • MDM profile on the device disallows sideloading
• Solution: perform a risk assessment and either remove the MDM profile (risking the loss of some types of data) or use a different extraction type (e.g. advanced logical)

    The firewall is running, tested OK, but signing does not work on the target device

    • Incorrect date and time on the target device
      • Solution: check and set current time and date on the target device; repeat the process starting with agent sideloading

    Not enough disk space or FAT32-formatted external drive

    You need enough free disk space to fit the file system image. If using an external drive, make sure to format it in a file system other than FAT32, which limits file sizes to 4GB.

    The extraction agent is not running or running in background

    Ensure that the extraction agent runs as a foreground app during the entire extraction.

    Wireless networks not fully disabled

First and foremost, the device must be placed into airplane mode during the extraction. However, depending on their previous state, the Wi-Fi and Bluetooth toggles may not be automatically disabled when the device enters airplane mode.

    Solution: place the device into airplane mode first, then check and manually disable the Wi-Fi and Bluetooth toggles.

    Error: “All exploits failed”

    Cause: too long or too short a delay after booting or restarting the device.

    Explanation: the exploits used by the extraction agent are time-sensitive. Some iOS versions require a delay of no more than 10 seconds after a reboot before launching the extraction agent, while iOS 16 requires a delay of approximately one minute to allow all kernel-level processes to stabilize. Providing an exact waiting time for each iOS version is challenging, so if you encounter issues with the exploit, try both shorter and longer delays, rebooting the device between attempts. In some cases, you may need to try up to five times.

    Note: if the device has been running for a very long time (e.g. while sitting on a charger), the exploit will almost certainly fail. In this case, you will need to reboot the device.

Solution: reboot the device, then wait between 10 seconds and 1 minute before launching the extraction agent.
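As an added example that is not part of the ElcomSoft post, the retry procedure described above can be scripted so that each attempt starts from a fresh reboot and walks a ladder of post-boot delays. The two anchors (10 s and 60 s) come from the post; the intermediate rungs, their order, and the use of the `EIFT_cmd agent keychain` command as the step that triggers the exploit are this example's assumptions, as is the rule that a non-zero exit status or the string “All exploits failed” in the output marks a failed attempt. The reboot step is a manual prompt because the post gives no command for it.

```python
import shutil
import subprocess
import time
from typing import Callable, List

# Delay ladder in seconds after the device finishes booting. 10 s and 60 s are the
# post's hints; 5, 30 and 90 s are assumed extra rungs. Five attempts is the
# post's suggested upper bound.
DELAY_LADDER = [10, 60, 5, 30, 90]
MAX_ATTEMPTS = 5


class ExploitFailed(RuntimeError):
    """Raised when every rung of the delay ladder failed."""


def run_agent_command(args: List[str]) -> bool:
    """Run one EIFT_cmd agent command and report success.
    Assumption: rc != 0 or 'All exploits failed' in the output means the
    time-sensitive exploit missed its window."""
    if shutil.which("EIFT_cmd") is None:
        raise FileNotFoundError("EIFT_cmd is not on PATH")
    proc = subprocess.run(["EIFT_cmd", "agent", *args], capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    return proc.returncode == 0 and "All exploits failed" not in output


def manual_reboot() -> None:
    """The post gives no reboot command, so ask the operator and start the
    delay timer only once the device has booted to the lock screen."""
    input("Reboot the device now; press Enter as soon as the lock screen appears: ")


def attempt_with_delays(launch: Callable[[], bool],
                        reboot: Callable[[], None],
                        sleep: Callable[[float], None] = time.sleep,
                        delays: List[int] = DELAY_LADDER,
                        max_attempts: int = MAX_ATTEMPTS) -> int:
    """Reboot, wait one rung of the ladder, launch; on failure try the next rung.
    Always reboots first: a device that has been up for a long time will fail
    regardless of delay. Returns the delay that worked."""
    tried = []
    for delay in delays[:max_attempts]:
        reboot()
        sleep(delay)
        if launch():
            return delay
        tried.append(delay)
    raise ExploitFailed(f"no success after {len(tried)} attempts; delays tried: {tried}")


if __name__ == "__main__":
    import sys
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "./agent_out"
    # Keychain first, as the post recommends; this is the assumed exploit trigger.
    delay = attempt_with_delays(lambda: run_agent_command(["keychain", "-o", out_dir]),
                                manual_reboot)
    print(f"exploit succeeded with a {delay} s post-boot delay")
```

Pass your own `launch` and `reboot` callables if your workflow triggers the exploit differently; the ladder logic does not depend on them.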

    Troubleshooting Guide

    If none of the above resolves the issue, try identifying the issue by following steps from the Troubleshooting Guide.

    Important: for the troubleshooting guide, always use a designated test device! Do not perform troubleshooting steps using the target device unless specifically instructed.

    Step 1: Ensure Internet Connectivity on the Test Device

Ensure that Internet sharing is working properly by checking that the Internet is accessible on the test device while its wireless network interfaces (such as Wi-Fi and mobile data) are disabled and the test device is connected to your Mac via a cable. If you encounter issues with Internet sharing, refer to the “Misconfigured Internet sharing for USB devices” section for solutions.

    Step 2: Try Sideloading and Signing the Extraction Agent Without a Firewall

    1. Try signing the agent on the test device without running the firewall script. If successful, the issue may be related to firewall settings.
2. If the agent signing fails even without a firewall, consider creating a new disposable Apple ID. Your goal at this stage is to reach a point where the entire process works correctly on the test device. If the agent signing still fails with a fresh Apple ID, contact our support team. You may need to update iOS Forensic Toolkit to the latest version.

    Step 3: Try Sideloading and Signing the Extraction Agent With a Firewall

    1. Try sideloading and signing the extraction agent with the firewall script running.
    2. If the agent signing fails with the firewall script running, the issue is likely related to firewall settings. Occasionally, rebooting the test device while keeping the firewall script running may help resolve the issue. If rebooting doesn’t solve the problem, please contact our support team.

    Step 4: Troubleshoot on the Target Device

    If all previous steps were successful on the test device but signing the agent still fails on the target device, follow these steps:

    1. Disconnect the target device from the computer and reconnect it, then attempt to sign the agent again (ensure that the firewall script is running).
    2. If the issue persists, try disconnecting and rebooting the target device, and then reconnect it (with the firewall script running).

    By following these steps, you should be able to troubleshoot and resolve common sideloading and signing issues. If you encounter any persistent problems, do not hesitate to contact our support team for further assistance.

    By Oleg Afonin at 2023-09-12 10:37:42 Source ElcomSoft blog:
    iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent

  • What to Do When Password Recovery Attacks Stall

    What to Do When Password Recovery Attacks Stall

Have you ever tried to recover a password but couldn’t succeed? This happens when the password is really strong and designed to be hard to break quickly. In this article, we’ll explain why this can be a tough challenge and what you can do about it.

    I’ve been running a password recovery attack for a while now, and the attack appears stalled. What should I do?

    If the attack is taking a long time without success, this means that the data is protected with a strong password that cannot be quickly recovered. Strong passwords are intentionally designed to be challenging to break quickly.

    Why is the password difficult to recover?

If the data is secured by a strong encryption algorithm and protected with a robust password, it becomes significantly harder to recover. Software developers use advanced encryption techniques and hashing algorithms to ensure the security of your data. As a result, the process of recovering a password becomes more computation-intensive and, therefore, time-consuming.

    What steps can I take to increase my chances of recovering the password?

    While there are no guarantees, you can take the following steps to improve your chances:

• Dictionary Attack: Try using a dictionary of the user’s existing passwords and common leaked passwords, followed by dictionaries of common words and the variations people frequently use as passwords. For common-word dictionaries, do use mutations, but apply them sensibly, as mutations significantly expand the number of password candidates. Do not use mutations for lists of leaked passwords.
    • Advanced Attacks: use any information you have about the password to enhance your efforts. Try extracting the user’s existing passwords from sources such as Web browsers, cloud services (e.g. iCloud Keychain, Google Account, Microsoft Account) and mobile devices.
    • Brute-Force: If the dictionary attack fails, consider a brute-force approach. This involves trying every possible combination of characters until the correct password is found. You can also use “Brute-force with mask” if you know the specific pattern and characters in the password.

    How long can a brute-force attack take for complex passwords?

    Brute-force attacks can be time-consuming, especially for long and complex passwords. The time required depends on multiple parameters such as the length and complexity of the password, the data format, the type of attack, and resources available to break the password. Be prepared for the possibility that it might take a considerable amount of time to recover the password using this method, and be aware that long and complex passwords may not be discovered at all for the lifetime of the universe.
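The following is an added example, not code from the ElcomSoft post or from Elcomsoft Distributed Password Recovery. It demonstrates the attack ordering described above (leaked and known passwords verbatim first, then common words with mutations) and the arithmetic behind the brute-force time question: the keyspace of a mask versus a full character-set search, and how long either takes at a given guess rate. The mutation rules, suffix list and character-class sizes are this example's assumptions, and the `check` callback stands in for whatever verifier the data format requires.

```python
import hashlib
from typing import Callable, Iterable, Iterator, List, Optional

# Assumed mutation rules: leet substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "12", "123", "!", "2023")


def mutate(word: str) -> List[str]:
    """Sensible, bounded mutation set for one dictionary word:
    case variants, then leet, then suffixes. Ordered, deduplicated."""
    bases: List[str] = []
    for c in (word, word.lower(), word.capitalize(), word.upper()):
        for v in (c, c.translate(LEET)):
            if v not in bases:
                bases.append(v)
    out = list(bases)
    for b in bases:
        for s in SUFFIXES:
            if b + s not in out:
                out.append(b + s)
    return out


def candidates(leaked: Iterable[str], words: Iterable[str]) -> Iterator[str]:
    """Yield leaked/known passwords verbatim (never mutated), then the
    mutated common-word dictionary; never yield the same string twice."""
    seen = set()
    for p in leaked:
        if p not in seen:
            seen.add(p)
            yield p
    for w in words:
        for v in mutate(w):
            if v not in seen:
                seen.add(v)
                yield v


def dictionary_attack(check: Callable[[str], bool],
                      leaked: Iterable[str], words: Iterable[str]) -> Optional[str]:
    """Return the first candidate accepted by check(), or None if exhausted."""
    for c in candidates(leaked, words):
        if check(c):
            return c
    return None


# Character-class sizes for a hashcat-style mask (?l ?u ?d ?s ?a); assumed.
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Keyspace of a mask such as '?u?l?l?l?l?d?d?d?d'."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    space = 1
    for i in range(1, len(mask), 2):
        space *= MASK_CLASSES[mask[i]]
    return space


def bruteforce_keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """All strings of length min_len..max_len over an alphabet of that size."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second


def human_time(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed target: an unsalted SHA-256 of a weak password, for demonstration only.
    target = hashlib.sha256(b"Summer123").hexdigest()
    found = dictionary_attack(lambda pw: hashlib.sha256(pw.encode()).hexdigest() == target,
                              leaked=["letmein", "P@ssw0rd"], words=["winter", "summer"])
    print("recovered:", found)
    rate = 1e6   # assumed rate for a slow KDF on one GPU
    for label, space in (("mask ?u?l?l?l?l?d?d?d?d", mask_keyspace("?u?l?l?l?l?d?d?d?d")),
                         ("full 95-char, 1-8", bruteforce_keyspace(95, 1, 8)),
                         ("full 95-char, 12", bruteforce_keyspace(95, 12, 12))):
        print(f"{label}: {space:,} candidates, worst case {human_time(worst_case_seconds(space, rate))}")
```

The mask case is the point of “brute-force with mask”: a nine-character pattern that is known to be capital-four-lowercase-four-digits is about 1.2e11 candidates, while a blind eight-character search over 95 printable characters is 6.7e15 and a twelve-character one is beyond any practical rate.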

    Can I speed up the recovery process?

Yes, you can accelerate the recovery process by using GPU acceleration. Both NVIDIA and AMD graphics cards are supported for this purpose. Additionally, you can create a network of computers using Elcomsoft Distributed Password Recovery to build a password recovery cluster, which can significantly speed up the process. Please note that modern data protection practically requires GPU acceleration for recovering any passwords except unusually weak ones.

    Remember, the recovery of a strong password is a challenging task and success is not guaranteed. By following these steps and leveraging the available advanced recovery methods, you’ll be getting the best possible chance to recover the password. If you have further questions or encounter issues, don’t hesitate to reach out to our support team for assistance.

    Related articles:

    We published numerous articles on the subject.

    • Use The Brute Force, Luke! “There are several methods for recovering the original password ranging from brute force to very complex rule-based attacks. Brute-force attacks are a last resort when all other options are exhausted. What can you reasonably expect of a brute-force attack, what is the chance of success, and how does it depend on the password and the data? Or just “how long will it take you to break it”? Let’s try to find out….”
• A Word About Dictionaries “Dictionary attacks are among the most effective ones because they rely on the human nature. It is human nature to select passwords that are easily memorizable, like their pet names, dates of birth, football teams or whatever.”
    • Accelerating Computer Forensics: the Low-Hanging Fruit Strategy Though this article doesn’t focus on password recovery directly, its insights are applicable to the field. The method discussed within can aid in accessing secured data without resorting to time-consuming attacks.

    By Oleg Afonin at 2023-08-22 13:10:54 Source ElcomSoft blog:
    What to Do When Password Recovery Attacks Stall

  • Open-Sourcing Orange Pi R1 Plus LTS Software for Firewall Functionality: Secure Sideloading of Extraction Agent

    Open-Sourcing Orange Pi R1 Plus LTS Software for Firewall Functionality: Secure Sideloading of Extraction Agent

We are excited to announce the release of open-source software for the Orange Pi R1 Plus LTS designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices with iOS Forensic Toolkit. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.

    Important: older developer accounts created before June 6, 2021, are exempt from the verification process. If you are using one of these accounts, you will not need a firewall to run the extraction agent.

TL;DR

Our research and development team has introduced an open-source project called EIFTPI (github/eiftpi). This project provides a custom firewall (or, more accurately, a “proxy”) designed specifically for the Orange Pi R1 Plus LTS device. This mini-router has several features that make it a better fit for this specific purpose than the more all-round Raspberry Pi 4, including two Ethernet ports, both of which are utilized by our software, a lower price, and wide availability.

Why do you need a firewall for iOS forensics? To perform a low-level extraction of iOS and iPadOS devices with iOS Forensic Toolkit, the extraction agent needs to be sideloaded onto the device being analyzed. Each sideloaded app, including the extraction agent, must be signed with an Apple-issued certificate, producing a digital signature that is specific to the device. When installing (or launching for the first time) a sideloaded app on an iPhone or iPad, users are prompted to verify the digital signature, which requires the device to contact an Apple server. However, connecting the device to the internet poses the risk of unwanted synchronization or of remote locking or erasure of its content, especially if the device is part of an evidence base.

    Previously, we recommended a solution that involved enrolling the Apple ID used for signing the sideloaded app into the Apple Developer program, which in turn allowed for the validation of the digital signature without the need for the device to contact an online server. Unfortunately, due to recent updates on Apple’s side, digital signatures associated with new developer accounts must now undergo verification with an Apple server. Consequently, this reintroduces the potential risks that were previously exclusive to non-developer accounts. Considering these changes, we have developed several solutions to minimize risks by limiting the device’s connection solely to the server required for certificate verification. These solutions are:

    1. A script for macOS that acts as an effective firewall
    2. An open-source firmware implementing a functional firewall on a Raspberry Pi 4
    3. An open-source firmware implementing a functional firewall on an Orange Pi R1 Plus LTS

    The Orange Pi R1 Plus LTS router

Orange Pi R1 Plus LTS is an open-source single-board computer with dual Gigabit Ethernet ports. It is highly compact, measuring 56×57 mm. According to the manufacturer, it can run OpenWRT, Ubuntu, and Debian. It uses the Rockchip RK3328 SoC featuring a quad-core ARM Cortex-A53 64-bit processor, 1 GB of LPDDR3 SDRAM, a microSD card slot, and, most importantly, two physical Ethernet ports. The device uses a Type-C port as its power connector, and can be easily powered by connecting it to the Type-C port of your Mac or MacBook.

Advantages of the Orange Pi R1 Plus LTS

Compared to a Raspberry Pi 4, for which we have also developed a functional firewall, the Orange Pi R1 Plus LTS is cheaper (around $35 at the time of this writing), and has two dedicated Ethernet ports, both of which are utilized by our project. Essentially, this means that you won’t need an extra USB to Ethernet adapter as you would in the case of the Raspberry Pi 4. In short, the Orange Pi R1 Plus LTS is a slightly easier to use firewall/proxy than the Raspberry Pi 4, but the Raspberry Pi 4 is a more powerful general-purpose device. We would like to list the following advantages of the Orange Pi R1 Plus LTS:

    1. Wide Accessibility: The Orange Pi R1 Plus LTS device is easily obtainable, both with and without the metal case, ensuring users can quickly procure the necessary hardware for their forensic needs. The EIFTPI firmware is readily available on GitHub, making it accessible to a broad community of forensic professionals and enthusiasts.
    2. Cost-Effectiveness: In comparison to some other specialized forensic hardware options, including the Raspberry Pi 4, the Orange Pi R1 Plus LTS is an affordable choice. This affordability extends to its components, as it comes with two Ethernet ports, eliminating the need for an additional adapter. This cost-effectiveness makes it a preferred option for those on a tight budget or smaller forensic teams.
3. Enhanced Connectivity: The Orange Pi R1 Plus LTS features two Ethernet ports. If you have the version with the metal case, one is labeled “LAN” (this port is located closer to the USB-C port) and the other is labeled “WAN” (to the right of it). In our implementation, these ports serve distinct purposes: the LAN port connects the device to the internet, while the WAN port is dedicated to connecting iPhones and iPads through the use of appropriate adapters (such as USB-C to Ethernet or Lightning to Ethernet).

    Setup requirements

    To set up the EIFTPI firewall for iOS forensic purposes, users will need the following:

    1. A microSD card
    2. A Type-C power supply for the Orange Pi R1 Plus LTS device (you may use a Type-C cable to power the device off a Mac or MacBook USB Type-C port)
    3. An adapter for Ethernet connectivity on iPhones/iPads (USB-C to Ethernet or Lightning to Ethernet)
    4. Two Ethernet patch cords – one to connect the device to a regular router and another to connect the iPhone/iPad to the Orange Pi R1 Plus LTS

    Setting up an Orange Pi R1 Plus LTS as a functional firewall

    The EIFTPI image is designed to work as a proxy for wired iOS internet connections, enabling safe agent signing with restricted communication to specific servers. This manual will guide you through the setup process.

First, download the firmware image from GitHub – Elcomsoft/eiftpi. There is a single unified image currently supporting several devices including Raspberry Pi 3B, Raspberry Pi 3B+, Raspberry Pi 4, Orange Pi 5, and Orange Pi R1 Plus LTS.

    The simplest way to use it is:

1. Flash the image onto a microSD card (at least 4 GB)
2. Insert the card into the Orange Pi R1 Plus LTS and power the device on
3. Connect the iPhone, via a Lightning to Ethernet adapter, to the WAN port of the Orange Pi R1 Plus LTS
4. Connect the Orange Pi R1 Plus LTS to the Internet through its LAN port

    Important: On the Orange Pi R1 Plus LTS, the uplink (i.e. the connection to the Internet) is the port next to the USB-C port (labeled “LAN” on the metal case). The other port (the one closer to the GPIO pins, at the right; marked as WAN on the case) is the downlink, i.e. to connect the iPhone. Just note that there are no LAN/WAN labels on the board itself, but only on the box.

    That’s it! You have successfully installed the firmware on Orange Pi R1 Plus LTS. Connect the Orange Pi R1 Plus LTS device to the internet and then connect your iPhone to the Orange Pi R1 Plus LTS using a cable. We recommend connecting a test iPhone first to ensure that Internet access is limited. The test iPhone should only have access to ppq.apple.com and humb.apple.com. Additionally, www.elcomsoft.com should be accessible (you can use it for testing the connection), while www.apple.com (or any other address except those listed above) should not be accessible.
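The reachability check recommended above can be scripted instead of being done by hand in Safari on a test iPhone. The following is an added example, not part of the ElcomSoft post or of the EIFTPI project: run it on a laptop plugged into the downlink (WAN-labelled) port in place of the test iPhone. The three hosts that must be reachable and www.apple.com as the host that must be blocked come from the post; example.com as a second blocked control, the use of a TCP handshake on port 443 as the reachability test, and the five-second timeout are this example's assumptions. A non-empty list of leaks means the proxy is not restricting traffic and the target device must not be connected.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List

# From the post: the only names the proxied device may reach.
EXPECTED_REACHABLE = ("ppq.apple.com", "humb.apple.com", "www.elcomsoft.com")
# Controls that must be blocked. www.apple.com is the post's example;
# example.com is an added control (assumption).
EXPECTED_BLOCKED = ("www.apple.com", "example.com")


def tcp_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True when a TCP handshake to host:port completes. A DNS failure,
    a refused connection and a timeout all count as 'blocked', which is the
    conservative reading for a firewall test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_firewall(reachable: Callable[[str], bool] = tcp_reachable,
                    allowed: Iterable[str] = EXPECTED_REACHABLE,
                    blocked: Iterable[str] = EXPECTED_BLOCKED) -> Dict[str, List[str]]:
    """Probe every host and classify deviations from the expected policy.
    'missing' = allowed host not reachable (signing will fail);
    'leaks'   = blocked host reachable (remote lock/wipe is possible)."""
    missing = [h for h in allowed if not reachable(h)]
    leaks = [h for h in blocked if reachable(h)]
    return {"missing": missing, "leaks": leaks}


def firewall_ok(result: Dict[str, List[str]]) -> bool:
    """Only a result with neither leaks nor missing hosts is safe to proceed on."""
    return not result["missing"] and not result["leaks"]


if __name__ == "__main__":
    verdict = verify_firewall()
    for h in verdict["missing"]:
        print(f"MISSING: {h} not reachable (agent signing will fail)")
    for h in verdict["leaks"]:
        print(f"LEAK:    {h} reachable (do NOT connect the target device)")
    print("firewall OK" if firewall_ok(verdict) else "firewall NOT OK")
    sys.exit(0 if firewall_ok(verdict) else 1)
```

Because a leak is the dangerous direction, treat the script's exit status as a gate: only a zero exit on the test machine should be followed by plugging in the evidence device.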

    If you prefer building your own image or using Wi-Fi instead of the built-in Ethernet port (which we generally do not recommend), visit GitHub – Elcomsoft/eiftpi for additional instructions.

    Conclusion

    As we have shared our open-source software for Orange Pi R1 Plus LTS with firewall functionality, we aim to secure the sideloading of the extraction agent in the iOS ecosystem. The limitations of checkm8 and the complex nature of developer accounts have necessitated new approaches to ensure data security. By embracing open-source solutions and providing alternatives, we strive to empower forensic experts and enhance the effectiveness of the extraction agent in safeguarding valuable information.

    By Oleg Afonin at 2023-08-03 16:00:05 Source ElcomSoft blog:
    Open-Sourcing Orange Pi R1 Plus LTS Software for Firewall Functionality: Secure Sideloading of Extraction Agent

  • Breaking into iOS 16.5: Extracting the File System and Keychain

    Breaking into iOS 16.5: Extracting the File System and Keychain

    When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software release has significantly reduced.

    Introduction

    Agent-based extraction is an advanced “consent extraction” method for obtaining the complete file system and keychain data from modern iOS and iPadOS devices, namely iPhones and iPads. “Consent extraction” means the method can only be used when the device passcode is known or not set. Although agent extraction may not be considered as “forensically sound” as acquisition based on the bootloader exploit, it is the only available technique for the latest Apple devices with A12-A16 Bionic and M1/M2 SoCs, and the only working extraction technique for A11 devices (iPhone 8/8 Plus/iPhone X) running iOS 16, where bootloader-based methods fail. Agent-based extraction lets investigators retrieve the maximum amount of data from these devices, making it a valuable source of forensic evidence.

    The Low-Level Extraction Agent

    The low-level extraction agent is what sets iOS Forensic Toolkit apart. We have already established ourselves as pioneers in checkm8 extractions, extended support to various Apple devices, and introduced low-level extraction support for Apple M1 and M2 chip-based iPad models. Previously, our tool could extract the full file system image and decrypt the keychain from supported devices running iOS releases up to and including iOS 16.4; for some devices, the latest supported version was even older. The update extends full file system extraction and keychain decryption to iOS 16.5 across the same range of devices, from the Apple A11 Bionic up to and including the M1 and M2.

    Investigators can now access crucial evidence in the latest Apple devices running relatively recent versions of iOS, including the contents of apps’ sandboxes, system data, and important online account passwords, shedding light on users’ digital activities. In addition to passwords, the keychain stores crucial keys required to unlock protected chat histories from messaging applications like Signal.

    The current support matrix covers iOS versions up to and including 16.5, and our development team is actively working on upcoming iOS releases. Elcomsoft iOS Forensic Toolkit remains at the forefront of iOS forensic tools, continuously evolving to meet the demands of the ever-changing landscape.

    A Major Achievement makes for a Breakthrough in Mobile Forensics

    Apple is known for its dedication to security and regularly patches iOS with timely security fixes. Their commitment to protecting user data means they release OS updates promptly and frequently, making it challenging for forensic vendors to keep up and develop software that can effectively extract evidence from devices with a known passcode running these latest iOS versions. Despite these difficulties, our forensic team achieved a significant milestone this time, reducing the gap between the release of iOS 16.5 and our forensic software update to approximately 2.5 months. This may seem minor to some, but within the forensic industry it represents a major step forward and highlights our commitment to staying at the forefront of iOS data acquisition. Our constant effort to bridge the gap between iOS updates and forensic capabilities ensures that investigators have the most advanced tools at their disposal to conduct thorough and effective digital investigations.

    A Word on Apple A11 Chips

    Devices equipped with A11 Bionic chips (iPhone 8, 8 Plus and iPhone X) were initially considered susceptible to checkm8, a bootloader-level exploit that was thought to be unpatchable. However, with iOS 16 Apple introduced SEP hardening that denies checkm8-based access to user data if a screen lock passcode has ever been set on the device. We discussed this in iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications. The change renders the exploit useless for accessing data on A11 iPhones running iOS 16.

    Let’s reiterate: a bootloader-level extraction of A11-based iPhones running iOS 16 will fail if a passcode was ever used on the iPhone since the initial setup, making checkm8 extractions pointless for these devices if they run iOS 16.

    Previously, other extraction methods for A11 Bionic devices proved challenging, as many existing OS-level exploits did not work on these chips, limiting forensic specialists to partial file system extraction for iOS 15.4 – 16.1.2, without access to the keychain. Fortunately, an updated agent-based extraction method is now available, leveraging a new OS-level exploit. This allows investigators to perform full file system extraction and decrypt the keychain on A11 devices running all versions of iOS 15 and 16 up to and including iOS 16.5, giving access to critical data and evidence from a wider range of devices.

    Wait A Minute!

    When attempting data extraction using this new method, it is crucial to exercise patience. After restarting the device, wait for at least a minute, preferably 2 to 3 minutes, before proceeding with the extraction. This waiting period allows the device to stabilize and background processes to settle. Note that the number of apps installed on the device affects the kernel’s activity during this period, so an even longer wait may be required for a successful extraction.

    Additionally, make sure to place the device in airplane mode and additionally disable Wi-Fi and Bluetooth toggles before you begin the extraction. This not only eliminates the risk of remote lockout, but also helps minimize unwanted activity on the device, ensuring a more stable environment for the extraction process.

    In real life, successful extractions might not be achieved on the first attempt. In our lab, one device took five attempts before the extraction succeeded, while several others required only two tries. Devices with limited data or minimal applications generally completed the process without issues on the first run.

    How We Tested It

    We extensively tested the update on a wide range of devices to ensure its reliability and compatibility. We hope that several more devices and iOS versions will be added to our testing list based on valuable feedback from our clients. This is the current list of devices/iOS versions/SoC we tested the update on:

    • iPhone 8 & iPhone X, iOS 15.4, 15.6, 15.7.1, 16.0, 16.1, 16.2, 16.3, 16.4, 16.4.1, 16.5 // A11
    • iPhone Xs Max, iOS 16.4.1 // A12
    • iPhone 11, iOS 16.5 // A13
    • iPhone SE (2nd generation), iOS 16.4.1 // A13
    • iPad Air (4th generation), iOS 16.5 // A14
    • iPhone 13 Pro, iOS 16.5 // A15
    • iPhone 13 Pro Max, iOS 16.4.1 // A15
    • iPhone 13 Mini, iOS 16.4.1 // A15
    • iPhone 13 Mini, iOS 16.5 // A15
    • iPhone SE (3rd generation), iOS 16.5 // A15
    • iPad Air (5th generation), iOS 16.4.1 // M1

    Note: The exploit may not always work on the first attempt and could occasionally cause the device to reboot. In such cases, we recommend trying again, but it’s crucial to wait for at least a minute after the reboot to allow the system’s core components to stabilize. Furthermore, keep the device in airplane mode during the process to minimize external interference with the extraction.

    Conclusion

    Elcomsoft iOS Forensic Toolkit stands unrivaled in iOS data acquisition. With its powerful extraction capabilities, support for the latest iPhone and iPad models, and keychain decryption, it empowers forensic investigators with comprehensive access to valuable information. The recent addition of iOS 16.5 support, along with our commitment to future updates, solidifies EIFT as the most advanced iOS acquisition software available, unlocking new possibilities for your forensic investigations.

    By Oleg Afonin at 2023-08-02 10:59:48 Source ElcomSoft blog:
    Breaking into iOS 16.5: Extracting the File System and Keychain

  • Best Practices in Mobile Forensics: Separating Extraction and Analysis

    Best Practices in Mobile Forensics: Separating Extraction and Analysis

    In the ever-evolving landscape of digital investigations, mobile forensics has become a critical aspect of law enforcement work. The challenges of extracting, handling, and analyzing data obtained from various sources have led to a growing demand for universal solutions. We’d like to emphasize the importance of every stage of mobile forensics, the significance of extraction, and the critical importance of expertise in this field.

    Stages of Mobile Forensics

    Mobile forensics involves several crucial stages that cannot be overlooked. These stages include preliminary tasks such as device isolation, transportation, and proper documentation. Following these, the actual extraction process takes place, which is then followed by analysis and generating reports for further investigation or archival purposes.

    Extraction is a pivotal stage in mobile forensics: it can make or break an investigation. Choosing the right extraction method is essential to avoid damaging the device, missing critical data, or wasting time. Please check out this article and follow our blog for updated information on selecting the appropriate extraction method, as the field constantly evolves.

    The Choice of Forensic Software

    Choosing the right forensic software is crucial for successful data extraction. Consider factors like compatibility with different devices, reliability, speed, and the platform the software runs on. Conduct thorough research before investing in any software to ensure it meets the specific requirements of your investigations. Proper research may not be easy, as forensic vendors tend to hide essential information from their customers (read part 1 and part 2). No single software solution can fully meet the diverse needs of the DFIR field. Relying solely on press releases and marketing materials is ill-advised; always do your homework before trusting forensic software vendors’ claims.

    The Choice of Extraction Methods

    A variety of extraction methods exists in mobile forensics, including advanced logical extraction, bootloader-based extraction, agent-based extraction, and cloud-based extraction. Each method has its advantages and limitations, so it’s crucial to understand them and have access to the necessary software.

    For iOS devices, low-level extraction is by a large margin the most effective method: it returns the full file system image and decrypts the keychain, which holds important data like passwords and encryption keys. Low-level extraction is also the only way to access encrypted conversations in secure instant messengers (e.g. Signal). However, low-level extraction is limited to older devices or older versions of iOS, and support for newer iOS releases lags behind. Apple’s rapid succession of updates and patches makes data extraction a continuous challenge for forensic experts.

    When it comes to low-level extraction, bootloader-level extraction and agent-based extraction are available. Bootloader-level extraction relies on vulnerabilities that exist in some devices’ bootloaders. For 64-bit Apple devices we’re using the checkm8 exploit, which, in our implementation, delivers repeatable, verifiable and safe extractions. Bootloader-level extraction, however, is only available for older devices (up to and including the iPhone 8/8 Plus/iPhone X generation and other Apple devices based on similar chips); moreover, there are severe limitations to bootloader extractions introduced in recent versions of iOS due to SEP hardening and other security measures.

    If bootloader-level extraction is not available for a given device, yet another method based on the extraction agent may be used if the device is running a compatible version of iOS (at this time the highest OS version supported by the extraction agent is iOS 16.4, with support for newer releases in the works). The agent-based method is the second best after bootloader-based extraction. We published a comprehensive overview of the extraction agent in Exploring the Extraction Agent.

    In cases where unsupported iOS versions are encountered, advanced logical extraction becomes the only viable option. While it allows the extraction of device backups, some system logs, media files and metadata, it may not retrieve critical data like email messages or conversation histories from popular instant messaging apps.

    Last but not least, cloud extraction may be viable where the physical device is unavailable for extraction: for example, after physical damage such as water damage or hardware failure, or where the device has been factory reset or wiped. In all these cases Elcomsoft Phone Breaker‘s cloud extraction becomes the last resort, extracting all available information from Apple iCloud, subject to having the authentication credentials.

    Common Mistakes and Their Consequences

    In general, some of the most significant mistakes during or before the extraction process that lead to data loss include:

    • The device goes online during extraction, which may cause unwanted synchronization and/or a remote wipe or remote lock.
    • Only creating a backup when low-level extraction is available, thereby failing to capture the complete file system.
    • Neglecting to check other potential data sources, such as old local backups, cloud backups, or other devices.
    • Resetting the password, inadvertently locking out access to critical data.
    • Relying solely on one software tool without cross-verification.

    These errors can have severe consequences and result in the loss of crucial evidence. Therefore, it is essential to exercise caution, follow best practices, and consider all available data sources to ensure the success of mobile forensics investigations.

    The Analysis Stage

    The analysis stage requires powerful hardware to process and interpret the extracted data effectively. Unlike extraction, analysis often demands a more thoughtful and manual approach. Knowing the tools and their options is extremely important. For example, disabling some computation-intensive options, such as image recognition, can significantly speed up the process. It’s best to use multiple software tools for cross-checking and compare their results for more accurate conclusions, and be cautious of vendors who prioritize the number of discovered artefacts over accuracy.

    Although an all-in-one solution for extraction and analysis might be appealing, it is often not the most effective approach. For iOS devices, certain vendors provide outstanding extraction capabilities, while others specialize in Android devices, sometimes even specific chipsets (like ACELab targeting specifically MTK-based Android devices). In many cases, using separate tools for extraction and analysis yields better results and avoids unnecessary expenses.

    Conclusion

    It is essential to learn from others’ mistakes and utilize the right tools for the job. However, the most crucial aspect is to apply critical thinking and knowledge in every investigation. Armed with knowledge and understanding, you can avoid the pitfalls and achieve more successful outcomes in mobile forensics. Always stay vigilant, be informed, and trust your expertise to navigate the complexities of digital investigations effectively.

    We continuously emphasize the importance of the extraction stage in mobile forensics. This stage holds significant weight, as the accuracy of the extracted data directly impacts the validity of the conclusions drawn from it. Even in high-profile cases, critical mistakes have been made during extraction. Fortunately, our approach to mobile forensics takes all these aspects into account. We prioritize forensically sound methods like checkm8, and we have developed an extraction agent with specific features and the widest coverage of Apple mobile operating systems. Please use our blog as a comprehensive reference covering the proper steps and methods for data extraction.

    By Oleg Afonin at 2023-07-31 18:34:34 Source ElcomSoft blog:
    Best Practices in Mobile Forensics: Separating Extraction and Analysis