When it comes to mobile forensics, experts typically analyze the smartphone itself, with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and often will) help in accessing information stored both on the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light on smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.
Mobile Artefacts on Desktops and Laptops
Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.
How can the user’s PC or Mac help mobile forensic experts? There are several types of evidence that can help us retrieve data from the phone or the cloud.
- iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
- Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
- Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
- Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.
iPhone users can optionally install iTunes on their Windows computer (or use the built-in version of said software on a Mac). Among other things, iTunes can be used to make periodic or manual local backups of the iPhone. These backups are arguably the most precious part of the evidence a mobile forensic specialist can collect from the user’s computer.
Apple’s iPhone has a better local backup system compared to Android’s stripped-down ADB backup. Apple has a comprehensive write-up on local backups in About backups for iOS devices.
According to Apple, “an iTunes backup includes nearly all of your device’s data and settings.” It’s been our consistent experience that a local backup contains almost everything one requires to restore an existing iPhone or set up a new device. Transferring files and settings to another device is fast and easy; the user’s experience with a replacement device will not be much different from using their old iPhone. Even the passwords (iOS Keychain) are saved in a local backup.
Encrypted vs. Unencrypted Backups
The user may optionally protect their local backups with a password. Password-protected backups are securely encrypted. In order to decrypt those backups, one would need to break or recover the password. Password recovery attacks are slow, with as few as 100-150 attempts per second on a high-end GPU.
There is a huge difference between encrypted and unencrypted iTunes backups. In a way, password-protected backups can be even more desirable for an expert than those without a password. Apple says the following about backup encryption:
The Encrypt backup feature in iTunes locks and encodes your information. Encrypted iTunes backups can include information that unencrypted iTunes backups don’t:
- Your saved passwords
- Wi-Fi settings
- Website history
- Health data
We’ve been able to extract saved passwords (the iOS Keychain) from encrypted backups only. Unencrypted iTunes backups still contain the keychain; however, the content of the keychain in unprotected backups is encrypted with a secure device-specific key, so it can only be decrypted on the very same device the backup was captured from.
Since iOS 11, the iTunes backup password can be reset; to do that, you’ll need the iPhone itself and the passcode. Since iOS 13, you will need the passcode to specify the backup password in iTunes or iOS Forensic Toolkit.
Finally, some things are never stored in local backups.
An iTunes backup doesn’t include:
- Content from the iTunes and App Stores, or PDFs downloaded directly to Apple Books
- Content synced from iTunes, like imported MP3s or CDs, videos, books, and photos
- Data already stored in iCloud, like iCloud Photos, iMessages, and text (SMS) and multimedia (MMS) messages
- Face ID or Touch ID settings
- Apple Pay information and settings
- Apple Mail data
- Activity, Health, and Keychain data (To back up this content, you’ll need to use Encrypted Backup in iTunes.)
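The encryption state of a local backup decides what can be recovered from it, and it is recorded in the backup’s Manifest.plist (the IsEncrypted flag, with a BackupKeyBag blob present only in password-protected backups). The following triage script is an added example written for this article; it is not Elcomsoft’s or Apple’s code. It builds a constructed, minimal Manifest.plist in memory (real manifests carry many more keys and a real keybag), then reports whether the backup is encrypted, whether the keychain is recoverable offline, and whether the backup password can be reset on the device, applying the iOS 11 rule stated above. The triage_backup_dir helper is the same logic pointed at a real backup folder.

```python
import os
import plistlib
from datetime import datetime


def build_sample_manifest(encrypted: bool) -> bytes:
    """Constructed stand-in for a backup's Manifest.plist (binary plist).

    Real manifests also carry Applications metadata and, when encrypted, a
    structured BackupKeyBag blob that the backup password unwraps.
    """
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "Date": datetime(2020, 1, 15, 12, 0, 0),  # naive datetime, as plistlib expects
        "WasPasscodeSet": True,
        "Lockdown": {
            "DeviceName": "Sample iPhone",
            "ProductType": "iPhone10,3",
            "ProductVersion": "13.3",
            "UniqueDeviceID": "PLACEHOLDER-UDID",  # constructed placeholder
        },
    }
    if encrypted:
        # Placeholder bytes; only the presence of the key matters for triage.
        manifest["BackupKeyBag"] = b"\x00" * 32
    return plistlib.dumps(manifest, fmt=plistlib.FMT_BINARY)


def _major_version(version):
    try:
        return int(str(version).split(".")[0])
    except ValueError:
        return None


def triage_manifest(data: bytes) -> dict:
    """Summarize what a backup can yield, based solely on its manifest."""
    m = plistlib.loads(data)
    lockdown = m.get("Lockdown", {})
    encrypted = bool(m.get("IsEncrypted", False))
    major = _major_version(lockdown.get("ProductVersion", ""))
    return {
        "device_name": lockdown.get("DeviceName"),
        "ios_version": lockdown.get("ProductVersion"),
        "backup_date": m.get("Date"),
        "encrypted": encrypted,
        "has_keybag": "BackupKeyBag" in m,
        # The keychain is only recoverable from encrypted backups; in an
        # unencrypted backup it stays wrapped with a device-specific key.
        "keychain_recoverable_offline": encrypted,
        # A password-protected backup needs the password (or a reset) first.
        "password_needed": encrypted,
        # Since iOS 11 the backup password can be reset with the phone and passcode.
        "password_resettable_on_device": encrypted and major is not None and major >= 11,
    }


def triage_backup_dir(path: str) -> dict:
    """Run the same triage against a real backup folder on disk."""
    with open(os.path.join(path, "Manifest.plist"), "rb") as f:
        return triage_manifest(f.read())


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_manifest(build_sample_manifest(flag)))
```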
The user’s passwords can be stored on their computer, cached by popular Web browsers or kept in a password manager app. Stored passwords can be used to unlock BitLocker-encrypted hard drives, access iCloud data and data in the user’s Google account, break strong encryption or access the user’s comprehensive location history.
In Windows, some of the most popular Web browsers featuring the ability to save passwords are Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, and Opera Browser. In all of these browsers, stored passwords are only loosely protected. As a result, one can easily extract them with Elcomsoft Internet Password Breaker. Once the passwords are extracted, you can either use them to build a custom dictionary for attacking encrypted documents, or perform cloud extraction.
To extract data from the user’s iCloud account, enter stored authentication credentials in Elcomsoft Phone Breaker.
To extract data from the user’s Google account, use corresponding authentication credentials in Elcomsoft Cloud Explorer.
macOS stores passwords in the keychain. Both native and third-party passwords will be stored in the keychain, at least when it comes to Google Chrome. As a result, accessing the passwords requires extracting and decrypting the keychain.
You can now extract data from the user’s iCloud account with Elcomsoft Phone Breaker (a Mac version is available). To extract data from the user’s Google account, use corresponding authentication credentials in Elcomsoft Cloud Explorer (a Mac edition is available).
An authenticated email client (e.g. Outlook or Windows Mail) or a Web browser authenticated into an online mail service (e.g. Gmail, Hotmail etc.) may be used to request a password reset for the user’s other accounts. Note that this will not work for Apple ID accounts with two-factor authentication. It won’t work on the Google Account either. However, you may still be able to request a password reset for other accounts such as social networks, chats and instant messaging accounts.
Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, experts can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Via the logical acquisition process, experts can extract a local backup, access shared and media files, and even extract device crash logs.
Extracting lockdown records from the user’s computer may provide an opportunity for extracting data from a locked iPhone. Note that logical acquisition is only possible with devices in AFU (After First Unlock) state; this is the reason why it is so important to keep the device turned on at all times.
We wrote multiple articles on lockdown records. While some of them are several years old, very little has changed since then (in particular, Apple added lockdown expiry in iOS 11.3, and protected lockdown files with access control permissions in macOS). We recommend the following articles:
Logical acquisition (even with a valid lockdown record) is only possible if the device has not entered a so-called USB Restricted Mode. More on USB restricted mode:
Authentication tokens are pieces of data that allow the client (a Web browser, iCloud for Windows, Elcomsoft Phone Breaker, Elcomsoft Cloud Explorer etc.) to connect to the server without providing a login and password for every request. These pieces of data are stored in small files (Web browsers store them in cookies). These files spare the user from entering their login and password during the current and subsequent sessions. These very same files can be used to authenticate a cloud forensic tool into the corresponding cloud service without providing (or even knowing) the user’s login and password.
Authentication tokens do not contain a password or its hash value. Instead, they are totally random strings of data. A token cannot be used to attack the password.
The use of authentication tokens is limited. We laid out the types of data that can and cannot be accessed with a token below.
iCloud authentication tokens in particular are difficult to grasp. What are they, what tools are they created with, where they are stored, and how and when they can be used are questions that we’re being asked a lot. We have a number of articles that shed light onto authentication tokens.
Windows: Apple pins iCloud authentication tokens to the device they’ve been created on. Such “pinned” tokens cannot be used on a different device if they are transferred. As a result, one can only use such tokens on the very same computer they’ve been created on.
macOS: The same device “pinning” applies to macOS computers. However, we’ve been able to access and decrypt unrestricted tokens in addition to “pinned” ones. You’ll need Elcomsoft Phone Breaker Forensic Edition to extract unrestricted tokens from macOS. You’ll need the same tool to download information from iCloud using the token.
Tokens are good for: accessing synchronized data including Contacts, Calendars, and Notes; Safari browsing history and open tabs; Wallet cards; Call logs; iCloud Photos. You can also access files from iCloud Drive including many third-party app containers (1Password, WhatsApp, Viber etc.), obtain the recovery token for FileVault 2-encrypted drives and access iCloud mail.
You cannot use tokens for: changing the user’s iCloud password; disabling Two-Factor Authentication; accessing passwords (iCloud Keychain), Screen Time, Health (iOS 12 and newer) and Messages. You cannot use tokens to download iCloud backups.
(To be 100% technically correct, iCloud backups may be downloaded with a valid token from non-2FA accounts only. However, the lifespan of these tokens is limited to just one hour from the moment the token was created. In other words, it is so short that it has extremely limited forensic significance.)
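The properties described above (a token is a random string unrelated to the password, it may be pinned to the device it was created on or be unrestricted, and it may carry a short lifetime such as the one-hour backup-download token) can be shown with a small server-side token service. The code below is an added, hypothetical illustration for this article, not Apple’s or Google’s implementation: the server stores only a one-way hash of each token, so neither the token nor a dump of the token store reveals anything about the password; a token issued with a device_id is rejected when presented from another device; a token issued with device_id=None is unrestricted; and the constructed TOKEN_TTL_SECONDS value enforces expiry.

```python
import hashlib
import hmac
import secrets
import time

# Constructed lifetime for the example (one hour, like the backup-download
# tokens mentioned in the article); real services use per-token-type policies.
TOKEN_TTL_SECONDS = 3600


def _fingerprint(token: str) -> str:
    # Only a one-way hash of the token is stored server-side, so a leaked
    # store yields neither usable tokens nor anything about the password.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenService:
    """Hypothetical token issuer/validator used to illustrate the article's points.

    issue() returns a random token that has no relationship to the account
    password. A device_id pins the token to that device; device_id=None
    produces an unrestricted token that any device may present.
    """

    def __init__(self):
        self._records = {}

    def issue(self, account: str, device_id, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, no password material
        self._records[_fingerprint(token)] = {
            "account": account,
            "device_id": device_id,
            "issued_at": now,
        }
        return token

    def validate(self, token: str, device_id: str, now=None):
        """Return (ok, detail): the account on success, the reason on failure."""
        now = time.time() if now is None else now
        rec = self._records.get(_fingerprint(token))
        if rec is None:
            return False, "unknown token"
        if now - rec["issued_at"] > TOKEN_TTL_SECONDS:
            return False, "expired"
        pinned_to = rec["device_id"]
        # Pinned tokens only validate from the device they were created on.
        if pinned_to is not None and not hmac.compare_digest(pinned_to, device_id):
            return False, "device mismatch"
        return True, rec["account"]

    def revoke(self, token: str) -> bool:
        """Server-side revocation, e.g. on password change or 2FA changes."""
        return self._records.pop(_fingerprint(token), None) is not None


if __name__ == "__main__":
    svc = TokenService()
    pinned = svc.issue("user@example.com", "pc-A", now=1000.0)
    unrestricted = svc.issue("user@example.com", None, now=1000.0)
    print("pinned, same device:   ", svc.validate(pinned, "pc-A", now=1500.0))
    print("pinned, other device:  ", svc.validate(pinned, "pc-B", now=1500.0))
    print("unrestricted, other PC:", svc.validate(unrestricted, "pc-B", now=1500.0))
    print("pinned, after 2 hours: ", svc.validate(pinned, "pc-A", now=1000.0 + 7200))
```

Because validation compares a hash of the presented token against stored hashes and never consults the password, a captured token offers no path to the password itself, which is exactly the limitation the article states for both iCloud and Google tokens.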
If you have access to the user’s computer (Mac or PC), you may be able to extract a binary authentication token from that computer (with Elcomsoft Cloud Explorer) and use it to bypass the password and two-factor authentication protection. There are several types of tokens, which are restricted in different ways.
Google authentication tokens are small XML files. On Windows computers, those are stored on the user’s hard drive. They are kept in the Keychain in macOS. The tokens are created after the user signs in to any Google service with the Chrome browser (or the Google Drive app for Drive tokens). Experts can use the data from that XML file to authenticate ongoing and subsequent sessions without asking the user to re-enter the password or confirm the two-factor authentication prompt.
Google authentication tokens carry their own set of restrictions. While they are not “pinned” to a particular computer and can be easily transferred to a different PC or Mac, the token cannot be used to attack, reset or recover the user’s account password. However, tokens can be used to turn off two-factor authentication in the user’s Google account.
Tokens extracted from the Chrome browser are more universal, allowing access to a number of data categories. On the other hand, tokens produced by the Google Drive app can be only used to access files in the user’s Google Drive.
One can automatically extract, transfer and use Google authentication tokens with Elcomsoft Cloud Explorer on both Windows and macOS platforms.
Mobile forensics is not just about the iPhone or Android handset. More evidence related to the use of mobile devices may be extracted from numerous other sources. We have described the artefacts one may find on the user’s computer, and their use for the purpose of mobile forensics.
Even if you cannot use an authentication token for accessing backups or any of the protected containers, Apple iCloud keeps a great deal of real-time data accessible as synchronized data (see our article Apple iCloud Keeps More Real-Time Data Than You Can Imagine).